Microsoft Azure Security Engineer Associate AZ-500 (AZ-500) — Questions 451525

1000 questions total · 14pages · All types, answers revealed

Page 6

Page 7 of 14

Page 8
451
MCQhard

You are reviewing the above Azure Policy definition. What does this policy do?

A.Denies storage accounts that have the default network action set to Deny
B.Denies storage accounts that do not have encryption enabled
C.Denies storage accounts that have firewall rules configured
D.Denies storage accounts that allow all network traffic
AnswerA

Matches the condition and effect.

Why this answer

Option D is correct: the policy denies (via `"effect": "deny"`) any storage account that has `networkAcls.defaultAction` set to `Deny`. This means storage accounts that deny all traffic by default are blocked, which effectively requires that storage accounts allow traffic by default (i.e., `defaultAction` must not be `Deny`). Actually, the policy denies a storage account if its defaultAction equals Deny.

So it prevents storage accounts from having a deny default action. Option A is opposite. Option B is about encryption, not network.

Option C is about firewall rules, not the default action.

452
Multi-Selectmedium

Which TWO actions should you take to secure managed database backups in Azure SQL Managed Instance?

Select 2 answers
A.Configure geo-redundant backup storage (RA-GRS)
B.Enable Transparent Data Encryption (TDE)
C.Configure auditing for the managed instance
D.Enable soft delete for managed instance backups
E.Set a long-term retention policy for backups
AnswersA, D

Replicates backups to a paired region for disaster recovery.

Why this answer

Option B (geo-redundant storage) ensures backups are replicated to another region for disaster recovery. Option D (soft delete) protects backups from accidental or malicious deletion. Option A is incorrect because TDE encrypts data at rest, but backups are automatically encrypted if TDE is enabled.

Option C is incorrect because retention policies do not provide cross-region redundancy. Option E is incorrect because auditing does not protect backups directly.

453
MCQeasy

A company is deploying Microsoft Sentinel for the first time. The security team wants to ensure that all Azure activity logs, including data plane operations from Azure Storage, are ingested into Sentinel. Which data connector should they enable?

A.Azure Active Directory (now Microsoft Entra ID) data connector
B.Azure Key Vault data connector
C.Azure Activity log data connector
D.Azure Storage Account data connector
AnswerD

Correct: ingests data plane logs.

Why this answer

Option B is correct because Azure Activity log includes control plane operations; for data plane operations (e.g., blob reads), you need the Azure Storage Account data connector. Option A (Azure Activity) only covers control plane. Option C (Azure AD logs) is for identity.

Option D (Azure Key Vault) is specific to Key Vault.

454
MCQmedium

Your organization has deployed Azure Firewall in a hub-and-spoke network topology. You have configured forced tunneling so that all internet-bound traffic from the spoke virtual networks is routed through the Azure Firewall. Recently, a critical application in a spoke virtual network is experiencing intermittent connectivity failures to an external partner service. The partner service requires that traffic originate from a specific public IP address. You have configured Azure Firewall with a public IP address and have set up DNAT rules to allow inbound traffic. However, the outbound traffic from the application is still using the spoke's default outbound access via SNAT. You need to ensure that all outbound traffic from the application uses the Azure Firewall's public IP address. What should you do?

A.Disable SNAT on the Azure Firewall for the application's public IP range.
B.Add a user-defined route (UDR) on the application's subnet with 0.0.0.0/0 next hop to Azure Firewall.
C.Modify the Azure Firewall policy to enable forced tunneling.
D.Configure Azure Firewall as a next hop for the virtual network gateway in the hub.
AnswerB

This ensures all internet-bound traffic from the application subnet is routed through Azure Firewall, using its public IP.

Why this answer

Forced tunneling ensures that all internet-bound traffic is routed through the firewall. Option A is correct because a user-defined route (UDR) on the application's subnet with 0.0.0.0/0 next hop to Azure Firewall enforces that traffic goes through the firewall, thus using its public IP. Option B configures Azure Firewall as a next hop for the spoke gateway, which is not needed.

Option C is not directly related to routing. Option D incorrectly suggests disabling SNAT, which would cause traffic to use the spoke's original IP, not the firewall's.

455
MCQhard

A company uses Microsoft Defender for Cloud to manage the security posture of multiple Azure subscriptions. The security team wants to ensure that all subscriptions are covered by the same Microsoft Defender for Cloud policy initiative, but one subscription is not showing compliance data. The subscription is in the same Azure AD tenant and has the same tags. What is the most likely cause?

A.The user does not have Security Admin permissions on the subscription.
B.The subscription does not have any tags applied.
C.The subscription does not have the default policy initiative assigned.
D.The subscription is not registered with the Microsoft.Security resource provider.
AnswerD

Registration is required for Defender for Cloud to assess the subscription.

Why this answer

Option C is correct because a subscription must be registered with the Microsoft Defender for Cloud resource provider (Microsoft.Security) to be assessed. Option A is wrong because user permissions do not affect compliance data generation. Option B is wrong because tags are not required for compliance scanning.

Option D is wrong because the default policy initiative applies automatically; there is no need to assign it manually.

456
MCQhard

A company has a hub-spoke network topology. The hub virtual network contains an Azure Firewall and an ExpressRoute gateway for on-premises connectivity. The spoke virtual network hosts a critical application. They need to ensure that all outbound traffic from the spoke to the internet and to on-premises networks is routed through the Azure Firewall. They configure a user-defined route (UDR) on the spoke subnet with address prefix 0.0.0.0/0 and next hop as the Azure Firewall's private IP. They also disable 'Virtual network gateway route propagation' on the spoke subnet. However, traffic to on-premises still bypasses the firewall and goes through the ExpressRoute gateway. What is the most likely cause?

A.The Azure Firewall is not in the same region as the spoke.
B.The ExpressRoute gateway's BGP routes are still overriding the UDR because gateway propagation is not fully disabled.
C.The spoke subnet does not have a route for the on-premises prefix pointing to the firewall.
D.The route table is not associated with the spoke subnet.
AnswerC

The 0.0.0.0/0 UDR only applies to traffic with no more specific match. On-premises traffic has a specific address prefix. To route it through the firewall, you must add a UDR with that specific prefix and the next hop as the firewall.

Why this answer

The user-defined route (UDR) with 0.0.0.0/0 only covers traffic destined for the internet. Traffic to on-premises networks has a more specific destination prefix (e.g., 10.0.0.0/8). Without an explicit route for that on-premises prefix pointing to the Azure Firewall, the system uses the more specific route learned via ExpressRoute BGP, which directs traffic to the ExpressRoute gateway instead of the firewall.

Disabling 'Virtual network gateway route propagation' prevents BGP routes from being added to the route table, but it does not remove existing learned routes; however, the core issue is the lack of a specific UDR for the on-premises prefix.

Exam trap

The trap here is that candidates assume the 0.0.0.0/0 route covers all traffic, but Azure's routing logic uses the most specific prefix match, so on-premises traffic with a specific prefix will match a BGP-learned route instead of the default UDR.

How to eliminate wrong answers

Option A is wrong because Azure Firewall can be in a different region from the spoke; routing is based on the next hop IP, not region proximity. Option B is wrong because disabling 'Virtual network gateway route propagation' on the spoke subnet prevents BGP routes from being added to the route table; if propagation is disabled, BGP routes do not override the UDR. Option D is wrong because the scenario states they configured a UDR on the spoke subnet, implying the route table is associated; if it were not associated, the UDR would have no effect, but the question indicates the UDR is configured, so association is assumed.

457
Multi-Selecthard

Which THREE Microsoft Defender for Cloud features require Microsoft Defender for Servers Plan 2? (Choose three.)

Select 3 answers
A.File Integrity Monitoring (FIM)
B.Just-In-Time VM access
C.Adaptive application controls
D.Adaptive network hardening
E.Integrated vulnerability assessment (Qualys)
AnswersA, C, D

FIM is a Plan 2 feature.

Why this answer

Plan 2 includes adaptive application controls, file integrity monitoring, and adaptive network hardening. Option A (JIT VM access) is available in Plan 1. Option B (adaptive application controls) requires Plan 2.

Option C (file integrity monitoring) requires Plan 2. Option D (adaptive network hardening) requires Plan 2. Option E (vulnerability assessment) is available in Plan 1.

458
MCQmedium

Your company uses Microsoft Defender for Cloud's Security Posture Management (CSPM) features. You need to identify resources that are not compliant with the organization's security baseline. What should you do?

A.View the secure score
B.Review the security recommendations
C.Use the regulatory compliance dashboard
D.Use the inventory blade
AnswerC

Shows compliance status against standards and baselines.

Why this answer

Option C is correct because the regulatory compliance dashboard shows compliance status against various standards, including custom baselines. Option A is wrong because secure score is an aggregate score, not a detailed compliance view. Option B is wrong because recommendations are individual findings, not a compliance overview.

Option D is wrong because inventory shows resources, not compliance.

459
MCQmedium

A company is designing a hub-spoke network topology with Azure Firewall in the hub virtual network. Spoke virtual networks are peered to the hub. They want to ensure that all outbound internet traffic from virtual machines in a spoke subnet goes through the Azure Firewall. They have configured a route table on the spoke subnet with a default route (0.0.0.0/0) pointing to the Azure Firewall's private IP address as the next hop. However, traffic is still bypassing the firewall. What is the most likely cause?

A.The Azure Firewall is in a different region than the spoke VNet.
B.The route table is not associated to the spoke subnet.
C.The Azure Firewall does not have the correct network and application rules configured.
D.The spoke VNet has the 'Use remote virtual network gateways' setting disabled.
AnswerB

A route table must be explicitly associated to a subnet for its routes to be effective. Without association, the default system routes are used, and traffic bypasses the firewall.

Why this answer

The most likely cause is that the route table with the default route (0.0.0.0/0) pointing to the Azure Firewall's private IP has not been associated to the spoke subnet. Without this association, the route table is not applied to the subnet's traffic, so the default system route (which directs internet traffic directly to the internet) remains in effect, bypassing the firewall. Associating the route table to the subnet is a required step for user-defined routes (UDRs) to influence traffic flow.

Exam trap

The trap here is that candidates often assume creating a route table and adding a default route is sufficient, overlooking the critical step of associating the route table to the subnet, which is a distinct configuration action in the Azure portal or CLI.

How to eliminate wrong answers

Option A is wrong because Azure Firewall can be in a different region than the spoke VNet and still function correctly; cross-region peering supports traffic routing through the firewall as long as the route table is properly associated. Option C is wrong because network and application rules on the firewall control which traffic is allowed or denied, but they do not affect whether traffic is routed to the firewall in the first place; the routing issue occurs before the firewall inspects packets. Option D is wrong because the 'Use remote virtual network gateways' setting is relevant only for VPN/ExpressRoute gateway transit scenarios, not for routing traffic to an Azure Firewall via a UDR.

460
MCQmedium

A company uses Azure Firewall to filter outbound traffic. They want to ensure that all DNS queries from virtual machines in a spoke VNet are routed through the Azure Firewall for logging and inspection. They have already configured the firewall to use a custom DNS server. Which additional Azure Firewall feature must be enabled to ensure that the VMs use the firewall as a DNS proxy?

A.Enable DNS proxy on the firewall policy
B.Configure a DNS forwarding rule
C.Enable Threat Intelligence DNS logging
D.Create a NAT rule for DNS traffic
AnswerA

Correct. DNS proxy enables the firewall to act as a DNS proxy, accepting DNS queries from VMs and forwarding them to the configured DNS server.

Why this answer

Option A is correct because enabling DNS proxy on the Azure Firewall policy allows the firewall to act as a DNS proxy for the virtual machines in the spoke VNet. When DNS proxy is enabled, the firewall listens on port 53 and forwards DNS queries from the VMs to the configured custom DNS server, ensuring all DNS traffic is logged and inspected. This is required even after setting a custom DNS server on the firewall, as the VMs must be configured to use the firewall's private IP address as their DNS server, and the proxy handles the forwarding.

Exam trap

The trap here is that candidates often confuse enabling DNS proxy with simply configuring a custom DNS server on the firewall, or they think that a NAT rule or forwarding rule alone will route DNS traffic through the firewall, but without the DNS proxy feature, the firewall does not listen on port 53 and cannot intercept DNS queries from VMs.

How to eliminate wrong answers

Option B is wrong because configuring a DNS forwarding rule is used to forward specific DNS queries to different DNS servers based on domain names, but it does not enable the firewall to act as a DNS proxy for all VM DNS traffic; the VMs still need to point to the firewall's IP, and the proxy feature must be enabled. Option C is wrong because enabling Threat Intelligence DNS logging only logs DNS queries that match threat intelligence indicators, but it does not route or proxy DNS traffic through the firewall; it is a logging feature, not a routing mechanism. Option D is wrong because creating a NAT rule for DNS traffic would translate the destination IP of DNS queries, but it does not make the firewall a DNS proxy; the VMs would still need to send DNS queries directly to the firewall's IP, and without DNS proxy, the firewall does not listen on port 53 for DNS queries.

461
MCQhard

A Sentinel analyst needs to preserve investigation notes, related entities, and ownership while escalating a case to another analyst. Which object should be updated?

A.A watchlist item
B.A workbook parameter
C.A data connector
D.The Sentinel incident
AnswerD

Correct for the stated requirement.

Why this answer

The Sentinel incident object is the correct entity to update because it serves as the central container for investigation notes, related entities, and ownership assignments during case escalation. Updating the incident preserves the full investigation context—including comments, tags, and assigned owner—ensuring seamless handoff between analysts without data loss.

Exam trap

The trap here is that candidates confuse operational artifacts (watchlists, workbooks, connectors) with the incident object that actually holds case-specific metadata, leading them to select a static or non-persistent option instead of the dynamic incident record.

How to eliminate wrong answers

Option A is wrong because a watchlist item is a static collection of data (e.g., IP addresses or hashes) used for correlation and alerting, not for storing investigation notes or ownership metadata. Option B is wrong because a workbook parameter is a configurable input for visualizations and queries, not a persistent object that tracks case ownership or notes. Option C is wrong because a data connector defines the source and ingestion pipeline for log data; it has no role in storing investigation artifacts or managing case ownership.

462
MCQhard

You are a security analyst at Fabrikam Inc. You have deployed Microsoft Sentinel and connected it to Microsoft 365 Defender (formerly Microsoft Threat Protection). You have also enabled UEBA and set up analytics rules for detecting suspicious sign-ins. Recently, you noticed that some high-severity incidents from Microsoft 365 Defender are not appearing in Microsoft Sentinel. You have verified that the Microsoft 365 Defender connector is enabled and that incidents are being sent to the workspace. However, the incidents are not being created as Sentinel incidents. What is the most likely reason?

A.The analytics rule for sign-in detection is conflicting with the Microsoft 365 Defender connector.
B.The 'Microsoft 365 Defender' incident creation rule in Microsoft Sentinel is disabled.
C.The Microsoft 365 Defender connector requires a premium license.
D.Microsoft Sentinel cannot create incidents from Microsoft 365 Defender incidents; only alerts can be ingested.
AnswerB

Sentinel uses a built-in rule to create incidents from M365 Defender incidents; if disabled, incidents won't appear.

Why this answer

By default, Microsoft Sentinel can create incidents from Microsoft 365 Defender incidents, but the incident creation rule must be enabled. Option A is correct. Option B is incorrect because the connector does not need to be premium.

Option C is incorrect because you can create incidents from M365 Defender incidents. Option D is incorrect because the analytics rule is for generating alerts, not for ingesting incidents.

463
MCQhard

Your organization uses Azure Files shares for user home directories. You need to enforce that users access these shares only from trusted locations (corporate IP ranges) and that all access is logged. Which combination of actions should you take?

A.Use a Private Endpoint for the storage account and configure a service endpoint on the virtual network.
B.Generate a shared access signature (SAS) token that is valid only from corporate IPs and attach it to the file share.
C.Configure a storage account firewall to allow only the corporate IP range, and enable diagnostic settings to send logs to a Log Analytics workspace.
D.Assign Azure AD DS to the storage account and enable Azure AD authentication for Azure Files, then configure conditional access policies.
AnswerC

Correctly restricts access by IP and enables logging.

Why this answer

Azure Files supports network security using service endpoints and firewalls to restrict access to specific IP ranges. Diagnostic settings can send logs to Log Analytics. Option A is correct.

Option B is incorrect because Private Endpoint does not filter by IP. Option C is incorrect because SAS tokens are for delegated access, not IP restriction. Option D is incorrect because Azure AD DS does not filter by source IP.

464
MCQeasy

You need to configure a continuous export of Microsoft Defender for Cloud alerts to a third-party SIEM. Which feature should you use?

A.Create an Azure Logic App to periodically query and send alerts.
B.Use the Defender for Cloud REST API to pull alerts.
C.Configure Azure Monitor agent on all VMs.
D.Use the continuous export feature in Defender for Cloud to stream alerts to an Event Hubs namespace.
AnswerD

Continuous export supports streaming to Event Hubs for SIEM integration.

Why this answer

Option C is correct because continuous export in Defender for Cloud can stream alerts to Event Hubs, which can be consumed by a SIEM. Option A is wrong because Azure Monitor agent is for collecting logs, not exporting alerts. Option B is wrong because Logic Apps can be used but are not the primary built-in method.

Option D is wrong because API integration requires custom development.

465
MCQhard

Your organization has multiple Azure subscriptions that need to connect to a shared on-premises data center via ExpressRoute. You plan to use Azure Virtual WAN with secured hubs. Each subscription contains VNets that must communicate with on-premises and with each other through the hub. You need to ensure that traffic between VNets in different subscriptions is routed through the Azure Firewall. What configuration is required?

A.Connect each VNet to the same Virtual WAN hub and enable inter-hub routing with Azure Firewall inspection.
B.Establish VNet peering between VNets in different subscriptions and use NSGs to filter traffic.
C.Create a site-to-site VPN between the VNets and force traffic through a VPN Gateway.
D.Use Azure Firewall Manager to deploy firewalls in each VNet and route traffic between VNets through them.
AnswerA

Virtual WAN hubs can route traffic through Azure Firewall for inspection.

Why this answer

Option B is correct because Virtual WAN inter-hub routing can inspect traffic if the hubs are secured with Azure Firewall, and routing policies can force traffic through the firewall. Option A is wrong because VNet peering bypasses the firewall. Option C is wrong because NSGs do not provide centralized inspection.

Option D is wrong because VPN Gateway is not needed for inter-subscription traffic.

466
MCQmedium

Your company uses Azure Firewall Premium. You need to inspect outbound traffic for malware using signature-based detection. Which feature should you enable?

A.Web categories
B.URL filtering
C.Threat intelligence-based filtering
D.Intrusion Detection and Prevention System (IDPS)
AnswerD

IDPS provides signature-based detection for malware and exploits.

Why this answer

Option D is correct because Azure Firewall Premium includes IDPS with signature-based detection for malware. Option A is wrong because threat intelligence filtering is for known malicious IPs/domains, not file-based malware. Option B is wrong because URL filtering is for categorizing URLs.

Option C is wrong because web categories are for content filtering.

467
MCQmedium

A company uses Azure AD Identity Protection. They want to automatically block sign-ins that are detected as having a high sign-in risk. They have created a Conditional Access policy and assigned it to all users. Which configuration should they add to the policy to trigger the block based on the sign-in risk?

A.Condition: Sign-in risk: High, Grant: Block access.
B.Condition: User risk: High, Grant: Block access.
C.Condition: Sign-in risk: High, Grant: Require multi-factor authentication.
D.Condition: User risk: High, Grant: Require multi-factor authentication.
AnswerA

Correct. This configuration blocks sign-ins that Identity Protection marks as high risk at the sign-in level.

Why this answer

Option A is correct because Azure AD Identity Protection assigns a risk level (Low, Medium, High) to each sign-in based on real-time signals. A Conditional Access policy can use the 'Sign-in risk' condition to evaluate this risk level and, when set to 'High', the 'Grant' control can be configured to 'Block access', which immediately prevents the sign-in from completing. This directly meets the requirement to automatically block high-risk sign-ins.

Exam trap

The trap here is confusing 'Sign-in risk' with 'User risk', as both are risk types in Identity Protection, but only sign-in risk applies to the current authentication attempt and can be used to block a specific sign-in in real time.

How to eliminate wrong answers

Option B is wrong because 'User risk: High' reflects the likelihood that a user's identity is compromised based on historical user-level events, not the risk of a specific sign-in session; blocking based on user risk would affect all sign-ins for that user, not just the high-risk sign-in. Option C is wrong because 'Grant: Require multi-factor authentication' does not block access; it only adds an additional authentication step, which still allows the sign-in to proceed if MFA is satisfied, failing the requirement to block. Option D is wrong because it combines the incorrect condition ('User risk: High') with an incorrect grant ('Require multi-factor authentication'), neither of which achieves automatic blocking based on sign-in risk.

468
MCQmedium

You are designing a privileged identity management strategy for Microsoft Entra ID. You need to ensure that eligible role assignments require approval from a designated group before activation. What configuration is required?

A.Configure the role as eligible and set activation duration
B.Configure a Conditional Access policy with approval control
C.In PIM, configure the role settings to require approval and specify an approver group
D.Create an access review for the role
AnswerC

This enables approval workflow for activation.

Why this answer

Option C is correct because Privileged Identity Management (PIM) in Microsoft Entra ID allows you to configure role settings to require approval for activation. By specifying an approver group, you ensure that eligible role assignments cannot be activated without explicit approval from designated members, enforcing a just-in-time (JIT) access control model.

Exam trap

The trap here is that candidates often confuse Conditional Access approval controls (used for session policies) with PIM role activation approval, which is a separate configuration within the role settings in Privileged Identity Management.

How to eliminate wrong answers

Option A is wrong because configuring the role as eligible and setting activation duration only defines the eligibility and time limit for activation, but does not enforce an approval workflow. Option B is wrong because Conditional Access policies with approval control are used for session or sign-in risk scenarios, not for PIM role activation approval. Option D is wrong because creating an access review for the role is a periodic review mechanism to confirm ongoing access, not a real-time approval gate for activation.

469
MCQmedium

A company uses Microsoft Defender for Cloud to monitor security alerts. They receive an alert about a compromised virtual machine and want to automatically execute a playbook that isolates the VM by modifying the network security group. Which Defender for Cloud feature should they use to create this automated response?

A.Workflow automation
B.Security policy
C.Alert suppression
D.Continuous export
AnswerA

Workflow automation triggers a playbook (Logic App) in response to an alert, automating the isolation.

Why this answer

Workflow automation in Microsoft Defender for Cloud allows you to define automated responses to security alerts by triggering Azure Logic Apps. In this scenario, you would create a Logic App that modifies the network security group (NSG) to isolate the compromised VM, and then configure a workflow automation rule to run that Logic App whenever the specific alert is triggered. This provides a no-code, event-driven remediation without manual intervention.

Exam trap

The trap here is that candidates often confuse 'Continuous export' (which sends data to external systems) with 'Workflow automation' (which executes a playbook), assuming any export can trigger a response, but Continuous export only streams data and does not invoke Logic Apps directly.

How to eliminate wrong answers

Option B (Security policy) is wrong because security policies define compliance and configuration requirements (e.g., enforcing encryption or vulnerability assessments), not automated response actions to alerts. Option C (Alert suppression) is wrong because it only hides or dismisses alerts based on rules (e.g., false positives), it does not execute any remediation or playbook. Option D (Continuous export) is wrong because it streams alert data to Event Hubs, Log Analytics, or Azure Monitor for external processing or archiving, but it does not directly trigger a playbook or modify NSGs.

470
MCQmedium

A company uses Azure SQL Database with Transparent Data Encryption (TDE) protected by a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault has a firewall enabled that denies all public network access. The SQL server is a Microsoft service. How can the SQL server be granted access to the key vault to perform TDE operations?

A.Create a private endpoint on the Key Vault for the SQL server
B.Disable the Key Vault firewall
C.Enable the 'Allow trusted Microsoft services to bypass the firewall' setting on the Key Vault
D.Assign the SQL server a system-assigned managed identity and grant it access to the key vault
AnswerC

This setting allows Azure SQL Database (as a trusted Microsoft service) to access the key vault for TDE operations without enabling public access.

Why this answer

Option C is correct because Azure Key Vault's firewall includes a setting to 'Allow trusted Microsoft services to bypass this firewall.' Azure SQL Database is a trusted Microsoft service, so enabling this setting allows the SQL server to authenticate to Key Vault using its system-assigned managed identity to retrieve the customer-managed key for TDE operations, without needing to disable the firewall or create a private endpoint.

Exam trap

The trap here is that candidates often think a private endpoint is required for PaaS services to access a firewalled Key Vault, but they overlook that Azure SQL Database is a trusted Microsoft service that can bypass the firewall with the appropriate setting, and that a private endpoint would require the SQL server to be network-integrated, which it is not by default.

How to eliminate wrong answers

Option A is wrong because creating a private endpoint on the Key Vault for the SQL server would require the SQL server to be in a virtual network, but Azure SQL Database is a platform-as-a-service (PaaS) resource that does not reside in a customer VNet by default; a private endpoint on Key Vault does not directly grant the SQL server network access. Option B is wrong because disabling the Key Vault firewall would expose the vault to all public network traffic, violating the security requirement to deny all public network access. Option D is wrong because while assigning a system-assigned managed identity and granting it access to the key vault is necessary for authentication and authorization, it does not solve the network connectivity issue caused by the Key Vault firewall blocking all public traffic; the managed identity alone cannot bypass the firewall without the 'Allow trusted Microsoft services' setting.

471
MCQmedium

A company uses Azure AD Conditional Access. They need to restrict access to a cloud application such that users with unmanaged devices can only view data but cannot download it. Which Conditional Access session control should they enable?

A.Sign-in frequency
B.Use Conditional Access App Control
C.Session persistence
D.Application consent policy
AnswerB

This session control leverages policy-based access controls from Microsoft Defender for Cloud Apps, enabling real-time session monitoring and restrictions such as blocking download or copy/paste operations.

Why this answer

Option B is correct because Conditional Access App Control (Microsoft Defender for Cloud Apps) provides session-level controls that can enforce restrictions like 'Block Download' based on device compliance. This allows administrators to apply policies that restrict data exfiltration from unmanaged devices while still permitting read-only access to the cloud application.

Exam trap

The trap here is confusing session controls (like sign-in frequency or persistence) with app-level data protection controls, leading candidates to pick a control that manages authentication behavior rather than data exfiltration.

How to eliminate wrong answers

Option A is wrong because Sign-in frequency controls how often a user must re-authenticate, not the ability to download data. Option C is wrong because Session persistence controls whether a browser session remains signed in after the browser is closed, not data download restrictions. Option D is wrong because Application consent policy governs which applications can request permissions to access organizational data, not session-level data handling restrictions.

472
MCQhard

A company uses Microsoft Entra ID and has a custom application that authenticates via OAuth 2.0 device authorization grant. The app recently started receiving 'access_denied' errors for some users. The errors occur only for users who have Conditional Access policies applied. What change should be made to fix the issue while maintaining security?

A.Require MFA for the application instead of device compliance
B.Disable Conditional Access for the affected users
C.Change the application to use authorization code grant flow
D.Configure the Conditional Access policy to exclude the custom application's service principal from requiring device compliance
AnswerD

Device authorization grant flow does not support device compliance, so exclusion resolves the error.

Why this answer

The correct answer is C: Configure the Conditional Access policy to exclude the custom application's service principal from requiring device compliance. The device authorization grant flow does not support device compliance, causing the error. Option A is wrong because MFA can work with device code flow.

Option B is wrong because disabling Conditional Access is not secure. Option D is wrong because the error is not due to authentication method.

473
MCQeasy

You are analyzing network traffic patterns. You have configured NSG flow logs with Traffic Analytics as shown in the exhibit. You need to identify which virtual machines are communicating with a specific malicious IP address. Which tool should you use to query the flow log data?

A.Azure Storage Explorer
B.Log Analytics workspace using KQL queries
C.Azure Monitor Metrics Explorer
D.Network Watcher Topology
AnswerB

Traffic Analytics sends flow logs to Log Analytics, which can be queried with KQL to find traffic to a specific IP.

Why this answer

Option B is correct because Traffic Analytics stores flow log data in a Log Analytics workspace, which can be queried using KQL (Kusto Query Language) to identify traffic to a specific IP. Option A is wrong because Azure Monitor Metrics does not contain flow log details. Option C is wrong because Azure Network Watcher's topology view is for visualizing network resources, not querying flow logs.

Option D is wrong because Azure Storage Explorer can view raw logs but is not optimized for querying.

474
MCQhard

You are a security architect for a large enterprise with 500 Azure subscriptions organized into a management group hierarchy. The company uses Microsoft Defender for Cloud to assess security posture. The CISO wants a single dashboard view of the secure score across all subscriptions, but with the ability to drill down into individual management groups. You need to recommend a solution that provides this capability with minimal administrative overhead. The company already has Log Analytics workspaces deployed per region. Which approach should you take?

A.Export the secure score to a Log Analytics workspace and create a custom workbook
B.Integrate Defender for Cloud with Microsoft Power BI and create a report
C.Use the Microsoft Defender for Cloud dashboard in the Azure portal, selecting the root management group to view aggregated score
D.Use the Microsoft Defender for Cloud REST API to retrieve the secure score and build a custom dashboard
AnswerC

The Defender for Cloud dashboard inherently shows secure score per management group, allowing drill-down.

Why this answer

Option B is correct because the secure score is aggregated at the management group level in the Defender for Cloud dashboard; you can view the score per management group and drill down. Option A is wrong because exporting to a Log Analytics workspace is for advanced analytics, not for a quick dashboard view. Option C is wrong because the export API is for programmatic access, not a dashboard.

Option D is wrong because Power BI integration requires additional setup and is not the simplest approach for a single dashboard.

475
MCQmedium

Your company deploys a web application in an Azure App Service that needs to securely connect to an Azure SQL Database. You want to avoid exposing the database to the public internet. What is the recommended approach?

A.Configure the SQL database firewall to allow only the App Service outbound IP
B.Use Azure Firewall to block outbound traffic to the database
C.Create an NSG on the database subnet to deny internet traffic
D.Use a private endpoint for the SQL database and VNet integration for the App Service
AnswerD

This keeps traffic within the Microsoft backbone and avoids public exposure.

Why this answer

Option D is correct because a private endpoint assigns a private IP to the database within the VNet, and the App Service can connect via VNet integration. Option A is wrong because NSGs on the database subnet do not prevent internet exposure if the database has a public endpoint. Option B is wrong because Azure Firewall can filter but the database still has a public endpoint.

Option C is wrong because the SQL firewall allows public IPs but is less secure.

476
MCQeasy

You are designing a network security strategy for a new application that will be hosted on Azure Virtual Machines. The application must be accessible from the internet on TCP port 443. You need to minimize the attack surface and ensure that only legitimate traffic reaches the virtual machines. Which Azure service should you deploy in front of the virtual machines?

A.Azure Front Door with WAF.
B.Azure Firewall.
C.Network Security Group (NSG) on the subnet.
D.Azure Application Gateway with Web Application Firewall (WAF).
AnswerD

Provides Layer 7 protection and WAF to filter malicious traffic.

Why this answer

Option A is correct: Azure Application Gateway with Web Application Firewall (WAF) provides Layer 7 load balancing and WAF capabilities to protect against web attacks. Option B is incorrect because Network Security Groups are not deployed in front of VMs as a service; they are applied at the subnet or NIC level. Option C is incorrect because Azure Firewall is a stateful firewall but lacks WAF capabilities for web-specific threats.

Option D is incorrect because Azure Front Door is a global load balancer, but for a single region, Application Gateway is more appropriate for minimizing attack surface with WAF.

477
MCQmedium

You are configuring a site-to-site VPN connection between your on-premises network and Azure. You need to ensure that traffic between the networks is encrypted and authenticated. Which Azure service should you use?

A.Azure Virtual WAN
B.Azure ExpressRoute
C.Azure Firewall
D.Azure VPN Gateway
AnswerD

VPN Gateway provides encrypted IPsec tunnels for site-to-site connectivity.

Why this answer

Option B is correct because Azure VPN Gateway provides encrypted and authenticated site-to-site VPN connections using IPsec. Option A is wrong because Azure ExpressRoute provides private connectivity but does not encrypt traffic by default. Option C is wrong because Azure Firewall is a network firewall, not a VPN gateway.

Option D is wrong because Azure Virtual WAN can include VPN capabilities but is a broader service.

478
MCQeasy

You need to ensure that an Azure Key Vault is accessible only from a specific virtual network and that all operations are logged. What should you configure?

A.Key Vault firewall and virtual network service endpoints, and diagnostic settings
B.Azure RBAC roles and diagnostic settings
C.Soft-delete and purge protection, and diagnostic settings
D.Azure Policy and diagnostic settings
AnswerA

Firewall and service endpoints restrict network access; diagnostic settings log operations.

Why this answer

Key Vault firewall and virtual network service endpoints restrict network access. Diagnostic settings enable logging. Option A is correct.

Option B is wrong because RBAC controls permissions, not network access. Option C is wrong because soft-delete is for recovery. Option D is wrong because Azure Policy can enforce settings but does not restrict network access to the vault.

479
MCQeasy

You need to provide secure remote access to Azure virtual machines for administrators without exposing them to the public internet. The solution must use a single entry point and support Azure Active Directory (now Microsoft Entra ID) authentication. Which Azure service should you use?

A.Azure Bastion.
B.Just-in-time (JIT) VM access with Microsoft Defender for Cloud.
C.Azure Front Door with private endpoints.
D.Azure VPN Gateway with point-to-site VPN.
AnswerA

Azure Bastion is a fully managed service that provides secure and seamless RDP/SSH access to VMs via the portal, using Entra ID authentication.

Why this answer

Option A is correct because Azure Bastion provides secure RDP/SSH access to VMs directly from the Azure portal, without public IPs, and supports Entra ID authentication. The other options either expose VMs or don't provide a single entry point.

480
MCQhard

Your company has Microsoft Sentinel deployed in multiple workspaces across several Azure regions. The security operations team wants to query data from all workspaces centrally using a single KQL query. What feature should you implement?

A.Configure Log Analytics workspaces as linked to a central workspace.
B.Use cross-workspace queries with the workspace() expression in KQL.
C.Export all data to Azure Data Explorer and query there.
D.Use the Microsoft Sentinel SIEM connector to aggregate data.
AnswerB

The workspace() function allows querying multiple workspaces in a single KQL query.

Why this answer

Option B is correct because cross-workspace queries in Sentinel allow running a single KQL query across multiple workspaces. Option A is wrong because Log Analytics workspaces are the data stores, not a query method across workspaces. Option C is wrong because Azure Data Explorer is not integrated natively for this purpose.

Option D is wrong because the SIEM connector is for data ingestion, not for cross-workspace querying.

481
MCQeasy

You are a security engineer for a company that uses Microsoft Entra ID. You need to ensure that all users accessing the company's Salesforce application from unmanaged devices are prompted for multi-factor authentication (MFA) every time. What should you configure?

A.Enable per-user MFA for all users in the Salesforce application.
B.Create a Conditional Access policy that targets the Salesforce application, apply to all users, include 'All device platforms' with 'Device state' filter for 'Unmanaged', and grant access requiring MFA with session control 'Sign-in frequency - Every time'.
C.Configure device compliance policy to require MFA on non-compliant devices.
D.Configure MFA registration policy to require all users to register MFA.
AnswerB

This enforces MFA on every sign-in for unmanaged devices.

Why this answer

Option B is correct because a Conditional Access policy with a 'Device state' filter for 'Unmanaged' and 'Sign-in frequency - Every time' session control forces MFA prompts on every access attempt from unmanaged devices. This meets the requirement to prompt MFA every time for users accessing Salesforce from unmanaged devices, without affecting managed devices or requiring per-user MFA.

Exam trap

The trap here is that candidates often confuse per-user MFA (Option A) with Conditional Access MFA, not realizing that per-user MFA cannot target specific applications or device states, and that 'Sign-in frequency' is a session control, not a grant control.

How to eliminate wrong answers

Option A is wrong because per-user MFA applies MFA to all sign-ins for the user, regardless of device state or application, and does not provide the granularity to target only unmanaged devices or enforce 'every time' frequency. Option C is wrong because device compliance policies evaluate device health (e.g., encryption, OS version) but do not directly trigger MFA prompts; they can block or grant access but cannot enforce 'Sign-in frequency - Every time' as a session control. Option D is wrong because the MFA registration policy only ensures users have registered MFA methods; it does not enforce MFA prompts during sign-in, nor does it target specific applications or device states.

482
MCQhard

You are deploying a three-tier application on Azure VMs. The web tier must be accessible from the internet, but the application and database tiers must only accept traffic from the web tier. You need to implement network segmentation using Azure networking components. What is the most secure and manageable solution?

A.Use a single subnet and configure NSGs on VM NICs to restrict traffic.
B.Use VNet peering to connect separate VNets for each tier and use NSGs.
C.Use a single VNet with one subnet and use Azure Firewall to filter traffic between tiers.
D.Use separate subnets for each tier in the same VNet and configure NSGs to allow traffic only from the previous tier.
AnswerD

Separate subnets provide isolation; NSGs enforce least-privilege network access.

Why this answer

Option B is correct because placing each tier in separate subnets with NSGs restricting traffic to the previous tier provides network segmentation and is manageable. Option A is wrong because VNet peering connects separate VNets but doesn't provide fine-grained control within a single VNet. Option C is wrong because a single subnet with NSGs is less secure due to lack of isolation.

Option D is wrong because Azure Firewall is more expensive and complex than NSGs for this scenario.

483
MCQhard

A company uses Azure SQL Database to store personally identifiable information (PII). They need to encrypt specific columns containing social security numbers so that even database administrators with the 'db_owner' role cannot view the plaintext. The application must be able to perform equality searches on the encrypted columns. Which encryption technology should they implement?

A.Transparent Data Encryption (TDE)
B.Always Encrypted with deterministic encryption
C.Dynamic Data Masking
D.Row-Level Security
AnswerB

Always Encrypted encrypts data in the client driver, so the database cannot see plaintext. Deterministic encryption enables equality matching without revealing data.

Why this answer

Always Encrypted with deterministic encryption is the correct choice because it encrypts specific columns at the client-side, ensuring that even database administrators with db_owner cannot view plaintext data. Deterministic encryption generates the same ciphertext for a given plaintext value, enabling equality searches (e.g., WHERE SSN = '123-45-6789') directly on the encrypted column without decrypting the data on the server.

Exam trap

The trap here is that candidates often confuse encryption at rest (TDE) with client-side column encryption, mistakenly believing TDE protects against privileged users, but TDE only protects against physical theft of the database files, not against authorized database access.

How to eliminate wrong answers

Option A is wrong because Transparent Data Encryption (TDE) encrypts the entire database at rest (pages written to disk) but does not protect data from users or DBAs who have access to the database; plaintext is visible to anyone with query permissions. Option C is wrong because Dynamic Data Masking obfuscates data in query results for non-privileged users but does not encrypt the underlying data; DBAs with db_owner can still view the unmasked values by altering the masking rule or querying directly. Option D is wrong because Row-Level Security restricts access to rows based on a predicate function but does not encrypt column values; DBAs with db_owner can bypass or modify the security policy to see all data.

484
MCQeasy

You have an Azure virtual network (VNet1) with two subnets: SubnetA and SubnetB. SubnetA hosts web servers that must be accessible from the internet. SubnetB hosts application servers that should only be accessible from SubnetA. You need to configure network security groups (NSGs) to enforce this traffic flow. The solution must allow HTTP and HTTPS traffic from the internet to SubnetA, and allow only traffic from SubnetA to SubnetB. All other inbound traffic should be denied. What is the most efficient way to configure the NSGs?

A.Apply an NSG to SubnetA with inbound rules allowing HTTP/HTTPS from Internet, and apply a separate NSG to SubnetB with inbound rules allowing only traffic from SubnetA.
B.Apply one NSG to both subnets with rules allowing HTTP/HTTPS from internet, and allow traffic from SubnetA to SubnetB.
C.Use application security groups (ASGs) on the web servers and application servers, and configure NSG rules referencing the ASGs.
D.Deploy Azure Firewall in the virtual network and configure application rules to allow HTTP/HTTPS to SubnetA and traffic to SubnetB.
AnswerA

Separate NSGs provide clear isolation and are efficient.

Why this answer

Option B is correct. Apply an NSG to SubnetA with rules allowing HTTP/HTTPS from internet and deny all other inbound. Apply an NSG to SubnetB with a rule allowing traffic from SubnetA and deny all other inbound.

This is efficient and meets requirements. Option A is inefficient because rules on SubnetB would still allow traffic from internet if not denied. Option C is incorrect because ASGs alone don't filter traffic.

Option D is incorrect because Azure Firewall is overkill.

485
Multi-Selectmedium

Your organization is planning to use Azure Container Instances (ACI) and Azure Kubernetes Service (AKS) for running containerized workloads. The security policy mandates that container images be scanned for vulnerabilities, secrets never be stored in image layers, and network traffic between containers be encrypted. Which three of the following should you implement? (Choose three.)

Select 3 answers
.Integrate Azure Container Registry (ACR) with Microsoft Defender for Containers to scan images on push.
.Use Azure Key Vault with the AKS Secrets Store CSI Driver to mount secrets as volumes or environment variables.
.Enable Azure Policy for AKS to enforce that containers run with privileged access.
.Configure a service mesh (e.g., Azure Service Mesh or Istio) on AKS to enable mutual TLS (mTLS) between pods.
.Store all secrets as Kubernetes Secrets and reference them in the container image definition.
.Deploy ACI containers with a public IP address and rely on network security groups for encryption.

Why this answer

Integrating ACR with Microsoft Defender for Containers enables vulnerability scanning of container images at rest and on push, ensuring images are free from known vulnerabilities before deployment. This directly addresses the mandate to scan images for vulnerabilities.

Exam trap

The trap here is that candidates might think NSGs or Kubernetes Secrets provide encryption or secure secret storage, but NSGs only filter traffic (no encryption) and Kubernetes Secrets are not encrypted by default, so they fail the mandates for encrypted traffic and secret-free image layers.

486
MCQeasy

You are a security administrator for a financial institution. You need to implement a solution that allows users to authenticate using biometrics and prevents password-based attacks. Which Microsoft Entra ID feature should you enable?

A.Microsoft Entra ID Protection
B.Passwordless authentication (FIDO2 or Windows Hello for Business)
C.Password hash synchronization
D.Azure Multi-Factor Authentication
AnswerB

Passwordless methods eliminate passwords entirely and support biometric authentication.

Why this answer

Option A is correct because Passwordless authentication methods like FIDO2 security keys or Windows Hello for Business eliminate passwords and support biometrics. Option B is wrong because password hash sync still uses passwords. Option C is wrong because MFA requires something you know (password) and something you have, but still uses passwords.

Option D is wrong because Identity Protection detects risks but does not eliminate passwords.

487
MCQmedium

Your company has a policy to disable TLS versions older than 1.2 for Azure Storage accounts. You configure the minimum TLS version setting to 1.2. After a week, an audit reveals that some clients are still connecting with TLS 1.0. What is the most likely reason?

A.Clients are accessing the storage account through a private endpoint with IP rules.
B.The storage account is configured to allow TLS 1.0 by default.
C.The setting does not apply to Azure Files.
D.Some clients have established persistent connections before the change.
AnswerD

Persistent connections may retain the TLS version negotiated at connection time.

Why this answer

The minimum TLS version setting may not be enforced immediately for existing connections; clients with persistent connections may continue using older TLS. Option A is wrong because the setting applies to all storage services. Option B is wrong because the setting is not related to IP rules.

Option D is wrong because TLS 1.0 is not required by default.

488
MCQmedium

You have an Azure subscription with multiple virtual networks. You need to centrally manage and enforce security policies for all outbound traffic from virtual machines to the internet. The solution must be able to inspect traffic and log all connections. What should you deploy?

A.Azure Firewall in a hub virtual network.
B.Network security groups (NSGs) on all subnets.
C.Azure Application Gateway with WAF.
D.Azure VPN Gateway with forced tunneling.
AnswerA

Azure Firewall is a managed, cloud-based firewall service that provides outbound traffic inspection and logging.

Why this answer

Option B is correct because Azure Firewall provides centralized outbound traffic management, inspection, and logging. NSGs don't inspect traffic, and Application Gateway is for inbound web traffic. VPN gateway is for site-to-site connectivity.

489
MCQmedium

A security analyst uses Microsoft Defender for Cloud. They need to automatically apply a specific remediation action (e.g., enable audit logging) to a set of Azure SQL servers that are found to be non-compliant with a security policy. Which Defender for Cloud feature should they use?

A.Workflow automation
B.Continuous export
C.Alert suppression rules
D.Regulatory compliance dashboard
AnswerA

Correct. Workflow automation can automatically trigger a Logic App in response to a security recommendation being generated, enabling automated remediation.

Why this answer

Workflow automation in Microsoft Defender for Cloud allows you to trigger Logic Apps based on security alerts or policy compliance changes. By configuring a workflow automation rule that triggers on the 'Non-compliant resource' condition for the specific Azure SQL servers, you can automatically invoke a remediation action, such as enabling audit logging, without manual intervention.

Exam trap

The trap here is that candidates often confuse 'Continuous export' with automation, thinking exporting data to a Log Analytics workspace can trigger remediation, but it only provides raw data for downstream processing, not direct action.

How to eliminate wrong answers

Option B (Continuous export) is wrong because it streams security alerts and recommendations to Log Analytics or Event Hubs for external analysis, but it does not execute any remediation actions. Option C (Alert suppression rules) is wrong because they are designed to suppress low-fidelity or noisy alerts from appearing in the portal, not to trigger automated remediation. Option D (Regulatory compliance dashboard) is wrong because it provides a visual overview of compliance posture against standards (e.g., SOC 2, PCI DSS) but has no capability to automatically apply remediation actions to non-compliant resources.

490
MCQhard

You are implementing a B2B collaboration solution in Microsoft Entra ID. You need to ensure that external users from a partner tenant can access your internal applications, but they must use MFA from their home tenant. The partner tenant does not support MFA. What should you do?

A.Configure a Conditional Access policy targeting external users that requires MFA
B.Configure cross-tenant access settings to trust MFA from the partner tenant
C.Use Microsoft Entra ID Governance to enforce MFA
D.Disable MFA for external users
AnswerA

You can enforce MFA directly for external users if their home tenant does not support MFA.

Why this answer

Option A is correct because you can configure a Conditional Access policy that targets external users (guest users) and requires MFA. Since the partner tenant does not support MFA, you cannot rely on cross-tenant trust; instead, you enforce MFA directly in your tenant using Microsoft Entra ID's own MFA capabilities. This ensures external users must complete MFA using your tenant's authentication methods, even if their home tenant lacks MFA support.

Exam trap

The trap here is that candidates often assume cross-tenant trust (Option B) is the only way to handle MFA for external users, but when the partner tenant lacks MFA, you must enforce MFA directly in your own tenant using Conditional Access.

How to eliminate wrong answers

Option B is wrong because cross-tenant trust for MFA requires the partner tenant to support and enforce MFA; since the partner tenant does not support MFA, trusting their MFA claims is impossible. Option C is wrong because Microsoft Entra ID Governance focuses on identity lifecycle, access reviews, and entitlement management, not on enforcing MFA for external users in a Conditional Access context. Option D is wrong because disabling MFA for external users would weaken security and violate the requirement that external users must use MFA.

491
MCQmedium

Your organization uses Microsoft Defender for Cloud to secure Azure resources. You need to ensure that all Azure SQL databases have Advanced Data Security enabled. What should you do?

A.Enable Advanced Data Security on each database manually
B.Use the Azure Security Center dashboard to enable it for all databases
C.Configure the Azure SQL Firewall to allow only secure connections
D.Create an Azure Policy to enforce Advanced Data Security
AnswerD

Azure Policy can audit or enforce the setting across all databases.

Why this answer

Option C is correct because you can create an Azure Policy to audit or enforce the setting. Option A is wrong because enabling on each database individually is not scalable. Option B is wrong because Azure Security Center does not provide a global enablement switch for SQL databases.

Option D is wrong because Azure SQL Firewall rules are for network access, not security features.

492
MCQeasy

Your organization uses Microsoft Sentinel for security operations. You need to create a custom analytics rule that triggers an incident when a user executes a suspicious PowerShell command on a Windows server. The logs are stored in the 'DeviceEvents' table from Microsoft Defender for Endpoint (now part of Microsoft Defender XDR). The rule should run every 5 minutes. Which scheduling frequency and query period should you configure?

A.Run query every 10 minutes with a query period of 5 minutes
B.Run query every 5 minutes with a query period of 1 minute
C.Run query every 5 minutes with a query period of 5 minutes
D.Run query every 5 minutes with a query period of 10 minutes
AnswerC

The query period should match the frequency to avoid duplication.

Why this answer

For a rule that runs every 5 minutes, the query period should be set to 5 minutes to avoid duplication. Option B is correct. Option A would cause overlapping queries.

Option C and D are not suitable for a 5-minute frequency.

493
Drag & Dropmedium

Drag and drop the steps to configure Azure Disk Encryption for a Windows VM using Azure Key Vault into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Disk encryption requires Key Vault access and VM disk settings.

494
MCQeasy

A company has Azure virtual machines that need to download updates from specific external websites (e.g., *.microsoft.com and *.windowsupdate.com). The security team wants to centrally manage and allow outbound HTTPS traffic only to these FQDNs, while blocking all other outbound internet access. Which Azure networking service should they deploy to achieve this?

A.Azure Firewall
B.Azure Application Gateway
C.Azure Front Door
D.Azure VPN Gateway
AnswerA

Azure Firewall provides application rules that allow or deny outbound traffic based on FQDNs, making it the correct choice for this requirement.

Why this answer

Azure Firewall is a managed, cloud-native network security service that can centrally enforce outbound FQDN-based rules. It allows you to create application rules that permit HTTPS traffic to specific FQDNs (e.g., *.microsoft.com) while blocking all other outbound internet access, meeting the security team's requirement for granular, centralized control.

Exam trap

The trap here is that candidates often confuse Azure Firewall with Azure Application Gateway, mistakenly thinking the latter can filter outbound traffic, but Application Gateway is strictly an inbound reverse proxy and cannot enforce outbound FQDN rules.

How to eliminate wrong answers

Option B (Azure Application Gateway) is wrong because it is a Layer 7 load balancer designed for inbound HTTP/HTTPS traffic routing and Web Application Firewall (WAF) protection, not for centrally controlling outbound traffic to specific FQDNs. Option C (Azure Front Door) is wrong because it is a global load balancer and application delivery controller for inbound traffic, optimizing performance and providing WAF, but it does not manage outbound traffic from virtual networks. Option D (Azure VPN Gateway) is wrong because it establishes encrypted tunnels between on-premises networks and Azure, or between VNets, and does not provide FQDN-based filtering or internet traffic control.

495
MCQhard

A company has a hub-spoke network topology in Azure. They need to inspect and filter all traffic flowing between spoke virtual networks for malicious content and require that the inspection is stateful. Which Azure-native service should they deploy in the hub virtual network to meet this requirement?

A.Azure Firewall
B.Network Security Groups (NSG) on the peering connections
C.Azure Application Gateway with WAF
D.Azure DDoS Protection Standard
AnswerA

Azure Firewall provides stateful inspection and can filter traffic between spoke VNets when configured as a hub. It supports network and application rules, including threat intelligence-based filtering.

Why this answer

Azure Firewall is the correct choice because it is a fully stateful, managed firewall service that can inspect and filter traffic at Layers 3–7. In a hub-spoke topology, deploying Azure Firewall in the hub virtual network allows it to centrally inspect all traffic flowing between spoke virtual networks via forced tunneling (user-defined routes) or through the hub's network virtual appliance, meeting the requirement for stateful inspection of inter-spoke traffic.

Exam trap

The trap here is that candidates often confuse NSGs as stateful (they are stateless) or assume Azure Firewall is only for internet-bound traffic, missing that it can also inspect east-west traffic between spoke VNets via forced tunneling.

How to eliminate wrong answers

Option B is wrong because Network Security Groups (NSGs) are stateless (they do not track connection state) and cannot be applied directly to peering connections; they are applied to subnets or NICs and lack advanced inspection capabilities like intrusion detection. Option C is wrong because Azure Application Gateway with WAF is a Layer 7 load balancer focused on HTTP/HTTPS traffic and does not provide stateful inspection of all network traffic (e.g., non-web protocols) between spoke VNets. Option D is wrong because Azure DDoS Protection Standard is a mitigation service for volumetric DDoS attacks, not a stateful firewall for inspecting and filtering inter-spoke traffic.

496
MCQmedium

You need to secure outbound traffic from an Azure virtual network to the internet. All outbound traffic must be inspected by a firewall and logged. You also need to ensure that traffic to known malicious IP addresses is blocked. Which solution should you implement?

A.Use Network Security Groups (NSGs) with default outbound deny rules.
B.Deploy Azure Front Door with WAF policy.
C.Enable Azure DDoS Protection on the virtual network.
D.Configure Azure Firewall with threat intelligence-based filtering and route all outbound traffic through it.
AnswerD

Azure Firewall can inspect, log, and block malicious outbound traffic based on threat intelligence.

Why this answer

Option A is correct because Azure Firewall provides outbound traffic inspection, logging, and threat intelligence-based filtering to block known malicious IPs. Option B is wrong because NSGs do not have threat intelligence filtering and are not designed for centralized logging of all outbound traffic. Option C is wrong because Azure Front Door is for inbound HTTP/HTTPS traffic.

Option D is wrong because Azure DDoS Protection is for inbound volumetric attacks.

497
MCQhard

A company is implementing Privileged Identity Management (PIM) in Microsoft Entra ID for Azure resources. The security team wants to ensure that all privileged role activations require approval and are logged. They also want to require Azure MFA during activation. However, they notice that some users are able to activate roles without approval. What is the most likely cause?

A.Users have permanent eligible assignments that bypass approval
B.The audit log is not enabled for PIM
C.Users are assigned the role directly instead of through eligibility
D.The role settings for approval are not configured at the resource scope, and the users are using inherited settings from a management group
AnswerD

Role settings can be configured at different scopes (management group, subscription, resource group). If the approval requirement is not set at the specific scope, inherited settings may not require approval.

Why this answer

Option D is correct because PIM role settings for Azure resources can be configured at the management group, subscription, or resource group scope. If approval is required only at the subscription scope but users activate roles at a resource group scope that inherits from a management group where approval is not configured, the activation will proceed without approval. This is a common misconfiguration where the approval requirement is not applied at the correct scope.

Exam trap

The trap here is that candidates assume PIM role settings are applied globally or uniformly across all scopes, but Azure resource PIM settings are scoped and inherited, so a missing approval configuration at a higher scope (like a management group) can silently bypass approval requirements at lower scopes.

How to eliminate wrong answers

Option A is wrong because permanent eligible assignments still require activation and are subject to the role settings (including approval) configured for that role; there is no concept of 'bypassing approval' for eligible assignments. Option B is wrong because the audit log being disabled would prevent logging of activations, but it does not affect whether approval is required during activation. Option C is wrong because if users are assigned the role directly (permanent active assignment), they do not need to activate at all, so they would not see an activation approval prompt; however, the question states users are 'able to activate roles without approval,' implying they are using activation, which means they have eligible assignments, not direct assignments.

498
Multi-Selecthard

A company uses Azure Firewall Premium to inspect outbound traffic. They want to deploy a web application that must comply with the Payment Card Industry Data Security Standard (PCI DSS). Which TWO capabilities should be enabled to meet PCI DSS requirements for network security?

Select 2 answers
A.Intrusion Detection and Prevention System (IDPS)
B.TLS inspection
C.URL filtering
D.DNS proxy
E.Source Network Address Translation (SNAT)
AnswersA, B

PCI DSS requires a network intrusion detection/prevention system.

Why this answer

Options A and D are correct. TLS inspection allows the firewall to decrypt and inspect HTTPS traffic, which is often required for compliance. IDPS provides signature-based detection of threats, meeting the requirement for intrusion detection/prevention.

Option B is wrong because DNS proxy is not a PCI DSS requirement. Option C is wrong because URL filtering is about web categories, not specifically required by PCI DSS. Option E is wrong because SNAT is a function of NAT, not a compliance feature.

499
Matchingmedium

Match each Azure AD authentication method to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Syncs password hashes from on-prem to Azure AD

Validates passwords on-prem without storing hashes in cloud

Redirects authentication to on-prem identity provider

Requires second form of verification

Uses client certificates for authentication

Why these pairings

These are common authentication methods for hybrid identities.

500
MCQhard

A company uses Azure Key Vault to store secrets for their applications. They want to ensure that an application hosted on an Azure virtual machine can access secrets from only a specific Key Vault, and that all traffic between the VM and Key Vault remains within the Azure network and does not traverse the public internet. Which configuration should they implement?

A.Create a private endpoint for Key Vault in the same VNet as the VM and disable public network access on the Key Vault.
B.Enable the Key Vault firewall and add the VM's public IP address to the allowed list.
C.Use a service endpoint for Key Vault on the VM's subnet, and assign a managed identity to the VM.
D.Assign a system-assigned managed identity to the VM and grant it access to the Key Vault.
AnswerA

Private endpoints use private IPs from the VNet, keeping traffic off the internet. Disabling public access ensures only private endpoint traffic is accepted.

Why this answer

Option A is correct because it combines a private endpoint for Azure Key Vault with disabling public network access. A private endpoint assigns a private IP address from the VM's VNet to the Key Vault, ensuring all traffic stays within the Microsoft Azure backbone network and never traverses the public internet. Disabling public network access on the Key Vault firewall then blocks any attempts to access the vault via its public endpoint, enforcing that only traffic through the private endpoint is allowed.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, not realizing that service endpoints still use the public endpoint of the resource and do not provide true private IP-based isolation, while private endpoints assign a private IP and can fully disable public access.

How to eliminate wrong answers

Option B is wrong because adding the VM's public IP address to the Key Vault firewall allows traffic that still traverses the public internet; it does not keep traffic within the Azure network. Option C is wrong because a service endpoint for Key Vault on the VM's subnet only routes traffic to the Key Vault's public endpoint via the Azure backbone, but it does not prevent the Key Vault from being accessible over the public internet, and it does not use a private IP address; a managed identity alone does not enforce network isolation. Option D is wrong because assigning a system-assigned managed identity and granting it access to Key Vault only handles authentication and authorization; it does not address network-level isolation or prevent traffic from leaving the Azure network.

501
MCQmedium

A company uses Azure AD B2B collaboration to invite external partner users to collaborate on a project. The security team wants to ensure that when a partner user's account is disabled in their home Azure AD tenant, the user should immediately lose access to the company's resources, even if the user had a valid session token. Which configuration should they implement in cross-tenant access settings?

A.Configure cross-tenant access settings to trust the user's account status from the home tenant.
B.Configure external collaboration settings to restrict B2B users to specific apps.
C.Assign a conditional access policy that requires device compliance for B2B users.
D.Enable Azure AD Identity Protection for B2B users.
AnswerA

Enabling 'Trust user's account' in inbound settings makes Azure AD validate the account status with the home tenant every time the user signs in, ensuring disabled accounts are blocked immediately.

Why this answer

Option A is correct because configuring cross-tenant access settings to trust the user's account status from the home tenant enables Azure AD to evaluate the external user's account state (enabled/disabled) in their home tenant at each authentication. When the partner user's account is disabled in their home tenant, Azure AD will deny access even if a valid session token exists, because the token's validity is rechecked against the home tenant's account status via the cross-tenant trust policy.

Exam trap

The trap here is that candidates often confuse session token revocation with conditional access policies or app restrictions, failing to realize that only the cross-tenant trust setting directly ties the external user's access to their home tenant's account status, enabling immediate revocation without waiting for token expiry.

How to eliminate wrong answers

Option B is wrong because restricting B2B users to specific apps controls which applications they can access, not whether their account status is honored from the home tenant; it does not enforce immediate revocation when the account is disabled. Option C is wrong because a conditional access policy requiring device compliance checks the device state, not the user account status in the home tenant; it cannot detect or react to a disabled account in the external tenant. Option D is wrong because enabling Azure AD Identity Protection for B2B users provides risk-based conditional access (e.g., risky sign-ins), but it does not directly trust the home tenant's account disabled state; it relies on Microsoft's risk signals, not the partner tenant's directory status.

502
MCQhard

You are a security architect for Contoso, a global financial services company with 10,000 employees. Contoso uses Microsoft Entra ID (P2 licensed), Microsoft Intune, and Microsoft Defender for Cloud Apps. All corporate devices are enrolled in Intune and marked as compliant. The company is adopting Microsoft Copilot for Microsoft 365 to boost productivity. The security team requires that access to Copilot for Microsoft 365 be restricted to users who have completed the required training (confirmed by HR system). Additionally, any access to Copilot from unmanaged devices must be blocked. You need to design an access control solution that meets these requirements with minimal administrative overhead and without custom code. Which action should you take?

A.Create a dynamic group in Microsoft Entra ID based on the department attribute and assign the Copilot license to that group.
B.Create an access package in Microsoft Entra ID Governance that includes the Copilot for Microsoft 365 app, with a policy requiring a custom extension to verify training completion via the HR system, and configure Conditional Access to allow access only from compliant devices.
C.Use Microsoft Entra Identity Protection to create a risk policy that blocks access if the user's training is incomplete.
D.Configure Privileged Identity Management (PIM) for the Copilot for Microsoft 365 application, requiring approval for activation.
AnswerB

Access packages can manage user access with policies, and Conditional Access can enforce device compliance.

Why this answer

Option C is correct: Use Microsoft Entra ID Governance with Access Packages. This allows you to create an access package that requires a custom attribute (training completion) and automatically restricts access to managed devices via Conditional Access integration. Option A is wrong because PIM is for privileged roles, not user access to apps.

Option B is wrong because dynamic groups do not enforce device compliance; they are for group membership. Option D is wrong because Identity Protection does not handle HR-based attributes or device compliance in one policy.

503
MCQhard

Your organization uses Microsoft Defender for Cloud to manage security posture. You need to ensure that all Azure subscriptions have the 'MFA should be enabled on accounts with owner permissions' security control applied. The compliance dashboard shows this control as 'Unhealthy' for several subscriptions. What should you do to automatically remediate non-compliant subscriptions?

A.Enable 'Enforce MFA' in Azure AD Conditional Access policy for all users.
B.Run a remediation task from Defender for Cloud for the non-compliant subscriptions.
C.Create an Azure Policy initiative that enforces MFA for owner accounts and assign it to the subscriptions.
D.Configure a Microsoft Sentinel playbook triggered by a compliance alert to add MFA.
AnswerC

Correct: policy enforces compliance automatically.

Why this answer

Option C is correct because you can create an Azure Policy initiative with a 'DeployIfNotExists' effect that enforces MFA on owner accounts. Option A (turn on 'Enforce MFA' in conditional access) applies to all users but not subscriptions automatically. Option B (remediation task) only fixes existing non-compliance but does not prevent future drift; however, it is part of the solution.

Option D (Sentinel playbook) is custom and not automatic. The best approach is to use Azure Policy to enforce.

504
MCQmedium

You are an Azure security engineer. Your team has assigned the Azure Policy shown in the exhibit. A developer creates a new virtual network with a subnet that does not have a Network Security Group (NSG) associated. What will happen when the policy is evaluated?

A.A default NSG is automatically associated with the subnet.
B.The virtual network creation fails because a subnet lacks an NSG.
C.The virtual network is created, but the subnet is denied.
D.The virtual network is created, and a non-compliant alert is generated.
AnswerB

The deny effect prevents the deployment of the virtual network.

Why this answer

Option C is correct because the policy denies the creation of a virtual network if any subnet does not have an NSG associated. The existenceCondition checks that for each subnet, an NSG exists; if false, the deny effect is triggered, and the virtual network creation fails. Option A is wrong because the policy does not audit; it denies.

Option B is wrong because the policy denies the entire virtual network deployment. Option D is wrong because the policy does not create an NSG automatically.

505
MCQhard

Refer to the exhibit. A security administrator runs the Azure CLI commands to create a VM with a single NIC and applies an NSG rule to deny outbound TCP traffic to the Internet on ports 80 and 443. However, the VM can still access websites on the Internet. What is the most likely reason?

A.The NSG rule uses the 'Internet' service tag incorrectly; it should specify an IP range.
B.The NSG is not associated with the NIC because the command did not specify the NIC correctly.
C.The NSG rule is applied at the NIC level, but the subnet's NSG (if any) has a default outbound allow rule that takes precedence.
D.The NSG rule should be an inbound rule to block outbound traffic.
AnswerC

If the subnet has no NSG, the default outbound allow rule permits traffic, and the NIC NSG rule is not evaluated because the first match (subnet default allow) applies.

Why this answer

The NSG rule denies traffic to 'Internet' service tag, but the NIC is attached to a subnet that may also have an NSG that allows outbound traffic. Additionally, the rule specifies 'Tcp' protocol with ports 80 and 443, but HTTPS uses TCP port 443. The rule should block it.

However, Azure VMs have a default outbound access via SNAT; if the VM is using a public IP or has a default route, the NSG should block. The most likely issue is that the NSG is applied to the NIC but not to the subnet, and the subnet's default NSG (or lack thereof) allows traffic. But the commands show NSG applied to NIC.

Another possibility: the rule priority is 100, but maybe there is a higher priority allow rule? The commands do not show any allow rule. Actually, the problem may be that the NSG rule's protocol is 'Tcp' but the outbound traffic might be using UDP? Unlikely. The correct answer is that the NSG is not associated with the subnet; NIC-level NSG works, but the rule's destination is 'Internet' tag, which should work.

The most plausible answer is that the VM has a public IP and the NSG rule is outbound, but maybe the VM is using a different port (e.g., 443 is blocked but 80 is allowed? No). Wait, the commands do not create a VM; they create a NIC and NSG, but the NIC is not attached to a VM? Actually, the commands create a VNet, subnet, NIC, NSG, and attach NSG to NIC. They do not create a VM.

But the stem says 'creates a VM with a single NIC' assuming the NIC is used for a VM. The real issue: the NSG rule denies TCP to Internet on ports 80 and 443, but the VM may be using a different protocol (e.g., HTTP/HTTPS uses TCP). The most likely reason: the NSG is applied at the NIC level, but the subnet may have a separate NSG that allows the traffic, and NSG rules are evaluated at both levels (subnet first, then NIC).

If the subnet NSG allows, the traffic is allowed. The commands do not apply an NSG to the subnet. Therefore, the default subnet NSG (if any) or no NSG on subnet means no filtering at subnet level.

However, the NIC NSG should still block. Actually, Azure NSG evaluation: subnet NSG is evaluated first, then NIC NSG. If subnet NSG has no rule, it defaults to allow all.

So the traffic would be allowed by subnet NSG default allow, and then NIC NSG denies, but the overall is deny? Actually, security rules are evaluated and the first match applies. If subnet NSG has no rule (default deny inbound, default allow outbound), the default outbound allow would match and allow the traffic before the NIC NSG rule is evaluated. That's the catch: default outbound allow in subnet NSG lets traffic out, and the NIC NSG deny rule is not evaluated because a match already occurred.

So the correct answer is that the subnet has no NSG, and its default outbound rule allows all traffic.

506
MCQeasy

A security analyst uses Microsoft Sentinel. They want to create a scheduled analytics rule that runs every hour and queries Azure Activity logs to detect deployment of VMs in non-approved regions. They want to generate an incident automatically when suspicious activity is found. Which configuration is required to automatically create an incident?

A.Enable 'Create incident from alerts triggered by this rule' in the Incident settings
B.Configure the 'Alert details' section with the appropriate severity and description
C.Define entity mapping in the 'Entity mapping' tab
D.Connect Azure Activity log to Sentinel via Event Hub
AnswerA

This setting ensures that every alert generated by the rule automatically creates an incident in Sentinel.

Why this answer

Option A is correct because the 'Create incident from alerts triggered by this rule' setting in the Incident settings tab is the specific toggle that instructs Microsoft Sentinel to automatically generate a security incident whenever the scheduled analytics rule fires an alert. Without this setting enabled, the rule will only produce raw alerts that must be manually triaged or routed through a separate automation rule to become incidents. This is the direct configuration required for automatic incident creation from a scheduled query rule.

Exam trap

The trap here is that candidates often confuse the 'Alert details' configuration (which only sets alert metadata) with the incident creation toggle, assuming that defining severity and description automatically generates an incident, when in fact a separate explicit setting is required.

How to eliminate wrong answers

Option B is wrong because configuring the 'Alert details' section (severity and description) only defines the metadata of the alert itself, not the automatic creation of an incident from that alert. Option C is wrong because entity mapping enriches alerts with entity types (e.g., IP, host) for correlation and investigation, but does not control whether an incident is automatically generated. Option D is wrong because connecting Azure Activity log to Sentinel via Event Hub is a data ingestion method, not a configuration for incident creation; the log source must already be connected for the rule to query it, but that step is separate from the incident creation setting.

507
MCQhard

Your company is migrating from on-premises Active Directory to Microsoft Entra ID. You need to synchronize user accounts and enable self-service password reset (SSPR) for cloud users. You have set up Microsoft Entra Connect Sync. Which additional configuration is required to allow password writeback for SSPR?

A.Enable password writeback in Microsoft Entra Connect and assign Azure AD Premium licenses
B.Configure pass-through authentication
C.Enable password hash synchronization
D.Install the Azure AD Password Protection proxy
AnswerA

Writeback requires Premium licenses and enabling the feature.

Why this answer

Option C is correct because password writeback requires an Azure AD Premium license and the writeback feature enabled in Entra Connect. Option A is incorrect because password hash sync alone does not enable writeback. Option B is incorrect because PHS is not required for writeback.

Option D is incorrect because Password Protection is a separate feature.

508
MCQmedium

Your company uses Microsoft Entra ID and has Microsoft Defender for Cloud Apps. You need to monitor and control access to cloud apps based on user behavior. Which feature should you use?

A.Conditional Access for Cloud Apps (session control)
B.Information Protection (DLP)
C.Cloud Discovery
D.Application Proxy
AnswerA

Session control allows real-time monitoring and control of user actions.

Why this answer

Option B is correct because session control in Conditional Access for Cloud Apps enables real-time monitoring and control. Option A is wrong because app proxy is for on-prem apps. Option C is wrong because DLP is for data protection.

Option D is wrong because Cloud Discovery identifies shadow IT.

509
MCQmedium

You execute the KQL query shown in the exhibit in Microsoft Sentinel. The query returns no results, but you know there have been high-severity malware alerts in the past week. What is the most likely issue?

A.The SecurityAlert table does not contain malware alerts.
B.The time range filter is incorrect.
C.There are no high-severity alerts in the past week.
D.The alert name is case-sensitive and does not exactly match 'Malware'.
AnswerD

Correct. KQL is case-sensitive, so 'Malware' may not match actual alert names.

Why this answer

Option D is correct because the query filters on AlertName containing "Malware" (case-sensitive). If the actual alert name uses a different case, like "malware" or "MalwareDetected", it might not match. Option A is wrong because if there were no alerts, other filters would also return empty.

Option B is wrong because the data source is different; SecurityAlert table contains alerts from various sources. Option C is wrong because the time range is valid.

510
MCQmedium

Refer to the exhibit. You are reviewing an NSG rule configuration for a subnet. The source subnet is 10.0.0.0/24 and the destination subnet is 10.0.1.0/24. What is the effect of this rule?

A.Allows outbound SSH traffic from 10.0.1.0/24 to 10.0.0.0/24.
B.Blocks inbound SSH traffic from 10.0.0.0/24 to 10.0.1.0/24.
C.Allows all inbound traffic from 10.0.0.0/24 to 10.0.1.0/24.
D.Allows inbound SSH traffic from 10.0.0.0/24 to 10.0.1.0/24.
AnswerD

The rule explicitly allows SSH from the source to the destination.

Why this answer

Option A is correct because the rule allows inbound TCP traffic on port 22 from source range 10.0.0.0/24 to destination range 10.0.1.0/24. Option B is wrong because the rule allows inbound, not outbound. Option C is wrong because the rule allows SSH, not blocks.

Option D is wrong because the rule is specific to port 22.

511
MCQhard

You are the security engineer for Contoso, a multinational company with 50,000 users in Microsoft Entra ID Premium P2. The company has a strict security policy requiring that all administrative actions be performed using just-in-time (JIT) access with approval, and that all privileged role activations be audited. Additionally, you need to ensure that Global Administrators are required to use phishing-resistant MFA (e.g., FIDO2 security keys) when activating their role. You have already configured Privileged Identity Management (PIM) for Azure AD roles. However, during a recent audit, you discovered that several Global Administrators were able to activate their role using only a text message (SMS) for MFA, violating the policy. You need to enforce the use of phishing-resistant MFA for all privileged role activations. What should you do?

A.Create a Conditional Access policy that targets all cloud apps and requires authentication strength 'Phishing-resistant MFA'
B.In PIM, configure the role settings to require Azure MFA and set the authentication method to FIDO2
C.Create a Conditional Access policy that targets the 'Azure AD Privileged Identity Management' app and requires authentication strength 'Phishing-resistant MFA'
D.Configure authentication methods policy to allow only FIDO2 security keys for all users
AnswerC

This policy enforces FIDO2 specifically for PIM activation.

Why this answer

Option C is correct because Privileged Identity Management (PIM) role activation is triggered by signing in to the Azure AD Privileged Identity Management application (the PIM blade or API). By creating a Conditional Access policy that targets this specific app and requires the 'Phishing-resistant MFA' authentication strength, you enforce FIDO2 or Windows Hello for Business during the activation step, regardless of the user's baseline MFA method. This directly addresses the audit finding that Global Administrators were using SMS to activate their roles.

Exam trap

The trap here is that candidates mistakenly think PIM role settings can enforce a specific MFA method (like FIDO2) directly, when in reality PIM only requires MFA generically and the method is controlled by Conditional Access policies targeting the PIM application.

How to eliminate wrong answers

Option A is wrong because targeting all cloud apps would apply the phishing-resistant MFA requirement to every application access, not just PIM role activations, which is overly broad and could block legitimate non-privileged access. Option B is wrong because PIM role settings only offer a toggle to 'Require Azure MFA' on activation; they do not allow you to specify a particular authentication method like FIDO2—that granularity is handled by Conditional Access authentication strengths. Option D is wrong because restricting the authentication methods policy to only FIDO2 for all users would prevent users from using other allowed methods (e.g., Microsoft Authenticator) for everyday sign-ins, causing widespread disruption and violating the principle of least privilege for non-administrative tasks.

512
MCQeasy

Your company uses Microsoft Entra ID. You need to block sign-ins from countries where your company does not operate. Which approach should you use?

A.Configure MFA for all users
B.Create a Conditional Access policy to block access from those countries
C.Use Identity Protection user risk policy
D.Add those countries as Named locations
AnswerB

Conditional Access can block sign-ins from specific locations.

Why this answer

Option B is correct because Conditional Access policies can block sign-ins by geographic location. Option A is wrong because MFA doesn't block by location. Option C is wrong because Named locations are used in Conditional Access, but they define trusted locations, not block others.

Option D is wrong because Identity Protection detects risky sign-ins but does not block by country.

513
MCQhard

You are the security engineer for a multinational company that uses Azure to host critical workloads. The company has deployed Microsoft Defender for Cloud with the enhanced security features enabled on all subscriptions. Recently, a security audit revealed that several virtual machines (VMs) in the production environment are missing critical security updates. The audit report indicates that the VMs are not being assessed for missing updates by Defender for Cloud. You need to ensure that all VMs are automatically assessed for missing OS updates using Defender for Cloud's vulnerability assessment capabilities. The solution must minimize administrative overhead and should not require manual installation of agents on existing VMs. What should you do?

A.Enable the 'SQL servers on machines' plan in Defender for Cloud.
B.Enable the 'Servers' plan in Defender for Cloud and ensure that the 'Vulnerability assessment for machines' setting is turned on.
C.Configure a vulnerability assessment solution from the Azure Marketplace and assign it to the VMs.
D.Deploy the Log Analytics agent to all VMs using Azure Policy.
AnswerB

This enables built-in vulnerability assessment using Microsoft Defender Vulnerability Management, which automatically assesses VMs for missing updates without manual agent installation.

514
MCQeasy

Your security team uses Microsoft Sentinel to detect threats. You need to set up a rule that triggers an alert when a user account is created in Microsoft Entra ID. Which rule type should you configure?

A.Near-Real-Time (NRT) rule
B.Anomaly rule
C.Fusion rule
D.Scheduled query rule
AnswerD

Correct: Scheduled rules run periodically on log data to detect specific events like user creation.

Why this answer

Option B is correct because Scheduled query rules run periodically on log data. Option A is wrong because NRT rules are for near-real-time detection but are more suitable for data arriving in a stream. Option C is wrong because Fusion is for advanced multistage attacks.

Option D is wrong because Anomaly rules use machine learning to detect unusual patterns, not specific events.

515
MCQmedium

A company uses Azure SQL Database with Transparent Data Encryption (TDE) encrypted using a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault is protected by a firewall and virtual network service endpoints. The storage account used for TDE logs is in the same Azure region. What additional configuration is necessary in the Key Vault to allow Azure SQL Database to access the CMK for TDE operations?

A.Enable 'Allow trusted Microsoft services to bypass this firewall' in the Key Vault firewall settings.
B.Disable public network access on the Key Vault.
C.Add the SQL Database server's system-assigned managed identity to the Key Vault access policy.
D.Enable soft-delete on the Key Vault.
AnswerA

Correct. This setting allows Azure SQL Database (a trusted service) to bypass the Key Vault firewall and access the CMK for TDE operations.

Why this answer

Azure SQL Database uses TDE with a customer-managed key stored in Key Vault. When the Key Vault has a firewall enabled, Azure SQL Database must be able to bypass that firewall to access the key. Enabling 'Allow trusted Microsoft services to bypass this firewall' is required because Azure SQL Database is a trusted Microsoft service that needs to reach the Key Vault endpoint for TDE operations, even when the firewall blocks public network access.

Exam trap

The trap here is that candidates often think adding a managed identity or disabling public access is sufficient, but they miss that the Key Vault firewall explicitly requires the 'Allow trusted Microsoft services' bypass for Azure SQL Database to access the CMK.

How to eliminate wrong answers

Option B is wrong because disabling public network access on the Key Vault would block all external traffic, including from Azure SQL Database, unless the 'Allow trusted Microsoft services' setting is also enabled; it is not a standalone solution. Option C is wrong because Azure SQL Database for TDE does not use a system-assigned managed identity to authenticate to Key Vault; instead, it uses the Azure SQL logical server's identity (which is automatically granted permissions via the Key Vault access policy when using CMK). Option D is wrong because soft-delete is a data protection feature that prevents permanent deletion of keys, secrets, or certificates, but it is not required for TDE access; it is recommended for recovery but not a prerequisite for the SQL Database to reach the key.

516
MCQhard

Your organization has a hybrid identity environment with Microsoft Entra ID (formerly Azure AD) and on-premises Active Directory. You are using Microsoft Defender for Cloud to monitor security posture. You notice that the recommendation 'MFA should be enabled on accounts with owner permissions on your subscription' shows a status of 'Unhealthy' for some accounts, but those accounts already have Microsoft Entra Conditional Access policies requiring MFA. What is the most likely reason for the discrepancy?

A.The Conditional Access policies are not applied to all users; some users bypass MFA.
B.The accounts are guest users from another tenant; MFA cannot be enforced.
C.Defender for Cloud evaluates the 'per-user' MFA state, which is separate from Conditional Access.
D.The recommendation requires MFA to be configured in the subscription's access control (IAM) blade.
AnswerC

Defender for Cloud checks if MFA is enabled per user, not via Conditional Access.

Why this answer

Option B is correct because Defender for Cloud checks the 'per-user' MFA state, not Conditional Access policies. Option A is wrong because MFA is enabled correctly. Option C is wrong because guest accounts are also subject to MFA requirements.

Option D is wrong because the recommendation is based on Microsoft Entra ID data.

517
Multi-Selecteasy

Your company has a single Azure subscription with a hub-and-spoke network topology. The hub virtual network contains Azure Firewall and a VPN gateway for hybrid connectivity. You need to ensure that all traffic from the spoke virtual networks to on-premises is inspected by the Azure Firewall. Which THREE actions should you take? (Choose three.)

Select 3 answers
A.Enable BGP on the Azure VPN gateway and advertise routes to the on-premises network.
B.Configure Azure Firewall with a route to the VPN gateway for on-premises traffic.
C.In the hub virtual network, set 'Use remote gateways' on the peering connection to the spoke.
D.Configure user-defined routes (UDRs) in each spoke subnet with 0.0.0.0/0 next hop to Azure Firewall, and include on-premises prefixes with next hop to Azure Firewall.
E.In the spoke virtual network, set 'Gateway transit' on the peering connection to the hub.
AnswersB, D, E

The firewall needs a route to forward traffic to the VPN gateway.

Why this answer

Option A is correct: UDRs force spoke traffic to the firewall. Option B is correct: The firewall must be configured to route traffic to the VPN gateway. Option C is correct: Propagating gateway routes ensures the route table includes routes from the VPN gateway.

Option D is incorrect because VNet peering does not inspect traffic. Option E is incorrect because BGP does not force traffic through the firewall.

518
MCQmedium

Your company has an Azure subscription with several VNets. You deploy Azure Firewall in a hub VNet. You need to ensure that all traffic from spoke VNets to the internet goes through the firewall. What should you configure?

A.Configure forced tunneling on the spoke VNet gateways.
B.Enable VNet peering to the hub VNet.
C.Apply an Azure Firewall policy that denies internet access for spoke VNets.
D.Create a route table with a default route (0.0.0.0/0) to the Azure Firewall private IP and associate it with the spoke subnets.
AnswerD

UDRs override Azure's default routing to force traffic through the firewall.

Why this answer

Option A is correct because a User-Defined Route (UDR) with next hop type VirtualAppliance and the firewall's private IP forces traffic to the firewall. Option B is wrong because forced tunneling is a VPN configuration. Option C is wrong because Azure Firewall policies define rules, not routing.

Option D is wrong because VNet peering does not route traffic; it provides connectivity.

519
Multi-Selecteasy

Which TWO of the following are benefits of using managed identities for Azure resources to access Azure Storage? (Choose two.)

Select 2 answers
A.Replicates storage data across regions for disaster recovery
B.Eliminates the need to store credentials in code or configuration files
C.Enables federated identity with external identity providers
D.Automatically rotates the credentials used for authentication
E.Provides granular auditing of all storage access
AnswersB, D

Managed identities provide an automatically managed identity in Azure AD, removing the need for secrets.

Why this answer

Options A and B are correct. Managed identities eliminate the need to manage credentials (A) and provide automatic rotation (B). Option C (auditing) is not a benefit, though managed identities support auditing via Azure AD.

Option D (federated identity) is for external users. Option E (replication) is unrelated.

520
MCQhard

Your company uses Microsoft Entra ID with hybrid identity. You have a custom line-of-business application that uses SAML 2.0 for authentication. The application is registered in Microsoft Entra ID as an enterprise application. Users report that they are prompted for credentials twice when accessing the app from a domain-joined Windows 10 device. You need to prevent the second prompt. What should you do?

A.Configure the application to include a domain hint (whr parameter) in the SAML request.
B.Create a Conditional Access policy requiring device compliance.
C.Enable Seamless Single Sign-On (SSO) for all users.
D.Implement Password Hash Sync (PHS) for the directory.
AnswerA

A domain hint directs authentication to the on-premises domain, enabling Seamless SSO and eliminating the second prompt.

Why this answer

Option D is correct because the double prompt for SAML apps on domain-joined devices typically occurs when Kerberos authentication fails to the application's domain or when the app expects a different authentication method. Configuring a domain hint (whr parameter) in the SAML request tells Entra ID to use the on-premises domain for authentication, enabling Seamless SSO and avoiding the second prompt. Option A is wrong because Seamless SSO alone may not fix the SAML app issue without a domain hint.

Option B is wrong because Password Hash Sync is unrelated to SAML authentication flow. Option C is wrong because Conditional Access policies do not affect the number of prompts.

521
MCQhard

Your organization is deploying a multi-region application using Azure Front Door to distribute traffic. You need to ensure that only traffic from Azure Front Door can reach the backend origins (App Services) and that no direct internet traffic bypasses Front Door. What combination of steps should you take?

A.Configure App Service Access Restrictions to deny all public traffic and enable Azure Front Door private link.
B.Configure Azure Front Door to use a custom domain and enable Azure WAF on Front Door.
C.Configure App Service Access Restrictions to allow only the 'AzureFrontDoor.Backend' service tag.
D.Configure App Service Access Restrictions to allow only the Azure Front Door backend IP ranges and validate the X-Azure-FDID header.
AnswerD

This ensures only traffic from your Front Door instance (checked via header) and from Front Door IP ranges is allowed.

Why this answer

Azure Front Door uses a set of backend IP ranges. By configuring Access Restrictions on App Service to allow only those IP ranges and enabling the 'X-Azure-FDID' header check, you ensure only Front Door traffic is accepted. Disabling public access entirely would break Front Door's ability to reach the backend.

522
MCQmedium

A company wants to identify excessive permissions across Azure, AWS, and GCP identities. Which Microsoft security capability is designed for cloud infrastructure entitlement management?

A.Azure Monitor metrics
B.Microsoft Purview eDiscovery
C.Azure Front Door WAF
D.Microsoft Entra Permissions Management
AnswerD

Correct for the stated requirement.

Why this answer

Microsoft Entra Permissions Management is a Cloud Infrastructure Entitlement Management (CIEM) solution that provides visibility into permissions assigned to identities across multi-cloud environments (Azure, AWS, GCP). It helps detect and remediate excessive, unused, or risky permissions by analyzing identity activity and entitlement data, enabling least-privilege access control.

Exam trap

The trap here is that candidates may confuse Azure Monitor (a monitoring tool) with a security management tool, or assume a WAF or eDiscovery solution can handle identity permissions, when only a dedicated CIEM like Entra Permissions Management is designed for multi-cloud entitlement visibility.

How to eliminate wrong answers

Option A is wrong because Azure Monitor metrics collect and analyze telemetry data (e.g., CPU usage, request rates) from Azure resources, not identity permissions across clouds. Option B is wrong because Microsoft Purview eDiscovery focuses on legal discovery and compliance searches for content in Microsoft 365, not on managing cloud infrastructure entitlements. Option C is wrong because Azure Front Door WAF is a web application firewall that protects HTTP/HTTPS traffic from common web exploits, not a tool for identity permission analysis.

523
MCQmedium

Refer to the exhibit. You are reviewing the Microsoft Defender for Cloud settings for a subscription. The JSON shows that 'autoProvision' is set to true. What does this mean?

A.All Microsoft Defender plans are automatically enabled for new resources
B.The Log Analytics agent is automatically installed on new Azure VMs
C.Security policies are automatically assigned to new resource groups
D.Continuous export of security alerts is enabled
AnswerB

AutoProvision ensures the agent is installed for data collection.

Why this answer

Option B is correct because autoProvision refers to automatic provisioning of the Log Analytics agent on new VMs. Option A is wrong because autoProvision does not enable all Defender plans. Option C is wrong because it does not automatically assign policies.

Option D is wrong because it does not enable continuous export.

524
MCQhard

You are designing a secure data solution for a financial services company. Data must be encrypted at rest and in transit. Additionally, you need to prevent administrators from accessing the encryption keys. What should you use?

A.Azure Storage encryption with service-side encryption and HTTPS enforced.
B.Azure Storage encryption with customer-managed keys and a key vault access policy that denies key operations for the admin group.
C.Azure Storage encryption with Microsoft-managed keys.
D.Azure Storage encryption with infrastructure encryption enabled.
AnswerB

CMK with restricted access ensures admins cannot access keys.

Why this answer

Azure Storage encryption with customer-managed keys stored in a key vault with vault access policy set to deny all key operations for administrators meets the requirement. Option A is wrong because infrastructure encryption does not prevent admin access. Option B is wrong because Microsoft-managed keys do not meet the requirement.

Option D is wrong because encryption in transit alone does not address at-rest encryption.

525
MCQmedium

You are designing a network security solution for a multi-tier application in Azure. The web tier must be accessible from the internet, the application tier only from the web tier, and the database tier only from the application tier. All tiers are in different subnets of the same VNet. What is the minimum configuration?

A.Use service endpoints for each tier.
B.Create separate VNets for each tier and use VNet peering.
C.Deploy Azure Firewall in the VNet and route all traffic through it.
D.Configure NSGs on each subnet with appropriate allow rules.
AnswerD

NSGs can filter traffic between subnets.

Why this answer

Option A is correct because NSGs on each subnet can control inbound traffic: allow internet to web, allow web to app, allow app to db. Option B is wrong because Azure Firewall is not required. Option C is wrong because VNet peering is not needed.

Option D is wrong because service endpoints are for Azure services.

Page 6

Page 7 of 14

Page 8