Microsoft Azure Security Engineer Associate AZ-500 (AZ-500) — Questions 526600

1000 questions total · 14pages · All types, answers revealed

Page 7

Page 8 of 14

Page 9
526
MCQmedium

Your company uses Azure Blob Storage to store sensitive documents. You need to prevent data exfiltration by ensuring that all access to the storage account is through Microsoft's private network. What should you configure?

A.Apply a network security group (NSG) to the subnet with a deny rule for internet traffic.
B.Create a private endpoint for the storage account and disable public network access.
C.Set the firewall to deny all and add a rule to allow only your VNet's public IP.
D.Enable service endpoints and configure a service endpoint policy.
AnswerB

Traffic goes through Private Link, staying on Microsoft network.

Why this answer

Option C is correct because Azure Private Link with Private Endpoint ensures that traffic to the storage account stays within the Microsoft backbone network. Service endpoints also keep traffic on the Azure backbone but do not prevent exfiltration if the storage account is exposed to the internet. Option A is wrong because service endpoints do not block internet access.

Option B is wrong because firewall rules only restrict IPs, but traffic may still leave Azure backbone. Option D is wrong because network security groups (NSGs) are for subnets, not storage accounts.

527
MCQhard

Your company uses Microsoft Sentinel to monitor security events. You are asked to create an analytics rule that detects when a user outside of business hours (9 PM to 5 AM) performs a high-risk operation like deleting a large number of Azure resources. The rule must trigger an incident and assign it to the SOC team. Which rule type and configuration should you use?

A.Create a Scheduled query rule with a KQL query filtering sign-in logs and resource deletion events outside business hours.
B.Create an Anomaly rule based on historical user behavior.
C.Create a Near-real-time (NRT) rule with a query that detects resource deletions.
D.Create a Fusion rule that correlates alerts from Microsoft Defender XDR.
AnswerA

Scheduled rules allow complex KQL queries and custom scheduling.

Why this answer

Option A is correct because scheduled query rules can run at defined intervals and use KQL to filter events based on time and activity. Option B is wrong because NRT rules are for near-real-time detection but are limited to simple conditions. Option C is wrong because anomaly rules use machine learning for baseline deviations, not specific time-based conditions.

Option D is wrong because fusion rules correlate alerts from multiple sources, not specific user activities.

528
MCQhard

You are deploying a containerized application on Azure Kubernetes Service (AKS). The application needs to pull images from a private Azure Container Registry (ACR) and access secrets from Azure Key Vault. You want to minimize credential exposure. What should you configure?

A.Use a service principal with certificate authentication, and rotate the certificate annually.
B.Create a service principal with a secret, assign it acrpull role, and store the secret in a Kubernetes secret for imagePullSecrets.
C.Enable managed identity on the AKS cluster, grant the identity acrpull role on ACR, and use Azure Key Vault Provider for Secrets Store CSI Driver.
D.Enable the admin account on ACR and use the admin credentials in Kubernetes secrets.
AnswerC

Managed identity eliminates static credentials; CSI driver mounts secrets as volumes.

Why this answer

Option A is correct because AKS can use managed identity to authenticate to ACR (via acrpull role) and to Key Vault (via Secret Provider or CSI driver). Option B (service principal with secret) exposes a credential. Option C (admin account on ACR) is not recommended.

Option D (image pull secrets with service principal) exposes credentials.

529
MCQmedium

A company stores sensitive documents in an Azure Blob Storage account. They have enabled infrastructure encryption and configured the storage account to use a customer-managed key stored in Azure Key Vault for encryption at rest. Despite this, newly uploaded blobs are still encrypted with Microsoft-managed keys. What is the most likely cause?

A.The Key Vault is in a different Azure region than the storage account.
B.The storage account does not have a system-assigned managed identity enabled.
C.A default encryption scope is configured on the blob container that uses a Microsoft-managed key.
D.The customer-managed key in Key Vault is disabled or expired.
AnswerC

Encryption scopes can be set at the container level. A default encryption scope overrides the storage account-level encryption. If the scope uses Microsoft-managed keys, new blobs in that container will not use the customer-managed key.

Why this answer

Option C is correct because when a default encryption scope is set on a blob container, it overrides the storage account's encryption settings for all blobs uploaded to that container. Even if the storage account is configured with a customer-managed key (CMK), the container-level encryption scope with a Microsoft-managed key takes precedence, causing new blobs to be encrypted with Microsoft-managed keys instead.

Exam trap

The trap here is that candidates assume the storage account-level CMK setting applies uniformly to all blobs, but they overlook that encryption scopes at the container level can override that setting, causing a silent fallback to Microsoft-managed keys.

How to eliminate wrong answers

Option A is wrong because Azure Key Vault and the storage account can be in different regions; cross-region CMK is supported as long as the Key Vault is in the same Azure Active Directory tenant. Option B is wrong because a system-assigned managed identity is not required for CMK; a user-assigned managed identity can be used, or the storage account can use its own identity implicitly when granted access to Key Vault via access policies or RBAC. Option D is wrong because if the customer-managed key were disabled or expired, the storage account would fail to encrypt or decrypt blobs, resulting in errors (e.g., 403 Forbidden) rather than silently falling back to Microsoft-managed keys.

530
MCQmedium

A company uses Azure Virtual WAN with secured virtual hubs. The security team wants to ensure that all traffic from branch offices to Azure resources is inspected by the Azure Firewall in the secured hub. What configuration is needed?

A.Add user-defined routes in each spoke pointing to the Azure Firewall.
B.Configure forced tunneling on the branch VPN devices to send all traffic to the hub.
C.Enable 'Inter-hub' and 'Branch-to-branch' traffic routing in the Virtual WAN settings.
D.Create a firewall policy in Azure Firewall Manager and associate it with the virtual hub.
AnswerC

These settings ensure all traffic flows through the secured hub.

Why this answer

Option C is correct because Virtual WAN automatically routes traffic through secured hubs when configured. Option A is wrong because Azure Firewall Manager is used to configure policies, not routing. Option B is wrong because forcing tunneling is for Azure VPN Gateway, not Virtual WAN.

Option D is wrong because UDRs are not needed in Virtual WAN.

531
MCQhard

A company stores highly sensitive data in Azure Blob Storage. They require encryption at rest using a customer-managed key. Additionally, they want to ensure that the key can only be used from the same Azure region as the storage account. Which configuration must they implement?

A.Store the key in a key vault in each region and use a managed identity to access the key vault.
B.Use a key stored in an Azure Key Vault with the 'Soft Delete' enabled.
C.Use an Azure Key Vault with 'Purge Protection' enabled.
D.Use an Azure Key Vault in the same region as the storage account (keys are region-bound by default).
AnswerD

Customer-managed keys must be stored in a key vault that resides in the same Azure region as the storage account; this is an inherent constraint.

Why this answer

Option D is correct because Azure Key Vault keys are inherently region-bound; when you create a key vault in a specific Azure region, the key material and its cryptographic operations are confined to that region. By placing the key vault in the same region as the storage account, you ensure that the customer-managed key used for Azure Storage Service Encryption (SSE) can only be accessed and used within that region, satisfying the requirement for region-restricted key usage.

Exam trap

The trap here is that candidates may overthink the solution by focusing on additional security features like soft delete or purge protection, when the core requirement is simply about regional restriction, which is already a default behavior of Azure Key Vault.

How to eliminate wrong answers

Option A is wrong because storing the key in a key vault in each region and using a managed identity does not enforce region-bound key usage; it allows cross-region access if the managed identity is granted permissions, and it introduces unnecessary complexity without addressing the region constraint. Option B is wrong because enabling 'Soft Delete' on a key vault is a data protection feature that prevents accidental deletion of keys, but it does not restrict key usage to a specific region. Option C is wrong because 'Purge Protection' is an additional safeguard that prevents permanent deletion of soft-deleted keys, but it has no effect on the regional scope of key operations.

532
Multi-Selecteasy

Which TWO database-level security features are available in Azure SQL Database to protect sensitive data?

Select 2 answers
A.Azure Information Protection
B.Always Encrypted
C.Dynamic Data Masking
D.Azure AD authentication
E.Azure Disk Encryption
AnswersB, C

Column-level encryption.

Why this answer

Option A and Option C are correct. Always Encrypted (A) encrypts data at the column level, and Dynamic Data Masking (C) obfuscates data in query results. Option B is wrong because Azure AD authentication is an access control feature, not data protection.

Option D is wrong because Azure Information Protection is a classification service. Option E is wrong because Azure Disk Encryption is for VMs.

533
MCQmedium

Refer to the exhibit. You are creating a custom Azure RBAC role for a security analyst. The role as shown allows read access to storage accounts. The analyst reports that they cannot read the contents of a blob container in a storage account. Why is this?

A.The role is not assigned to the analyst's user account.
B.The role does not include dataActions to read blob data.
C.The assignable scope is incorrect; it should be at the resource group level.
D.The storage account does not exist in the specified subscription.
AnswerB

Management plane actions do not allow data plane access.

Why this answer

The custom RBAC role only includes read permissions for the storage account's control plane (e.g., listing keys, reading properties) but lacks the necessary dataActions to read blob data. To read blob container contents, the role must include 'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read' under dataActions, which governs access to the data plane. Without this, the analyst can see the storage account but cannot access the blobs within it.

Exam trap

The trap here is that candidates often assume that 'read' access to a storage account automatically grants read access to its data, but Azure RBAC requires explicit dataActions for data plane operations, a distinction that is frequently tested on the AZ-500 exam.

How to eliminate wrong answers

Option A is wrong because the question states the role is created and assigned, so the issue is not a missing assignment but a missing permission. Option C is wrong because the assignable scope (subscription) is broader than the resource group level and does not prevent reading blob data; the problem is the lack of dataActions, not the scope. Option D is wrong because the storage account exists in the specified subscription (the analyst can see it), and the error is about reading blob contents, not account existence.

534
MCQhard

A company uses Azure Front Door (AFD) with WAF policy in front of a web application. The security team notices that some requests from a specific IP range are being blocked incorrectly. The WAF policy uses custom rules. The team wants to allow a specific IP range while still having the WAF inspect other traffic. What is the most efficient way to configure this?

A.Add a custom rule with priority 100, action 'Block', and match condition for the IP range.
B.Create a custom rule with priority 1, action 'Allow', and match condition for the source IP range.
C.Add a rate limit rule that allows traffic from the IP range.
D.Disable the managed rule sets for the specific IP range using a geo-match condition.
AnswerB

A custom rule with higher priority (lower number) evaluates first and allows the traffic, skipping remaining rules.

Why this answer

Option A is correct because custom rules are evaluated before managed rule sets, and a rule with priority 1 and action 'Allow' for the IP range will allow that traffic, bypassing later rules (including managed rules). Option B is wrong because managed rule sets apply to all traffic after custom rules, so disabling them for that range is not granular. Option C is wrong because rate limiting is for limiting request rates, not for allowing specific IPs.

Option D is wrong because 'Block' action would block the IP range, not allow it.

535
MCQmedium

A Defender for Cloud recommendation requires enabling private endpoints for a storage account. Which security risk is primarily reduced?

A.VM disk fragmentation
B.Public internet exposure of the storage service endpoint
C.Unauthorized changes to Azure AD users
D.Excessive Log Analytics ingestion
AnswerC

Correct for the stated requirement.

Why this answer

Enabling private endpoints for a storage account removes the public endpoint from the service, ensuring that all traffic to the storage account traverses the Microsoft backbone network via a private IP address in your virtual network. This directly mitigates the risk of data exposure to the public internet, which is the primary security concern addressed by this Defender for Cloud recommendation.

Exam trap

The trap here is that candidates may confuse the security benefit of private endpoints (reducing public exposure) with identity-related risks like unauthorized Azure AD changes, but the question specifically asks about the risk primarily reduced by enabling private endpoints for a storage account, which is public internet exposure.

How to eliminate wrong answers

Option A is wrong because VM disk fragmentation is a performance issue related to virtual hard disk (VHD) storage and I/O operations, not a security risk that private endpoints address. Option B is wrong because while private endpoints do reduce public internet exposure, the question asks which risk is primarily reduced, and the correct answer is unauthorized changes to Azure AD users, which is not directly related to private endpoints for storage accounts. Option D is wrong because excessive Log Analytics ingestion is a cost and data volume management concern, not a security risk that private endpoints mitigate.

536
Multi-Selecthard

Which THREE components are part of Microsoft Entra Conditional Access? (Choose three.)

Select 3 answers
A.Multi-factor authentication service settings
B.Conditions (sign-in risk, device state, location)
C.Access controls (grant, block, session controls)
D.Role assignments
E.Assignments (users, groups, workload identities)
AnswersB, C, E

Conditions define when the policy applies.

Why this answer

Microsoft Entra Conditional Access is a policy-based engine that evaluates signals to enforce access decisions. The three core components are Assignments (who the policy applies to, such as users, groups, or workload identities), Conditions (the signals evaluated, like sign-in risk, device state, or location), and Access Controls (the enforcement actions, such as grant or block access, and session controls). These three elements form the complete structure of a Conditional Access policy.

Exam trap

The trap here is that candidates often confuse the 'Assignments' component (users/groups/workload identities) with Azure RBAC role assignments, but Conditional Access Assignments define who the policy applies to, not what permissions they have.

537
MCQhard

A company has two Azure virtual networks: VNet-A and VNet-B. They peer the VNets and deploy a network virtual appliance (NVA) in VNet-A. They want to inspect all outbound traffic from VNet-B to the internet using the NVA. They configure a user-defined route (UDR) in a route table associated with the subnet in VNet-B, with a default route (0.0.0.0/0) and next hop set to the private IP of the NVA in VNet-A. However, outbound traffic from VNet-B still goes directly to the internet. What is the most likely cause?

A.The NVA's network interface must have 'IP forwarding' enabled.
B.The VNet peering is not configured to allow traffic from VNet-B to route through VNet-A.
C.The route table is not associated with the subnet in VNet-B.
D.The NVA does not have a public IP address.
AnswerA

IP forwarding allows the NVA to accept and forward traffic not destined to its own IP. Without it, the NVA drops the packets.

Why this answer

The most likely cause is that IP forwarding is disabled on the NVA's network interface. Even with a correct user-defined route (UDR) pointing 0.0.0.0/0 traffic to the NVA's private IP, Azure will drop packets destined to the NVA unless the NIC is configured to accept and forward traffic not addressed to itself. Enabling IP forwarding allows the NVA to act as a router, processing and forwarding packets between VNets.

Exam trap

The trap here is that candidates assume a UDR alone is sufficient to force traffic through an NVA, forgetting that the NVA's NIC must explicitly be configured to forward traffic not destined to itself.

How to eliminate wrong answers

Option B is wrong because VNet peering does not need a specific 'allow routing through' setting; peered VNets can route traffic between each other by default, and the UDR in VNet-B already directs traffic to the NVA in VNet-A. Option C is wrong because the question states the route table is associated with the subnet in VNet-B, so a missing association is not the issue. Option D is wrong because the NVA does not require a public IP address to inspect outbound traffic; it only needs a private IP to receive and forward traffic from VNet-B, and internet-bound traffic can be routed through the NVA without a public IP on the NVA itself.

538
MCQhard

Your organization uses Microsoft Sentinel to monitor hybrid workloads. You need to collect logs from on-premises Linux servers and send them to Sentinel. The solution must minimize latency and administrative overhead. What should you deploy?

A.Connect servers via Azure Arc and install the Azure Monitor Agent
B.Use the Microsoft Monitoring Agent to send logs directly
C.Configure a syslog server to forward logs to the Log Analytics workspace
D.Install the Log Analytics agent on each server
AnswerA

Azure Arc allows centralized management and the Azure Monitor Agent is the modern agent.

Why this answer

Option C is correct because Azure Arc enables management of on-premises servers and allows installation of the Azure Monitor Agent with minimal overhead. Option A is wrong because the legacy Log Analytics agent is deprecated. Option B is wrong because Syslog forwarding adds latency.

Option D is wrong because the Microsoft Monitoring Agent is the legacy agent.

539
MCQhard

Refer to the exhibit. You are analyzing the Always Encrypted configuration for an Azure SQL Database. The SSN column uses randomized encryption, and the CreditCard column uses deterministic encryption. Which statement is true regarding querying these columns?

A.Both columns support equality searches.
B.Only the CreditCard column supports equality searches.
C.Both columns support pattern matching with LIKE.
D.Only the SSN column supports point lookups.
AnswerB

Deterministic encryption allows equality comparisons.

Why this answer

Option B is correct. Deterministic encryption allows equality comparisons (e.g., WHERE CreditCard = 'value') because it always generates the same ciphertext for a given plaintext. Randomized encryption does not allow any operations on encrypted data.

Option A is wrong because randomized encryption does not allow equality checks. Option C is wrong because deterministic encryption does not allow pattern matching. Option D is wrong because both columns support point lookups via equality; randomized does not.

540
Multi-Selecteasy

You are deploying Microsoft Sentinel in a new Azure environment. Which THREE resources are required to deploy a Sentinel workspace?

Select 3 answers
A.Contributor permissions on the resource group
B.The Microsoft.OperationsManagement resource provider registered
C.Microsoft Defender for Cloud enabled
D.A Log Analytics workspace
E.The Microsoft.Sentinel resource provider registered
AnswersA, B, D

Needed to enable Sentinel on the workspace.

Why this answer

Option A, Option B, and Option D are correct because Sentinel requires a Log Analytics workspace, a Contributor role on the resource group to deploy resources, and the Microsoft.OperationsManagement resource provider to be registered. Option C is wrong because the Azure Sentinel resource provider is not required; the OperationsManagement provider is needed. Option E is wrong because Microsoft Defender for Cloud is not a prerequisite.

541
MCQmedium

You are designing a backup strategy for Azure Virtual Machines that host a critical database. Compliance requires that backups be stored in a separate Azure region and be immutable for 90 days. What should you use?

A.Azure Backup with Locally Redundant Storage (LRS) and a retention policy of 90 days
B.Azure Backup with Geo-Redundant Storage (GRS) and enable soft delete
C.Azure Disk Encryption with a backup policy stored in a different region
D.Azure Site Recovery with a recovery plan and retention of 90 days
AnswerB

GRS replicates to a paired region; soft delete provides immutability for 90 days.

Why this answer

Azure Backup with geo-redundant storage (GRS) stores backups in a paired region. Immutable storage for Azure Backup is achieved by enabling soft delete and using backup policies with retention that prevents deletion. Option B is correct.

Option A is incorrect because LRS does not provide cross-region storage. Option C is incorrect because Azure Site Recovery is for disaster recovery, not long-term backup. Option D is incorrect because Azure Disk Encryption encrypts disks but does not provide geo-redundancy or immutability.

542
MCQmedium

Your company stores sensitive customer data in Azure Blob Storage. You need to ensure that data at rest is encrypted using a customer-managed key stored in Azure Key Vault. The key must be automatically rotated every 90 days. Which Azure policy should you configure to enforce this requirement?

A.Configure encryption of Azure Blob Storage with customer-managed key stored in Azure Key Vault with automatic key rotation
B.Configure encryption of Azure Blob Storage with customer-managed key stored in Azure Key Vault
C.Configure Transparent Data Encryption for Azure SQL Database with customer-managed key
D.Deploy encryption of Azure Blob Storage using Azure Disk Encryption
AnswerA

Includes both CMK and automatic rotation.

Why this answer

Option B is correct because 'Configure encryption of Azure Blob Storage with customer-managed key stored in Azure Key Vault with automatic key rotation' enforces CMK and automatic rotation. Options A and C do not include rotation. Option D is for Azure SQL Database, not Blob Storage.

543
MCQhard

Your company has a large number of Azure SQL databases that contain personally identifiable information (PII). You need to classify and protect sensitive columns across all databases. The solution must automatically discover and label sensitive data, and enable auditing of access to that data. What should you implement?

A.Always Encrypted with secure enclaves
B.Microsoft Defender for SQL
C.Dynamic Data Masking
D.Data Discovery & Classification
AnswerD

Automatically discovers and classifies sensitive data.

Why this answer

Option D is correct because Azure SQL Database's Data Discovery & Classification automatically discovers sensitive columns, allows labeling, and integrates with auditing and vulnerability assessment. Option A is wrong because Dynamic Data Masking only masks data, it does not classify. Option B is wrong because Always Encrypted encrypts data at rest, but does not classify or audit.

Option C is wrong because Microsoft Defender for SQL provides security alerts and vulnerability assessment, but not classification.

544
MCQmedium

Your security team receives a high-priority alert from Microsoft Sentinel indicating a potential brute-force attack against an Azure SQL Database. The alert was generated by an analytics rule using the following KQL query: 'SigninLogs | where ResultType == "50057" | summarize Count = count() by UserPrincipalName, IPAddress | where Count > 10'. What is the most likely cause of the alert?

A.Multiple failed MFA attempts by a user.
B.A user successfully signed in after many attempts.
C.Multiple sign-in attempts using a disabled account from the same IP address.
D.Multiple sign-in attempts from a non-existent user account.
AnswerC

ResultType 50057 means account disabled; query groups by account and IP.

Why this answer

Option B is correct because ResultType 50057 indicates 'User account is disabled', so the alert is triggered when a disabled account has more than 10 sign-in attempts from the same IP. Option A is wrong because MFA failure is a different result type. Option C is wrong because the query does not check if the user is enabled.

Option D is wrong because the query specifically targets a disabled account, not a non-existent one.

545
Multi-Selectmedium

Which TWO are capabilities of Microsoft Sentinel UEBA? (Choose two.)

Select 2 answers
A.Integration with external threat intelligence feeds
B.Entity pages with timelines and related events
C.Automatic incident creation for all detected anomalies
D.Peer group analysis to detect anomalies
E.Automated response actions like blocking IPs
AnswersB, D

Correct: UEBA provides entity pages.

Why this answer

Options A and D are correct. UEBA can detect anomalous behavior based on peer group analysis (A) and provide entity pages with investigative insights (D). Option B is wrong because threat intelligence feeds are separate.

Option C is wrong because UEBA does not automatically create incidents; analytics rules do. Option E is wrong because automated response is via playbooks, not UEBA.

546
MCQmedium

Your company has a hub-and-spoke network topology in Azure. The hub virtual network contains an Azure Firewall and a VPN gateway. Spoke virtual networks are peered to the hub. You need to ensure that all outbound traffic from spoke VMs to the internet is routed through the Azure Firewall. What should you configure on the spoke virtual networks?

A.Apply a network security group (NSG) to the spoke subnets with a deny rule for internet traffic
B.Configure VNet peering with 'Use remote gateway' enabled
C.Create a route table with a route for 0.0.0.0/0 pointing to the Azure Firewall private IP, and associate it with the spoke subnets
D.Configure the Azure Firewall to use forced tunneling
AnswerC

User-defined routes (UDRs) force traffic to the firewall for inspection.

Why this answer

Option C is correct because adding a route table with a default route (0.0.0.0/0) pointing to the Azure Firewall as the next hop forces all outbound traffic through the firewall. Option A is wrong because VNet peering does not automatically route internet traffic through a firewall. Option B is wrong because NSGs can control inbound/outbound rules but cannot route traffic.

Option D is wrong because the firewall itself doesn't need a route table change.

547
MCQeasy

Your organization uses Microsoft Sentinel for security monitoring. You have configured data connectors to collect logs from Azure Firewall and Windows Event logs from virtual machines. You need to ensure that network traffic from a specific subnet is not sent to Microsoft Sentinel due to privacy regulations. What should you do?

A.Create an analytics rule to delete events from the subnet after ingestion.
B.Configure a network security group (NSG) to block traffic from the subnet to Microsoft Sentinel.
C.Create a workbook in Microsoft Sentinel that filters out the subnet data.
D.Modify the Azure Firewall data connector settings to exclude the subnet IP range.
AnswerD

This prevents logs from that subnet from being collected.

Why this answer

Option B is correct: Azure Policy can be used to audit or enforce resource configurations, but to prevent data from being sent to Sentinel, the best approach is to filter at the source using NSG flow logs or by not configuring the data connector for that subnet. However, the question asks for a direct action. Option B is correct because you can configure the Azure Firewall data connector to exclude certain IP ranges.

Option A is incorrect because network security groups do not filter logs to Sentinel. Option C is incorrect because workbook filters only affect visualization, not ingestion. Option D is incorrect because analytics rules do not affect ingestion.

548
MCQeasy

You need to secure a Linux virtual machine running a web application in Azure. The solution must ensure that only traffic on port 443 (HTTPS) is allowed from the internet, and that SSH access is restricted to a management subnet. What should you configure?

A.Azure Firewall with application rules to allow HTTPS and SNAT SSH traffic
B.Network Security Group (NSG) on the VM NIC with inbound rules: Allow HTTPS from Internet, Allow SSH from management subnet, Deny all other inbound
C.Application Security Group with a network security group that allows HTTPS and SSH
D.Network Security Group on the subnet with inbound rules: Allow HTTPS from Internet, Allow SSH from management subnet, Deny all other inbound
AnswerB

NSG on NIC provides host-level control.

Why this answer

Option A is correct because an NSG with inbound rules that allow HTTPS from any source and SSH only from the management subnet achieves the goal. Option B is wrong because Azure Firewall is more complex and costly than needed. Option C is wrong because a network security group attached to the subnet would affect all VMs.

Option D is wrong because Application Security Groups are used for grouping VMs, not for filtering traffic.

549
MCQmedium

A security team uses Microsoft Defender for Cloud to monitor Azure virtual machines. They want to automatically install a specific endpoint protection solution on all Windows VMs that are currently missing it, without manual intervention. The solution is not integrated natively with Defender for Cloud. Which feature should they use?

A.Enable the 'Endpoint protection' recommendation and use the 'Fix' option
B.Create an Azure Policy 'DeployIfNotExists' assignment that installs the endpoint protection extension on VMs missing it
C.Configure adaptive application controls to allow the endpoint protection software
D.Enable just-in-time VM access for the VMs
AnswerB

Azure Policy can evaluate compliance and automatically deploy extensions using the 'DeployIfNotExists' effect, even for non-native solutions, as long as there is a template for the extension.

Why this answer

Option B is correct because Azure Policy's 'DeployIfNotExists' effect can automatically deploy a custom endpoint protection extension to Windows VMs that are missing it, even if the solution is not natively integrated with Defender for Cloud. This allows the security team to enforce compliance by installing the specific third-party endpoint protection agent via a policy assignment, without manual intervention.

Exam trap

The trap here is that candidates often assume Defender for Cloud's 'Fix' option can deploy any endpoint protection solution, but it only supports solutions that are natively integrated and listed in the Defender for Cloud dashboard.

How to eliminate wrong answers

Option A is wrong because the 'Endpoint protection' recommendation in Defender for Cloud and its 'Fix' option only work with endpoint protection solutions that are natively integrated (e.g., Microsoft Defender Antivirus, Trend Micro, Symantec); it cannot deploy a non-integrated, custom solution. Option C is wrong because adaptive application controls are a whitelisting feature that controls which applications can run on a VM, not a mechanism to install or deploy software. Option D is wrong because just-in-time VM access manages network access to management ports (e.g., RDP, SSH) to reduce attack surface, not the installation of endpoint protection agents.

550
Multi-Selectmedium

Which TWO configurations are required to ensure that an Azure Storage account is accessible only via HTTPS and that access keys are not used?

Select 2 answers
A.Enable blob versioning
B.Set the 'Secure transfer required' property to Enabled
C.Enable diagnostic settings for the storage account
D.Configure the storage account firewall to allow only selected virtual networks
E.Set 'Allow storage account key access' to Disabled
AnswersB, E

Enforces HTTPS for all requests to the storage account.

Why this answer

Option A (secure transfer required) enforces HTTPS. Option D (disable shared key access) prevents use of access keys. Option B is incorrect because enabling firewall does not disable access keys.

Option C is incorrect because enabling logging does not enforce HTTPS or disable keys. Option E is incorrect because enabling versioning does not affect encryption or key usage.

551
MCQmedium

You are investigating a security incident in Microsoft Sentinel. The incident involves multiple alerts from different data sources. You need to correlate the alerts to determine the full attack chain. Which Microsoft Sentinel feature should you use?

A.Incident investigation
B.Analytics rules
C.Playbooks
D.Workbooks
AnswerA

Allows you to explore entities and alerts to understand the attack path.

Why this answer

Option B is correct because incident investigation allows you to visualize and correlate alerts, entities, and events. Option A is wrong because workbooks are for dashboards, not correlation. Option C is wrong because playbooks are for automated response.

Option D is wrong because analytics rules create alerts, but correlation is done via investigation.

552
MCQhard

You are troubleshooting connectivity between two Azure virtual machines in different VNets that are peered. VM1 (10.0.1.4) cannot reach VM2 (10.0.2.4) on port 80. Both VNets have NSGs allowing HTTP traffic from each other's IP ranges. The VNet peering is in 'Connected' state. You verify that the VMs' operating system firewalls allow HTTP. What is the most likely cause of the connectivity issue?

A.NSGs are not stateful and require explicit outbound rules.
B.The VNet peering status is disconnected.
C.Azure Firewall is blocking traffic between the VNets.
D.The NSG on VM2's subnet does not allow inbound traffic from VM1's VNet address space.
AnswerD

NSGs filter traffic even across peered VNets; you must allow the source IP range.

Why this answer

Option B is correct because VNet peering does not automatically allow traffic through the peer's NSG; you must explicitly configure NSG rules to allow traffic from the peered VNet's address space. Option A is wrong because the peering status is Connected, so it is not broken. Option C is wrong because NSGs are stateful, so return traffic is allowed automatically.

Option D is wrong because Azure Firewall might block traffic but is not mentioned in the scenario.

553
MCQhard

A financial services company uses Microsoft Sentinel to detect ransomware activity. They want to correlate alerts from multiple sources to reduce false positives. They have enabled Microsoft Defender for Cloud, Microsoft Defender XDR, and Azure Firewall logs. Which Sentinel feature should they use to create a single alert from multiple signals?

A.Near-real-time (NRT) rules
B.Fusion (machine learning) rules
C.Anomaly detection rules
D.Scheduled query rules
AnswerB

Fusion correlates alerts from multiple products to detect multi-stage attacks.

Why this answer

Option D is correct because Fusion is a machine learning-based correlation engine that combines alerts from multiple sources to detect multi-stage attacks like ransomware. Option A is wrong because Scheduled query rules are for single data source queries. Option B is wrong because NRT rules provide near real-time but not correlation.

Option C is wrong because Anomaly detection identifies unusual behavior but does not correlate across alerts.

554
MCQeasy

A security analyst needs to create a custom alert in Microsoft Defender for Cloud that triggers when a user creates a public IP address in the 'production' resource group. Which type of alert should they use?

A.Azure Sentinel analytics rule
B.Azure Activity Log alert
C.Custom alert rule in Defender for Cloud
D.Custom recommendation based on Azure Policy
AnswerD

Custom recommendations in Defender for Cloud are built on Azure Policy initiatives.

Why this answer

Option D is correct because custom alerts in Defender for Cloud are created using custom recommendations based on Azure Policy. Option A is wrong because Azure Activity Log alerts are in Azure Monitor, not Defender for Cloud. Option B is wrong because Azure Sentinel analytics rules are for Sentinel, not Defender for Cloud.

Option C is wrong because Microsoft Defender for Cloud does not have native custom alert rules via a portal wizard; it uses Azure Policy.

555
MCQhard

You are designing a secure Azure SQL Database deployment. The database must support real-time analytics and reporting without impacting the performance of the transactional workload. You need to ensure that the reporting queries have an isolated copy of the data that is automatically kept up to date. The solution must also encrypt the data at rest using a customer-managed key. What should you include in the design?

A.Hyperscale service tier with named replicas
B.Active geo-replication with a readable secondary
C.Serverless compute tier with auto-pause
D.Failover groups with automatic failover
AnswerA

Provides isolated read replicas for reporting, supports TDE with CMK.

Why this answer

Option C is correct because Azure SQL Database Hyperscale service tier with named replicas provides a scalable read-only replica for reporting, and it supports TDE with CMK. Geo-replication (A) is for disaster recovery, not reporting. Failover groups (B) are for high availability.

Serverless (D) is for compute scaling, not read replicas.

556
MCQmedium

A company deploys Azure Firewall in a hub VNet to inspect all outbound traffic from a spoke VNet. They enable VNet peering between the hub and spoke. They create a route table with a default route (0.0.0.0/0) pointing to the firewall's private IP as the next hop, and associate it with the spoke subnets. However, outbound traffic from the spoke subnets is still going directly to the internet, bypassing the firewall. What is the most likely cause?

A.The route table's next hop type is not set to 'Virtual appliance'
B.The route table is not associated with the subnet
C.The hub-spoke peering is not configured correctly
D.Azure Firewall is in a different resource group
AnswerA

For user-defined routes that point to a virtual appliance like Azure Firewall, the next hop type must be 'Virtual appliance'. Setting it to 'Internet' or any other type causes traffic to bypass the firewall.

Why this answer

The most likely cause is that the route table's next hop type is not set to 'Virtual appliance'. When creating a custom route in Azure, the next hop type must be explicitly set to 'Virtual appliance' and the next hop address must be the firewall's private IP. If the next hop type is left as 'Internet' or another value, Azure will ignore the custom route and use the default system route for 0.0.0.0/0, which sends traffic directly to the internet without inspection.

Exam trap

The trap here is that candidates assume any custom route with a firewall IP will work, but Azure requires the next hop type to be explicitly set to 'Virtual appliance' to override the default system route for 0.0.0.0/0.

How to eliminate wrong answers

Option B is wrong because if the route table were not associated with the subnet, the custom route would not apply at all, and traffic would use the default system route—but the question states the route table is associated with the spoke subnets, so this is not the issue. Option C is wrong because VNet peering is correctly enabled between hub and spoke; peering configuration does not affect the next hop type of a route table, and traffic can still flow through the firewall if the route is correct. Option D is wrong because Azure Firewall can be in a different resource group without impacting routing; resource group placement has no effect on network traffic flow or route table functionality.

557
MCQeasy

You need to ensure that all data at rest in an Azure Storage account is encrypted using a customer-managed key. Which feature should you enable?

A.Azure Disk Encryption
B.Azure Storage Service Encryption (SSE) with platform-managed key
C.Azure Storage Service Encryption with customer-managed key
D.Azure Information Protection
AnswerC

Allows you to use your own key from Azure Key Vault for encryption at rest.

Why this answer

Azure Storage Service Encryption with customer-managed keys allows you to use your own key stored in Azure Key Vault. Option B is correct because it uses CMK. Option A is incorrect because SSE with PMK uses Microsoft-managed keys.

Option C is incorrect because Azure Disk Encryption is for VMs. Option D is incorrect because Azure Information Protection is for classification and labeling.

558
MCQhard

You are designing a secure backup strategy for Azure Virtual Machines. The backup data must be encrypted at rest and in transit. Which combination should you use?

A.Azure Backup automatically encrypts data at rest using Azure Storage Service Encryption and in transit using HTTPS
B.Azure Storage Service Encryption and HTTPS
C.Azure Backup with customer-managed keys and enforce HTTPS
D.Azure Disk Encryption on the VMs and Azure Backup
AnswerA

Azure Backup encrypts backup data at rest with SSE and in transit with HTTPS without additional configuration.

Why this answer

Azure Backup uses SSE for encryption at rest and HTTPS for in-transit encryption. Option D is correct. Option A is wrong because Azure Disk Encryption encrypts VM disks but not backup data.

Option B is wrong because Azure Backup automatically uses SSE and HTTPS. Option C is wrong because Azure Storage Service Encryption is for storage accounts, but backup uses SSE already.

559
Multi-Selectmedium

You are designing a secure network for an e-commerce application in Azure. The application consists of web servers, application servers, and database servers. You need to ensure that inbound traffic is filtered at multiple layers. Which THREE Azure services should you use to implement defense in depth for network security?

Select 3 answers
A.Azure Application Gateway with WAF policy
B.Azure Front Door with WAF policy
C.Network Security Groups (NSGs)
D.Azure Bastion
E.Azure DNS
AnswersA, B, C

Provides application-layer filtering before web servers.

Why this answer

Option A is correct because Azure Front Door with WAF provides application-layer filtering at the edge. Option B is correct because Azure Application Gateway with WAF provides application-layer filtering before traffic reaches the web servers. Option C is correct because Network Security Groups (NSGs) provide network-layer filtering between tiers.

Option D is wrong because Azure Bastion is for management access, not traffic filtering. Option E is wrong because Azure DNS is for name resolution.

560
MCQmedium

Refer to the exhibit. A custom role definition is created with the JSON above. A user assigned this role in the Prod resource group attempts to restart a VM but receives an authorization error. What is the most likely cause?

A.The assignable scope should include the subscription
B.The role definition includes 'restart' but not 'start'
C.The role definition lacks the 'Microsoft.Compute/virtualMachines/read' action
D.The user is not assigned the role at the correct scope
AnswerC

The read action is required to perform start/restart operations.

Why this answer

The correct answer is A: The role definition is missing the 'Microsoft.Compute/virtualMachines/read' action. Without read, the user cannot see or interact with the VM, leading to authorization errors. Option B is wrong because the assignable scope is correct.

Option C is wrong because the user is assigned the role. Option D is wrong because the role is not missing the restart action.

561
MCQmedium

A company uses Azure Firewall to filter outbound traffic from a virtual network. The security team notices that traffic to a specific external IP address is being allowed despite a deny rule. What is the most likely cause?

A.The Azure Firewall policy is not associated with the correct virtual network.
B.A network rule with a higher priority allows the traffic.
C.An application rule allows the traffic, which overrides the network deny rule.
D.The deny rule is configured with the wrong protocol (UDP instead of TCP).
AnswerC

Application rules take precedence over network rules. If an application rule allows the traffic, it overrides a network deny rule.

Why this answer

Application rules take precedence over network rules when both match the traffic. If an application rule allows the traffic, it will be permitted even if a network rule denies it.

562
Multi-Selectmedium

Which TWO configurations are required to enable Azure Bastion to connect to a virtual machine without a public IP address?

Select 2 answers
A.The virtual machine must have a public IP address.
B.The virtual network must have a subnet named AzureBastionSubnet.
C.The Bastion host must have a public IP address assigned.
D.The virtual machine must be in a subnet with an NSG that allows RDP/SSH from the Bastion subnet.
E.The virtual machine must have a private IP address.
AnswersB, E

Azure Bastion requires a dedicated subnet with this name.

Why this answer

Options A and D are correct. Azure Bastion requires a dedicated subnet named AzureBastionSubnet and the VM must have a private IP. Option B is wrong because Bastion does not require a public IP for the VM.

Option C is wrong because Bastion does not require an NSG on the VM's subnet. Option E is wrong because Bastion does not require a public IP on the Bastion host.

563
MCQmedium

Your organization uses Azure Virtual WAN. You need to secure traffic between a spoke VNet and an on-premises site that connects via a Virtual WAN VPN gateway. What is the best way to inspect traffic?

A.Deploy Azure Firewall in the spoke VNet.
B.Deploy a third-party NVA in the spoke VNet.
C.Apply NSG rules on the spoke subnet.
D.Use Azure Firewall Manager to deploy a secured virtual hub.
AnswerD

Firewall Manager integrates with Virtual WAN.

Why this answer

Option D is correct because Azure Firewall Manager can be used in Virtual WAN to secure hub traffic. Option A is wrong because NSG is not in the path. Option B is wrong because a separate NVA would require complex routing.

Option C is wrong because Azure Firewall in a spoke is not in the path.

564
MCQhard

Refer to the exhibit. You have an Azure Firewall policy with the shown rules. Traffic from 10.0.0.0/8 to www.google.com on HTTPS (443) is being blocked. What is the most likely reason?

A.The network rule collection with priority 100 denies all traffic, and it is evaluated before the application rule collection.
B.The application rule collection has an action of Deny.
C.The source address 10.0.0.0/8 is not included in the application rule.
D.The application rule collection does not allow *.google.com.
AnswerA

Network rules have higher priority than application rules when the action is Deny.

Why this answer

Option A is correct because network rules are evaluated before application rules, and the network rule collection with priority 100 denies all traffic. The application rule collection with priority 200 is never evaluated because the network rule denies first. Option B is wrong because the application rule allows *.google.com, but it is not reached.

Option C is wrong because the rule action is Allow, not Deny. Option D is wrong because the source address includes 10.0.0.0/8.

565
MCQhard

A security operations team uses Microsoft Sentinel. They have a scheduled analytics rule that generates an incident when a user signs in from an unusual location. They want to automatically assign the incident to the 'Security Engineering' team and set its severity to 'High' when it is created. Which feature should they use?

A.Automation rules
B.Playbooks
C.Incident settings in analytics rule
D.Workbooks
AnswerA

Automation rules can automatically assign incidents to a team owner and change the severity at the time of incident creation.

Why this answer

Automation rules in Microsoft Sentinel allow you to centrally manage the automated handling of incidents, including assigning them to a specific team and setting their severity. When a scheduled analytics rule generates an incident, an automation rule can trigger on incident creation to perform these actions without requiring a playbook or manual intervention.

Exam trap

The trap here is that candidates often confuse playbooks with automation rules, thinking that playbooks are required for any automated action, when in fact automation rules are the native, simpler mechanism for assignment and severity changes without needing Logic Apps.

How to eliminate wrong answers

Option B is wrong because playbooks are collections of actions based on Azure Logic Apps that run in response to alerts or incidents, but they are typically used for more complex, multi-step orchestration and require additional configuration; automation rules are the simpler, built-in feature for direct assignment and severity changes. Option C is wrong because incident settings within an analytics rule only allow you to configure group-related settings (e.g., alert grouping) and entity mapping, not post-creation actions like assignment or severity override. Option D is wrong because workbooks are interactive dashboards for visualizing data and reports, not for automating incident response actions.

566
MCQhard

A company uses Azure Cosmos DB with SQL API to store user profiles. They need to ensure that only authorized applications can access the data, and that the data is encrypted in transit and at rest. Currently, the application uses a master key to connect. What should they implement to improve security?

A.Use resource tokens with permissions for each user
B.Enable private endpoint for Cosmos DB
C.Configure IP firewall rules on the Cosmos DB account
D.Enable managed identity for the application and grant it access to Cosmos DB via Azure RBAC
AnswerD

Eliminates master keys and uses Azure AD authentication for secure access.

Why this answer

Using managed identities for Azure resources eliminates the need for master keys by allowing the application to authenticate to Azure Cosmos DB via Azure AD. Option D is correct. Option A is incorrect because firewall restricts network access but does not address key management.

Option B is incorrect because private endpoints improve network security but still require authentication. Option C is incorrect because resource tokens are for granular user-level access, not application authentication.

567
MCQhard

You are deploying a multi-tier application on Azure Kubernetes Service (AKS). The application uses Azure Disks for persistent storage. You need to ensure that the disks are encrypted at rest using a customer-managed key stored in a Key Vault in a different region. What should you do?

A.Enable Azure Disk Encryption (ADE) using Azure Key Vault in the same region as AKS.
B.Use server-side encryption (SSE) with platform-managed keys.
C.Use Azure Storage Service Encryption (SSE) with customer-managed keys from the remote Key Vault.
D.Configure disk encryption set (DES) with a customer-managed key from a Key Vault in the same region as the disks.
AnswerD

DES requires same region; cross-region CMK is not supported for disks.

Why this answer

Azure Disk Encryption with customer-managed keys requires the Key Vault to be in the same region as the disks. Option D is correct. Server-side encryption with PMK does not use customer keys.

CMK must be in the same region. Azure Disk Encryption (ADE) with Key Vault also requires same region.

568
MCQeasy

Your security team has deployed Microsoft Sentinel. They need to create an analytics rule that uses a custom KQL query to detect failed logon attempts from a specific IP address range and automatically creates an incident with a severity of 'High'. Which rule type should they use?

A.Anomaly rule
B.NRT (Near-Real-Time) analytics rule
C.Fusion rule
D.Scheduled query rule
AnswerD

Scheduled rules allow custom KQL, scheduling, and incident creation with severity.

Why this answer

Option B is correct because a Scheduled query rule allows custom KQL and automatic incident creation. Option A is wrong because NRT rules are for near-real-time but require simpler queries. Option C is wrong because Anomaly rules are based on ML.

Option D is wrong because Fusion rules correlate multiple signals.

569
MCQeasy

A security team uses Microsoft Defender for Cloud to monitor the security posture of their Azure subscription. They want to ensure that whenever a new virtual machine is created, the Log Analytics agent is automatically installed to collect security events. Which feature should they configure in Defender for Cloud?

A.Automation rules
B.Auto-provisioning settings
C.Security contacts
D.Workflow automation
AnswerB

Correct. Auto-provisioning is designed to automatically deploy the Log Analytics agent on Azure VMs (and other supported resources) to enable security monitoring.

Why this answer

Auto-provisioning settings in Microsoft Defender for Cloud automatically deploy the Log Analytics agent to all supported Azure VMs and new ones as they are created. This ensures that security events are collected without manual intervention, directly addressing the requirement for automatic installation on new VMs.

Exam trap

The trap here is confusing 'Auto-provisioning settings' (which installs the agent) with 'Automation rules' (which automate responses in Sentinel), leading candidates to pick a feature from a different service.

How to eliminate wrong answers

Option A is wrong because Automation rules in Microsoft Sentinel (not Defender for Cloud) are used to automate incident response and remediation tasks, not to install agents on VMs. Option C is wrong because Security contacts are used to configure email notifications for security alerts and incidents, not to manage agent deployment. Option D is wrong because Workflow automation in Defender for Cloud triggers Logic Apps in response to security alerts or recommendations, but it does not handle the automatic installation of the Log Analytics agent on new VMs.

570
MCQhard

A healthcare organization stores sensitive patient data in Azure SQL Database. They need to encrypt specific columns containing medical history so that even database administrators with the 'sysadmin' role cannot view the plaintext data. Additionally, they need to support equality comparisons (WHERE clauses) on the encrypted columns. Which encryption technology should they implement?

A.Transparent Data Encryption (TDE)
B.Always Encrypted with randomized encryption
C.Always Encrypted with deterministic encryption
D.Dynamic Data Masking
AnswerC

Deterministic encryption allows equality searches by generating consistent ciphertext for a given plaintext, and keys are stored client-side, preventing DBAs from decrypting.

Why this answer

Always Encrypted with deterministic encryption is correct because it encrypts specific columns at the client side, ensuring that even database administrators with 'sysadmin' role cannot view plaintext data. Deterministic encryption generates the same ciphertext for identical plaintext values, which allows equality comparisons (WHERE clauses) on encrypted columns, meeting both requirements.

Exam trap

The trap here is that candidates confuse Dynamic Data Masking with encryption, thinking it prevents privileged users from seeing data, when in fact it only masks output and does not protect data at rest or from direct queries by sysadmins.

How to eliminate wrong answers

Option A is wrong because Transparent Data Encryption (TDE) encrypts the entire database at rest but does not protect data from database administrators who have access to the database engine; they can still query plaintext data. Option B is wrong because Always Encrypted with randomized encryption does not support equality comparisons (WHERE clauses) on encrypted columns, as it produces different ciphertext for the same plaintext each time. Option D is wrong because Dynamic Data Masking only obfuscates data at query result time but does not encrypt the underlying data, so administrators with 'sysadmin' role can still access plaintext by running queries without masking.

571
MCQmedium

Your company deploys a new Azure application gateway with WAF policy in prevention mode. After deployment, users report that legitimate traffic is being blocked. You need to identify which WAF rules are causing the blocks without affecting the security posture. What should you do?

A.Disable the WAF policy temporarily.
B.Create a custom rule to allow all traffic.
C.Set the WAF policy to custom rules only.
D.Change the WAF policy mode to detection.
AnswerD

Detection mode logs blocks without acting on them.

Why this answer

Option D is correct because switching to detection mode logs WAF events without blocking, allowing analysis. Option A is wrong because disabling WAF removes protection. Option B is wrong because changing to custom rules might not pinpoint the cause.

Option C is wrong because custom rules are not diagnostic.

572
MCQeasy

Your company uses Azure Files shares for user home directories. Security policy requires that all data be encrypted at rest and in transit. You have enabled encryption at rest using Azure Storage Service Encryption (SSE). For encryption in transit, you require SMB clients to use SMB 3.0 or later with encryption. You configure the storage account to require secure transfer. A user reports that they cannot mount the file share from a Windows 10 machine that is not domain-joined. The user can mount other file shares without issues. What is the most likely reason for the failure?

A.The storage account firewall is blocking the client's public IP address.
B.The user's machine is not domain-joined, so it cannot authenticate to Azure Files.
C.Azure Files only supports SMB 2.1, and the client is trying to use SMB 3.0.
D.The client machine does not support SMB 3.0 encryption, which is required when secure transfer is enabled.
AnswerD

Secure transfer enforces encryption; the client must support it.

Why this answer

Option B is correct: When secure transfer is required, SMB 3.0 with encryption is mandatory. If the client does not support SMB encryption (e.g., due to older OS or misconfiguration), the mount will fail. Option A: Azure Files supports SMB mount from non-domain-joined machines.

Option C: Azure Files supports both SMB protocols. Option D: DNS resolution is not the issue if they can mount other shares.

573
MCQeasy

A company uses Microsoft Defender for Cloud. They want to automatically implement a specific security recommendation (e.g., 'Enable encryption for Azure SQL Database') on all existing and future SQL Database instances in a subscription. Which feature should they use?

A.Security policy with a custom initiative.
B.Regulatory compliance dashboard.
C.Workload protection plans.
D.Vulnerability assessment.
AnswerA

Correct. Custom initiatives with policies that have 'DeployIfNotExists' or 'Modify' effects automate remediation across resources.

Why this answer

A custom initiative in a security policy allows you to define a set of security recommendations (e.g., 'Enable encryption for Azure SQL Database') and enforce them via Azure Policy. By assigning this initiative at the subscription scope with a 'DeployIfNotExists' or 'Modify' effect, you can automatically remediate non-compliant resources and ensure that all existing and future SQL Database instances have encryption enabled. This is the correct mechanism for automated, continuous compliance with custom security requirements.

Exam trap

The trap here is that candidates often confuse the Regulatory compliance dashboard (which only reports compliance) with the actual enforcement capability of custom initiatives, leading them to choose Option B.

How to eliminate wrong answers

Option B is wrong because the Regulatory compliance dashboard only provides visibility and tracking against built-in compliance standards (e.g., SOC 2, ISO 27001); it does not enforce or automatically implement specific recommendations. Option C is wrong because Workload protection plans (e.g., Defender for SQL) enable advanced threat detection and alerting but do not automatically apply configuration changes like enabling encryption. Option D is wrong because Vulnerability assessment scans databases for security weaknesses and generates reports, but it does not automatically remediate or enforce encryption settings.

574
MCQeasy

Your company has a hybrid environment with Azure resources and on-premises servers. You have deployed Microsoft Sentinel and connected it to Azure AD, Azure Activity Logs, and Windows Security Events from on-premises servers via the Log Analytics gateway. You need to create a workbook that shows the number of sign-ins from each country over the last 24 hours. The data source is the SigninLogs table. However, the workbook does not display any data. You verify that the Log Analytics workspace is receiving sign-in logs from Azure AD. Which of the following is the most likely reason the workbook shows no data?

A.The workbook uses a different visualization type that requires KQL.
B.The Log Analytics gateway is blocking the sign-in logs.
C.The workbook's time range filter is set to 'Last 7 days' but the query uses a 24-hour filter incorrectly.
D.The Log Analytics workspace is not receiving sign-in logs from Azure AD.
AnswerC

Workbook time range and query time filter must align; if query uses 'now-24h' but workbook sets last 7 days, it should still show data; more likely the query itself has an issue.

Why this answer

Option A is correct because workbook queries may have a time filter that defaults to a different range; the 'time' parameter in the query might be set incorrectly. Option B is wrong because the workspace is receiving logs. Option C is wrong because the gateway is for on-premises, not for Azure AD logs which go directly.

Option D is wrong because KQL is required for workbooks.

575
MCQmedium

A company stores sensitive data in Azure Blob Storage. They want to encrypt the data at rest using customer-managed keys (CMK) stored in Azure Key Vault. Additionally, they want the key to be automatically rotated every 90 days without manual intervention. Which configuration should they implement?

A.Enable Azure Storage encryption with a CMK and configure a rotation policy on the storage account.
B.Enable Azure Storage encryption with a CMK and enable automatic key rotation in Azure Key Vault by creating a rotation policy.
C.Enable Azure Storage encryption with a CMK and manually rotate the key every 90 days.
D.Use Azure Storage service-side encryption with platform-managed keys and enforce rotation via Azure Policy.
AnswerB

Key Vault rotation policy handles automatic key version updates. The storage account can be configured to use the key URI without a specific version to pick up new versions automatically.

Why this answer

Option B is correct because Azure Key Vault supports automatic key rotation through a rotation policy, which can be configured to rotate a customer-managed key (CMK) every 90 days without manual intervention. When Azure Storage encryption uses a CMK stored in Key Vault, the storage account references the key version, and enabling a rotation policy in Key Vault automatically creates new key versions, which Azure Storage then uses for encryption. This satisfies the requirement for automated 90-day rotation without manual steps.

Exam trap

The trap here is that candidates confuse where the rotation policy is configured—thinking it is on the storage account (Option A) rather than in Azure Key Vault, or they assume platform-managed keys can be scheduled for rotation (Option D), which is not supported.

How to eliminate wrong answers

Option A is wrong because a rotation policy cannot be configured on the storage account itself; key rotation is managed in Azure Key Vault, not on the storage account resource. Option C is wrong because it requires manual rotation every 90 days, which contradicts the requirement for automatic rotation without manual intervention. Option D is wrong because platform-managed keys (PMK) cannot be rotated on a custom schedule; they are managed entirely by Microsoft, and Azure Policy cannot enforce a specific rotation interval for PMKs.

576
MCQeasy

You need to restrict access to an Azure Storage account so that only traffic from a specific virtual network (VNet) subnet is allowed. Which Azure Storage firewall setting should you configure?

A.Create a private endpoint for the storage account.
B.Enable service endpoints on the subnet and add an IP rule.
C.Add a firewall rule with the subnet's public IP address range.
D.Add a virtual network rule that references the VNet and subnet.
AnswerD

This allows traffic from that subnet.

Why this answer

Option B is correct because Storage firewall rules can restrict access to specific VNets and subnets by adding a 'Virtual Network' rule. Option A is wrong because IP rules allow specific public IPs, not VNets. Option C is wrong because Private Endpoint is a separate feature that uses private IPs but requires Private Link.

Option D is wrong because service endpoints are a prerequisite but the rule type is 'Virtual Network'.

577
MCQmedium

Your organization uses Microsoft Defender for Cloud to monitor Azure SQL databases. You receive an alert indicating a potential SQL injection attack. What is the most effective immediate action to validate and respond?

A.Enable Transparent Data Encryption (TDE) on the database
B.Run a vulnerability assessment on the database
C.Review the SQL database auditing logs to identify the source queries
D.Immediately block all IP addresses from the alert in the SQL firewall
AnswerC

Auditing logs provide detailed query information.

Why this answer

Option C is correct because the SQL database auditing records show the actual queries, allowing validation. Option A is wrong because enabling TDE does not help validate an attack. Option B is wrong because vulnerability assessments are not real-time.

Option D is wrong because firewall rules may block legitimate traffic.

578
MCQeasy

You need to enable Microsoft Defender for Cloud's enhanced security features for an Azure subscription. Which of the following is required?

A.Enable all Defender plans at once.
B.Enable 'Microsoft Defender for Cloud' at the subscription level.
C.Deploy a Log Analytics workspace in the same region.
D.Assign an Azure Policy to enforce Defender for Cloud.
AnswerB

Enhanced features are enabled per subscription.

Why this answer

Option B is correct because Enhanced security features (formerly Azure Defender) are enabled at the subscription level. Option A is wrong because Log Analytics is optional. Option C is wrong because you can enable individual plans.

Option D is wrong because Azure Policy is not a prerequisite.

579
MCQhard

A company has an Azure SQL Database with a private endpoint connection. The database is accessed from on-premises via ExpressRoute and from other Azure virtual networks (VNets) via VNet peering. The security team wants to ensure that all queries from both on-premises and peered VNets go through the private endpoint and NEVER use the public endpoint, even as a fallback. Which additional configuration is required to enforce this?

A.Configure a Network Security Group (NSG) on the subnet hosting the private endpoint to deny outbound traffic to the public endpoint's IP addresses.
B.Enable Azure SQL Auditing and configure a log analytics workspace to monitor for public endpoint calls, then manually block them.
C.Disable public network access on the Azure SQL server.
D.Configure a service endpoint for Azure SQL on the VNet and associate a firewall rule allowing only the VNet traffic.
AnswerC

Correct. Disabling public network access on the SQL server blocks all traffic from the public internet, leaving only the private endpoint as the entry point. This ensures all traffic from on-premises and peered VNets must use the private endpoint.

Why this answer

Option C is correct because disabling public network access on the Azure SQL server explicitly blocks all traffic that does not originate from a private endpoint. This setting ensures that even if a client attempts to connect using the public endpoint (e.g., via a misconfigured connection string or DNS resolution fallback), the server will reject the connection. This is the only configuration that enforces the requirement that all queries—from on-premises via ExpressRoute or from peered VNets—must go through the private endpoint and never use the public endpoint.

Exam trap

The trap here is that candidates often confuse 'private endpoint' with 'service endpoint' or think that NSGs or monitoring can enforce private-only access, when in fact the only way to guarantee that no traffic uses the public endpoint is to disable public network access at the server level.

How to eliminate wrong answers

Option A is wrong because NSGs are not supported on subnets hosting private endpoints; Azure blocks NSG association on private endpoint subnets, and even if applied, an NSG cannot block outbound traffic from the private endpoint to the public endpoint because the private endpoint itself does not route traffic to the public IP—the issue is client-side DNS resolution. Option B is wrong because auditing and monitoring only detect public endpoint usage after the fact; they do not prevent the connection from using the public endpoint as a fallback, which violates the 'never use' requirement. Option D is wrong because service endpoints allow traffic from the VNet to the Azure SQL public endpoint, which is exactly what the security team wants to avoid; service endpoints do not enforce private endpoint usage and would permit public endpoint access from peered VNets.

580
Multi-Selecthard

Your company uses ExpressRoute to connect on-premises to Azure. You need to ensure that only traffic from the on-premises network can reach a specific Azure App Service, and all other internet traffic to that App Service must be blocked. You also want to avoid exposing the App Service's public endpoint. Which THREE actions should you take?

Select 2 answers
A.Configure an IP restriction on the App Service to allow only the on-premises public IP range.
B.Configure the App Service with a Private Endpoint.
C.Configure a Service Endpoint for App Service on the on-premises-connected subnet.
D.Upload a trusted root certificate to App Service to enforce client certificate authentication for on-premises clients.
E.Set the App Service's 'Public network access' to 'Disabled'.
AnswersB, E

Private Endpoint provides a private IP for the App Service within your VNet, accessible from on-premises via ExpressRoute.

Why this answer

To restrict access to only on-premises traffic without using the public endpoint, you can use an App Service Environment (ASE) with an internal load balancer, or use Private Endpoint. The combination of Private Endpoint, disabling public access, and restricting access to the ExpressRoute gateway IP range ensures only on-premises traffic can reach the app via Private Link.

581
MCQhard

You are designing a Microsoft Sentinel solution for a multinational company. The company requires that security incidents be correlated across regions, but data residency mandates require logs to remain in their original region. What should you implement?

A.Deploy one Microsoft Sentinel workspace per region and use cross-workspace querying for correlation
B.Deploy a separate Log Analytics workspace per region, but only one Sentinel workspace
C.Deploy a single Microsoft Sentinel workspace in a central region and use Azure Lighthouse
D.Deploy a single Microsoft Sentinel workspace and use data collection rules to filter logs
AnswerA

Cross-workspace querying allows correlation while keeping data resident.

Why this answer

Option A is correct because one Sentinel workspace per region with cross-workspace querying allows correlation while keeping data resident. Option B is wrong because a single workspace would violate data residency. Option C is wrong because a single workspace with a different data collection rule does not solve residency.

Option D is wrong because a different log analytics workspace per region is not correlated.

582
MCQmedium

Your company uses Azure Storage to store sensitive customer data. You need to ensure that only authorized applications running on Azure VMs can access the storage account without using shared keys or SAS tokens. What should you configure?

A.Use Azure AD authentication with storage account access keys.
B.Enable Azure Storage firewall, deny access from all networks, and add a private endpoint. Then assign a managed identity to the VMs and grant it the necessary RBAC role.
C.Configure a storage account key and distribute it to the applications.
D.Generate a SAS token with IP restrictions and embed it in the application code.
AnswerB

This configuration ensures access only from authorized VMs using managed identity, eliminating shared keys.

Why this answer

Option B is correct because Azure Storage firewall with service endpoints or private endpoints, combined with managed identity, allows secure access without shared keys or SAS tokens. Option A (storage account key) is a shared key. Option C (SAS token) is a shared access signature.

Option D (access keys) are shared keys.

583
Multi-Selectmedium

Which THREE of the following are features of Microsoft Defender for Cloud's Cloud Security Posture Management (CSPM)?

Select 3 answers
A.Vulnerability scanning of containers
B.Security recommendations for resources
C.Secure Score
D.Threat detection for VMs
E.Regulatory compliance assessments
AnswersB, C, E

CSPM generates recommendations to improve security.

Why this answer

Options A, B, and D are correct. Option A: Secure Score is a core CSPM feature. Option B: Regulatory compliance assessments are part of CSPM.

Option D: Security recommendations are a key output of CSPM. Option C is wrong because threat detection is part of Defender for Cloud's workload protection, not CSPM. Option E is wrong because vulnerability scanning is also a workload protection feature.

584
Multi-Selecthard

Which THREE are valid ways to trigger a playbook in Microsoft Sentinel? (Choose three.)

Select 3 answers
A.Manually from an incident by selecting 'Run playbook'.
B.From an automation rule when an incident is created.
C.From a watchlist item update.
D.From an entity page by clicking 'Investigate'.
E.From an automation rule when an alert is created.
AnswersA, B, E

Analysts can manually run playbooks from incidents.

Why this answer

Playbooks can be triggered automatically from alerts or incidents, and manually from incidents. Option A is wrong because playbooks cannot be triggered from watchlists. Option B is correct: automation rules can trigger playbooks on alert creation.

Option C is correct: automation rules can trigger on incident creation. Option D is correct: analysts can manually run a playbook from an incident. Option E is wrong because playbooks are not triggered from entity pages directly.

585
MCQhard

Your company is using Microsoft Defender for Cloud to monitor hybrid workloads that include on-premises servers and Azure VMs. You need to ensure that all servers are covered by the integrated vulnerability assessment solution (Microsoft Defender Vulnerability Management). What is the minimum requirement for on-premises servers?

A.They must have a site-to-site VPN connection to Azure and be registered in Azure Arc.
B.They must be part of an Active Directory domain and have the Log Analytics agent installed.
C.They must be connected to Azure via Azure Arc and have the Azure Monitor Agent installed.
D.They must be onboarded to Microsoft Defender for Cloud via Azure Arc and have the Microsoft Defender for Endpoint agent installed.
AnswerC

Azure Arc is required for hybrid servers, and Azure Monitor Agent enables vulnerability assessment.

Why this answer

Option D is correct because the integrated vulnerability assessment (Microsoft Defender Vulnerability Management) for on-premises servers requires that they are onboarded to Microsoft Defender for Cloud with Azure Arc and have the Azure Monitor Agent installed. Option A is wrong because Log Analytics agent is deprecated for Defender for Cloud. Option B is wrong because Defender for Cloud does not require a VPN.

Option C is wrong because Azure Arc is required for hybrid servers.

586
MCQhard

Your organization uses Microsoft Sentinel to detect threats across Azure, AWS, and on-premises environments. You need to create an analytics rule that will generate an incident when more than 10 failed logon attempts occur within 5 minutes from the same source IP. Which rule type should you use?

A.Near-real-time (NRT) rule
B.Fusion rule
C.ML Behavior Analytics rule
D.Scheduled query rule
AnswerA

NRT rules run every minute and are good for threshold alerts.

Why this answer

Option C is correct because NRT rules run near real-time and are ideal for threshold-based detection over short windows. Option A is wrong because scheduled rules have a delay and are not near real-time. Option B is wrong because ML Behavior Analytics uses machine learning, not static thresholds.

Option D is wrong because Fusion is for advanced multistage attacks.

587
MCQeasy

You need to ensure that all new blobs uploaded to an Azure Storage account are automatically encrypted at rest. What is the simplest way to achieve this?

A.Use Azure Disk Encryption on any VMs writing to storage.
B.Implement client-side encryption in the application.
C.Enable Azure Storage Service Encryption (SSE) on the storage account.
D.Configure a customer-managed key in Azure Key Vault.
AnswerC

SSE is enabled by default and encrypts all data.

Why this answer

Option A is correct because Azure Storage automatically encrypts all data at rest using Azure Storage Service Encryption (SSE). This is enabled by default and requires no configuration. Option B is wrong because customer-managed keys (CMK) are optional for additional control.

Option C is wrong because client-side encryption requires application changes. Option D is wrong because Azure Disk Encryption is for VM disks.

588
MCQmedium

You are deploying a new application on Azure VMs. The application must be encrypted at rest and during transmission. Which combination of features should you implement?

A.Azure Firewall and Azure Disk Encryption
B.Azure Disk Encryption and HTTPS
C.Azure Storage Service Encryption and SSL
D.Azure Disk Encryption and SSL
AnswerB

Disk Encryption secures data at rest; HTTPS secures data in transit.

Why this answer

Option C is correct because Azure Disk Encryption provides at-rest encryption for managed disks using BitLocker or DM-Crypt, while HTTPS ensures encryption in transit. Option A is wrong because Azure Storage Service Encryption only encrypts data in Azure Storage, not on VMs. Option B is wrong because SSL is for transit but Azure Disk Encryption is for at-rest.

Option D is wrong because Azure Firewall provides network security, not encryption.

589
MCQmedium

A company uses Azure Blob Storage to store archival data that is rarely accessed. The security policy requires that the data must be encrypted at rest using a unique Microsoft-managed key per storage account, and the data must be stored cost-effectively while allowing retrieval within 15 minutes. Which storage account type and encryption configuration should they choose?

A.BlockBlobStorage account with infrastructure encryption
B.BlobStorage account with Hot access tier and default encryption
C.General-purpose v2 account with Cool access tier and default encryption
D.General-purpose v1 account with Archive access tier and default encryption
AnswerC

GPv2 accounts support Cool tier (low cost, retrieval within minutes) and default SSE with unique Microsoft-managed keys.

Why this answer

Option C is correct because a General-purpose v2 (GPv2) storage account supports the Cool access tier, which is cost-effective for rarely accessed data, and uses default Microsoft-managed encryption keys (SSE) that are unique per storage account. The Cool tier allows data retrieval within minutes (typically under 15 minutes for blob rehydration), meeting the recovery time objective.

Exam trap

The trap here is that candidates often confuse the Archive tier's long retrieval time (up to 15 hours) with the Cool tier's near-instant access, or assume that a specialized account type like BlockBlobStorage is required for encryption features, when in fact default SSE on GPv2 meets the unique key requirement.

How to eliminate wrong answers

Option A is wrong because BlockBlobStorage accounts are optimized for high transaction rates and block blobs, not for archival data, and infrastructure encryption adds an extra layer of encryption but does not affect key uniqueness or cost-effectiveness. Option B is wrong because the Hot access tier is designed for frequently accessed data and incurs higher storage costs, making it unsuitable for rarely accessed archival data. Option D is wrong because General-purpose v1 accounts do not support access tiers (Hot/Cool/Archive) and the Archive tier has a retrieval time of up to 15 hours, which exceeds the 15-minute requirement.

590
MCQeasy

A company has established a site-to-site VPN connection between its on-premises network and an Azure virtual network using an Azure VPN gateway. The security team wants to confirm that all traffic crossing the VPN tunnel is encrypted. Which protocol does the Azure VPN gateway use to encrypt the data?

A.IPSec (Internet Protocol Security)
B.SSL (Secure Sockets Layer) / TLS (Transport Layer Security)
C.SSH (Secure Shell)
D.PGP (Pretty Good Privacy)
AnswerA

Azure VPN gateways use IPSec in tunnel mode with pre-shared key or certificate authentication to encrypt all traffic.

Why this answer

Azure VPN gateways use IPsec (Internet Protocol Security) in tunnel mode to encrypt all data traversing the site-to-site VPN tunnel. IPsec provides confidentiality, integrity, and authentication at the IP layer, ensuring that all traffic between the on-premises network and Azure virtual network is encrypted and secure.

Exam trap

The trap here is that candidates may confuse SSL/TLS-based VPNs (like OpenVPN) with IPsec-based site-to-site VPNs, but Azure VPN gateways exclusively use IPsec for site-to-site connections, not SSL/TLS.

How to eliminate wrong answers

Option B is wrong because SSL/TLS operates at the transport layer (Layer 4) and is used for securing web traffic (HTTPS), not for site-to-site VPN tunnels which require IP-layer encryption. Option C is wrong because SSH is a protocol for secure remote administration and file transfer, not for encrypting bulk network traffic across a VPN tunnel. Option D is wrong because PGP is an encryption program used for securing emails and files, not for network-layer VPN encryption.

591
MCQeasy

You are configuring security for an Azure App Service web app that connects to an Azure SQL Database. You need to ensure that the database connection string does not contain credentials in plaintext. What should you use?

A.Store the connection string in the web.config file with encryption.
B.Store the connection string in Azure Key Vault and use a Key Vault reference in the App Service application settings.
C.Store the connection string in Azure App Configuration with encryption.
D.Store the connection string in an App Service application setting without encryption.
AnswerB

This keeps credentials secure and managed centrally.

Why this answer

Option A is correct because Azure Key Vault securely stores secrets, and App Service can reference them via Key Vault references. Option B (App Service environment variable) can be seen in configuration. Option C (connection string in web.config) is plaintext.

Option D (App Configuration with encryption) is possible but Key Vault is the standard for secrets.

592
MCQhard

A compliance team wants evidence that Azure resources are evaluated against the Microsoft Cloud Security Benchmark. Which Defender for Cloud area should they use?

A.Regulatory compliance and security policy assignments
B.Microsoft Entra app consent settings
C.Azure Firewall DNAT rules
D.Log Analytics saved searches only
AnswerA

Correct for the stated requirement.

Why this answer

The Regulatory compliance dashboard in Microsoft Defender for Cloud provides continuous monitoring of Azure resources against the Microsoft Cloud Security Benchmark (MCSB). It maps built-in policy assignments to compliance controls, generates a compliance score, and offers remediation steps. This is the designated area for evidence of MCSB evaluation.

Exam trap

The trap here is that candidates may confuse the Regulatory compliance dashboard with general log querying or network security controls, overlooking that the MCSB is specifically enforced through Azure Policy initiatives within Defender for Cloud's compliance monitoring.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra app consent settings manage user consent for application permissions, not compliance evaluation against security benchmarks. Option C is wrong because Azure Firewall DNAT rules configure inbound network address translation for traffic, unrelated to compliance assessment. Option D is wrong because Log Analytics saved searches are used for querying log data, not for providing a structured compliance dashboard against the MCSB.

593
MCQhard

You have an Azure Kubernetes Service (AKS) cluster that needs to restrict egress traffic to specific Azure services (e.g., Azure Container Registry, Azure Monitor). You want a managed solution that allows you to define FQDN-based rules. Which Azure service should you use?

A.Azure Application Gateway
B.Azure Front Door
C.Network Security Groups (NSGs)
D.Azure Firewall
AnswerD

Azure Firewall supports FQDN-based rules for outbound traffic.

Why this answer

Option B is correct because Azure Firewall supports FQDN-based rules for outbound traffic, which can be used to restrict egress from AKS. Option A is wrong because NSGs only support IP-based rules, not FQDNs. Option C is wrong because Azure Application Gateway is for inbound traffic.

Option D is wrong because Azure Front Door is for global load balancing.

594
Multi-Selecthard

A security team uses Microsoft Defender for Cloud to centralize security alerts. They want to continuously export all security alerts to a Log Analytics workspace for long-term retention and custom analysis. Which two actions must be taken to achieve this? (Choose two that apply.)

Select 2 answers
A.Enable the continuous export feature in Microsoft Defender for Cloud.
B.Configure diagnostic settings for the subscription to export SecurityAlert logs to the Log Analytics workspace.
C.Create a Log Analytics workspace in the same region as the resources.
D.Assign an Azure Policy definition for 'Deploy export to Log Analytics workspace for Azure Security Center data'.
AnswersA, B

This feature must be turned on to stream alerts and recommendations to a destination like a Log Analytics workspace.

Why this answer

Option A is correct because Microsoft Defender for Cloud's continuous export feature allows you to stream security alerts and recommendations to a Log Analytics workspace or Event Hubs at the subscription or tenant level. This feature is designed specifically for ongoing export, supporting long-term retention and custom analysis without manual intervention.

Exam trap

The trap here is that candidates often confuse the continuous export feature with diagnostic settings for the subscription, but both are actually required—continuous export is the feature name, and diagnostic settings are the underlying mechanism—so the question expects you to recognize that enabling continuous export and configuring diagnostic settings are the same action described differently, making both A and B correct.

595
Multi-Selectmedium

Which TWO methods can be used to protect privileged accounts in Microsoft Entra ID? (Choose two.)

Select 2 answers
A.Enable external identities for guest users
B.Enable self-service password reset for all users
C.Register all devices with Azure AD
D.Create a Conditional Access policy that requires MFA for privileged roles
E.Configure Privileged Identity Management for just-in-time access
AnswersD, E

MFA adds protection for privileged accounts.

Why this answer

Option D is correct because requiring MFA for privileged roles via a Conditional Access policy adds a critical layer of security, ensuring that even if credentials are compromised, an attacker cannot authenticate without the second factor. This directly mitigates the risk of credential theft for high-privilege accounts. Option E is correct because Privileged Identity Management (PIM) provides just-in-time (JIT) access, reducing the attack surface by granting administrative roles only when needed and for a limited duration, with approval workflows and auditing.

Exam trap

The trap here is that candidates often confuse general security best practices (like SSPR or device registration) with specific privileged account protection mechanisms, overlooking that only MFA enforcement for privileged roles and JIT access via PIM directly reduce the standing privileges and credential exposure of high-value accounts.

596
MCQmedium

A security team uses Microsoft Sentinel. They want to automatically block a user's account in Azure AD when a high-severity incident is created in Sentinel indicating the user's credentials are compromised. Which automation feature should they use?

A.Create a playbook that uses the Azure AD connector to block the user, and associate it with an automation rule for high-severity incidents.
B.Configure the analytic rule for credential compromise to include a script that blocks the user as part of the rule.
C.Use a workbook to monitor incidents and manually block users.
D.Enable the 'User blocking' feature directly in the Microsoft Sentinel settings for all high-severity incidents.
AnswerA

Playbooks can automate response actions; automation rules trigger them based on incident properties.

Why this answer

Option A is correct because Microsoft Sentinel automation rules can trigger a playbook (an Azure Logic Apps workflow) when a high-severity incident is created. The playbook can use the Azure AD connector to call the Microsoft Graph API and block the user account, providing automated response to credential compromise without manual intervention.

Exam trap

The trap here is that candidates may think analytic rules can include scripts or that Sentinel has a native user-blocking toggle, but in reality, automated response requires a separate playbook triggered by an automation rule.

How to eliminate wrong answers

Option B is wrong because analytic rules in Sentinel define detection logic (KQL queries) and cannot contain scripts to perform actions like blocking users; actions are handled separately by automation rules and playbooks. Option C is wrong because workbooks are for visualization and reporting, not for automated response; they require manual monitoring and action, which does not meet the requirement for automatic blocking. Option D is wrong because Microsoft Sentinel does not have a built-in 'User blocking' feature in its settings; blocking users requires integration with Azure AD via a playbook or other external automation.

597
MCQeasy

You need to encrypt an Azure Storage account at rest using a customer-managed key stored in Azure Key Vault. Which feature should you enable?

A.Azure Information Protection
B.Azure Confidential Computing
C.Azure Disk Encryption
D.Azure Storage Service Encryption with customer-managed keys
AnswerD

SSE with CMK allows you to use your own Key Vault key for storage encryption.

Why this answer

Azure Storage Service Encryption (SSE) with customer-managed keys allows you to use your own keys from Key Vault. Option C is correct. Option A is wrong because Azure Disk Encryption is for VMs.

Option B is wrong because Azure Information Protection is for classification. Option D is wrong because Azure Confidential Computing protects data in use.

598
MCQmedium

Refer to the exhibit. You are configuring network access for an Azure Storage account. After applying this configuration, users report that they cannot access the storage account from their on-premises network (public IP: 198.51.100.50). What is the most likely reason?

A.The storage account is configured with a private endpoint
B.The bypass for AzureServices is not configured correctly
C.The virtual network rules are missing
D.The user's public IP address is not in the allowed IP rules
AnswerD

The IP rule only allows 203.0.113.0/24. The user's IP 198.51.100.50 is not allowed, so access is denied.

Why this answer

Option B is correct because the default action is Deny, and only the IP range 203.0.113.0/24 is allowed. The user's IP is 198.51.100.50, which is not in the allowed range. Option A is wrong because Azure Services bypass only affects trusted Azure services, not user IPs.

Option C is wrong because there are no virtual network rules. Option D is wrong because the storage account is not a private endpoint configuration.

599
Matchingmedium

Match each Azure AD Conditional Access component to its role.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Context such as user, location, device, and risk

Criteria like user group, app, or sign-in risk

Require MFA, compliant device, or approved app

Limit user session within apps (e.g., app enforced restrictions)

Define trusted IP ranges or countries

Why these pairings

Conditional Access policies enforce access controls based on conditions.

600
MCQhard

You are the security architect for a large enterprise that uses Microsoft Entra ID with 50,000 users. The company recently adopted a cloud-first strategy and is migrating on-premises applications to Azure. You need to design a secure identity and access solution that meets the following requirements: - All access to cloud applications must be authenticated using modern authentication protocols. - Legacy authentication protocols (such as POP3, IMAP4, SMTP, and basic authentication) must be blocked. - Users must be required to use multi-factor authentication (MFA) when accessing any application from outside the corporate network. - Administrative access to Azure resources must be time-bound and require approval. - The solution must minimize user friction for internal users on the corporate network. - All sign-in risks must be detected and automatically remediated. You have deployed Microsoft Entra ID P2 licensing and configured Microsoft Defender for Cloud Apps. Which of the following is the most appropriate combination of actions to meet all requirements?

A.Enable Security defaults for all users and configure risk-based Conditional Access policies for admin roles. Use PIM for time-bound access.
B.Configure device compliance policies in Intune and require compliant devices for access. Use PIM with time-bound roles but without approval. Enable Identity Protection for risk detection.
C.Create a Conditional Access policy to require MFA for all cloud apps and allow legacy authentication for non-interactive service accounts. Use PIM without approval for admin roles.
D.Create a Conditional Access policy to block legacy authentication and require MFA for all users when accessing from outside the corporate network. Exclude trusted locations from MFA. Use PIM with approval for admin roles. Enable Identity Protection for risk detection and automatic remediation.
AnswerD

This meets all requirements: blocks legacy auth, requires MFA for external access, uses trusted locations to minimize friction for internal users, PIM with approval for time-bound admin access, and Identity Protection for risk remediation.

Why this answer

Option B is correct because it addresses all requirements: Conditional Access policies block legacy auth, require MFA from outside, and include trusted locations for no MFA. PIM provides time-bound admin access with approval. Identity Protection detects and remediates risks.

Option A is wrong because Security defaults would block legacy auth but enforce MFA globally, causing friction for internal users. Option C is wrong because allowing legacy auth for some users violates the requirement to block all legacy auth. Option D is wrong because device compliance does not block legacy auth, and PIM without approval does not meet the approval requirement.

Page 7

Page 8 of 14

Page 9