Microsoft Azure Security Engineer Associate (AZ-500) — Questions 601–675

1000 questions total · 14 pages · All types, answers revealed

Page 9 of 14
601
Multi-Select · easy

Which TWO of the following are authentication methods supported by Microsoft Entra ID?

Select 2 answers
A. Certificate-based authentication (CBA)
B. Security questions
C. Smart card with PIN
D. OAuth 2.0 authorization code flow
E. SMS-based one-time passcode
Answers: A, E

Both are configurable under the Entra ID authentication methods policy; Entra CBA is a cloud-native method and is not limited to federated domains.

Why this answer

Certificate-based authentication (CBA) is a supported authentication method in Microsoft Entra ID that lets users authenticate with X.509 certificates issued by a certificate authority (CA) the tenant has been configured to trust. It is commonly used for passwordless, phishing-resistant sign-in, especially in environments where smart cards or device certificates are already deployed. Entra ID validates the certificate chain against the uploaded CA, maps the certificate to a user object (for example through the principal name or subject), and completes the sign-in without a password. SMS-based one-time passcodes are likewise a configurable sign-in method in Entra ID (as well as an MFA method), which makes E the second correct choice; they are far weaker than CBA and should be restricted to users who have no better option.

Exam trap

The trap here is that candidates confuse authentication methods with authorization protocols (OAuth 2.0 is a framework for delegated authorization, not a way a user proves identity to Entra ID) or confuse legacy on-premises or self-service password reset constructs (security questions) with cloud sign-in methods, leading them to select options that are not authentication methods in the Entra ID context. "Smart card with PIN" describes a credential form factor; in Entra ID it is delivered through CBA (option A) rather than listed as a separate method.

602
Multi-Select · medium

A security engineer needs to collect custom application logs from Azure VMs using Azure Monitor Agent for Sentinel analysis. Which two components are required?

Select 2 answers
A. A Data Collection Rule that defines the custom log collection
B. A storage account configured for static website hosting
C. Association of the Data Collection Rule with the target machines
D. A Conditional Access policy requiring MFA
Answers: A, C

Correct for the stated requirement.

Why this answer

A Data Collection Rule (DCR) is required to define the source (the file pattern to tail), the schema, any KQL transformation, and the destination table for custom log data ingested by Azure Monitor Agent. Without a DCR, the agent has no configuration telling it which custom logs to collect or how to process them. The DCR by itself does nothing until it is associated with machines: a Data Collection Rule Association (DCRA) links the rule to each VM (directly, or at scale through an Azure Policy assignment), and only associated machines start tailing the file and shipping rows to the workspace that Sentinel reads. The custom table, of type Custom-<name>_CL, must also exist in the workspace before the DCR can target it.

Exam trap

The trap here is that candidates may confuse storage accounts (used by the Azure Diagnostics extension or legacy agents) with the modern Azure Monitor Agent requirement, or mistakenly think Conditional Access policies are relevant to log ingestion.

603
MCQ · easy

You need to ensure that an Azure Storage account's blob data is encrypted at rest using a customer-managed key (CMK) stored in Azure Key Vault. What should you do first?

A. Generate a random 256-bit key and store it in the storage account.
B. Create an Azure Key Vault with soft-delete and purge protection enabled.
C. Create a system-assigned managed identity for the storage account.
D. Enable Azure Information Protection for the storage account.
Answer: B

These features are required for CMK support.

Why this answer

Option B is correct because a storage account will only accept a customer-managed key from a Key Vault (or Managed HSM) that has soft-delete and purge protection enabled; this guards against a deleted or purged key rendering every blob unreadable. Only after the vault and key exist can you point the storage account's encryption settings at that key. Option A is wrong because a key generated locally and kept in the storage account is not a customer-managed key; CMK means the key lives in Key Vault and the storage service wraps its data encryption keys with it.

Option C is a later step: the storage account needs a managed identity (system-assigned or user-assigned) that is granted get, wrapKey and unwrapKey permissions on the key, but that grant cannot be made until the vault and key exist. Option D is wrong because Azure Information Protection is for classifying and labeling documents, not for encrypting storage at rest.

604
Multi-Select · easy

Which TWO Azure services can be used to distribute incoming traffic across multiple virtual machines in a backend pool while providing layer 7 load balancing? (Choose two.)

Select 2 answers
A. Azure Load Balancer
B. Azure Application Gateway
C. Azure Traffic Manager
D. Azure VPN Gateway
E. Azure Front Door
Answers: B, E

Application Gateway and Front Door are both layer 7 (HTTP/HTTPS) load balancers.

Why this answer

Azure Application Gateway is a regional layer 7 load balancer that can distribute incoming traffic across multiple virtual machines in a backend pool based on HTTP/HTTPS attributes such as URL path, host headers, and cookies. It also provides TLS termination, a Web Application Firewall (WAF), and session affinity, making it suitable for web application traffic. Azure Front Door is the global counterpart: it terminates HTTP/HTTPS at Microsoft's edge, routes by host and path, supports a WAF policy, and forwards to public backends (for example the public IP of an Application Gateway or load balancer that fronts the VMs).

Exam trap

The trap here is that candidates often confuse Azure Load Balancer (layer 4) with Azure Application Gateway (layer 7), assuming both can perform HTTP-based routing, but only Application Gateway and Front Door can inspect and route on application-layer data. Traffic Manager is a DNS-based traffic director and never sees the HTTP request, and VPN Gateway is for site-to-site and point-to-site connectivity, not load balancing.

605
MCQ · easy

You are configuring Microsoft Defender for Cloud for a multi-subscription environment. You need to ensure that security alerts are aggregated in a central location and that a single team can manage recommendations across all subscriptions. What should you use?

A. Use a resource group to collect all security resources.
B. Use a single Log Analytics workspace for all subscriptions.
C. Assign a management group to aggregate security data.
D. Create a single subscription for all resources.
Answer: C

Management groups enable cross-subscription management and alert aggregation.

Why this answer

Option C is correct because a management group gives one scope above the subscriptions: Defender plans and security policies can be applied there through Azure Policy and are inherited by every child subscription, and the Defender for Cloud portal shows alerts and recommendations for all subscriptions under that scope to a team granted Security Admin or Security Reader at the management group. Option B is wrong because a shared Log Analytics workspace stores log data, but Defender for Cloud alerts and recommendations are organized per subscription, not per workspace. Option D is wrong because consolidating everything into one subscription is neither practical nor required.

Option A is wrong because a resource group sits below a subscription and cannot span subscriptions.

606
Multi-Select · hard

You need to monitor network traffic to detect anomalies and potential security threats. Which THREE Azure services can you use to achieve this? (Choose three.)

Select 3 answers
A. Microsoft Sentinel
B. Azure Monitor Metrics
C. Azure Firewall logs
D. Azure Policy
E. Azure Network Watcher
Answers: A, C, E

Sentinel can analyze network logs for threats.

Why this answer

Options A, C, and E are correct. Network Watcher provides packet capture, NSG and VNet flow logs, and Traffic Analytics. Azure Firewall logs (network, application and DNS proxy rule logs) record every allowed and denied flow that traverses the firewall. Microsoft Sentinel ingests both through data connectors and runs scheduled analytics rules over them to surface port scans, beaconing and unusual outbound volumes.

Option D is wrong because Azure Policy is for compliance, not monitoring. Option B is wrong because Azure Monitor Metrics captures platform and performance counters (bytes in/out, packets dropped) rather than per-flow data, so it cannot tell you who talked to whom.
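As an added example (not part of the original question set and not Microsoft code), the following Python script shows the kind of detection logic a SOC would run over Network Watcher NSG flow-log tuples, whether inside Sentinel as KQL or, as here, offline. The tuples are constructed samples; the 13-field v2 layout, the thresholds and the function names are this example's assumptions.

```python
"""Detection over constructed NSG flow-log tuples (Network Watcher v2 layout, assumed).

Added example; not taken from the question set or from Microsoft. Thresholds,
function names and the sample data are assumptions made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample tuples in the assumed v2 "flowTuples" field order:
# time,srcIp,dstIp,srcPort,dstPort,proto,direction,decision,
# flowState,pktsSrcToDst,bytesSrcToDst,pktsDstToSrc,bytesDstToSrc
# (counters are blank for denied flows, since no session was ever established)
SAMPLE_TUPLES = [
    "1700000000,203.0.113.7,10.0.0.4,51000,22,T,I,D,B,,,,",
    "1700000001,203.0.113.7,10.0.0.4,51001,23,T,I,D,B,,,,",
    "1700000002,203.0.113.7,10.0.0.4,51002,3389,T,I,D,B,,,,",
    "1700000003,203.0.113.7,10.0.0.4,51003,445,T,I,D,B,,,,",
    "1700000004,203.0.113.7,10.0.0.4,51004,1433,T,I,D,B,,,,",
    "1700000005,203.0.113.7,10.0.0.4,51005,8080,T,I,D,B,,,,",
    "1700000010,198.51.100.9,10.0.0.4,40000,443,T,I,A,E,12,3400,10,9000",
    "1700000020,10.0.0.4,192.0.2.50,50000,443,T,O,A,E,5000,900000000,4000,300000",
    "1700000030,10.0.0.5,192.0.2.60,50001,443,T,O,A,E,20,5000,18,7000",
]


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    sport: int
    dport: int
    proto: str       # "T" tcp or "U" udp
    direction: str   # "I" inbound or "O" outbound, relative to the NIC
    decision: str    # "A" allowed or "D" denied by the NSG
    state: str       # "B" begin, "C" continuing, "E" end
    bytes_out: int   # bytes src -> dst (0 when the field is blank)


def _int_or_zero(field: str) -> int:
    return int(field) if field else 0


def parse_tuple(raw: str) -> Flow:
    """Parse one flow tuple; rejects records with the wrong field count."""
    f = raw.split(",")
    if len(f) != 13:
        raise ValueError(f"expected 13 fields, got {len(f)}: {raw!r}")
    return Flow(int(f[0]), f[1], f[2], int(f[3]), int(f[4]),
                f[5], f[6], f[7], f[8], _int_or_zero(f[10]))


def parse_flows(raw_tuples):
    return [parse_tuple(t) for t in raw_tuples]


def detect_port_scans(flows, min_ports=5, window_s=60):
    """Sources whose denied inbound flows hit >= min_ports distinct ports within window_s.

    Returns {src_ip: distinct_ports_in_worst_window}.
    """
    denied = defaultdict(list)
    for fl in flows:
        if fl.direction == "I" and fl.decision == "D":
            denied[fl.src].append(fl)
    hits = {}
    for src, fls in denied.items():
        fls.sort(key=lambda x: x.ts)
        worst = 0
        for i, first in enumerate(fls):
            # distinct destination ports in the window that starts at this flow
            ports = {g.dport for g in fls[i:] if g.ts - first.ts < window_s}
            worst = max(worst, len(ports))
        if worst >= min_ports:
            hits[src] = worst
    return hits


def detect_large_outbound(flows, max_bytes=100_000_000):
    """Allowed outbound flows that pushed more than max_bytes src -> dst (exfiltration hint)."""
    return [(fl.src, fl.dst, fl.bytes_out)
            for fl in flows
            if fl.direction == "O" and fl.decision == "A" and fl.bytes_out > max_bytes]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_TUPLES)
    print("port scans:", detect_port_scans(flows))
    print("large outbound:", detect_large_outbound(flows))
```

On the sample, 203.0.113.7 is flagged for probing six ports within a few seconds, and the 900 MB outbound flow from 10.0.0.4 is flagged as a volume outlier; the same two rules are the usual first analytics rules written over the AzureNetworkAnalytics_CL or NTANetAnalytics tables once the logs are in Sentinel.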

607
Multi-Select · medium

You need to protect Azure SQL Database from SQL injection attacks. Which TWO measures should you implement? (Choose TWO.)

Select 2 answers
A. Use Always Encrypted for sensitive columns.
B. Deploy Azure Web Application Firewall (WAF) in front of the application.
C. Enable Transparent Data Encryption (TDE).
D. Enable SQL Server auditing.
E. Use parameterized queries in application code.
Answers: B, E

WAF can inspect and block SQL injection attempts at the network edge.

Why this answer

Option E (parameterized queries) and Option B (web application firewall) are correct. Parameterized queries prevent SQL injection by sending user input to the database as bound values that can never be parsed as SQL syntax; this is the actual fix. A WAF (on Application Gateway or Front Door, with the OWASP Core Rule Set) adds defense in depth by detecting and blocking known injection patterns in HTTP requests, but it is signature-based and can be evaded, so it does not replace parameterization.

Option C (TDE) encrypts data files at rest and has no effect on injection. Option A (Always Encrypted) keeps sensitive column values opaque to the server but does not stop an injected query from running. Option D (auditing) records events for later investigation but does not prevent the attack.

608
MCQ · medium

Your organization uses Microsoft Defender for Cloud to protect Azure VMs. You notice that some VMs are not reporting security data. You verify that the Log Analytics agent is installed and running. What is the most likely cause?

A. The VMs are using the legacy Log Analytics agent instead of the Azure Monitor Agent
B. Auto-provisioning is disabled for the subscription
C. The VMs are running an unsupported operating system
D. The VMs do not have network connectivity to the Log Analytics workspace
Answer: A

The legacy agent is retired and no longer feeds Defender for Cloud.

Why this answer

Option A is correct because the Log Analytics agent (MMA) was retired in August 2024 and the Azure Monitor Agent (AMA) is the current agent; Defender for Servers now relies on AMA and agentless scanning, so a VM that only has MMA running stops delivering security data even though the agent process looks healthy. Option D is wrong because a connectivity failure would show as a disconnected or unhealthy agent rather than a running one.

Option C is wrong because the agent would not be running on an unsupported operating system. Option B is wrong because auto-provisioning only controls whether agents get deployed; it makes no difference once an agent is already installed.

609
Multi-Select · hard

Which THREE features are part of Microsoft Defender XDR (formerly Microsoft 365 Defender) integration with Microsoft Sentinel?

Select 3 answers
A. Integration with Microsoft Defender for Cloud Apps to block downloads.
B. Integration with Microsoft Purview for data classification.
C. Automatic triggering of Microsoft 365 Defender playbooks from Sentinel.
D. Correlation of alerts into incidents across Microsoft 365 Defender sources.
E. Ingestion of advanced hunting data from Microsoft 365 Defender into Sentinel.
Answers: C, D, E

Correct: playbooks can be triggered.

Why this answer

Option C is correct because Microsoft Sentinel can automatically trigger playbooks (Logic Apps workflows) through automation rules when incidents or alerts arrive from Microsoft Defender XDR. This lets security teams respond to threats across email, endpoint, and identity without manual intervention, using Sentinel's orchestration capabilities. Option D is correct because the Defender XDR connector synchronizes incidents bi-directionally and keeps the alerts from Defender for Endpoint, Defender for Office 365, Defender for Identity and Defender for Cloud Apps grouped into the same incident on both sides, so status, owner and closing reason stay consistent. Option E is correct because the same connector can stream the raw advanced hunting tables (for example DeviceEvents, DeviceNetworkEvents and EmailEvents) into the Log Analytics workspace, where they can be queried with KQL alongside non-Microsoft data and retained longer than the 30 days Defender XDR keeps.

Exam trap

The trap here is that candidates may confuse general Microsoft 365 security features (like Purview classification or Defender for Cloud Apps download blocking) with the specific integration capabilities between Microsoft Defender XDR and Microsoft Sentinel, which cover alert and incident ingestion, incident correlation and synchronization, raw-data ingestion, and automated response via playbooks.

610
MCQ · medium

Your organization uses Microsoft Defender for Cloud to secure a multi-subscription environment. You have a subscription named 'Prod' that hosts critical applications. The security team requires that any new resource group created in the Prod subscription must automatically be protected by Microsoft Defender for Cloud at the 'Defender for Servers' plan P2 level. You need to implement a solution that ensures this compliance without manual intervention. You consider using Azure Policy, Azure Blueprints, or management group settings. Which option should you choose?

A. Create an Azure Blueprint that includes the 'Defender for Servers' plan P2 assignment and assign it to the 'Prod' subscription.
B. Use Azure Resource Manager tags on resource groups to indicate 'ProtectionRequired', and configure a custom automation runbook to enable the plan.
C. Create an Azure Policy definition that deploys the 'Defender for Servers' plan P2 and assign it to the 'Prod' subscription with scope 'resource group'.
D. Use a management group structure where the 'Prod' subscription is under a 'Production' management group, and enable the 'Defender for Servers' plan P2 at the management group level.
Answer: D

Management group inheritance automatically covers every subscription, and therefore every resource group, underneath it.

Why this answer

Option D is correct because settings applied at the management group are inherited by every subscription beneath it, including subscriptions added later, and a Defender plan is enabled per subscription, so every existing and new resource group in Prod is covered automatically. In practice this is done by assigning the built-in DeployIfNotExists policy 'Configure Microsoft Defender for Servers to be enabled' at the Production management group, which turns the plan on in each child subscription and remediates any that drift. Option A is wrong because Azure Blueprints are deprecated in favor of Template Specs and Deployment Stacks, and a blueprint assignment does not re-apply to new resource groups. Option C is wrong because Defender plans are enabled at subscription scope, not resource group scope, so a policy assignment scoped to resource groups has nothing to deploy.

Option B is wrong because tagging does not enable Defender plans; it only labels resources, and a custom runbook is manual engineering where a built-in control exists.

611
MCQ · hard

A company uses Azure SQL Database with Transparent Data Encryption (TDE) protected by a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault has a firewall enabled that denies all public network access. The SQL server is in the same region and has a system-assigned managed identity with the 'Key Vault Crypto Service Encryption User' role assigned at the key scope. However, TDE operations fail because the SQL server cannot access the Key Vault. What additional configuration is required to allow the SQL server to access the Key Vault for TDE operations?

A. Configure a private endpoint for the SQL server to the Key Vault.
B. Enable the 'Allow trusted Microsoft services to bypass the firewall' setting on the Key Vault.
C. Change the Key Vault firewall to allow all Azure services.
D. Create a VNet service endpoint for Microsoft.KeyVault on the SQL server's subnet.
Answer: B

This setting allows trusted Azure services, including Azure SQL Database, to access the Key Vault even when the firewall is enabled. Since the SQL server's managed identity already has the cryptographic role, this is the missing piece to allow TDE operations.

Why this answer

Option B is correct because when Azure Key Vault has a firewall that denies all public network access, the 'Allow trusted Microsoft services to bypass this firewall' setting is required for Azure SQL Database (a trusted Microsoft service) to authenticate using its system-assigned managed identity and access the customer-managed key for TDE. This setting allows the SQL server to reach the Key Vault over the Microsoft backbone network without requiring a private endpoint or VNet integration, as the service is explicitly trusted by Azure.

Exam trap

The trap here is that candidates often assume a private endpoint or VNet service endpoint is always required for Key Vault access when firewalls are enabled, but they overlook the 'Allow trusted Microsoft services' bypass which is specifically designed for Azure PaaS services like SQL Database to access Key Vault without additional network configuration.

How to eliminate wrong answers

Option A is wrong because configuring a private endpoint for the SQL server to the Key Vault would require the SQL server to be in a VNet with a private endpoint connection, but the SQL server is not VNet-injected by default and the question does not indicate VNet integration; additionally, the system-assigned managed identity and role assignment are already in place, so the issue is firewall bypass, not network connectivity. Option C is wrong because 'Allow all Azure services' is a legacy setting that is overly permissive and deprecated in favor of the more specific 'Allow trusted Microsoft services' option; it would also allow all Azure services, not just trusted ones, which violates least-privilege principles. Option D is wrong because a VNet service endpoint for Microsoft.KeyVault on the SQL server's subnet would only help if the SQL server were deployed in a VNet (which it is not by default for Azure SQL Database), and service endpoints do not bypass the Key Vault firewall's deny-all rule unless the firewall explicitly allows the specific VNet/subnet, which is not mentioned.

612
Multi-Select · easy

You are configuring Azure DDoS Network Protection for your VNet. Which TWO benefits does enabling DDoS Protection Standard provide?

Select 2 answers
A. Integration with Azure Firewall for packet inspection.
B. Adaptive tuning to baseline traffic patterns.
C. Application-layer (Layer 7) protection via integrated WAF.
D. Vulnerability scanning for web applications.
E. Cost protection for scaled resources during an attack.
Answers: B, E

DDoS Protection Standard (now named DDoS Network Protection) learns normal traffic patterns per public IP and adjusts mitigation thresholds automatically.

Why this answer

DDoS Protection Standard provides adaptive tuning based on observed traffic patterns and cost protection (service credits for the scale-out and data-transfer costs incurred during a documented attack). It does not include a WAF (that comes from Application Gateway or Front Door) and does not scan applications for vulnerabilities; it mitigates volumetric and protocol attacks at layers 3 and 4. Azure Firewall is a separate service and does not participate in DDoS mitigation.

613
MCQ · medium

You are investigating a security incident in Microsoft Sentinel. A KQL query returns results indicating that a user logged in from an IP address that is not in the organization's approved list. The user's account has been compromised. You need to automatically disable the user account in Microsoft Entra ID when such an alert is triggered. What should you configure?

A. Configure an Azure Policy that disables the user account.
B. Use Microsoft Defender for Cloud to automatically disable the account.
C. Create a Power Automate flow triggered by the Sentinel alert.
D. Create a playbook in Microsoft Sentinel with a Logic Apps connector to Microsoft Entra ID.
Answer: D

Correct. Playbooks can automate response actions like disabling a user.

Why this answer

Option D is correct because Microsoft Sentinel can use automation rules with playbooks (based on Azure Logic Apps) to trigger actions like disabling a user in Microsoft Entra ID. Option A is wrong because Azure Policy cannot disable user accounts. Option B is wrong because Microsoft Defender for Cloud does not manage Entra ID user accounts.

Option C is wrong because Power Automate is not natively integrated with Sentinel for this purpose.

614
MCQ · medium

A company uses Microsoft Defender for Cloud to protect its hybrid workloads. Security administrators report that critical alerts for SQL servers are not appearing in the Defender for Cloud dashboard. The SQL servers are on-premises and have Azure Arc enabled. Which configuration step should be verified first?

A. Deploy the Log Analytics agent to the SQL servers
B. Configure Azure Firewall logs for SQL traffic
C. Assign the 'Configure Azure Defender for SQL agents on virtual machines' policy
D. Enable the 'SQL servers on machines' plan in Microsoft Defender for Cloud
Answer: D

The plan for SQL servers on machines must be enabled at the subscription level before any alerts can be produced for on-premises SQL servers.

Why this answer

Option D is correct because, for on-premises SQL servers connected through Azure Arc, the machines must appear as Arc-enabled SQL Server resources and the 'SQL servers on machines' plan must be enabled on the subscription those Arc resources belong to; with the plan off, no Defender for SQL extension is provisioned and no alerts are generated. Option C is wrong because that policy deploys the agent components, but it only has an effect once the plan is on, so it is the second thing to check. Option A is wrong because the Log Analytics agent was retired in 2024; the plan now auto-provisions the Azure Monitor Agent and the SQL extension.

Option B is wrong because Azure Firewall logs are unrelated to SQL-specific alerts.

615
MCQ · hard

Refer to the exhibit. You are evaluating an Azure Policy definition. What is the effect of this policy when assigned to a subscription?

A. It audits virtual networks to ensure they have a network security group attached.
B. It denies the creation of any virtual network because it always has subnets.
C. It denies virtual networks that have any subnet with a service endpoint.
D. It denies the creation of virtual networks that do not have subnets.
Answer: B

A virtual network deployed for any practical purpose carries at least one subnet, so this policy denies effectively all virtual network deployments.

Why this answer

The policy denies any virtual network that has a subnet defined. Its condition tests only whether the subnets alias exists ('exists': 'true') and applies the deny effect when it does; it never inspects what is inside the subnets, so it cannot be checking for NSGs (option A) or service endpoints (option C), and it is the opposite of option D. A rule that actually wanted to require NSGs would use a count expression over the subnets array with a 'where' clause on the NSG id, not a bare exists check.
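Because the exhibit itself is not reproduced on the page, the following Python script (an added example, not the exhibit and not Microsoft's policy engine) reconstructs the rule the explanation describes as a hypothetical definition, places the count/where form that requires an NSG beside it, and evaluates both against constructed VNets with a small evaluator. The alias for the subnet NSG id and the flat resource model are assumptions; the real engine resolves aliases against the ARM payload.

```python
"""Toy evaluator for Azure Policy 'if' blocks, showing why the exhibit policy denies every VNet.

Added example; not the page's exhibit and not Microsoft's engine. POLICY_DENY_ANY_SUBNET
is a reconstruction from the explanation. Resources are flat dicts whose keys follow the
alias paths (…/subnets[*] -> resource["subnets"]); the real engine resolves aliases
against the ARM payload, which this toy does not attempt.
"""
VNET_TYPE = "Microsoft.Network/virtualNetworks"
ALIAS_PREFIX = VNET_TYPE + "/"

# Hypothetical reconstruction of the exhibit: deny when the subnets alias exists.
POLICY_DENY_ANY_SUBNET = {
    "if": {"allOf": [
        {"field": "type", "equals": VNET_TYPE},
        {"field": ALIAS_PREFIX + "subnets[*]", "exists": "true"},
    ]},
    "then": {"effect": "deny"},
}

# What the author presumably wanted: deny when any subnet lacks an NSG (count/where form;
# the NSG alias name is assumed).
POLICY_REQUIRE_NSG = {
    "if": {"allOf": [
        {"field": "type", "equals": VNET_TYPE},
        {"count": {
            "field": ALIAS_PREFIX + "subnets[*]",
            "where": {"field": ALIAS_PREFIX + "subnets[*].networkSecurityGroup.id",
                      "exists": "false"},
        }, "greater": 0},
    ]},
    "then": {"effect": "deny"},
}


def _get(obj, dotted):
    """Walk a dotted path through nested dicts; None when any hop is missing."""
    for part in [p for p in dotted.split(".") if p]:
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def _split_alias(alias):
    """Strip the resource-type prefix and split at [*] into (array path, per-element path)."""
    path = alias[len(ALIAS_PREFIX):] if alias.startswith(ALIAS_PREFIX) else alias
    if "[*]" in path:
        head, tail = path.split("[*]", 1)
        return head, tail.lstrip(".")
    return path, None


def resolve(resource, alias):
    """Value at an alias; a [*] alias yields one value per array element, or None if absent."""
    head, tail = _split_alias(alias)
    if tail is None:
        return _get(resource, head)
    items = _get(resource, head)
    if not isinstance(items, list):
        return None
    return [_get(item, tail) for item in items]


def _present(value):
    # For [*] aliases: present only if the array is non-empty and every element resolves.
    if isinstance(value, list):
        return len(value) > 0 and all(v is not None for v in value)
    return value is not None


def evaluate(cond, resource):
    if "allOf" in cond:
        return all(evaluate(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource)
    if "count" in cond:
        spec = cond["count"]
        head, _ = _split_alias(spec["field"])
        items = _get(resource, head)
        # 'where' is evaluated per element, with the [*] alias scoped to that single element.
        n = 0 if not isinstance(items, list) else sum(
            1 for item in items if evaluate(spec["where"], {**resource, head: [item]}))
        if "greater" in cond:
            return n > cond["greater"]
        if "less" in cond:
            return n < cond["less"]
        return n == cond["equals"]
    value = resolve(resource, cond["field"])
    if "equals" in cond:
        vals = value if isinstance(value, list) else [value]
        return len(vals) > 0 and all(v == cond["equals"] for v in vals)
    if "exists" in cond:
        return _present(value) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def effect_for(policy, resource):
    """'deny' when the rule matches, otherwise 'allow' (no effect)."""
    return policy["then"]["effect"] if evaluate(policy["if"], resource) else "allow"


# Constructed resources in the flat alias-style model.
VNET_ALL_NSG = {"type": VNET_TYPE, "subnets": [
    {"name": "web", "networkSecurityGroup": {"id": "/nsg/web"}}]}
VNET_MISSING_NSG = {"type": VNET_TYPE, "subnets": [
    {"name": "web", "networkSecurityGroup": {"id": "/nsg/web"}}, {"name": "db"}]}
VNET_NO_SUBNETS = {"type": VNET_TYPE, "subnets": []}
STORAGE = {"type": "Microsoft.Storage/storageAccounts"}

if __name__ == "__main__":
    for name, res in [("all-nsg", VNET_ALL_NSG), ("missing-nsg", VNET_MISSING_NSG),
                      ("no-subnets", VNET_NO_SUBNETS), ("storage", STORAGE)]:
        print(f"{name:12s} exhibit={effect_for(POLICY_DENY_ANY_SUBNET, res):5s} "
              f"require_nsg={effect_for(POLICY_REQUIRE_NSG, res)}")
```

The exhibit-style rule denies the fully compliant VNet as readily as the non-compliant one, which is the behaviour option B describes; the count/where form denies only the VNet whose 'db' subnet has no NSG.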

616
MCQ · easy

You are configuring Microsoft Defender for Cloud to protect your Azure virtual machines. You need to enable just-in-time (JIT) VM access to reduce the attack surface. What prerequisite must be met?

A. Configure Microsoft Defender for Cloud Apps with the VMs as connected.
B. Enable the Defender for Cloud 'JIT' plan.
C. Deploy Azure Bastion in the same virtual network.
D. Enable Microsoft Defender for Servers Plan 2.
Answer: D

JIT is available only with Defender for Servers Plan 2.

Why this answer

Option D is correct because JIT VM access is a feature of Microsoft Defender for Servers Plan 2 on the subscription that contains the VMs. Option B is wrong because there is no separate 'JIT' plan in Defender for Cloud. Option C is wrong because Azure Bastion is a separate service for browser-based RDP/SSH; it complements JIT but is not a prerequisite.

Option A is wrong because Microsoft Defender for Cloud Apps is for SaaS applications, not VMs.

617
MCQ · medium

Your company deploys Microsoft Sentinel for security operations. You need to configure just-in-time (JIT) access for Azure VMs. Which Azure security feature should you integrate with Sentinel?

A. Microsoft Defender for Cloud
B. Azure Policy
C. Azure Firewall
D. Microsoft Entra Privileged Identity Management
Answer: A

Defender for Cloud includes JIT VM access, and its alerts and recommendations flow into Sentinel.

Why this answer

Microsoft Defender for Cloud provides the just-in-time (JIT) VM access capability, which can be integrated with Microsoft Sentinel for automated threat response. When a security incident is detected in Sentinel, a playbook can call Defender for Cloud to lock down or open specific management ports (e.g., RDP 3389, SSH 22) for a defined time window and from a defined source, reducing the attack surface. This relies on the JIT policy configured in Defender for Cloud at the subscription or VM level, not on external network controls or identity governance.

Exam trap

The trap here is that candidates confuse just-in-time network access (JIT VM access) with just-in-time privileged role activation (PIM), because both use the term 'just-in-time' but operate at completely different layers, network versus identity.

How to eliminate wrong answers

Option B (Azure Policy) is wrong because Azure Policy enforces compliance rules (e.g., auditing that JIT is enabled) but does not itself grant or manage time-bound network access; it is a governance tool, not an access control mechanism. Option C (Azure Firewall) is wrong because Azure Firewall on its own has no time-bound access workflow; JIT works by having Defender for Cloud write deny rules for the protected ports into the VM's NSG (and, where the VM sits behind one, into Azure Firewall) and then temporarily open them on an approved request. Option D (Microsoft Entra Privileged Identity Management) is wrong because PIM manages just-in-time activation of Entra ID roles and Azure resource roles (e.g., Contributor), not network-level access to VM ports; it controls who can administer resources, not how traffic reaches the VM.

618
MCQ · medium

A security analyst reports that a high-priority alert in Microsoft Sentinel for 'Malware detected on VM' was closed without investigation. You need to ensure that all alerts of severity High and above cannot be closed without adding a comment. What should you configure in Sentinel?

A. Modify the 'Analytics rule settings' to require a closing comment for high severity.
B. Enable UEBA (User and Entity Behavior Analytics) to track closure patterns.
C. Create an automation rule that sets the incident severity and requires a comment when closing.
D. Configure a playbook that checks for comments before closing.
Answer: A

Sentinel analytics rules have a setting to require closing comments for specified severity levels.

Why this answer

Sentinel lets you set the minimum severity level for which a closing comment is required in the analytics rule settings. Option B is wrong because UEBA profiles user and entity behavior to score anomalies; it has nothing to do with how incidents are closed. Option C is wrong because automation rules can change severity, add tags or run playbooks when an incident is updated, but they cannot block a closure until a comment is present.

Option D is wrong because playbooks automate response after the fact; they cannot prevent an analyst from closing an incident.

619
MCQ · medium

What is the primary purpose of this KQL query?

A. Check for alerts that have been automatically resolved
B. Identify alerts with high false positive rates over the last 7 days
C. Correlate alerts with Microsoft Defender for Cloud incidents
D. Identify the most common alert types by severity over the last week
Answer: D

The query counts alerts by name and severity over the last 7 days and sorts by count.

Why this answer

The query summarizes alerts by AlertName and AlertSeverity and orders by count descending, which surfaces the most frequent alert types per severity, so option D is correct. Option A is wrong because the query does not filter on status or resolution. Option B is wrong because nothing in it computes a false-positive rate; a raw count is not a rate.

Option C is wrong because it does not join the alerts to an incidents table.

620
Multi-Select · medium

Which TWO actions can you perform using Microsoft Sentinel's UEBA (User and Entity Behavior Analytics) feature? (Choose two.)

Select 2 answers
A. Block sign-ins from anonymous IP addresses
B. Run KQL queries to find threats across multiple data sources
C. Automatically disable compromised user accounts
D. Detect anomalous behavior based on historical user activity
E. Identify users whose activities are anomalous compared to their peers
Answers: D, E

UEBA uses machine learning to detect anomalies in user behavior.

Why this answer

UEBA in Sentinel builds behavioral baselines and surfaces deviations. Option D (anomaly detection against the entity's own history) and Option E (anomaly scoring against the entity's peers, such as users in the same department or with the same manager) are correct. Option A is a Conditional Access or Entra ID Protection control, not a UEBA action.

Option C is a response action carried out by a playbook, not by UEBA. Option B describes hunting, which any Sentinel user can do in Logs regardless of UEBA.

621
MCQ · hard

A company is migrating a sensitive database to Azure SQL Managed Instance. The security team requires that the managed instance is not accessible from the public internet and that only specific Azure services, such as Azure Data Factory, can connect. Which configuration should the team implement to meet these requirements?

A. Configure a private endpoint for the Azure SQL Managed Instance.
B. Use a virtual network service endpoint and disable public network access.
C. Configure firewall rules to allow only the IP ranges of Azure Data Factory and deny all other traffic.
D. Apply a service tag for Azure SQL Managed Instance in the virtual network NSG.
Answer: A

A private endpoint gives the managed instance a private IP in your VNet, eliminating public endpoint exposure. Only services with connectivity to that VNet (e.g., via peering or VPN) can connect, meeting both requirements.

Why this answer

Option A is correct because configuring a private endpoint for Azure SQL Managed Instance places the instance within a virtual network, making it inaccessible from the public internet. Private endpoints use a private IP address from the VNet, and by combining this with disabling public network access, only traffic from within the VNet or from peered networks can reach the instance. To allow specific Azure services like Azure Data Factory to connect, you can use a managed private endpoint in Data Factory that targets the SQL Managed Instance's private endpoint, ensuring secure, private connectivity without exposing the instance to the internet.

Exam trap

The trap here is that candidates often confuse service endpoints or NSG service tags with private endpoints, not realizing that SQL Managed Instance requires a private endpoint to fully remove public internet access while still allowing specific Azure services to connect securely.

How to eliminate wrong answers

Option B is wrong because virtual network service endpoints do not apply to Azure SQL Managed Instance; service endpoints are used for Azure SQL Database and other PaaS services, but SQL Managed Instance always runs inside a VNet and uses a different connectivity model. Option C is wrong because firewall rules based on IP ranges cannot reliably identify Azure Data Factory traffic, as Data Factory uses dynamic public IP addresses that change over time, and allowing all Azure service IP ranges would still expose the instance to the public internet. Option D is wrong because service tags in an NSG control inbound/outbound traffic to Azure services at the subnet or NIC level, but they do not restrict public internet access to the SQL Managed Instance itself; the instance's public endpoint would still be reachable unless explicitly disabled, and service tags do not provide the private connectivity required.

622
MCQ · hard

A company has Microsoft Entra Conditional Access policies that require multi-factor authentication (MFA) for all users accessing sensitive cloud apps. The security team wants to extend this protection by monitoring and controlling user activities within those applications (e.g., preventing data exfiltration during a session). Which Conditional Access session control should they implement?

A. Grant control: Require MFA
B. Session control: Use app enforced restrictions
C. Session control: Sign-in frequency
D. Session control: Conditional Access Application Control
Answer: D

This control allows administrators to monitor and control user sessions in real time, including blocking downloads or applying data protection policies.

Why this answer

Option D is correct because Conditional Access Application Control (also known as Microsoft Defender for Cloud Apps session control) allows real-time monitoring and control of user activities within cloud apps, such as blocking downloads or preventing data exfiltration. This session control works by redirecting user traffic through Microsoft Defender for Cloud Apps as a reverse proxy, enabling granular policy enforcement during the session. The requirement specifically asks for monitoring and controlling activities inside the app, which goes beyond just requiring MFA at sign-in.

Exam trap

The trap here is that candidates confuse session controls that manage sign-in frequency or app-enforced restrictions with the more advanced session monitoring and data exfiltration prevention capabilities provided by Conditional Access Application Control, which is the only option that offers real-time in-app activity control.

How to eliminate wrong answers

Option A is wrong because Grant control: Require MFA is an access control that enforces multi-factor authentication at sign-in, but it does not provide any monitoring or control of user activities once the session is established. Option B is wrong because Session control: Use app enforced restrictions relies on the cloud app itself to enforce its own controls (e.g., SharePoint IP-based restrictions), but it does not offer the real-time session monitoring or data exfiltration prevention that Microsoft Defender for Cloud Apps provides. Option C is wrong because Session control: Sign-in frequency controls how often a user must reauthenticate during a session, which is a session lifetime control, not a mechanism to monitor or control in-app activities like downloads or copy-paste.

623
MCQ · easy

You need to block outbound internet access from all VMs in a VNet except for specific allowed destinations (e.g., Microsoft updates). You cannot use a third-party NVA. Which Azure service should you use to meet this requirement?

A. Azure Bastion
B. Azure Firewall
C. Network Security Groups (NSGs)
D. Azure Virtual Network NAT
Answer: B

Azure Firewall provides outbound traffic filtering with application and network rules, and supports FQDNs.

Why this answer

Azure Firewall can inspect and control outbound traffic with application rules (FQDN-based, including FQDN tags such as WindowsUpdate) and network rules, and its default action for anything not matched by a rule is deny, so you only need to allow the specific destinations. It is a managed, cloud-native service, which fits the no-NVA constraint. Deploying the firewall is not enough on its own: the VM subnets need a user-defined route that sends 0.0.0.0/0 to the firewall's private IP, otherwise outbound traffic leaves the VNet directly and never reaches the rules. NSGs are wrong because they filter on IP addresses, ports and service tags and cannot match on FQDNs.

624
MCQ · medium

A security operations team uses Microsoft Sentinel for security monitoring. They want to automatically create an incident and send an email to the on-call security engineer when a specific event occurs in Azure Activity Log, such as someone disabling a key vault firewall. Which automation feature should they configure?

A. Automation rules
B. Playbooks (Azure Logic Apps)
C. Scheduled analytics rules
D. Livestream
Answer: B

Playbooks are automated workflows that can send emails, create tickets, and perform custom actions. They can be triggered by automation rules or directly from incidents, and combined with an analytics rule, they can create incidents and send notifications.

Why this answer

Playbooks (Azure Logic Apps) are the correct automation feature because they let you define a workflow that runs on a Microsoft Sentinel alert or incident, such as the one raised when a Key Vault firewall is disabled, and that workflow can send an email to the on-call security engineer through connectors like Office 365 Outlook. Automation rules can trigger playbooks but cannot send emails or perform other external actions themselves; they rely on playbooks for that.

Exam trap

The trap here is that candidates often confuse automation rules with playbooks, thinking automation rules can directly send emails, but they only orchestrate incident management actions and must invoke a playbook for external communication.

How to eliminate wrong answers

Option A is wrong because automation rules are used to automate incident management tasks like assigning, tagging, or changing severity, but they cannot directly send emails or execute custom workflows; they require a playbook to perform those actions. Option C is wrong because scheduled analytics rules are designed to query log data on a recurring schedule to generate alerts, not to react to real-time Azure Activity Log events or send emails. Option D is wrong because Livestream is a feature for real-time monitoring and debugging of log streams, not for automated incident creation or email notification.

625
MCQhard

A company plans to enable Azure Disk Encryption (ADE) on their Windows virtual machines. They will use a Key Encryption Key (KEK) stored in Azure Key Vault. What additional configuration must be made in the Key Vault to allow the Azure platform to access the KEK for encrypting the VM disks?

A.Grant the Azure Disk Encryption service principal 'Reader' role on the key vault.
B.Set the key vault's 'enabledForDiskEncryption' property to true.
C.Grant the virtual machine's managed identity 'Contributor' role on the key vault.
D.Configure soft-delete and purge protection on the key vault.
AnswerB

This property allows the Azure Disk Encryption service to access the keys and secrets in the vault, which is a standard prerequisite for ADE.

Why this answer

Option B is correct because Azure Disk Encryption requires the key vault's 'enabledForDiskEncryption' property to be set to true. This property explicitly authorizes the Azure platform (specifically the Azure Disk Encryption service) to access the Key Encryption Key (KEK) stored in the vault for encrypting VM disks. Without this flag, the platform cannot retrieve the KEK, even if other permissions exist.

Exam trap

The trap here is that candidates often confuse the 'enabledForDiskEncryption' property with RBAC roles or managed identity permissions, assuming that granting a role to the VM or service principal is sufficient, when in fact the platform requires this specific vault-level flag to be enabled.

How to eliminate wrong answers

Option A is wrong because granting the Azure Disk Encryption service principal the 'Reader' role on the key vault is unnecessary; the platform uses the 'enabledForDiskEncryption' property, not an RBAC role, to authorize access. Option C is wrong because granting the VM's managed identity 'Contributor' role on the key vault is not required; ADE does not use the VM's identity to access the KEK—it uses the platform's identity authorized by the vault property. Option D is wrong because soft-delete and purge protection are important for recovery and compliance but are not required for the platform to access the KEK during encryption; they are separate prerequisites for some scenarios but not the specific configuration needed here.

626
MCQhard

A security operations team uses Microsoft Sentinel. They have created a playbook that sends an email notification to the security team when a high-severity incident is created by a specific analytics rule named 'CriticalRDPAccess'. They want the playbook to trigger automatically only when the incident has severity 'High' AND the incident was created by the rule named 'CriticalRDPAccess'. Which automation rule configuration should they use?

A.Condition: Incident severity equals High; AND Incident rule name contains 'CriticalRDPAccess'. Action: Run playbook.
B.Condition: Incident severity equals High; OR Incident rule name equals 'CriticalRDPAccess'. Action: Run playbook.
C.Condition: Incident severity equals High; AND Incident rule name equals 'CriticalRDPAccess'. Action: Run playbook.
D.Condition: Incident severity in ['High', 'Critical']; AND Incident rule name equals 'CriticalRDPAccess'. Action: Run playbook.
AnswerC

This correctly uses AND with exact match for both conditions.

Why this answer

Option C is correct because the automation rule must use the AND operator to require both conditions—incident severity equals 'High' AND incident rule name equals 'CriticalRDPAccess'—to trigger the playbook. This ensures the playbook runs only when both criteria are met, matching the requirement exactly. Using 'contains' instead of 'equals' (as in Option A) would incorrectly match rules with 'CriticalRDPAccess' as a substring, potentially triggering on unintended rules.

Exam trap

The trap here is that candidates may confuse 'contains' with 'equals' for rule name matching, or incorrectly use OR instead of AND, leading to unintended playbook triggers for similar rule names or unrelated high-severity incidents.

How to eliminate wrong answers

Option A is wrong because 'Incident rule name contains' uses a substring match, which would trigger the playbook for any rule whose name includes 'CriticalRDPAccess' (e.g., 'CriticalRDPAccessV2'), not just the exact rule name. Option B is wrong because the OR operator means the playbook would trigger if either condition is true—e.g., any high-severity incident or any incident from the rule—violating the requirement for both conditions to be true. Option D is wrong because it includes 'Critical' in the severity list, which would trigger the playbook for critical-severity incidents as well, not just high-severity incidents as specified.

627
MCQeasy

A company uses Microsoft Defender for Cloud to manage the security posture of their Azure workloads. The compliance officer needs to generate a report that shows the current compliance status against the SOC 2 standard, including the pass/fail status of each control. Which feature in Defender for Cloud should they use?

A.Regulatory compliance dashboard
B.Inventory
C.Secure Score
D.Workbooks
AnswerA

The regulatory compliance dashboard provides a comprehensive view of compliance against chosen standards, including SOC 2, showing control status and recommendations.

Why this answer

The Regulatory compliance dashboard in Microsoft Defender for Cloud provides a pre-built, continuously updated view of compliance posture against standards like SOC 2. It maps Azure Policy initiatives to specific controls and shows the pass/fail status for each control, enabling the compliance officer to generate the required report directly.

Exam trap

The trap here is that candidates often confuse the Secure Score (which measures overall security posture) with regulatory compliance reporting, not realizing that Secure Score does not map to specific standard controls like SOC 2.

How to eliminate wrong answers

Option B (Inventory) is wrong because it lists Azure resources and their configurations, but does not evaluate or report compliance against specific regulatory standards like SOC 2. Option C (Secure Score) is wrong because it aggregates security recommendations into a single score based on best practices, not a control-by-control pass/fail report for a specific compliance standard. Option D (Workbooks) is wrong because while Workbooks can create custom visualizations from Azure Monitor data, they are not a pre-built feature for regulatory compliance reporting and require manual configuration to map controls.

628
Multi-Selectmedium

A company uses Defender for Servers Plan 2. Which two capabilities are included compared with a basic posture-only configuration?

Select 2 answers
A.Azure Cost Management budget alerts
B.File integrity monitoring or equivalent advanced server protection capabilities
C.Endpoint detection and response integration through Microsoft Defender for Endpoint
D.Microsoft 365 message trace
AnswersB, C

Correct for the stated requirement.

Why this answer

Defender for Servers Plan 2 includes advanced server protection capabilities such as file integrity monitoring (FIM), which tracks changes to critical system files and registry keys, and endpoint detection and response (EDR) integration through Microsoft Defender for Endpoint. These capabilities go beyond the basic posture-only configuration, which only provides vulnerability assessment and security recommendations without real-time threat detection or file change monitoring.

Exam trap

The trap here is that candidates often confuse basic posture-only features (like vulnerability assessment and secure score) with advanced capabilities like FIM and EDR, assuming all Defender for Servers tiers include endpoint detection, when only Plan 2 adds these specific protections.

629
MCQeasy

Refer to the exhibit. You run the KQL query in Microsoft Sentinel to investigate denied application rule traffic through Azure Firewall. The query returns no results, but you know that application rules are being applied and some traffic is being denied. What is the most likely cause?

A.The time range is too short and the denied events are older.
B.The firewall is not configured to log denied traffic.
C.The query should use the 'AzureFirewallNetworkRule' category for denied traffic.
D.The query filters on the wrong OperationName; denied hits use 'AzureFirewallApplicationRuleDeny'.
AnswerD

Denied application rule hits are logged with OperationName 'AzureFirewallApplicationRuleDeny', not 'AzureFirewallApplicationRuleHit'.

Why this answer

The query filters on Category == 'AzureFirewallApplicationRule' and OperationName == 'AzureFirewallApplicationRuleHit'. However, denied traffic is logged under Category == 'AzureFirewallApplicationRule' with OperationName == 'AzureFirewallApplicationRuleDeny'. The query uses 'AzureFirewallApplicationRuleHit' which may log only allowed hits, not denies.

Alternatively, the logs might be in a different table or property. The most direct fix: the correct OperationName for denies is 'AzureFirewallApplicationRuleDeny'.

630
MCQmedium

A company has an Azure SQL Database that contains sensitive financial data. They want to audit all successful and failed login attempts for the database. What should they configure?

A.Azure SQL Database auditing
B.SQL Vulnerability Assessment
C.Microsoft Defender for Cloud alerts
D.Azure AD sign-in logs
AnswerA

Captures database events including successful and failed logins.

Why this answer

Azure SQL Database auditing tracks database events, including successful and failed logins, to an audit log in Azure Storage, Log Analytics, or Event Hubs. Option A is correct. Option D is incorrect because Azure AD sign-in logs track identity events, not SQL login attempts.

Option B is incorrect because SQL Vulnerability Assessment checks for security misconfigurations. Option C is incorrect because Microsoft Defender for Cloud alerts on threats but does not provide detailed login audit trails.

631
MCQeasy

You have an Azure virtual machine that runs a line-of-business application. You need to ensure that the disks attached to the VM are encrypted at rest using platform-managed keys. What should you do?

A.Configure a disk encryption set with a customer-managed key
B.Enable encryption at host on the VM
C.Enable Azure Disk Encryption on the VM
D.Enable Storage Service Encryption (SSE) on the storage account
AnswerC

Azure Disk Encryption uses platform-managed keys to encrypt OS and data disks via DM-Crypt or BitLocker.

Why this answer

Option C is correct because Azure Disk Encryption uses DM-Crypt (Linux) or BitLocker (Windows) to encrypt disks with platform-managed keys by default. Option B is wrong because enabling encryption at host requires additional configuration. Option D is wrong because SSE with PMK is for storage accounts, not VM disks.

Option A is wrong because a disk encryption set requires a customer-managed key from Key Vault, which is not platform-managed.

632
MCQhard

Your organization has multiple Azure subscriptions and uses Microsoft Defender for Cloud. You need to ensure that all subscriptions have a consistent security policy applied. You create a management group containing all subscriptions. What should you do next to assign a Defender for Cloud initiative to all subscriptions?

A.Use Azure Blueprints to define the initiative and assign it to the management group.
B.Assign the initiative as an Azure Policy at the management group scope.
C.Create a custom RBAC role that includes the initiative and assign it to the management group.
D.Assign the initiative to each subscription individually using the Defender for Cloud interface.
AnswerB

Correct: Policy assignment at management group scope applies to all subscriptions under it.

Why this answer

Option B is correct because Azure Policy can be assigned at the management group level to inherit to all child subscriptions. Option D is wrong because Defender for Cloud initiatives are not assigned per subscription manually. Option A is wrong because Azure Blueprints are deprecated.

Option C is wrong because a custom RBAC role grants permissions; it cannot contain or assign a policy initiative.

633
Multi-Selectmedium

Your organization has enabled Microsoft Defender for Cloud on all subscriptions. You need to ensure that the security score is improved by implementing recommendations. Which TWO actions would directly improve the secure score?

Select 2 answers
A.Enable Just-In-Time VM access on all virtual machines
B.Configure email notifications for high-severity alerts
C.Remediate a high-severity recommendation for a SQL database
D.Assign a custom Azure Policy initiative
E.Enable automatic provisioning of the Log Analytics agent
AnswersC, E

Remediating recommendations improves the secure score.

Why this answer

Options C and E are correct because remediating a high-severity recommendation increases the secure score, and enabling automatic provisioning of the Log Analytics agent is a recommendation that, when implemented, increases the score. Option A is wrong because enabling Just-In-Time VM access is a security control but does not directly affect the score; it may be a recommendation, but not all controls are scored. Option D is wrong because assigning Azure Policy does not directly improve the score; the score improves when resources comply.

Option B is wrong because configuring email notifications does not affect the score.

634
MCQmedium

Your organization uses Microsoft Entra ID and wants to provide external partners with access to a specific SharePoint Online site. You need to ensure that partners authenticate using their own corporate credentials (SAML/WS-Fed) and that access is automatically revoked when the partner's account is disabled. Which solution should you use?

A.Azure AD B2C
B.Microsoft Entra B2B collaboration with cross-tenant access settings
C.Direct federation
D.SharePoint external sharing
AnswerB

B2B with cross-tenant access settings enables partners to use their own credentials and automatic revocation.

Why this answer

Microsoft Entra B2B collaboration with cross-tenant access settings is the correct solution because it allows external partners to authenticate using their own corporate identity provider via SAML/WS-Fed, and it automatically revokes access when the partner's account is disabled in their home tenant. This is achieved through inbound trust settings that honor the partner tenant's user lifecycle, ensuring that access tokens are invalidated when the external user account is disabled or deleted.

Exam trap

The trap here is that candidates often confuse Azure AD B2C with B2B collaboration, assuming B2C is for any external user, but B2C is specifically for customer identities, not partner federation with automatic lifecycle revocation.

How to eliminate wrong answers

Option A is wrong because Azure AD B2C is designed for customer-facing identity management with social or local accounts, not for B2B partner scenarios requiring SAML/WS-Fed federation with corporate credentials. Option C is wrong because direct federation is a legacy configuration that requires manual setup of federation trusts and does not automatically revoke access when a partner's account is disabled; it lacks the automated lifecycle management provided by cross-tenant access settings. Option D is wrong because SharePoint external sharing only controls sharing links and guest invitations at the site level, not the authentication method or automatic revocation based on the partner's account status.

635
MCQmedium

A company uses Azure SQL Database and wants to protect sensitive data (e.g., credit card numbers) from database administrators. They require that the data is encrypted at rest and in transit, and only a client application using a specific driver can decrypt it. Which technology should they implement?

A.Transparent Data Encryption (TDE)
B.Always Encrypted
C.Dynamic Data Masking (DDM)
D.Row-Level Security (RLS)
AnswerB

Always Encrypted encrypts sensitive columns at the client side, ensuring that the data is never exposed in plaintext to the server or DBAs. Only the client application with the column master key can decrypt the data.

Why this answer

Always Encrypted is the correct choice because it ensures that sensitive data (e.g., credit card numbers) is encrypted both at rest and in transit, and the encryption keys are never exposed to the database engine. Only a client application using the Always Encrypted-enabled driver (e.g., ADO.NET with Column Encryption Setting=enabled) can decrypt the data, protecting it from database administrators or any unauthorized access to the database server.

Exam trap

The trap here is that candidates often confuse Transparent Data Encryption (TDE) with Always Encrypted because both involve encryption, but TDE does not protect data from database administrators or encrypt data in transit, which is the core requirement in this scenario.

How to eliminate wrong answers

Option A is wrong because Transparent Data Encryption (TDE) encrypts data at rest but does not protect data in transit, and the database engine has access to the encryption keys, so DBAs can still see plaintext data. Option C is wrong because Dynamic Data Masking (DDM) only obfuscates data at query results for unauthorized users, but the underlying data remains unencrypted in storage and in transit, and DBAs can bypass masking. Option D is wrong because Row-Level Security (RLS) controls access to rows based on user context but does not encrypt data at rest or in transit, and DBAs with elevated permissions can still read all data.

636
MCQeasy

You need to configure Microsoft Defender for Cloud to automatically remediate misconfigurations in Azure resources. Which feature should you enable?

A.Configure security contacts to receive alert emails.
B.Enable 'Remediate' on a built-in or custom policy initiative.
C.Create a workflow automation to run a Logic App on alerts.
D.Use the regulatory compliance dashboard to enforce standards.
AnswerB

Remediation tasks auto-fix misconfigurations.

Why this answer

Option B is correct because the 'Remediate' action in a security policy initiative automatically applies remediation tasks. Option C is wrong because workflow automation triggers notifications, not remediation. Option D is wrong because the regulatory compliance dashboard shows compliance status.

Option A is wrong because security contacts are for alert notifications.

637
MCQmedium

Your company uses Microsoft Sentinel to monitor security events. You need to detect brute-force attacks against Azure VMs that are not yet onboarded to Sentinel. What should you do?

A.Use the Office 365 connector to collect sign-in logs.
B.Use the Windows Security Events connector via Azure Monitor Agent.
C.Use the Common Event Format connector to forward syslog.
D.Use the Azure Activity connector to collect sign-in logs.
AnswerB

This connector collects OS-level sign-in events from VMs.

Why this answer

Option B is correct because Windows and Linux VMs can be connected to Sentinel via the Azure Monitor Agent to stream security events. Option D is wrong because the Azure Activity connector captures management plane events, not OS-level sign-in attempts. Option A is wrong because the Office 365 connector is for Microsoft 365 logs.

Option C is wrong because the Common Event Format connector is for on-premises appliances, not Azure VMs.

638
Multi-Selectmedium

Which two actions should you take to secure Azure Storage accounts against data exfiltration?

Select 2 answers
A.Use Azure Private Endpoints for storage accounts.
B.Enable shared access key authentication.
C.Configure firewall and virtual network service endpoints.
D.Enable soft delete for blobs.
E.Configure CORS rules to allow all origins.
AnswersA, C

Private endpoints ensure traffic stays within Microsoft backbone.

Why this answer

Correct: A and C. Firewall and virtual network service endpoints restrict network access, and private endpoints provide secure connectivity. Option B (shared access keys) does not prevent exfiltration.

Option D (soft delete) helps recovery but not prevention. Option E (CORS) controls cross-origin requests, not exfiltration.

639
MCQeasy

You have an Azure virtual machine that hosts a web application on port 443 and a management interface on port 8443. You need to allow inbound HTTPS traffic from the internet to port 443, and allow inbound traffic on port 8443 only from the company's office public IP range (203.0.113.0/24). You want to use a managed service that provides basic DDoS protection at no additional cost. What should you use?

A.Azure Application Gateway with WAF
B.Azure Front Door
C.Azure Firewall
D.Network Security Group (NSG)
AnswerD

An NSG can be associated with the VM's subnet or network interface. You can create rules to allow inbound HTTPS on port 443 from any source, and allow inbound on port 8443 only from the office IP range. NSGs are free and the default DDoS Protection Basic is included at no additional cost.

Why this answer

A Network Security Group (NSG) is the correct choice because it is a free, managed Azure service that provides basic DDoS protection at no additional cost. NSGs allow you to define inbound security rules to permit HTTPS traffic (port 443) from any source and restrict management traffic (port 8443) to a specific public IP range (203.0.113.0/24). This meets all requirements without incurring extra charges for advanced services.

Exam trap

The trap here is that candidates often over-engineer the solution by choosing a paid, advanced service (like Application Gateway or Azure Firewall) when a simple, free NSG with basic DDoS protection fully satisfies the requirements, especially since the question explicitly states 'at no additional cost'.

How to eliminate wrong answers

Option A is wrong because Azure Application Gateway with WAF is a layer-7 load balancer that incurs additional cost and does not provide basic DDoS protection at no extra cost; its WAF SKU is billed separately. Option B is wrong because Azure Front Door is a global layer-7 CDN and load balancer that also has additional cost and is not a free managed service for basic DDoS protection. Option C is wrong because Azure Firewall is a paid, stateful firewall service that provides advanced filtering but is not free and does not include basic DDoS protection as a built-in feature at no cost.

640
MCQeasy

You need to ensure that Azure SQL Database automatically detects and alerts on potential SQL injection attacks. Which Microsoft Defender for Cloud plan should you enable?

A.Microsoft Defender for SQL
B.Microsoft Defender for Storage
C.Microsoft Defender for Cloud (free tier)
D.Microsoft Defender for App Service
AnswerA

Provides advanced threat protection for Azure SQL Database, including SQL injection detection.

Why this answer

Microsoft Defender for SQL includes advanced threat protection that detects SQL injection and other anomalous activities. Option A is correct. Option C is incorrect because Defender for Cloud (free tier) only provides basic security assessments.

Option B is incorrect because Defender for Storage protects storage accounts. Option D is incorrect because Defender for App Service protects web apps.

641
MCQhard

You run the above Kusto query in Azure Monitor Logs for an Azure Storage account. The query returns results showing multiple failed attempts to access PDF blobs with 403 errors from various IP addresses. What is the most likely cause of these failures?

A.Anonymous public access is enabled, but the blobs are not marked as public.
B.The PDF blobs have been deleted or moved to a different container.
C.The storage account firewall is blocking requests from these IP addresses.
D.The shared access signatures (SAS) used to access the blobs have expired.
AnswerC

403 errors with multiple IP addresses typically indicate that the requests are being blocked by the firewall.

Why this answer

403 Forbidden errors indicate that the request was denied due to authorization failure. The most likely cause is that the IP addresses are not allowed by the storage account firewall. Option C is correct.

Option B (blob deleted or moved) would return 404, not 403. Option D (SAS expiration) could be a cause, but the query shows multiple IPs, suggesting a firewall issue. Option A (anonymous access enabled but blobs not public) would return 401 or 403 only if anonymous access were disabled.

642
MCQmedium

Your company runs a critical application on Azure Virtual Machines. You need to ensure that the OS disks and data disks are encrypted to meet compliance requirements. The solution must use Azure Key Vault to store encryption keys and support automated backup. What should you implement?

A.Azure Disk Encryption (ADE)
B.Azure Backup with encryption using platform-managed keys
C.Azure Confidential Computing
D.Azure Storage Service Encryption (SSE)
AnswerA

ADE encrypts VM disks using Key Vault and supports backup.

Why this answer

Option A is correct because Azure Disk Encryption uses BitLocker (Windows) or DM-Crypt (Linux) to encrypt disks and integrates with Azure Key Vault. Option D is wrong because Azure Storage Service Encryption encrypts data at rest in storage accounts, not VM disks. Option B is wrong because Azure Backup does not provide encryption itself.

Option C is wrong because Azure Confidential Computing is a different technology for protecting data in use.

643
MCQmedium

You have an Azure subscription with a virtual network (VNet1) that hosts a SQL Managed Instance. You need to connect from an on-premises application to the SQL Managed Instance using a private IP address, with minimal latency and without traversing the public internet. The on-premises network has a high-speed ExpressRoute connection to Microsoft. What should you configure?

A.Connect the on-premises network to Azure via ExpressRoute private peering and ensure the SQL Managed Instance subnet is reachable.
B.Configure a public endpoint on the SQL Managed Instance and allow the on-premises public IP.
C.Use Azure Private Link Service and connect via a VPN.
D.Create a site-to-site VPN connection and enable forced tunneling.
AnswerA

ExpressRoute private peering provides a private, low-latency connection from on-premises to Azure VNets, allowing direct access to the SQL Managed Instance subnet.

Why this answer

Option A is correct because SQL Managed Instance is deployed in a dedicated subnet and requires a private endpoint or direct connectivity. ExpressRoute with private peering is the best option for low latency and private connectivity.

644
Multi-Selectmedium

You need to ensure that Azure Disk Encryption (ADE) is enabled on all Azure VMs in a subscription. Which THREE actions are required to implement ADE? (Choose THREE.)

Select 3 answers
A.Run the Set-AzVMDiskEncryptionExtension cmdlet on each VM.
B.Create an Azure Key Vault with soft-delete and purge protection enabled.
C.Turn off the VMs before enabling encryption.
D.Configure Azure Backup for the VMs.
E.Grant the Azure Disk Encryption service (Microsoft.Azure.Security) the Key Vault Contributor role.
AnswersA, B, E

This actually enables encryption on the VM.

Why this answer

Option B (Key Vault with soft-delete and purge protection), Option E (assign the Key Vault Contributor role to the Azure Disk Encryption service), and Option A (enable encryption on each VM using Set-AzVMDiskEncryptionExtension) are required. Option D (Backup) is not required for encryption. Option C (turning off the VM) is not needed; encryption can be done online.

645
Multi-Selecteasy

You are designing a hub-and-spoke network topology with Azure Firewall in the hub VNet. Which TWO components are essential for routing traffic from spoke VNets through the firewall? (Choose two.)

Select 2 answers
A.Azure Private DNS zones
B.Azure Bastion host in the hub VNet
C.VPN gateway in each spoke VNet
D.VNet peering between spoke and hub VNets
E.Route tables with default route to Azure Firewall private IP
AnswersD, E

Peering enables connectivity between VNets.

Why this answer

Options D and E are correct. VNet peering connects spoke VNets to the hub. User-Defined Routes (UDRs) direct traffic to the firewall's private IP.

Option C is wrong because a VPN gateway is not required for hub-and-spoke. Option B is wrong because Azure Bastion is for remote access. Option A is wrong because Azure Private DNS is for name resolution, not routing.

646
MCQhard

Your company uses Microsoft Defender for Cloud to protect Azure resources. You notice that some Azure VMs are not showing any security recommendations. You verify that the VMs are running and have network connectivity. What is the most likely cause?

A.The Log Analytics agent is not installed on the VMs
B.The VMs are in a resource group that lacks the required Azure RBAC role
C.The VMs have a resource lock preventing policy evaluation
D.The VMs are in the Free tier of Defender for Cloud
AnswerA

Defender for Cloud relies on the agent to collect security data for recommendations.

Why this answer

Option A is correct because if the Log Analytics agent (or Azure Monitor Agent) is not installed, Defender for Cloud cannot collect data and thus cannot generate recommendations. Option D is wrong because the pricing tier affects available features but does not remove recommendations entirely; even the Free tier provides some recommendations. Option B is wrong because Defender for Cloud uses Azure Policy, not Azure RBAC, to evaluate resources.

Option C is wrong because resource locks do not prevent security assessments.

647
Multi-Selectmedium

You have an Azure Cosmos DB account that stores sensitive data. You need to ensure that all data in transit between the client application and Cosmos DB is encrypted using TLS 1.2 or higher. Additionally, you want to enforce that only Azure services within the same region can access the Cosmos DB account. What two configurations should you implement? (Choose two.)

Select 2 answers
A.Enable service endpoints for the Cosmos DB account
B.Configure a private endpoint
C.Set the minimum TLS version to 1.2
D.Disable public network access
E.Configure firewall rules to allow only Azure services
AnswersB, C

Ensures traffic stays within Azure backbone and region.

Why this answer

Option C is correct because setting the minimum TLS version to 1.2 enforces encryption in transit. Option B is correct because using private endpoints ensures traffic stays within the Azure backbone and the same region. Option E (firewall rules) allows traffic from specified sources but does not guarantee it comes only from Azure services in the same region.

Option D (public network access disabled) is a prerequisite for private endpoints but not sufficient alone. Option A (service endpoints) does not enforce a regional restriction.

648
Multi-Selectmedium

Which TWO actions can you perform using Microsoft Defender for Cloud's 'Security Alerts' page?

Select 2 answers
A.View the kill chain of an alert.
B.Suppress a specific alert for a defined time period.
C.Run a remediation script against the affected resource.
D.Create an automation rule to trigger a playbook.
E.Modify the security policy of the subscription.
AnswersA, B

Correct: kill chain view is available.

Why this answer

Option B is correct because you can suppress alerts. Option A is correct because you can view the kill chain. Option C (remediation script) is not a direct feature; Option E (modify policy) is done via Azure Policy; Option D (create automation rule) is done in Sentinel.

649
Multi-Selectmedium

Your organization uses Microsoft Entra ID. You need to recommend solutions to reduce the risk of privileged role abuse. Which TWO actions should you recommend? (Choose two.)

Select 2 answers
A.Assign privileged roles permanently to reduce friction.
B.Configure access reviews for privileged roles to run quarterly.
C.Disable sign-in logs for privileged users to reduce noise.
D.Use Privileged Identity Management (PIM) to require approval for role activation.
E.Require all users to use MFA for all applications.
AnswersB, D

Access reviews ensure role assignments are still necessary.

Why this answer

Option D is correct because PIM provides just-in-time access and approval workflows. Option B is correct because access reviews periodically verify that role assignments are still needed. Option A is wrong because permanent role assignment increases risk.

Option E is wrong because requiring MFA for all users does not specifically target privileged roles. Option C is wrong because disabling sign-in logs reduces visibility.

650
MCQmedium

Your company uses Microsoft Defender for Cloud with the default auto-provisioning configuration. A security engineer reports that critical vulnerabilities in Azure Virtual Machines are being detected but not automatically remediated. The engineer wants to enable automatic remediation for all supported findings. What should the engineer configure?

A.Configure an Azure Policy initiative with the 'Deploy if not exist' effect to automatically deploy the Log Analytics agent.
B.Enable Just-in-Time VM access for the affected virtual machines.
C.Create a Microsoft Sentinel playbook triggered by 'SecurityAlert' to run remediation commands.
D.Enable the 'Auto-provision vulnerability assessment' setting and configure an automation rule with a 'Remediate' action.
AnswerD

Correct: auto-remediation via vulnerability assessment.

Why this answer

Option D is correct because Defender for Cloud can automatically remediate vulnerabilities using a vulnerability assessment solution (such as Qualys or Microsoft Defender Vulnerability Management) together with an automation rule that has a 'Remediate' action. Option A (Azure Policy 'Deploy if not exist' initiative) deploys agents but does not auto-remediate findings. Option B (Just-in-Time VM access) controls network access, not vulnerability remediation.

Option C (Microsoft Sentinel playbook) can remediate but requires custom automation rather than automatic, out-of-the-box remediation.

651
MCQhard

A healthcare company stores sensitive patient data in Azure SQL Database. They want to encrypt specific columns containing Personally Identifiable Information (PII) so that even database administrators cannot view the data. The security team also needs to perform equality searches (e.g., WHERE SSN = '123-45-6789') on the encrypted columns. Which encryption technology should they implement?

A.Always Encrypted with randomized encryption.
B.Always Encrypted with deterministic encryption.
C.Always Encrypted with secure enclaves.
D.Transparent Data Encryption (TDE).
AnswerC

Secure enclaves allow computations on encrypted data inside a protected memory region. This supports equality searches and other operations while keeping the data encrypted from the database engine and administrators.

Why this answer

Always Encrypted with secure enclaves is the correct choice because it supports rich computations (including equality searches) on encrypted columns while ensuring that the data remains encrypted even from database administrators. The secure enclave technology allows operations like equality comparisons to be performed inside a trusted execution environment, preventing the database engine from seeing the plaintext data.

Exam trap

The trap here is that candidates often confuse deterministic encryption (which supports equality searches but not data protection from DBAs) with secure enclaves (which provide both equality search capability and full data protection from DBAs), leading them to select option B instead of C.

How to eliminate wrong answers

Option A is wrong because randomized encryption does not support equality searches; it produces different ciphertexts for the same plaintext, making equality comparisons impossible. Option B is wrong because deterministic encryption does support equality searches, but it does not protect data from database administrators who have access to the column encryption keys or can observe the deterministic ciphertext patterns. Option D is wrong because Transparent Data Encryption (TDE) encrypts the entire database at rest but does not protect data from database administrators or support column-level encryption for equality searches.

652
MCQmedium

A company uses Azure SQL Database with Azure Active Directory authentication. To meet compliance requirements, they need to audit all failed login attempts and store the audit logs in a storage account located in a different Azure region for disaster recovery. What should they configure?

A.Enable SQL Auditing and set the destination to a Log Analytics workspace in a different region.
B.Enable SQL Auditing and set the destination to an Event Hub namespace in the same region.
C.Enable SQL Auditing and set the destination to an Azure Storage account in a different region.
D.Enable Advanced Threat Protection for Azure SQL Database and configure email notifications.
AnswerC

Azure Storage accounts can be configured with geo-redundant storage (GRS) and can be placed in a different region. This provides a durable, long-term audit log storage with cross-region disaster recovery.

Why this answer

Option C is correct because Azure SQL Database auditing can be configured to write audit logs directly to an Azure Storage account. Storing the logs in a storage account located in a different Azure region meets the disaster recovery requirement by ensuring logs survive a regional outage. The audit logs capture all database events, including failed login attempts, which satisfies the compliance need.

Exam trap

The trap here is that candidates often confuse auditing with threat detection or choose a Log Analytics workspace for centralized logging, overlooking the explicit requirement for durable, cross-region storage for compliance and disaster recovery.

How to eliminate wrong answers

Option A is wrong because a Log Analytics workspace does not provide geo-redundant storage for disaster recovery; it is primarily for log analytics and monitoring, not for long-term archival in a different region. Option B is wrong because an Event Hub namespace is a real-time streaming service, not a durable storage destination for audit logs, and it is specified to be in the same region, which fails the disaster recovery requirement. Option D is wrong because Advanced Threat Protection (ATP) detects suspicious activities and sends email notifications, but it does not audit or store failed login attempts in a storage account for compliance purposes.

653
Multi-Selectmedium

Which THREE are valid ways to ingest data into Microsoft Sentinel? (Choose three.)

Select 3 answers
A.Uploading a CSV file manually via the Azure portal.
B.Using the Azure Activity Log connector to stream subscription-level events.
C.Using Azure Policy to assign initiatives that send compliance data to Sentinel.
D.Using the Common Event Format (CEF) connector to ingest logs from security appliances.
E.Using a Syslog connector to forward logs from on-premises firewalls.
AnswersB, D, E

Azure Activity Log connector is built-in.

Why this answer

Options B, D, and E are valid ingestion methods. Option C is wrong because Azure Policy is used for governance, not direct data ingestion. Option A is wrong because manual CSV upload is not a standard ingestion method; Sentinel uses connectors for structured data.

654
MCQhard

You are troubleshooting connectivity issues from an Azure VM to an on-premises server. The VM is in a VNet that uses a custom DNS server. The on-premises network is connected via ExpressRoute. You can ping the on-premises server by IP address but not by name. What is the most likely cause?

A.The ExpressRoute circuit is not configured for DNS forwarding.
B.The custom DNS server does not have a conditional forwarder to the on-premises DNS.
C.The Azure Private DNS zone does not include the on-premises hostname.
D.An NSG rule is blocking DNS traffic.
AnswerB

Custom DNS servers must forward queries to on-premises DNS for name resolution.

Why this answer

Option B is correct because the custom DNS server is likely not configured to resolve on-premises hostnames. Option A is wrong because ExpressRoute circuits do not have DNS settings. Option C is wrong because Azure Private DNS zones are for Azure resources, not on-premises.

Option D is wrong because NSG rules block traffic by IP or port, not by name resolution.

655
MCQeasy

A company has an Azure virtual network with two subnets: Frontend and Backend. They deploy a network virtual appliance (NVA) in a subnet named NVA_Subnet. They want to route all traffic from the Frontend subnet to the Backend subnet through the NVA for inspection. What is the minimum number of route tables required to achieve this traffic steering?

A.1
B.2
C.3
D.4
AnswerA

One route table on the Frontend subnet with a route for the Backend subnet address space pointing to the NVA is sufficient to steer traffic from Frontend to Backend through the NVA.

Why this answer

A single route table can be associated with the Frontend subnet and configured with a user-defined route (UDR) that has the NVA's private IP as the next hop for traffic destined to the Backend subnet. This ensures all traffic from Frontend to Backend is forwarded to the NVA for inspection. No additional route tables are needed because the NVA itself handles the routing decision after inspection, and the Backend subnet does not require a specific route to return traffic unless asymmetric routing is a concern.

Exam trap

The trap here is that candidates often assume each subnet requires its own route table, or that the NVA subnet itself needs a custom route, but Azure's default routing handles the return path unless asymmetric routing is explicitly required.

How to eliminate wrong answers

Option B is wrong because two route tables would be unnecessary; the requirement is only to steer traffic from Frontend to Backend through the NVA, which can be achieved with a single route table associated with the Frontend subnet. Option C is wrong because three route tables imply a misconception that each subnet or the NVA subnet requires its own route table, but the NVA subnet does not need a custom route for this scenario. Option D is wrong because four route tables would be excessive and suggests a misunderstanding of how Azure routing works; the default system routes handle intra-VNet traffic unless overridden, and only the source subnet (Frontend) needs a custom route.

656
Multi-Selecteasy

Which TWO services can be used to filter traffic between virtual networks in Azure? (Choose two.)

Select 2 answers
A.Azure Front Door.
B.Azure VPN Gateway.
C.Azure Traffic Manager.
D.Azure Firewall.
E.Network security groups (NSGs).
AnswersD, E

Azure Firewall can centrally inspect and filter traffic between VNets.

Why this answer

Azure Firewall is a managed, cloud-based network security service that can filter both inbound and outbound traffic between virtual networks (VNets) using stateful inspection, application rules, and network rules. It can be deployed in a hub VNet and enforce traffic filtering between spoke VNets via forced tunneling or routing, making it a correct choice for filtering inter-VNet traffic.

Exam trap

The trap here is that candidates often confuse Azure Firewall with Azure VPN Gateway or Azure Front Door, mistakenly thinking that any network appliance or load balancer can filter traffic between VNets, when in fact only stateful firewall services (Azure Firewall) and stateless/stateful packet filters (NSGs) are designed for that purpose.

657
Multi-Selecteasy

Which TWO types of data can Microsoft Sentinel ingest from Microsoft Defender XDR?

Select 2 answers
A.Raw Windows event logs from endpoints.
B.Incidents from Microsoft Defender XDR.
C.Alerts from Microsoft Defender for Endpoint.
D.Azure AD sign-in logs.
E.Microsoft 365 audit logs.
AnswersB, C

Incidents are part of Defender XDR data.

Why this answer

Options B and C are correct. Defender XDR provides alerts and incidents. Option A is wrong because raw event logs are not directly ingested; alerts are.

Option E is wrong because Microsoft 365 audit logs come from Microsoft Purview, not Defender XDR. Option D is wrong because Azure AD sign-in logs come from Entra ID.

658
Multi-Selecthard

Which TWO of the following are required to implement a successful Just-In-Time (JIT) access strategy using Microsoft Entra Privileged Identity Management (PIM) for Azure resources?

Select 2 answers
A.Enable Azure Multi-Factor Authentication for all users in the tenant
B.Create custom RBAC roles for the JIT access
C.Configure role settings to specify activation duration and require approval if needed
D.Assign users as eligible for the roles they need to activate
E.Assign users as permanently active for the roles they need
AnswersC, D

Role settings define the JIT parameters such as maximum activation duration and approval requirements.

Why this answer

Option C is correct because configuring role settings in Microsoft Entra PIM, such as activation duration and requiring approval, is essential to control how and when eligible users activate their JIT access. These settings enforce security policies like time-bound activation and multi-step approval, which are core to a successful JIT strategy.

Exam trap

The trap here is that candidates often confuse enabling MFA tenant-wide (Option A) with PIM's ability to require MFA at activation time, which is a separate setting within the role activation policy, not a prerequisite.

659
MCQmedium

You have a Microsoft Sentinel workspace that ingests data from multiple sources, including Azure Activity, Microsoft Entra ID, and Azure Firewall. You need to create a custom analytics rule that detects when a user signs in from an IP address that has been flagged as malicious in a threat intelligence feed. You have already imported threat intelligence indicators into Sentinel using the 'Threat Intelligence - TAXII' data connector. The threat intelligence indicators are stored in the 'ThreatIntelligenceIndicator' table. Which KQL function should you use in the analytics rule to match sign-in logs against the threat indicators?

A.threat_intelligence_check_url
B.threat_intelligence_check_hash
C.ipv4_lookup
D.threat_intelligence_check_ip
AnswerD

This function matches IP addresses against threat intelligence indicators.

Why this answer

The function that matches IP addresses against threat intelligence indicators is 'threat_intelligence_check_ip', so Option D is correct. Option A is for matching URLs.

Option B is not a valid function. Option C (ipv4_lookup) checks for IP matches but is not specific to threat intelligence.

660
MCQmedium

Security analysts in your company use Microsoft Sentinel to manage incidents. They want to automatically assign any incident with a severity of 'High' or 'Critical' to the senior analyst on duty. Which Microsoft Sentinel feature should they configure to accomplish this?

A.Automation rules
B.Playbooks
C.Workbooks
D.Analytics rules
AnswerA

Automation rules can be configured to trigger on incident creation and set the owner to a specific user or group. This is the simplest way to automate incident assignment.

Why this answer

Automation rules in Microsoft Sentinel allow you to automatically assign incidents to specific users or groups based on conditions such as severity. By creating an automation rule that triggers when an incident is created with a severity of 'High' or 'Critical', you can set the owner to the senior analyst on duty, fulfilling the requirement without manual intervention.

Exam trap

The trap here is that candidates often confuse automation rules with playbooks, assuming that any automated response requires a playbook, but Microsoft Sentinel's automation rules natively support direct incident assignment without needing a separate playbook workflow.

How to eliminate wrong answers

Option B is wrong because playbooks are automated workflows (often based on Azure Logic Apps) that perform complex response actions like sending emails or blocking IPs, but they cannot directly assign incident ownership; assignment is a property managed by automation rules. Option C is wrong because workbooks are visualization tools for creating dashboards and reports from Sentinel data, not for automating incident assignment. Option D is wrong because analytics rules are used to generate alerts and incidents from data sources (e.g., scheduled queries or Microsoft Security alerts), but they do not handle post-creation actions like assignment.

661
Multi-Selecthard

Which THREE are valid methods to ingest data into Microsoft Sentinel? (Select three.)

Select 3 answers
A.Microsoft Sentinel Data Collector API
B.Azure CLI
C.Common Event Format (CEF) over Syslog
D.Azure Data Factory
E.Azure Monitor Agent
AnswersA, C, E

The API allows custom log sources to send data to Sentinel.

Why this answer

Options A, C, and E are correct. Common Event Format (CEF) is a standard for log ingestion via syslog. Azure Monitor Agent can be used to collect logs from Windows and Linux machines.

The Microsoft Sentinel Data Collector API allows custom logs to be ingested. Option B is wrong because Azure CLI is a command-line tool, not a data ingestion method. Option D is wrong because Azure Data Factory is an ETL service, not a direct ingestion method for Sentinel (though it can be used indirectly).

662
MCQmedium

A company has a hub-spoke network topology in Azure. The hub virtual network contains an Azure Firewall. Spoke virtual networks are peered to the hub. The security team wants to inspect all traffic between virtual machines in different spoke virtual networks. What is the minimum configuration required?

A.Enable VNet peering gateway transit and allow forwarded traffic.
B.Deploy a VPN gateway in each spoke and configure site-to-site VPNs to the hub.
C.Define user-defined routes (UDRs) in each spoke that direct inter-spoke traffic to the Azure Firewall in the hub.
D.Configure network security groups (NSGs) on each spoke subnet.
AnswerC

UDRs force traffic through the firewall for inspection.

Why this answer

Option C is correct because user-defined routes (UDRs) in each spoke send inter-spoke traffic through the Azure Firewall in the hub for inspection. Option D is wrong because network security groups cannot inspect traffic between virtual networks. Option A is wrong because VNet peering settings do not provide traffic inspection.

Option B is wrong because Azure VPN Gateway is for site-to-site connectivity, not inspection.

663
MCQmedium

An organization has deployed Microsoft Sentinel as their SIEM. They need to ingest audit logs from their Amazon Web Services (AWS) environment, including CloudTrail logs. Which data connector should they use in Microsoft Sentinel to collect these logs?

A.Amazon Web Services connector
B.AWS S3 connector
C.Azure Sentinel to AWS connector
D.CloudTrail connector
AnswerA

The Amazon Web Services connector in Sentinel is specifically designed to ingest CloudTrail logs and other AWS audit logs.

Why this answer

The Amazon Web Services connector is the correct data connector in Microsoft Sentinel for ingesting AWS audit logs, including CloudTrail logs. It establishes a connection to AWS by requiring a role ARN and external ID, enabling Sentinel to pull CloudTrail events via the AWS API. This connector specifically supports CloudTrail management and data events, making it the appropriate choice for audit log ingestion.

Exam trap

The trap here is that candidates may confuse the generic 'AWS S3 connector' with CloudTrail log ingestion, but CloudTrail logs are ingested via the dedicated 'Amazon Web Services' connector, not through direct S3 bucket access.

How to eliminate wrong answers

Option B is wrong because the AWS S3 connector is designed to ingest logs from S3 buckets (e.g., VPC Flow Logs, ELB logs), not specifically CloudTrail audit logs, and requires additional configuration like SQS for event-driven ingestion. Option C is wrong because there is no data connector named 'Azure Sentinel to AWS connector'; the official connector is called 'Amazon Web Services' in the Sentinel data connectors gallery. Option D is wrong because there is no standalone 'CloudTrail connector' in Microsoft Sentinel; CloudTrail logs are ingested through the Amazon Web Services connector, which handles the CloudTrail integration.

664
MCQmedium

Refer to the exhibit. You are evaluating an Azure Policy definition that enables Defender for Cloud on a subscription. The policy uses 'DeployIfNotExists' effect. Which role must be assigned to the managed identity used by this policy to successfully deploy the pricing resource?

A.Owner
B.Reader
C.Contributor
D.Security Admin
AnswerD

Correct: Security Admin role includes permissions to write Microsoft.Security/pricings.

Why this answer

Option D is correct because creating or updating Microsoft.Security/pricings resources requires the 'Security Admin' role (which includes Microsoft.Security/pricings/write). Option C is wrong because Contributor has broader permissions but not specifically the needed security write permission. Option B is wrong because Reader cannot write.

Option A is wrong because Owner is too broad and not best practice.

665
MCQhard

Your company uses Azure SQL Database with Microsoft Entra ID authentication. You need to restrict a user to only view data from the 'Sales' schema, without granting permissions to other schemas. What should you do?

A.Add the user to the db_datareader role in the database.
B.Use a DENY statement on all other schemas for the user.
C.Create a user mapped to the Entra ID user and grant SELECT on the Sales schema only.
D.Create a contained database user with password and assign to db_datareader.
AnswerC

This grants precisely the required permissions.

Why this answer

Creating a user in the database mapped to the Entra ID user and granting SELECT only on the Sales schema meets the requirement. Option A is wrong because roles at the server level grant broader permissions. Option B is wrong because denying permissions is less secure and can be overridden.

Option D is wrong because contained database users do not use Entra ID.

666
MCQeasy

Refer to the exhibit. This is an excerpt from an Azure Policy assignment. What is the effect of the 'notScopes' property?

A.The policy will apply only to the VM-Sensitive virtual machine.
B.The policy will apply to all resources in RG-Prod except the entire resource group.
C.The policy will apply to all resources in RG-Prod except the VM-Sensitive virtual machine.
D.The policy will apply to the subscription but not to RG-Prod.
AnswerC

notScopes specifies resources to exclude.

Why this answer

Option C is correct because 'notScopes' excludes specific sub-scopes from the policy assignment. In this case, the policy applies to all resources in 'RG-Prod' except the VM named 'VM-Sensitive'. Option A is wrong because 'notScopes' do not add resources.

Option B is wrong because it does not remove the entire resource group. Option D is wrong because it does not affect subscription-level exclusions.

667
Multi-Selecteasy

You need to restrict access to a storage account containing sensitive financial data. The storage account is used by multiple Azure VMs and Azure App Service web apps. Only authorized applications and users should be able to access the storage account. Which TWO options should you implement?

Select 2 answers
A.Grant Azure AD user delegation permissions for each user accessing the storage account.
B.Use managed identities for Azure resources to authenticate from App Service and VMs to the storage account.
C.Enable Azure Storage firewall and virtual network service endpoints to restrict access to specific virtual networks and subnets.
D.Configure shared access signature (SAS) tokens with a long expiration time for all applications.
E.Distribute storage account access keys to all application developers.
AnswersB, C

Managed identities provide secure, passwordless authentication for Azure services to storage.

Why this answer

Option C: the storage firewall with virtual network service endpoints restricts access to the storage account from specific VNets and subnets. Option B: managed identities allow App Service and VMs to authenticate to storage without storing credentials. Option D (long-lived SAS tokens) is broad and not recommended for fine-grained control.

Option E (distributing storage account keys) is even broader. Option A (Azure AD user delegation) is for user-level access, not service access.

668
MCQmedium

A company uses Microsoft Defender for Cloud to protect Azure resources. The security team wants to automatically remediate certain recommendations without manual intervention. They decide to use Azure Policy to enforce secure configurations. Which feature in Defender for Cloud allows them to create policy assignments directly from the recommendation?

A.Remediate
B.View policy definition
C.Enforce
D.Quick fix
AnswerC

The Enforce button creates a policy assignment that enforces the recommendation.

Why this answer

Option C is correct because the 'Enforce' button on a recommendation creates a policy assignment that enforces the recommendation via Azure Policy. Option D is wrong because 'Quick fix' remediates a single resource; it does not enforce policy. Option B is wrong because 'View policy definition' only shows the definition; it does not create an assignment.

Option A is wrong because 'Remediate' triggers a remediation task on existing resources rather than enforcing policy on new resources.

669
MCQhard

Your organization uses Azure Files shares with Azure AD DS authentication. You need to ensure that users can access the file share from on-premises Windows clients using their on-premises AD credentials, without exposing the storage account to the internet. The on-premises network is connected to Azure via a site-to-site VPN. What should you configure?

A.Enable AD DS authentication and configure a private endpoint for the storage account
B.Enable AD DS authentication and configure a virtual network service endpoint
C.Enable AD DS authentication and configure a firewall rule to allow the on-premises VPN gateway public IP
D.Enable Azure AD DS authentication and configure a service endpoint
AnswerA

Private endpoint provides a private IP in the virtual network, accessible via VPN, and AD DS authentication allows on-premises AD credentials.

Why this answer

Option A is correct because using on-premises AD credentials requires AD DS authentication on the storage account, and a private endpoint provides connectivity over the VPN. Option D is wrong because Azure AD DS uses cloud-only identities, not on-premises AD. Option C is wrong because firewall rules based on public IP still expose the storage account to the internet.

Option B is wrong because service endpoints still use the storage account's public endpoint.

670
MCQeasy

A small business has a single Azure subscription with one virtual network containing two subnets: 'Frontend' for web servers and 'Backend' for database servers. The web servers need to access the internet to download updates, but the database servers must not have any outbound internet access. The business also needs to allow remote administration of the web servers from the internet via RDP (port 3389) but only from the IT department's public IP range (203.0.113.0/24). You need to configure network security to meet these requirements using Azure-native services. What should you do?

A.Use a network virtual appliance (NVA) for outbound inspection and configure RDP access via a jump box.
B.Create an NSG for the Frontend subnet with an inbound rule allowing RDP from 203.0.113.0/24, and a default deny for outbound. Then create an NSG for the Backend subnet with a default deny outbound rule.
C.Create a site-to-site VPN from the IT department to Azure and use Azure Bastion for RDP access.
D.Deploy Azure Firewall in the virtual network and configure DNAT rules for RDP and outbound rules for internet access.
AnswerB

NSGs can control inbound and outbound traffic at the subnet level.

Why this answer

Option B is correct because an NSG on the Frontend subnet can allow outbound internet access (implicit allow) and restrict inbound RDP to the IT department's IP range, while another NSG on the Backend subnet denies all outbound internet traffic. Option D is wrong because Azure Firewall is overkill for this simple scenario.

Option A is wrong because a network virtual appliance adds complexity. Option C is wrong because a VPN does not provide outbound internet control.

671
Multi-Selecteasy

Which TWO of the following data connectors are available by default in Microsoft Sentinel?

Select 2 answers
A.Palo Alto Networks
B.ServiceNow
C.Microsoft Entra ID
D.Azure Activity
E.Amazon Web Services (AWS)
AnswersC, D

Microsoft Entra ID connector is included by default.

Why this answer

Options C and D are correct. Option D: the Azure Activity connector is built-in. Option C: the Microsoft Entra ID (formerly Azure AD) connector is also built-in.

Option B is wrong because the ServiceNow connector is a premium connector. Option E is wrong because the Amazon Web Services (AWS) connector is a premium connector. Option A is wrong because the Palo Alto Networks connector is also premium.

672
Multi-Selecthard

Which THREE Microsoft Entra ID roles can be assigned to a user to manage Microsoft Defender XDR (formerly Microsoft 365 Defender) incidents? (Choose three.)

Select 3 answers
A.Exchange Administrator
B.Security Administrator
C.Global Reader
D.Security Operator
E.Global Administrator
AnswersB, D, E

Security Administrator can manage security policies and incidents.

Why this answer

The Security Administrator role (Option B) can manage Microsoft Defender XDR incidents because it grants full access to security features, including the ability to view, investigate, and respond to incidents in the Microsoft 365 Defender portal. This role is designed for users who need to manage security policies and incidents without having full administrative control over the tenant.

Exam trap

The trap here is that candidates often confuse the Security Reader role with the Security Operator role, or assume that Global Reader (which can view security settings) is sufficient to manage incidents, but only roles with write permissions like Security Administrator, Security Operator, or Global Administrator can actually manage Defender XDR incidents.

673
MCQeasy

You are designing network security for a multi-tier application. The web tier must be accessible from the internet, but the database tier must only be accessible from the web tier. Both tiers are in the same virtual network. Which Azure service should you use to restrict traffic between the tiers?

A.Route table
B.Network Security Group (NSG)
C.Azure Firewall
D.Application Security Groups (ASGs)
AnswerB

NSGs provide simple, stateless filtering based on source/destination IP, port, and protocol.

Why this answer

Option B is correct because a Network Security Group (NSG) can be associated with the subnet or NIC of the database tier to allow only inbound traffic from the web tier's private IP addresses or subnet. Option D is wrong because Application Security Groups (ASGs) group VMs but still require NSG rules. Option C is wrong because Azure Firewall is a managed firewall that is overkill and costlier than an NSG for simple subnet-to-subnet filtering.

Option A is wrong because a route table controls routing, not filtering.

674
MCQmedium

You are a security engineer for a large enterprise that uses Azure Virtual WAN with multiple ExpressRoute circuits connecting on-premises data centers to Azure. The company has recently acquired a subsidiary that uses a different Azure tenant. The subsidiary has its own virtual networks and wants to connect to the parent company's Azure Virtual WAN to share resources. The security requirement is that traffic must be encrypted over the public internet, and the connection must be established without any on-premises hardware. You need to recommend a solution to securely connect the subsidiary's Azure virtual network to the parent's Virtual WAN. The solution should minimize administrative overhead and use Azure-native services.

A.Deploy a VPN gateway in the subsidiary's virtual network and connect it to the parent's Virtual WAN VPN gateway using site-to-site VPN.
B.Deploy Azure Bastion in both VNets and use it to route traffic between them.
C.Use Virtual WAN's built-in VNet-to-VNet transitive routing by peering the subsidiary's VNet to the parent's VNet.
D.Establish an ExpressRoute circuit from the subsidiary's Azure region to the parent's region.
Answer: A

This provides encrypted connectivity over the internet without on-premises hardware.

Why this answer

Option A is correct. A VPN gateway can be deployed in the subsidiary's virtual network and connected to the Virtual WAN's VPN gateway over the internet using IPsec, which meets the encryption requirement without any on-premises hardware. Option D is wrong because ExpressRoute is a private connection that does not traverse the public internet and requires on-premises equipment.

Option C is wrong because, although Virtual WAN supports transitive routing, the subsidiary's VNet must be connected through a VPN gateway or ExpressRoute; VNet peering alone does not provide encryption. Option B is wrong because Azure Bastion provides RDP/SSH access to VMs, not network connectivity between VNets.

675
MCQ · medium

A company uses Azure Firewall to inspect traffic between a spoke VNet hosting a web application and a hub VNet hosting a SQL database. The web application fails to connect to the database after a recent network topology change. You verify that the Azure Firewall rules allow the traffic. Which Azure Network Watcher feature should you use to identify the root cause?

A.Connection troubleshoot
B.Next hop
C.Network Performance Monitor
D.IP flow verify
Answer: D

IP flow verify checks whether a packet is allowed or denied to or from a VM, evaluating all security rules along the path.

Why this answer

IP flow verify checks whether a packet is allowed or denied to or from a VM based on the security rules in effect. Since the firewall rules are correct, the issue may lie in other security rules (NSGs, ASGs) or in routing. IP flow verify tests the flow end-to-end and highlights where the packet is dropped.
