AZ-500 domain
Manage identity and access
Use this page to practise AZ-500 questions on Manage identity and access. The goal is not to memorise dumps, but to understand the concept, review the explanation and improve your exam readiness.
All sessions draw only from this domain. Pick a length or try interactive practice with inline explanations.
What the exam tests
What to know about Manage identity and access
Manage identity and access questions test whether you can apply the concept in context, not just recognise a definition. Expect to be tested on:
How the topic appears in realistic exam-style scenarios.
Which detail in the question changes the correct answer.
How to eliminate plausible but wrong options.
How to connect the question back to the wider exam objective.
Question index
All Manage identity and access questions (164)
Click any question to see the full explanation, or start a practice session above.
1. A company uses Azure AD Identity Protection. They want to automatically block sign-ins that have a high user risk level, but only for users in the 'Finance' department. They also want to require MFA for medium user risk level for all users (including Finance) when sign-in risk is not blocked. They have already created a Conditional Access policy for the Finance department that has a condition of 'User risk level: High' and a grant control of 'Block access'. What additional configuration is needed to also require MFA for all users with medium user risk?
2. A company uses Azure AD Privileged Identity Management (PIM) to manage access to Azure AD roles. They want to require that users who activate the Global Administrator role must get approval from their manager before activation, and that the approval must be time-bound (maximum 8 hours). Which two PIM configurations should they set?
3. A company uses Azure AD Privileged Identity Management (PIM) to manage the Global Administrator role. They want to require that when a user activates the role, they must be using a device that is compliant with Intune policies (e.g., compliant device) and must provide a justification. The company already has Conditional Access policies in place for regular access. How should they enforce the device compliance requirement specifically during PIM activation?
4. A company uses Azure AD Privileged Identity Management (PIM) for the Global Administrator role. They have configured the role activation to require approval from a specific security group. When a user attempts to activate the role, they are immediately approved without any approval request being sent. The user is a member of the same security group that is configured as the approver. What is the most likely cause?
5. A company has a partner organization in another Azure AD tenant. They want to allow users from the partner tenant to access their Azure resources through Azure AD B2B collaboration. They also want the partner's Multi-Factor Authentication (MFA) claims to be trusted when partner users access their resources, so that they do not need to perform MFA again. Which configuration in cross-tenant access settings should they enable?
6. A company has an on-premises web application that they want to expose to external users over the internet without requiring a VPN. External users must authenticate with Modern Authentication (e.g., using Azure Multi-Factor Authentication) and access policies must be enforced via Conditional Access. The application does not support SAML or OAuth. Which Azure service should they use to publish this application securely?
7. A company uses Azure AD Identity Protection and Conditional Access. A user is detected with a 'High' user risk level due to suspicious activity. The security team wants to automatically block sign-ins for this user, but only when the sign-in originates from a location that is not in the company's list of trusted IPs. They have created a Conditional Access policy targeting all users. Which configuration should they add to the policy to achieve this?
8. A company uses Azure AD Privileged Identity Management (PIM) for the Security Administrator role. The security policy requires that when a user activates the Security Administrator role, they must: 1) Provide a justification, 2) Get approval from a designated security group, and 3) The activation must last a maximum of 4 hours. Which combination of PIM settings should they configure?
9. A company uses Azure AD Privileged Identity Management (PIM) to manage access to critical roles. They want to require that users who are eligible for the 'Security Administrator' role must provide a support ticket number in the justification when activating the role. Additionally, they want to set a maximum activation duration of 4 hours. Which PIM role setting should they configure?
10. A company has Azure AD Conditional Access policies that require multi-factor authentication (MFA) for all users accessing sensitive cloud apps. The security team wants to extend this protection by monitoring and controlling user activities within those applications (e.g., preventing data exfiltration during a session). Which Conditional Access session control should they implement?
11. A company uses Azure AD Privileged Identity Management (PIM) to manage the 'Global Administrator' role. The security team wants to ensure that when a user activates the role, they must provide a justification, and the activation request must be approved by a specific group of security administrators. They have already configured the role for activation with a maximum duration of 8 hours. Which additional PIM settings should they configure?
12. A company uses Azure AD Privileged Identity Management (PIM) for the Security Administrator role. They have configured the role activation to require Azure Multi-Factor Authentication and a support ticket number. However, users are reporting that they can activate the role without entering a ticket number. What is the most likely cause?
13. A company uses Azure AD Privileged Identity Management (PIM) for the Security Administrator role. They want the activation of this role to require approval from a specific group of senior security engineers before the role becomes active. They also want the approvers to receive an email notification when an activation request is submitted. Which PIM configuration must be set?
14. A company uses Azure Active Directory (Azure AD) and has a conditional access policy that requires multi-factor authentication (MFA) for all external users accessing SharePoint Online. However, the security team wants to enforce that external users must re-authenticate every 30 minutes when accessing SharePoint. Which control should they configure in a new conditional access policy targeting SharePoint Online?
15. A company manages Azure AD roles with Privileged Identity Management (PIM). They want to enforce that when a user activates the Global Administrator role, they must provide a justification and also use Multi-Factor Authentication. Which PIM settings should they configure? (Choose two.)
16. A company uses Azure AD B2B collaboration to invite external partner users to collaborate on a project. The security team wants to ensure that when a partner user's account is disabled in their home Azure AD tenant, the user should immediately lose access to the company's resources, even if the user had a valid session token. Which configuration should they implement in cross-tenant access settings?
17. A company uses Azure AD Privileged Identity Management (PIM) to manage the 'Security Administrator' role. They want to ensure that when a user activates the role, they must provide a ticket number as justification, and the activation must be approved by a designated approver group. The role activation duration should be limited to 4 hours. Which PIM settings should be configured?
18. A company uses Azure AD Identity Protection. They have detected a user with a 'High' user risk level due to suspicious activity. The security team wants to automatically block sign-ins for this user only when the sign-in comes from a location that is not in the company's list of trusted IPs. They have created a Conditional Access policy. Which configuration should they use?
19. A company uses Azure AD B2B collaboration to invite external partner users. The security policy requires that guest users who have not signed in for more than 90 days should have their access automatically reviewed and, if not approved, removed. The company has Azure AD Premium P2 licenses. Which Azure AD feature should they configure to meet this requirement?
20. A company uses Azure AD Privileged Identity Management (PIM) for the Global Administrator role. They want to ensure that when a user activates the role, the activation request must be approved by a member of the 'Global Admin Approvers' group, and the activation should be time-bound with a maximum of 4 hours. Which PIM settings should they configure?
21. A company has Azure AD Identity Protection enabled. The security team wants to automatically block sign-ins that are detected as coming from a known malicious IP address. They have created a Conditional Access policy and assigned it to all users. Which configuration should they add to the policy to trigger the block based on Identity Protection risk?
22. A company uses Azure AD Privileged Identity Management (PIM) to manage access to the 'Security Administrator' role. They want a specific user to be able to activate the role only when needed, rather than having standing access. The user should not have the role active at all times. Which type of assignment should they configure for this user in PIM?
23. A company uses Azure AD Privileged Identity Management (PIM) to manage the 'Security Administrator' role. They want to require that when a user activates this role, they must provide a support ticket number and a brief justification. Additionally, the activation should have a maximum duration of 4 hours. Which PIM role setting should they configure?
24. A company uses Azure AD Privileged Identity Management (PIM) to manage access to Azure resources. They want to enforce that when a user activates the Contributor role for a specific resource group, they must provide a ticket number as justification and the activation is limited to 4 hours. Which PIM settings should they configure?
25. A company uses Azure AD with Premium P2 licenses. They want to require that all new users register for Azure Multi-Factor Authentication (MFA) within 14 days of their first sign-in. If they do not register, they should be denied access to all cloud applications until registration is completed. Which Azure AD feature should they configure?
26. A company uses Azure AD Privileged Identity Management (PIM) for Azure AD roles. They want to require that when a user activates the Security Administrator role, they must provide a justification and the activation must be approved by a member of a specific security group. Which PIM setting should they configure?
27. A company uses Azure AD Privileged Identity Management (PIM) to manage the 'Security Administrator' role. They want users who activate this role to provide a justification and a support ticket number, and they want the activation to expire after a maximum of 4 hours. Which PIM role settings should they configure?
28. A company uses Azure AD Identity Protection. They want to automatically block sign-ins that are detected as having a high sign-in risk. They have created a Conditional Access policy and assigned it to all users. Which configuration should they add to the policy to trigger the block based on the sign-in risk?
29. A company uses Azure AD B2B collaboration to invite external vendors. They want to restrict the vendors to only be able to access a specific application, and prevent them from discovering other users or applications in the directory. Which configuration should they apply to the external users?
30. A company wants to ensure that users can only access Microsoft 365 services (e.g., Exchange Online, SharePoint Online) from devices that are confirmed to be compliant with corporate security policies (e.g., encryption enabled, antivirus active). Which Azure AD policy type should they create?
31. A company has a subscription with Azure Active Directory (Azure AD). They want to enable a conditional access policy that requires all users to use multi-factor authentication (MFA) when accessing the Azure portal. The policy should only apply to users who are members of a group called 'AllUsers'. Which assignment should they configure in the policy?
32. A company uses Azure AD Privileged Identity Management (PIM) to manage the 'Security Administrator' role. They want to require that activation of this role must be approved by a designated group of security engineers before it becomes active. Which PIM role setting should they configure?
33. A company uses Azure AD. They want to ensure that all users enroll in Azure Multi-Factor Authentication (MFA) within 14 days of their first sign-in. After 14 days, any user who has not enrolled must be blocked from accessing applications. Which configuration should they implement?
34. A company uses Azure Active Directory and has guest users invited via B2B collaboration. The security team wants to require that all guest users from specific external organizations must complete multi-factor authentication (MFA) when accessing the company's SaaS applications. Which Conditional Access policy configuration should they use?
35. A company uses Azure AD Identity Protection and Conditional Access. They want to automatically block user access to cloud applications when Identity Protection detects that a user's sign-in risk level is high. Which configuration should they use in a Conditional Access policy?
36. A company uses Azure AD Conditional Access. They want to require multi-factor authentication (MFA) for all users accessing the Azure portal, but only when the sign-in risk level is medium or above. Which configuration should they use in the Conditional Access policy?
37. A company uses Azure AD Privileged Identity Management (PIM) for the 'Security Administrator' role. They want to ensure that when a user activates the role, they must provide a justification, and the activation requires approval from a designated security group. Which PIM role settings should they configure?
38. A company wants to allow external business partners to access specific SharePoint Online sites using their own corporate credentials. They do not want to manage partner accounts in their own Azure AD tenant. Which Azure AD feature should they use?
39. A company uses Azure Active Directory (Azure AD) and wants to regularly review the membership of a group that grants access to a critical application. Each member must attest their continued need for access. Which Azure AD feature should they use?
40. A company has Azure AD with Premium P2 licenses. They want to enforce Azure Multi-Factor Authentication (MFA) for all users accessing the Azure portal from untrusted networks, but only after the user has successfully entered their password. Which Conditional Access grant control should they configure?
41. A company develops a web application that runs on Azure App Service. The application needs to access Azure Key Vault to retrieve secrets. The security team wants to avoid using service principals or connection strings. Which identity should they assign to the App Service to authenticate to Key Vault?
42. A company uses Azure AD Conditional Access. They need to restrict access to a cloud application such that users with unmanaged devices can only view data but cannot download it. Which Conditional Access session control should they enable?
43. A company uses Azure AD Conditional Access. They want to block sign-ins from countries where the company does not have offices. They have a list of allowed countries. Which condition should they configure in the Conditional Access policy?
44. A company uses Azure AD Privileged Identity Management (PIM) to manage the 'Security Administrator' role. They want a user to be able to activate this role for a maximum of 2 hours per activation. Which PIM setting should they configure?
45. A company wants to require that users perform multi-factor authentication (MFA) when accessing a critical enterprise application, but only when they are outside the corporate network. They have Azure Active Directory Premium P1 licenses. Which feature should they use to enforce this requirement?
46. A company uses Azure AD Privileged Identity Management (PIM) for Azure AD roles. They want to require that users must perform multi-factor authentication (MFA) when activating a role. Which PIM setting should they configure?
47. A company uses Microsoft Defender for Cloud's Just-In-Time (JIT) VM access to manage RDP connections to a critical jump-box virtual machine. The company has a CI/CD pipeline running on Azure DevOps agent pools that needs to periodically RDP into this VM to deploy software. The agent pool's source IP addresses are dynamic and change frequently. They want the pipeline to automatically request JIT access before each deployment without manual intervention. Which approach should they implement?
48. A security team uses Microsoft Defender for Cloud to centralize security alerts. They want to continuously export all security alerts to a Log Analytics workspace for long-term retention and custom analysis. Which two actions must be taken to achieve this? (Choose two that apply.)
49. A security operations team uses Microsoft Sentinel. They have created a playbook that sends an email notification to the security team when a high-severity incident is created by a specific analytics rule named 'CriticalRDPAccess'. They want the playbook to trigger automatically only when the incident has severity 'High' AND the incident was created by the rule named 'CriticalRDPAccess'. Which automation rule configuration should they use?
50. A security operations team uses Microsoft Sentinel. They create a playbook that changes the severity of an incident from 'Medium' to 'High' when a specific indicator of compromise (IOC) is detected within the incident's entities. The team wants this playbook to run automatically as soon as the incident is created, without manual intervention. Which type of automation rule trigger should they configure to invoke the playbook?
51. A security team uses Microsoft Sentinel. They create a scheduled analytics rule that queries Azure Activity Logs to detect virtual machines deployed in non-approved regions. The rule generates an incident. The team wants the incident to be automatically assigned to the 'Infrastructure' team and its severity set to 'High' when it is created. Which automation feature should they use?
52. A security team uses Microsoft Defender for Cloud. They have assigned a custom regulatory compliance initiative that includes policies to enforce encryption on storage accounts and SQL databases. They want to automatically remediate any non-compliant resources as soon as they are created, without manual intervention. Which feature should they configure?
53. A company uses Microsoft Defender for Cloud. They have assigned a custom regulatory compliance initiative that includes policies to enforce encryption on storage accounts and SQL databases. They want to automatically remediate any non-compliant resources that are discovered, without manual intervention. Which feature should they configure?
54. A security team uses Microsoft Sentinel. They want to create a custom detection rule that identifies a potential data exfiltration scenario: when a user signs in from an unusual location and then, within 30 minutes, performs a large download from Azure Blob Storage. They need to correlate sign-in logs from Azure AD with storage diagnostic logs. Which type of analytics rule should they create in Microsoft Sentinel?
55. A security team uses Microsoft Defender for Cloud to protect Azure virtual machines. They want to implement application allowlisting to prevent execution of unauthorized software on a set of Windows Server VMs. They need to create a baseline of allowed applications and then enforce the allowlist. Which Defender for Cloud feature should they enable?
56. A security team uses Microsoft Defender for Cloud. They want to ensure that all Azure virtual machines have the guest configuration extension installed to apply a security baseline automatically. They need to remediate non-compliant VMs without manual intervention. Which Defender for Cloud feature should be configured?
57. A security team uses Microsoft Defender for Cloud to monitor the security posture of a hybrid environment that includes on-premises servers connected via Azure Arc. They want to enable a vulnerability assessment solution that automatically scans all servers (both Azure VMs and on-premises Arc-enabled servers) for OS vulnerabilities. Which solution should they enable directly from Defender for Cloud?
58. A security team wants to use Microsoft Sentinel to detect potential data exfiltration events from Azure Blob Storage. Which two logs should they ingest to best identify unauthorized read access and data transfer activities? (Choose two.)
59. A security analyst uses Microsoft Defender for Cloud. They need to continuously monitor the security posture of their Azure subscription against the Microsoft cloud security benchmark (MCSB). They want to see the current compliance score and specific recommendations for failing controls. Which Defender for Cloud feature should they use?
60. A company uses Microsoft Defender for Cloud to monitor its security posture. The compliance team wants to receive email notifications immediately when a control in the ISO 27001 regulatory compliance standard fails. They want to be alerted only when specific controls change from 'compliant' to 'non-compliant'. Which feature should they configure?
61. A security operations team uses Microsoft Sentinel. They are investigating a security incident that involves multiple alerts from different Azure resources. They need to see the entire attack timeline and all related entities (such as user accounts, IP addresses, and hosts) in a single, visual graph to understand the scope of the attack. Which Microsoft Sentinel feature should they use?
62. A security operations team uses Microsoft Sentinel. They have a scheduled analytics rule that generates an incident when a user signs in from an unusual location. They want to automatically assign the incident to the 'Security Engineering' team and set its severity to 'High' when it is created. Which feature should they use?
63. A security operations team uses Microsoft Sentinel. They want to create an automation that automatically changes the severity of an incident from 'Medium' to 'High' when a specific indicator of compromise (IOC) is observed in the incident's entities. The playbook should run immediately when the incident is created. Which type of automation rule trigger should they configure?
64. A security team uses Microsoft Defender for Cloud to monitor Azure virtual machines. They want to automatically install a specific endpoint protection solution on all Windows VMs that are currently missing it, without manual intervention. The solution is not integrated natively with Defender for Cloud. Which feature should they use?
65. A security team uses Microsoft Sentinel. They want to detect a potential privilege escalation scenario: when a user is added to the Global Administrator role in Azure AD (audit log) and within 10 minutes that user signs in from a suspicious location (sign-in log). Which type of analytics rule should they create to correlate these two different log sources?
66. An organization uses Microsoft Defender for Cloud. They want to implement just-in-time (JIT) VM access for a set of production VMs. However, the security team needs to ensure that JIT access requests are always approved by a manager before opening ports. Which configuration should they use?
67. A security team uses Microsoft Sentinel. They have created a playbook that isolates a virtual machine by modifying a network security group rule. They want this playbook to execute automatically whenever a new incident of type 'Suspicious VM activity' is created. Which Microsoft Sentinel feature should they use to trigger the playbook?
68. A security analyst is using Microsoft Sentinel to investigate a security incident. The analyst needs to view all related events, alerts, and entities (users, IPs, hosts) in a single, interactive graph to understand the full scope of the attack. Which Microsoft Sentinel feature should they use?
69. A security team uses Microsoft Defender for Cloud to monitor the security posture of their Azure environment. They want to ensure that the Log Analytics agent is automatically installed on all new Azure virtual machines as soon as they are provisioned, to collect security logs. Which feature should they enable in Defender for Cloud?
70. A company uses Microsoft Defender for Cloud to manage its security posture. The compliance team wants to monitor the subscription's compliance with the Payment Card Industry Data Security Standard (PCI DSS). They need to view a detailed compliance report and track progress over time. What should they do in Defender for Cloud?
71. A security team uses Microsoft Sentinel. They want to automatically isolate a compromised virtual machine by applying a network security group (NSG) rule. They have created a playbook in Azure Logic Apps that modifies the NSG. How should they trigger this playbook when an incident of type 'Suspicious VM activity' is created?
72. A security operations team uses Microsoft Sentinel. They want to create a rule that generates an incident when an Azure virtual machine is deployed with a public IP address that is not in a predefined approved list. The rule should run every hour and query Azure Activity logs. Which type of analytics rule should they create?
73. An organization uses Microsoft Defender for Cloud. They want to allow specific administrators to temporarily open RDP (port 3389) to a virtual machine only when needed, and for a limited time, while minimizing management overhead. Which Defender for Cloud feature should they use?
74. A company uses Microsoft Defender for Cloud to manage security posture. The security team wants to receive alerts when a virtual machine has a vulnerability rated as 'Critical' by the integrated vulnerability assessment solution. Which Defender for Cloud plan must be enabled for the subscription to receive these alerts?
75. A company uses Microsoft Defender for Cloud to monitor security alerts. They receive an alert about a compromised virtual machine and want to automatically execute a playbook that isolates the VM by modifying the network security group. Which Defender for Cloud feature should they use to create this automated response?
76. A security operations team uses Microsoft Sentinel for security monitoring. They want to automatically create an incident and send an email to the on-call security engineer when a specific event occurs in Azure Activity Log, such as someone disabling a key vault firewall. Which automation feature should they configure?
77. A security team uses Microsoft Defender for Cloud. They have enabled the integrated vulnerability assessment (VA) solution on their Azure virtual machines. They want to receive alerts when a VM has a vulnerability rated 'Critical' by the VA solution. Which Defender for Cloud plan must be enabled on the subscription?
78. A security operations team uses Microsoft Sentinel to centralize security monitoring across their hybrid environment. They need to ingest AWS CloudTrail logs from an Amazon Web Services account to detect suspicious activities in their AWS environment. Which data connector should they configure in Microsoft Sentinel?
79. A security team uses Microsoft Sentinel. They want to create a custom analytics rule that generates an incident whenever a user from a list of known malicious IP addresses attempts to sign in to any Azure AD app. They have imported the IP list into Sentinel using Threat Intelligence. Which rule type should they use?
80. A security team uses Microsoft Sentinel. They want to automatically assign a severity level and an owner to every incident that is created from a specific analytics rule. The owner should be a specific security operations group. Which Microsoft Sentinel feature should they configure to achieve this automation?
81. A security analyst is using Microsoft Sentinel to detect multi-stage attacks. They want to create an analytics rule that correlates a user sign-in from an unusual location with a subsequent data exfiltration attempt from Azure Blob Storage within one hour. Which type of analytics rule should they use?
82. A company wants to use Microsoft Defender for Cloud to continuously assess their Azure resources against the Microsoft cloud security benchmark (MCSB). They need to view the current compliance score and specific recommendations for failing controls. Which feature in Defender for Cloud should they use?
83. A company uses Microsoft Defender for Cloud to protect their Azure virtual machines. They have enabled the integrated vulnerability assessment (VA) solution on all VMs. The security team wants to receive an alert when a VM is found to have a vulnerability rated as 'Critical' by the VA solution. Which Defender for Cloud plan must be enabled on the subscription?
84. An organization is required to comply with the Health Insurance Portability and Accountability Act (HIPAA). They use Microsoft Defender for Cloud to manage their Azure security posture. Which feature in Defender for Cloud should they use to view their current compliance status against HIPAA controls?
85. A security team uses Microsoft Sentinel. They have created a playbook in Azure Logic Apps that automatically isolates a compromised VM by modifying a network security group. They want the playbook to run automatically whenever an incident of type 'VM Isolation' is created. Which Microsoft Sentinel feature should they use to trigger the playbook automatically?
86. A security analyst uses Microsoft Sentinel. They want to create a scheduled analytics rule that runs every hour and queries Azure Activity logs to detect deployment of VMs in non-approved regions. They want to generate an incident automatically when suspicious activity is found. Which configuration is required to automatically create an incident?
87. A security analyst uses Microsoft Defender for Cloud. They need to automatically apply a specific remediation action (e.g., enable audit logging) to a set of Azure SQL servers that are found to be non-compliant with a security policy. Which Defender for Cloud feature should they use?
88. A company uses Microsoft Defender for Cloud. They want to automatically apply a security recommendation (such as enabling encryption on storage accounts) to all existing resources that are found to be non-compliant without manual intervention. Which Defender for Cloud feature should they configure?
89. A company uses Microsoft Defender for Cloud. The security team wants to receive a weekly email digest that includes the current Secure Score, the number of healthy and unhealthy resources, and a list of top recommendations. Which Defender for Cloud feature should they configure?
90. A security analyst uses Microsoft Sentinel. They have created a playbook that tags Azure VMs as 'isolated' when a high-severity malware alert is triggered. They want this playbook to run automatically whenever a related alert is generated. Which feature should they configure?
91. A security team uses Microsoft Defender for Cloud to improve their security posture across multiple subscriptions. They want to quickly identify which security recommendations have the highest potential to improve their security score if remediated. Which dashboard or feature should they use?
92. A security analyst uses Microsoft Sentinel. They want to create a rule that triggers an incident when a user is added to a highly privileged Azure AD role (e.g., Global Administrator). The data source is Azure AD audit logs. Which type of analytics rule should they create?
93. Security analysts in your company use Microsoft Sentinel to manage incidents. They want to automatically assign any incident with a severity of 'High' or 'Critical' to the senior analyst on duty. Which Microsoft Sentinel feature should they configure to accomplish this?
94. A security team uses Microsoft Sentinel. They want to create a custom analytics rule that triggers an incident when more than 10 failed Azure Active Directory sign-ins occur from the same source IP address within any 5-minute window. Which type of rule should they use?
95. A security team uses Microsoft Sentinel. They want to create a custom analytics rule that detects when a user account is created in Azure AD and then within 5 minutes attempts to access a sensitive SharePoint site. What should they use to correlate these two events?
96. A security analyst uses Microsoft Defender for Cloud. They need to assess their Azure environment's compliance against the Payment Card Industry Data Security Standard (PCI DSS). Which dashboard in Defender for Cloud should they use to view the compliance status?
97. A company needs to demonstrate compliance with the Payment Card Industry Data Security Standard (PCI DSS) for their Azure workloads. They use Microsoft Defender for Cloud for security management. Which feature should they use to view their current compliance status against PCI DSS controls and track progress over time?
98. A company uses Microsoft Defender for Cloud to manage the security posture of their Azure workloads. The compliance officer needs to generate a report that shows the current compliance status against the SOC 2 standard, including the pass/fail status of each control. Which feature in Defender for Cloud should they use?
99. A security team has a list of known malicious IP addresses from an external threat intelligence feed in CSV format. They want to import this list into Microsoft Sentinel and use it in analytics rules to detect incoming attacks. Which feature should they use?
100. A security team uses Microsoft Defender for Cloud to monitor the security posture of their Azure subscription. They want to ensure that whenever a new virtual machine is created, the Log Analytics agent is automatically installed to collect security events. Which feature should they configure in Defender for Cloud?
101A security team uses Microsoft Defender for Cloud. They want to automatically enable the 'vulnerability assessment' solution on all existing and future Azure SQL Database servers that are not already configured. Which Defender for Cloud feature should they use to enforce this configuration across the subscription?
102An organization has deployed Microsoft Sentinel as their SIEM. They need to ingest audit logs from their Amazon Web Services (AWS) environment, including CloudTrail logs. Which data connector should they use in Microsoft Sentinel to collect these logs?
103A security team uses Microsoft Sentinel. They want to automatically block a user's account in Azure AD when a high-severity incident is created in Sentinel indicating the user's credentials are compromised. Which automation feature should they use?
104A security operations team uses Microsoft Sentinel. They want to create a custom analytics rule that detects when an Azure virtual machine is created with a public IP address that is not in an approved list. Which type of rule should they use?
105An organization is deploying Microsoft Sentinel to centrally collect and analyze security events. They need to ingest logs from multiple on-premises Windows servers located behind a firewall. Which agent should they deploy on those servers?
106A security analyst uses Microsoft Defender for Cloud to monitor the security posture of their Azure subscription. They want to receive an email notification whenever a high-severity security alert is generated for any of their Azure resources. What should they configure in Defender for Cloud?
107A security team uses Microsoft Sentinel. They want to create a playbook that automatically adds a tag 'isolated' to any Azure virtual machine that triggers a high-severity security alert. How should they configure the automation?
108A security team uses Microsoft Defender for Cloud. They want to receive a weekly email summary of the Secure Score, top recommendations, and new alerts for their subscription. Which feature should they configure?
109A security operations team uses Microsoft Sentinel. They want to automatically assign incidents to different tiers of analysts based on severity when incidents are created. Which feature should they configure?
110A company uses Microsoft Defender for Cloud. They want to automatically implement a specific security recommendation (e.g., 'Enable encryption for Azure SQL Database') on all existing and future SQL Database instances in a subscription. Which feature should they use?
111A security operations team uses Microsoft Sentinel. They need to collect Syslog messages from on-premises Linux servers for analysis. Which data connector should they use to ingest these logs into Sentinel?
112A security team wants to receive a weekly email summary of the security posture of all their Azure subscriptions, including the Secure Score, top recommendations, and the number of healthy resources. Which Microsoft Defender for Cloud feature should they configure?
113A security analyst uses Microsoft Defender for Cloud. They need to view the current compliance status of their Azure subscription against the Payment Card Industry Data Security Standard (PCI DSS). Which feature in Defender for Cloud should they use?
114An organization uses Microsoft Defender for Cloud. They want to receive alerts when Azure virtual machines do not have disk encryption enabled. What should they configure to achieve this?
115A security operations team uses Microsoft Sentinel. They want to enable User and Entity Behavior Analytics (UEBA) to detect anomalous user activities. Which configuration is required?
116A company uses Microsoft Defender for Cloud. They want to receive alerts when a virtual machine has a vulnerability that is rated 'Critical' by the integrated vulnerability assessment solution. Which Defender for Cloud plan must be enabled?
117A company uses Microsoft Defender for Cloud. They want to receive email notifications when a high-severity security alert is generated for any resource in the subscription. Which configuration should they make in Defender for Cloud?
118A security analyst uses Microsoft Defender for Cloud. They want to view a list of all security recommendations for their Azure subscription, prioritized by their potential impact. Which Defender for Cloud dashboard should they use?
119A security engineer connects Azure virtual machines to Microsoft Defender for Cloud. The team wants vulnerability findings without installing a vulnerability scanner extension on each VM. Which capability should be enabled?
120A Sentinel analytics rule creates a new incident every time the same brute-force activity is detected for the same account within an hour. The SOC wants one incident that continues to group related alerts. What should be changed?
121A KQL query in Microsoft Sentinel detects impossible travel but returns many false positives from known VPN egress IP addresses. Which two changes would best reduce noise while preserving useful detections?
122A company wants Defender for Cloud to automatically open a Logic App when a high-severity alert is generated for a subscription. Which feature should be configured?
123A Sentinel playbook fails to update incidents even though the Logic App runs successfully. The playbook uses a managed identity. What is the most likely missing configuration?
124An organization wants to export Defender for Cloud recommendations and alerts into a central Log Analytics workspace for retention and hunting. Which feature should they use?
125A SOC analyst needs a Sentinel query that detects multiple failed sign-ins followed by a successful sign-in for the same user. Which table is the best primary source?
126A cloud security team wants Defender for Cloud to assess AWS accounts and GCP projects from the same portal used for Azure posture management. What should they configure?
127A Defender for Cloud recommendation is valid for most subscriptions but not for a legacy subscription with an approved exception. The team wants secure score to reflect the exception without disabling the recommendation everywhere. What should they do?
128A team enables Microsoft Defender for Storage. Which two threats can the plan help detect?
129A Sentinel scheduled rule runs every 5 minutes and looks back 1 hour. Analysts see repeated alerts for the same event. Which change best prevents duplicate detections without missing late-arriving logs?
130A company wants to detect exposed internet-facing assets that are not yet known in its Azure inventory. Which Microsoft Defender capability is most relevant?
131A Sentinel data connector based on Azure Monitor Agent stops collecting Windows Security Events after migration from the legacy agent. What should the engineer verify first?
132A team wants to automatically deploy Defender for Cloud settings across new subscriptions under a management group. Which Azure capability should they use?
133A SOC wants a Sentinel rule to include account, host, and IP entities so analysts can pivot during investigation. What should be configured in the analytics rule?
134A company uses Defender for Servers Plan 2. Which two capabilities are included compared with a basic posture-only configuration?
135An analyst creates a Sentinel automation rule and a playbook. The playbook should run only when incidents are created from a specific analytics rule and severity is High. Where should this filtering be configured?
136A security team wants to visualize MITRE ATT&CK coverage for Microsoft Sentinel analytics rules. Which Sentinel experience should they use?
137A KQL hunting query joins SecurityIncident with SecurityAlert but returns duplicate rows for incidents with multiple alerts. What KQL approach best preserves one row per incident while summarizing alert details?
138A DevOps team wants Defender for Cloud to identify secrets exposed in GitHub repositories. What should be configured?
139A team wants Sentinel to ingest firewall logs from an appliance that emits Common Event Format over Syslog. Which connector pattern is most appropriate?
140A Defender for Cloud secure score recommendation says storage accounts allow public blob access. What remediation best addresses the root issue?
141An organization wants to detect when a privileged Azure role assignment is created outside the approved change window. Which log source should a Sentinel rule query?
142A company wants Defender for Cloud to recommend fixes for container image vulnerabilities stored in Azure Container Registry. Which capability is most relevant?
143A Sentinel analyst needs to preserve investigation notes, related entities, and ownership while escalating a case to another analyst. Which object should be updated?
144A security engineer needs to collect custom application logs from Azure VMs using Azure Monitor Agent for Sentinel analysis. Which two components are required?
145A Microsoft Sentinel rule should run with minimal delay against supported data sources and produce alerts close to event time. Which rule type should be considered?
146A Defender for Cloud recommendation requires enabling private endpoints for a storage account. Which security risk is primarily reduced?
147A Sentinel watchlist contains high-value administrator accounts. Which KQL pattern best uses it in a detection rule?
148A company wants to identify excessive permissions across Azure, AWS, and GCP identities. Which Microsoft security capability is designed for cloud infrastructure entitlement management?
149An analyst investigates a Defender for Cloud alert for suspicious process execution on a VM. Which next step best preserves evidence while enabling deeper endpoint investigation?
150A team wants Sentinel incidents to automatically assign to the Tier 2 queue when severity is High and the product name is Microsoft Defender for Endpoint. What should they configure?
151A compliance team wants evidence that Azure resources are evaluated against the Microsoft Cloud Security Benchmark. Which Defender for Cloud area should they use?
152A security engineer wants Defender for Cloud to detect threats against Azure SQL Database and SQL Server on Azure VMs. Which plan should be enabled?
153A Sentinel rule using a threat intelligence table fires on stale indicators that expired last week. What should be added to the query?
154A custom Azure role should allow operators to restart virtual machines but not delete them or change networking. Which permission design is most appropriate?
155An application hosted on an Azure VM needs to read secrets from Key Vault without storing credentials. Which identity pattern should be used?
156An enterprise app requests tenant-wide admin consent for Microsoft Graph permissions. Security wants to prevent unreviewed user consent while allowing approved apps. Which two controls help meet this requirement?
157A privileged administrator should activate the Security Administrator role only for approved work and for a limited time. What should be configured?
158A Conditional Access policy requiring compliant devices does not apply to Azure PowerShell access. Sign-in logs show the cloud app is excluded. What should be changed?
159A Conditional Access policy should reduce account takeover risk for administrators without blocking normal low-risk access. Which two signals or controls are most appropriate?
160A managed identity is used by an Azure Function to access Key Vault. Which two configurations are required?
161A security team is reviewing risky OAuth applications in Microsoft Entra ID. Which two actions reduce future consent risk?
162A Sentinel detection should enrich alerts with business-critical asset context. Which two mechanisms are appropriate?
163A team wants to deploy Sentinel content consistently across workspaces. Which two approaches are appropriate?
164A Defender for Cloud alert indicates possible credential theft on a VM. Which two response actions are sensible early containment steps?
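Worked example for the brute-force questions (94, 125 and 133 above). Those questions are answered by a scheduled analytics rule whose KQL does the counting and whose entity mapping exposes the columns to the investigation graph. The query below is an added example written for this page; it is not the site's own content and not one of Microsoft's built-in rule templates. The threshold, window and lookback values are assumptions to tune per tenant.

```kusto
// Added example (not from the original page): failed sign-ins from one source IP,
// followed by a successful sign-in from the same IP. Assumed parameters.
let threshold = 10;      // "more than 10" failures per source IP per window
let window = 5m;
let lookback = 1h;       // rule lookback; run the rule at least every 5 minutes
let failures =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"                       // any non-zero ResultType is a failed sign-in
    | summarize FailedCount = count(),
                FirstFail = min(TimeGenerated),
                LastFail = max(TimeGenerated),
                TargetedAccounts = make_set(UserPrincipalName, 50)
        by IPAddress, WindowStart = bin(TimeGenerated, window)
    | where FailedCount > threshold;
let successes =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | project SuccessTime = TimeGenerated, IPAddress, UserPrincipalName, UserId, AppDisplayName;
failures
| join kind=inner successes on IPAddress
// a success from the attacking IP during or shortly after the burst is the case worth an incident
| where SuccessTime between (FirstFail .. (LastFail + window))
| project WindowStart, IPAddress, FailedCount, TargetedAccounts,
          UserPrincipalName, UserId, AppDisplayName, SuccessTime
```

Two points a practitioner should check when using this in a rule. First, in the rule wizard map the Account entity to UserPrincipalName (and its AadUserId to UserId) and the IP entity to IPAddress; without that mapping the incident has no entities to pivot on, which is the substance of question 133. Second, bin() produces tumbling windows, so a burst that straddles a 5-minute boundary is split across two bins and can fall under the threshold; if "any 5-minute window" must be literal, lower the threshold slightly or build a sliding window with a self-join, at higher query cost. Grouping alerts into incidents by IPAddress (alert grouping in the rule's incident settings) is what stops one incident per run for the same attacker, the problem described in question 120.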
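Worked example for the privileged role assignment and duplicate-alert questions (92, 129 and 141 above). Questions 92 and 141 point at Microsoft Entra audit logs (the AuditLogs table); question 129 is about a rule whose lookback is longer than its frequency, so the same row is evaluated on every run. The query below is an added example written for this page, not the site's content or a Microsoft template. The list of privileged roles and the approved change window (weekdays 08:00 to 18:00 UTC) are assumptions.

```kusto
// Added example (not from the original page): privileged role assigned outside the change window.
// Assumed change window: Monday to Friday, 08:00-18:00 UTC. Adjust to your process.
let privilegedRoles = dynamic(["Global Administrator", "Privileged Role Administrator", "Security Administrator"]);
let windowStartHour = 8;
let windowEndHour = 18;
AuditLogs
| where TimeGenerated > ago(1h)                 // lookback 1h: late-arriving events are still evaluated
| where ingestion_time() > ago(5m)             // frequency 5m: each event is evaluated once, by ingestion time
| where Category == "RoleManagement"
// "Add member to role ..." also matches PIM activations; drop the "(PIM activation)" variants if those are approved work
| where OperationName startswith "Add member to role" or OperationName startswith "Add eligible member to role"
| where Result == "success"
| mv-expand Target = TargetResources
| mv-expand Prop = Target.modifiedProperties
| where tostring(Prop.displayName) == "Role.DisplayName"
| extend RoleName = trim('"', tostring(Prop.newValue))       // newValue is a JSON-encoded string, e.g. "\"Global Administrator\""
| where RoleName in (privilegedRoles)
| extend TargetUser = tostring(Target.userPrincipalName),
         Initiator = iff(isnotempty(InitiatedBy.user.userPrincipalName),
                         tostring(InitiatedBy.user.userPrincipalName),
                         tostring(InitiatedBy.app.displayName)),
         InitiatorIp = tostring(InitiatedBy.user.ipAddress)
| extend Hour = hourofday(TimeGenerated), Day = dayofweek(TimeGenerated)   // dayofweek: 0d = Sunday, 6d = Saturday
| where Day == 0d or Day == 6d or Hour < windowStartHour or Hour >= windowEndHour
| project TimeGenerated, OperationName, RoleName, TargetUser, Initiator, InitiatorIp, CorrelationId
```

The two filters at the top are the answer to question 129 in code form: with only the 1-hour lookback and a 5-minute schedule, every qualifying row fires up to twelve times; shrinking the lookback to 5 minutes stops the repeats but loses events whose TimeGenerated is older than their arrival. Keeping the wide TimeGenerated window and adding the ingestion_time() filter keeps both properties. Map the Account entity to TargetUser and Initiator and the IP entity to InitiatorIp in the rule wizard.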
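Worked example for the threat-intelligence questions (99, 139 and 153 above). Indicators imported into Sentinel, whether from a TI connector or from a CSV/JSON file uploaded through the Threat intelligence blade, land in the ThreatIntelligenceIndicator table, and question 153 describes what happens when a rule joins against that table without filtering on expiry. The query below is an added example written for this page, not the site's content or a Microsoft template; it matches indicator IPs against CEF firewall logs ingested over Syslog (question 139). The lookback values are assumptions.

```kusto
// Added example (not from the original page): active, unexpired TI IP indicators matched against CEF logs.
let ioc_lookback = 14d;   // how far back to load indicators
let dt_lookback = 1h;     // rule lookback over the firewall logs
let indicators =
    ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookback)
    // the table is append-only: keep the latest version of each indicator, then drop revoked or expired ones
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true
    | where ExpirationDateTime > now()                 // without this line, indicators that expired last week still fire
    | extend IndicatorIP = case(isnotempty(NetworkIP), NetworkIP,
                                isnotempty(NetworkDestinationIP), NetworkDestinationIP,
                                NetworkSourceIP)
    | where isnotempty(IndicatorIP)
    | project IndicatorId, IndicatorIP, ConfidenceScore, ThreatType, Description, ExpirationDateTime;
CommonSecurityLog
| where TimeGenerated >= ago(dt_lookback)
| where isnotempty(DestinationIP)
| join kind=inner indicators on $left.DestinationIP == $right.IndicatorIP
| project TimeGenerated, DeviceVendor, DeviceProduct, DeviceAction, SourceIP, DestinationIP, DestinationPort,
          IndicatorId, ConfidenceScore, ThreatType, Description, ExpirationDateTime
```

The arg_max by IndicatorId matters as much as the expiry check: an indicator that was later revoked (Active set to false) still has its original row in the table, and joining against all rows resurrects it. Workspaces on the newer ThreatIntelIndicators schema have different column names, so verify the table in use before deploying. If the CSV list is not formal threat intelligence (for example, an internal blocklist), a watchlist queried with _GetWatchlist() is the lighter alternative, at the cost of losing expiry and confidence metadata.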
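Worked example for question 137 above (duplicate rows when joining SecurityIncident with SecurityAlert), which also shows the owner and status fields that question 143 is about. Both tables are append-only: every update to an incident or alert writes a new row, so a naive join multiplies rows by versions as well as by alerts. The query below is an added example written for this page, not the site's content or a Microsoft template; the lookback values and set-size limits are assumptions.

```kusto
// Added example (not from the original page): one row per incident with its alerts summarised.
SecurityIncident
| where TimeGenerated > ago(7d)
// latest version of each incident (ownership, status and comments live on this object)
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
| where Status != "Closed"
| mv-expand AlertId = AlertIds to typeof(string)         // one row per (incident, alert) pair
| join kind=leftouter (
    SecurityAlert
    | where TimeGenerated > ago(14d)
    | summarize arg_max(TimeGenerated, *) by SystemAlertId   // alerts are versioned too
    | project SystemAlertId, AlertName, ProductName, AlertSeverity, Tactics
  ) on $left.AlertId == $right.SystemAlertId
// collapse back to one row per incident, carrying the alert details as sets
| summarize AlertCount = dcount(AlertId),
            AlertNames = make_set(AlertName, 20),
            Products = make_set(ProductName, 10),
            Tactics = make_set(Tactics, 20)
  by IncidentNumber, Title, Severity, Status, AssignedTo = tostring(Owner.assignedTo), CreatedTime
| order by CreatedTime desc
```

The pattern is mv-expand to get one row per alert, then summarize back with make_set() and dcount(); arg_max() on each table first is what removes the version duplicates that a plain join leaves behind. Because owner, status, comments and related entities hang off the incident record, an escalation is an update to that incident (in the portal or through an automation rule), and an analyst who reassigns at the alert level loses nothing but also changes nothing the next analyst will see.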
Watch out for
Common Manage identity and access exam traps
- Answering from memory before reading the full scenario.
- Missing a constraint such as cost, availability, security, scope or command context.
- Choosing a broad answer when the question asks for the most specific fix.
- Ignoring why the wrong options are tempting.
Frequently asked questions
- What does the Manage identity and access domain cover on the AZ-500 exam?
- Manage identity and access questions test whether you can apply the concept in context, not just recognise a definition.
- How many questions are in this domain?
- This page lists all 164 Manage identity and access questions in the AZ-500 question bank. The actual exam draws from this domain proportionally to its weighting in the official exam blueprint.
- What is the best way to practise this domain?
- Start with a short focused session (10 questions) to identify gaps, then use the interactive practice page to work through explanations. Repeat with a longer session once the weak areas feel solid.
- Can I practise only Manage identity and access questions?
- Yes — the session launcher on this page filters questions to this domain only. Choose any session length or try the interactive practice page for inline explanations.