CCNA Manage identity and access Questions

27 of 177 questions · Page 3/3 · Manage identity and access · Answers revealed

151
MCQmedium

A security team uses Microsoft Sentinel. They want to create a custom detection rule that identifies a potential data exfiltration scenario: when a user signs in from an unusual location and then, within 30 minutes, performs a large download from Azure Blob Storage. They need to correlate sign-in logs from Azure AD with storage diagnostic logs. Which type of analytics rule should they create in Microsoft Sentinel?

A.A scheduled query rule using KQL
B.An NRT (near-real-time) rule
C.A fusion rule
D.A machine learning-based analytics rule
AnswerA

Scheduled rules can run KQL queries that join multiple tables (e.g., SigninLogs and StorageBlobLogs) to correlate events and trigger alerts when the pattern is detected.

Why this answer

A scheduled query rule is correct because it allows you to write a KQL query that joins Azure AD sign-in logs (SigninLogs) with Azure Storage diagnostic logs (StorageBlobLogs) based on a user identifier, and then uses a time window (e.g., 30 minutes) to correlate the two events. This is the only rule type that supports custom KQL logic for multi-table joins and time-based correlation, which is essential for detecting the described exfiltration pattern.

Exam trap

The trap here is that candidates often confuse NRT rules with scheduled queries, assuming NRT's low latency is better for time-sensitive correlations, but NRT rules cannot handle multi-table joins or extended time windows, making scheduled queries the only viable option for this scenario.

How to eliminate wrong answers

Option B is wrong because NRT (near-real-time) rules run every minute with a 1-minute lookback and cannot perform complex joins across multiple tables or use time windows longer than a few minutes, making them unsuitable for correlating sign-in and storage logs over a 30-minute window. Option C is wrong because fusion rules are based on Microsoft's built-in machine learning models that correlate alerts from multiple products, not custom KQL queries; they cannot be tailored to join specific Azure AD sign-in logs with storage diagnostic logs. Option D is wrong because ML-based analytics rules use pre-built anomaly detection models (e.g., for unusual sign-in patterns) and do not support custom correlation logic across different data sources like sign-in logs and storage logs.

152
MCQmedium

A security team uses Microsoft Sentinel. They want to create a custom analytic rule that triggers an incident when more than 10 failed Azure Active Directory sign-ins occur from the same source IP address within any 5-minute window. Which type of rule should they use?

A.Scheduled query rule
B.Near-Real-Time (NRT) rule
C.Fusion rule
D.Anomaly rule
AnswerA

Scheduled query rules run on a schedule (e.g., every 5 minutes) and support aggregation over time windows. They are ideal for counting events and setting thresholds.

Why this answer

A scheduled query rule is correct because it allows you to define a KQL query that counts failed Azure AD sign-ins grouped by source IP address within a 5-minute sliding window, and then triggers an incident when the count exceeds 10. This rule type supports custom aggregation and threshold-based alerting, which is exactly what the scenario requires.

Exam trap

The trap here is that candidates often confuse NRT rules with scheduled queries, assuming NRT rules can handle aggregation over time windows, but NRT rules only evaluate individual events in near real-time and cannot perform the required 5-minute grouping or threshold counting.

How to eliminate wrong answers

Option B is wrong because Near-Real-Time (NRT) rules run every minute and process events as they arrive, but they cannot perform aggregation over a 5-minute window or set a threshold like 'more than 10' — they are designed for single-event pattern matching with minimal latency. Option C is wrong because Fusion rules use machine learning to correlate multiple low-fidelity alerts across different products into a single high-fidelity incident, not for counting sign-in failures from a single IP. Option D is wrong because Anomaly rules detect deviations from baseline behavior using machine learning models, not static thresholds like 'more than 10 failed sign-ins'.

153
Drag & Dropmedium

Drag and drop the steps to configure Azure Application Gateway with SSL termination using a Key Vault certificate into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

SSL termination requires a certificate from Key Vault, configured on the listener.

154
MCQmedium

A company uses Azure AD Conditional Access. They want to block sign-ins from countries where the company does not have offices. They have a list of allowed countries. Which condition should they configure in the Conditional Access policy?

A.Device platforms
B.Locations
C.Client apps
D.Sign-in risk
AnswerB

The Locations condition allows you to specify named locations by IP ranges or countries, and can be used to block or allow based on geographic region.

Why this answer

The Locations condition in Azure AD Conditional Access allows you to define named locations by IP address ranges or country/region. By configuring a policy with the Locations condition set to 'All trusted locations' or a specific list of allowed countries, you can block access from all other countries. This directly meets the requirement to block sign-ins from countries without company offices.

Exam trap

The trap here is that candidates may confuse 'Locations' with 'Sign-in risk' because both involve IP addresses, but Sign-in risk evaluates behavioral anomalies (e.g., impossible travel) rather than allowing or blocking specific countries.

How to eliminate wrong answers

Option A is wrong because Device platforms condition filters based on the operating system of the device (e.g., Windows, iOS, Android), not geographic location. Option C is wrong because Client apps condition controls access based on the application type (e.g., browser, mobile app, legacy authentication), not the country of origin. Option D is wrong because Sign-in risk condition uses Azure AD Identity Protection to detect risky sign-in behavior (e.g., anonymous IP, atypical travel), not to block specific countries.

155
MCQhard

A company uses Azure AD Privileged Identity Management (PIM) for the Global Administrator role. They have configured the role activation to require approval from a specific security group. When a user attempts to activate the role, they are immediately approved without any approval request being sent. The user is a member of the same security group that is configured as the approver. What is the most likely cause?

A.The activation approval requirement is not supported for the Global Administrator role
B.The user is a member of the approver group and is self-approving the request
C.The PIM policy has not been activated for the Global Administrator role
D.The role activation duration is set to zero, causing immediate activation
AnswerB

PIM allows approvers to approve their own activation requests unless the 'Disable approver approval' policy setting is enabled. Since the user is in the approver group, they can self-approve.

Why this answer

Option B is correct because when a user is a member of the approver security group in Azure AD PIM, they can approve their own activation request. PIM does not prevent self-approval by default; the approval workflow sends the request to all members of the approver group, and if the requesting user is also a member, they can approve it themselves, resulting in immediate activation without any external approval.

Exam trap

The trap here is that candidates assume PIM automatically prevents self-approval, but Azure AD PIM does not enforce separation of duties between requesters and approvers unless explicitly configured with separate groups or conditional access policies.

How to eliminate wrong answers

Option A is wrong because the Global Administrator role fully supports activation approval in PIM; it is one of the most common roles for which approval is configured. Option C is wrong because the PIM policy is already active (the user can activate the role), but the issue is the approval bypass due to self-approval, not a policy activation failure. Option D is wrong because the role activation duration cannot be set to zero; the minimum duration is 30 minutes, and a zero duration would not cause immediate activation—it would be invalid.

156
Multi-Selecthard

A KQL query in Microsoft Sentinel detects impossible travel but returns many false positives from known VPN egress IP addresses. Which two changes would best reduce noise while preserving useful detections?

Select 2 answers
A.Join or filter against a watchlist of approved VPN egress IPs
B.Disable the SigninLogs connector for the tenant
C.Exclude events where the source IP is in the approved network list
D.Raise the query frequency from 1 hour to 24 hours
AnswersA, C

Correct for the stated requirement.

Why this answer

Option A is correct because integrating a watchlist of known VPN egress IPs allows the KQL query to filter out these trusted IPs, reducing false positives from impossible travel detections. Option C is also correct because excluding events where the source IP is in an approved network list directly removes noise from legitimate VPN traffic, preserving detection of truly anomalous sign-ins. Both approaches leverage Sentinel's watchlist or allowlist capabilities to maintain detection fidelity while minimizing alert fatigue.

Exam trap

The trap here is that candidates may confuse reducing alert frequency (Option D) with reducing false positives, or think disabling a data connector (Option B) is a valid noise-reduction technique, when in fact both actions cripple detection capability rather than refining it.

157
MCQhard

A security analyst uses Microsoft Defender for Cloud. They need to continuously monitor the security posture of their Azure subscription against the Microsoft cloud security benchmark (MCSB). They want to see the current compliance score and specific recommendations for failing controls. Which Defender for Cloud feature should they use?

A.Regulatory compliance dashboard
B.Security posture
C.Workbooks
D.Advanced hunting
AnswerA

Correct. The Regulatory compliance dashboard provides a view of compliance against selected standards like MCSB, showing scores and detailed recommendations for non-compliant controls.

Why this answer

The Regulatory compliance dashboard in Microsoft Defender for Cloud is specifically designed to track compliance against standards like the Microsoft cloud security benchmark (MCSB). It provides a current compliance score and lists specific recommendations for failing controls, enabling continuous monitoring and remediation tracking. This dashboard aggregates assessment results from the secure score and maps them to the controls defined in the selected regulatory standard.

Exam trap

The trap here is that candidates often confuse the 'Security posture' feature (which shows a general secure score) with the 'Regulatory compliance dashboard' (which maps that score to a specific regulatory standard like MCSB), leading them to choose the wrong option because they overlook the requirement for standard-specific compliance tracking.

How to eliminate wrong answers

Option B (Security posture) is wrong because the Security posture feature focuses on the overall secure score and security recommendations based on best practices, not on mapping to a specific regulatory standard like MCSB. Option C (Workbooks) is wrong because Workbooks are customizable Azure Monitor dashboards that can visualize data from multiple sources, but they do not natively provide the out-of-the-box compliance score and control mapping against MCSB. Option D (Advanced hunting) is wrong because Advanced hunting is a query-based threat hunting tool in Microsoft 365 Defender for investigating security incidents, not for monitoring compliance posture or regulatory benchmarks.

158
MCQmedium

A company uses Azure AD Privileged Identity Management (PIM) for the Global Administrator role. They want to ensure that when a user activates the role, the activation request must be approved by a member of the 'Global Admin Approvers' group, and the activation should be time-bound with a maximum of 4 hours. Which PIM settings should they configure?

A.Set the activation maximum duration to 4 hours and require approval from the 'Global Admin Approvers' group.
B.Set the activation maximum duration to 4 hours and enable MFA on activation.
C.Set the activation to require a ticket number justification and set the maximum duration to 8 hours.
D.Set the role to be permanently active but with a just-in-time approval workflow.
AnswerA

This directly configures the required duration and an approval workflow with the designated group.

Why this answer

Option A is correct because Azure AD PIM allows you to configure role activation settings, including an activation maximum duration (which can be set to 4 hours) and requiring approval from a specified group (in this case, 'Global Admin Approvers'). These settings directly meet the requirement for time-bound activation with approval.

Exam trap

The trap here is that candidates may confuse 'require approval' with 'require MFA' or 'require justification', not realizing that approval is a distinct setting that must be explicitly configured to meet the requirement for a designated approver group.

How to eliminate wrong answers

Option B is wrong because enabling MFA on activation does not satisfy the requirement for approval from the 'Global Admin Approvers' group; MFA is an additional security measure, not a substitute for approval. Option C is wrong because requiring a ticket number justification does not enforce approval, and setting the maximum duration to 8 hours exceeds the required 4-hour limit. Option D is wrong because setting the role to be permanently active contradicts the requirement for time-bound activation, and just-in-time approval workflow does not enforce a maximum duration.

159
MCQmedium

A security engineer wants Defender for Cloud to detect threats against Azure SQL Database and SQL Server on Azure VMs. Which plan should be enabled?

A.Defender for Storage
B.Defender for Databases or Defender for SQL coverage as presented in the portal
C.Defender for App Service only
D.Defender External Attack Surface Management
AnswerB

Correct for the stated requirement.

Why this answer

Defender for Databases (or the Defender for SQL coverage option in the portal) is the correct plan because it provides threat detection specifically for Azure SQL Database and SQL Server on Azure VMs. This plan monitors anomalous activities such as SQL injection, brute-force attacks, and unusual access patterns using Microsoft's threat intelligence and machine learning models. It is the only plan that directly covers both PaaS and IaaS SQL workloads as described.

Exam trap

The trap here is that candidates may confuse 'Defender for Storage' with protecting SQL databases because SQL databases store data, but Defender for Storage is specifically for blob, file, and data lake storage, not for relational database engines like SQL Server or Azure SQL Database.

How to eliminate wrong answers

Option A is wrong because Defender for Storage is designed to detect threats against Azure Blob Storage, Azure Files, and Data Lake Storage, not against SQL databases or SQL Server instances. Option C is wrong because Defender for App Service only protects web applications running on Azure App Service, not SQL databases or SQL Server on VMs. Option D is wrong because Defender External Attack Surface Management focuses on discovering and monitoring an organization's external internet-facing assets and attack surfaces, not on detecting threats within Azure SQL Database or SQL Server on VMs.

160
MCQmedium

A company uses Azure Active Directory (Azure AD) and wants to regularly review the membership of a group that grants access to a critical application. Each member must attest their continued need for access. Which Azure AD feature should they use?

A.Azure AD Identity Governance access reviews
B.Azure AD Privileged Identity Management (PIM)
C.Azure AD Conditional Access
D.Azure AD Identity Protection
AnswerA

Access reviews enable periodic membership attestation and automate the review process.

Why this answer

Azure AD Identity Governance access reviews enable administrators to create recurring reviews of group memberships, requiring each member to attest their continued need for access. This directly addresses the requirement for regular attestation of group membership for a critical application, as it automates the review process and ensures compliance.

Exam trap

The trap here is that candidates often confuse Privileged Identity Management (PIM) with access reviews, but PIM is for privileged roles (e.g., Global Administrator) while access reviews are for any group or application access, including non-privileged memberships.

How to eliminate wrong answers

Option B is wrong because Azure AD Privileged Identity Management (PIM) is designed for just-in-time privileged role activation and oversight, not for regular attestation of standard group membership access. Option C is wrong because Azure AD Conditional Access enforces access policies based on conditions like location or device state, but does not provide a mechanism for users to attest their need for access. Option D is wrong because Azure AD Identity Protection focuses on detecting and responding to identity risks (e.g., compromised credentials), not on periodic membership attestation.

161
MCQmedium

A team wants Sentinel incidents to automatically assign to the Tier 2 queue when severity is High and the product name is Microsoft Defender for Endpoint. What should they configure?

A.A workbook with a dropdown filter
B.A watchlist containing Tier 2 users only
C.An automation rule that updates owner/status based on conditions
D.A data retention policy
AnswerC

Correct for the stated requirement.

Why this answer

Automation rules in Microsoft Sentinel allow you to automatically assign incidents to specific owners or queues based on conditions like severity and product name. By configuring an automation rule with a condition that triggers when severity equals 'High' and the product name is 'Microsoft Defender for Endpoint', you can set the incident owner to a specific user or group (e.g., Tier 2 queue) and optionally update the status. This directly meets the requirement without manual intervention.

Exam trap

The trap here is that candidates confuse watchlists or workbooks with operational automation, thinking they can be used for real-time incident routing, when in fact they are designed for data enrichment and visualization, not for triggering actions on incidents.

How to eliminate wrong answers

Option A is wrong because a workbook with a dropdown filter is a visualization tool for querying and displaying data, not for automating incident assignment or ownership changes. Option B is wrong because a watchlist is a static list of values used for correlation or enrichment in analytics rules, not for dynamically assigning incidents to users or queues. Option D is wrong because a data retention policy controls how long log data is stored, not how incidents are routed or assigned.

162
Drag & Dropmedium

Drag and drop the steps to assign an Azure RBAC role to a user at the resource group scope into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

IAM is used for RBAC, and you add a role assignment by selecting the role and assigning it to a user.

163
MCQmedium

A company uses Azure AD Identity Protection and Conditional Access. A user is detected with a 'High' user risk level due to suspicious activity. The security team wants to automatically block sign-ins for this user, but only when the sign-in originates from a location that is not in the company's list of trusted IPs. They have created a Conditional Access policy targeting all users. Which configuration should they add to the policy to achieve this?

A.Add a condition for 'User risk' set to 'High', and a condition for 'Sign-in risk' set to 'High', then grant 'Block access'.
B.Add a condition for 'User risk' set to 'High' and exclude 'All trusted locations' under the 'Locations' condition, then grant 'Block access'.
C.Add a condition for 'User risk' set to 'High', and under 'Grant', select 'Require multi-factor authentication' and 'Block access'.
D.Add a condition for 'Locations' set to 'Any location' and under 'Grant', select 'Block access' for all users.
AnswerB

This configuration correctly combines the user risk condition with a location exclusion for trusted IPs, so the block only applies when both conditions are met.

Why this answer

Option B is correct because it combines a condition for 'User risk' set to 'High' with an exclusion of 'All trusted locations' under the 'Locations' condition, then grants 'Block access'. This ensures that the block only applies when the sign-in originates from an untrusted location, meeting the requirement to automatically block sign-ins for high-risk users only from locations not in the company's trusted IP list.

Exam trap

The trap here is that candidates often confuse 'User risk' with 'Sign-in risk' or incorrectly combine 'Block access' with other grant controls, failing to realize that 'Block access' must be the sole grant control and that excluding trusted locations is the correct way to scope the policy to untrusted locations only.

How to eliminate wrong answers

Option A is wrong because it adds a condition for 'Sign-in risk' set to 'High', which is unnecessary and not required; the requirement only specifies 'User risk', and adding 'Sign-in risk' would narrow the policy to only block when both risks are high, potentially missing the intended scenario. Option C is wrong because it selects 'Require multi-factor authentication' alongside 'Block access' under Grant; 'Block access' cannot be combined with other grant controls, and MFA would not block access but instead require additional verification, which does not achieve the automatic block goal. Option D is wrong because it sets 'Locations' to 'Any location' without excluding trusted locations, and grants 'Block access' for all users; this would block all sign-ins from any location, ignoring the requirement to only block when the location is not trusted.

164
MCQeasy

A company develops a web application that runs on Azure App Service. The application needs to access Azure Key Vault to retrieve secrets. The security team wants to avoid using service principals or connection strings. Which identity should they assign to the App Service to authenticate to Key Vault?

A.System-assigned managed identity
B.User-assigned managed identity
C.Azure AD application registration with a client secret
D.Azure AD service principal with certificate-based authentication
AnswerA

A system-assigned managed identity is automatically provisioned for the App Service and is tied to the resource's lifecycle. It can be granted access to Key Vault via RBAC or access policies, and the application code uses Azure SDK to obtain tokens without handling secrets.

Why this answer

A system-assigned managed identity is the correct choice because it provides an automatically managed identity in Azure AD, directly tied to the App Service resource, without requiring any credentials to be stored or rotated. This allows the App Service to authenticate to Key Vault using Azure AD tokens, eliminating the need for service principals or connection strings. The security team's requirement to avoid service principals or connection strings is fully met, as the identity is managed entirely by Azure.

Exam trap

The trap here is that candidates often confuse user-assigned managed identities (Option B) as the only managed identity option, overlooking that system-assigned managed identities are simpler and fully meet the requirement to avoid service principals or connection strings without additional resource management.

How to eliminate wrong answers

Option B is wrong because a user-assigned managed identity, while also avoiding service principals and connection strings, is a standalone resource that must be explicitly created and assigned to the App Service, adding management overhead that the security team's requirement to avoid service principals or connection strings does not necessitate; the simpler system-assigned identity suffices. Option C is wrong because an Azure AD application registration with a client secret is a form of service principal that requires storing and rotating a secret, directly violating the security team's directive to avoid service principals or connection strings. Option D is wrong because an Azure AD service principal with certificate-based authentication is still a service principal, requiring certificate management and lifecycle, which contradicts the requirement to avoid service principals entirely.

165
Multi-Selectmedium

A managed identity is used by an Azure Function to access Key Vault. Which two configurations are required?

Select 2 answers
A.A client secret stored in the function app settings
B.A system-assigned or user-assigned managed identity enabled on the function app
C.A public IP address on the function app
D.Key Vault permissions granted to that managed identity
AnswersB, D

Correct for the stated requirement.

Why this answer

Option B is correct because a managed identity (either system-assigned or user-assigned) provides an Azure AD-authenticated identity for the function app, eliminating the need for credentials like client secrets. This identity is used to obtain an Azure AD access token for authenticating to Key Vault. Option D is also required because the managed identity must be granted explicit Key Vault permissions (e.g., via an access policy or RBAC role) to read secrets; without these permissions, token-based authentication will fail with a 403 Forbidden error.

Exam trap

The trap here is that candidates often assume a client secret (Option A) is required for any Azure AD authentication, failing to recognize that managed identities provide a passwordless, credential-free authentication mechanism via Azure AD tokens.

166
MCQmedium

A security team has a list of known malicious IP addresses from an external threat intelligence feed in CSV format. They want to import this list into Microsoft Sentinel and use it in analytics rules to detect incoming attacks. Which feature should they use?

A.Watchlists
B.Threat intelligence indicators
C.Bookmark
D.User and Entity Behavior Analytics (UEBA)
AnswerA

Watchlists enable importing CSV lists and referencing them in analytics rules to match against incoming events.

Why this answer

Watchlists in Microsoft Sentinel allow you to import external data sources, such as CSV files containing known malicious IP addresses, and use them directly in analytics rules for detection. This feature is designed for lightweight, custom threat intelligence that doesn't require the full threat intelligence indicator (TI) lifecycle, making it ideal for ad-hoc lists from CSV feeds.

Exam trap

The trap here is confusing Watchlists with Threat intelligence indicators, as both can handle IP lists, but TI indicators require a formal TI platform integration and STIX/TAXII protocols, whereas Watchlists are the correct choice for simple CSV imports without additional infrastructure.

How to eliminate wrong answers

Option B is wrong because Threat intelligence indicators are used for structured, normalized threat data (e.g., STIX format) and require integration with a TI platform or API, not direct CSV import. Option C is wrong because Bookmarks are used to preserve specific search results or investigation states for later review, not to import external threat data for rule-based detection. Option D is wrong because User and Entity Behavior Analytics (UEBA) is a behavioral analytics feature that profiles user and entity activities to detect anomalies, not a mechanism for importing static IP lists.

167
Matchingmedium

Match each Azure Security Center tier to its capabilities.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Continuous assessment and security recommendations

Advanced threat protection for hybrid workloads

Just-in-time VM access, file integrity monitoring

Vulnerability assessment and threat detection

Detect unusual access patterns and threats

Why these pairings

Azure Security Center tiers offer different levels of protection.

168
MCQmedium

A security operations team uses Microsoft Sentinel to centralize security monitoring across their hybrid environment. They need to ingest AWS CloudTrail logs from an Amazon Web Services account to detect suspicious activities in their AWS environment. Which data connector should they configure in Microsoft Sentinel?

A.Azure Activity log connector
B.AWS CloudTrail connector
C.Syslog connector
D.Common Event Format (CEF) connector
AnswerB

This connector is specifically designed to ingest AWS CloudTrail management and data events into Microsoft Sentinel for security analysis.

Why this answer

The AWS CloudTrail connector is the correct data connector for ingesting AWS CloudTrail logs into Microsoft Sentinel. It requires configuring an S3 bucket in AWS to receive CloudTrail logs and then connecting that bucket to Sentinel via the connector, enabling the detection of suspicious activities such as unauthorized API calls or privilege escalations in the AWS environment.

Exam trap

The trap here is that candidates may confuse the Azure Activity log connector with a generic cloud activity log connector, but it only works for Azure, not for AWS CloudTrail.

How to eliminate wrong answers

Option A is wrong because the Azure Activity log connector is designed to ingest logs from Azure subscription-level events, not from external cloud providers like AWS. Option C is wrong because the Syslog connector is used to collect logs from on-premises or network devices using the syslog protocol (UDP/TCP), not from AWS CloudTrail. Option D is wrong because the Common Event Format (CEF) connector is used to ingest logs from security appliances that forward CEF-formatted syslog messages, such as firewalls or IDS/IPS, not from AWS CloudTrail.

169
MCQhard

A custom Azure role should allow operators to restart virtual machines but not delete them or change networking. Which permission design is most appropriate?

A.Assign Contributor at the resource group scope
B.Create a custom role with Microsoft.Compute/virtualMachines/restart/action and required read permissions at the narrowest scope
C.Assign Virtual Machine Contributor at subscription scope
D.Assign Reader and ask operators to use Run Command
AnswerB

Correct for the stated requirement.

Why this answer

Option B is correct because it grants the specific 'restart/action' permission on virtual machines while excluding destructive actions like delete or network changes. Custom roles in Azure RBAC allow fine-grained control by including only the required data actions and read permissions, ensuring operators can restart VMs without the ability to delete them or modify networking.

Exam trap

The trap here is that candidates often confuse built-in roles like Contributor or Virtual Machine Contributor with the ability to restrict actions, not realizing these roles include delete and network write permissions that exceed the narrow restart-only requirement.

How to eliminate wrong answers

Option A is wrong because the Contributor role at any scope includes full management rights, allowing deletion and network changes, which violates the requirement. Option C is wrong because Virtual Machine Contributor at subscription scope includes permissions to delete VMs and modify networking (e.g., Microsoft.Network/*), exceeding the allowed actions. Option D is wrong because Reader only provides read access and does not include the restart action; Run Command is a separate feature that requires additional permissions and does not grant the restart capability.

170
MCQmedium

A security engineer connects Azure virtual machines to Microsoft Defender for Cloud. The team wants vulnerability findings without installing a vulnerability scanner extension on each VM. Which capability should be enabled?

A.Agentless vulnerability assessment for machines in Defender for Servers
B.Microsoft Sentinel User and Entity Behavior Analytics
C.Azure Firewall threat intelligence mode
D.Microsoft Entra Identity Protection sign-in risk
AnswerA

Correct for the stated requirement.

Why this answer

Agentless vulnerability assessment for machines in Defender for Servers is the correct capability because it uses Microsoft Defender for Cloud's built-in scanning engine to assess VMs for vulnerabilities without requiring any agent or extension installation. This feature leverages the VM's existing configuration and cloud APIs to perform scans, meeting the team's requirement to avoid installing a vulnerability scanner extension on each VM.

Exam trap

The trap here is that candidates often assume vulnerability scanning always requires an agent or extension, but Microsoft Defender for Cloud offers an agentless option that uses cloud-native APIs and OS-level data to perform assessments without any local software.

How to eliminate wrong answers

Option B is wrong because Microsoft Sentinel User and Entity Behavior Analytics (UEBA) is a security analytics feature that detects anomalous user and entity behavior, not a vulnerability assessment tool for VMs. Option C is wrong because Azure Firewall threat intelligence mode filters traffic based on known malicious IPs and domains, but it does not scan VMs for vulnerabilities. Option D is wrong because Microsoft Entra Identity Protection sign-in risk evaluates sign-in risks for user identities, not vulnerabilities on Azure virtual machines.

171
MCQeasy

A security team uses Microsoft Defender for Cloud to improve their security posture across multiple subscriptions. They want to quickly identify which security recommendations have the highest potential to improve their security score if remediated. Which dashboard or feature should they use?

A.Regulatory Compliance dashboard
B.Security Alerts dashboard
C.Secure Score dashboard
D.Inventory dashboard
AnswerC

The Secure Score dashboard lists all recommendations with their impact on the score, allowing the team to prioritize high-impact recommendations.

Why this answer

The Secure Score dashboard in Microsoft Defender for Cloud is specifically designed to show security recommendations ranked by their potential impact on the overall security score. Each recommendation includes a 'score impact' value, allowing the team to prioritize remediation actions that will most effectively improve their security posture across multiple subscriptions.

Exam trap

The trap here is that candidates may confuse the Secure Score dashboard with the Regulatory Compliance dashboard, thinking compliance improvements always correlate with security score gains, but the Secure Score dashboard is the only tool that explicitly quantifies the score impact of each recommendation.

How to eliminate wrong answers

Option A is wrong because the Regulatory Compliance dashboard focuses on compliance with standards like ISO 27001 or SOC 2, not on prioritizing recommendations for score improvement. Option B is wrong because the Security Alerts dashboard displays active threats and incidents, not recommendations for proactive security hardening. Option D is wrong because the Inventory dashboard provides a list of resources and their configurations, but does not rank recommendations by score impact.

172
MCQmedium

A security operations team uses Microsoft Sentinel. They want to enable User and Entity Behavior Analytics (UEBA) to detect anomalous user activities. Which configuration is required?

A.Enable UEBA in the Sentinel settings
B.Install the UEBA data connector
C.Create an analytics rule with UEBA template
D.Assign the Security Reader role to Sentinel
AnswerA

Correct. UEBA is enabled directly from the Sentinel workspace settings under 'Entity behavior'.

Why this answer

UEBA in Microsoft Sentinel is a built-in feature that must be explicitly enabled in the Sentinel configuration settings under 'Entity behavior analytics'. It does not require a separate data connector or analytics rule template; once enabled, Sentinel automatically ingests and analyzes existing log data (e.g., Azure AD sign-ins, Office 365 audit logs) to establish behavioral baselines and detect anomalies.

Exam trap

The trap here is that candidates often confuse enabling a feature with installing a connector or creating a rule, but UEBA is a toggle in Sentinel settings, not a data source or alert rule.

How to eliminate wrong answers

Option B is wrong because UEBA does not have a dedicated data connector; it leverages data already collected by other connectors (e.g., Azure AD, Office 365, Windows Security Events). Option C is wrong because UEBA is not activated by creating an analytics rule with a template; it is a platform-level feature that must be toggled on in settings, after which anomaly detection rules are automatically generated. Option D is wrong because assigning the Security Reader role to Sentinel does not enable UEBA; it only grants read permissions to Sentinel resources, not the behavioral analytics engine.

173
MCQmedium

A security analyst uses Microsoft Sentinel. They want to create a rule that triggers an incident when a user is added to a highly privileged Azure AD role (e.g., Global Administrator). The data source is Azure AD audit logs. Which type of analytics rule should they create?

A.Scheduled query rule
B.Near-real-time (NRT) rule
C.Fusion rule
D.Microsoft Security incident creation rule
AnswerA

A scheduled query rule runs a KQL query periodically and creates incidents based on the results, suitable for Azure AD audit logs.

Why this answer

A scheduled query rule is the correct choice because Azure AD audit logs are historical data ingested into Log Analytics, and scheduled queries run on a defined interval (e.g., every 5 minutes) to detect patterns like role assignments. This rule type allows you to write a KQL query against the AuditLogs table to identify when a user is added to a highly privileged role, then map the results to an incident. NRT rules are designed for high-frequency, low-latency scenarios but do not support Azure AD audit logs as a source; they require a dedicated table with near-real-time streaming.

Exam trap

The trap here is that candidates confuse NRT rules with scheduled queries, assuming NRT rules can handle any log source, but Azure AD audit logs are not streamed into the NRT pipeline and require a scheduled query with a defined interval.

How to eliminate wrong answers

Option B is wrong because near-real-time (NRT) rules require a specific NRT table (e.g., CommonSecurityLog) and cannot query Azure AD audit logs, which are stored in the AuditLogs table and only support scheduled queries. Option C is wrong because Fusion rules use machine learning to correlate multiple alerts from different products (e.g., Microsoft Defender for Cloud, Azure AD Identity Protection) and are not designed for a single, deterministic log source like Azure AD audit logs. Option D is wrong because Microsoft Security incident creation rules automatically create incidents from alerts generated by Microsoft security products (e.g., Microsoft Defender for Endpoint) and do not allow custom KQL queries against raw audit logs.

174
MCQhard

An analyst creates a Sentinel automation rule and a playbook. The playbook should run only when incidents are created from a specific analytics rule and severity is High. Where should this filtering be configured?

A.Automation rule conditions
B.Logic App recurrence trigger
C.Log Analytics workspace retention settings
D.Analytics rule suppression only
AnswerA

Correct for the stated requirement.

Why this answer

Automation rules in Microsoft Sentinel are designed to trigger actions based on incident creation or update events. By configuring conditions within the automation rule, you can specify that the associated playbook should only run when the incident is created from a specific analytics rule and has a severity of High. This is the correct and intended location for such filtering, as automation rules evaluate conditions before invoking the playbook.

Exam trap

The trap here is that candidates may confuse automation rule conditions with analytics rule suppression or Logic App triggers, mistakenly thinking filtering should be done at the analytics rule or Logic App level rather than in the automation rule that orchestrates the playbook execution.

How to eliminate wrong answers

Option B is wrong because the Logic App recurrence trigger is used for scheduled, time-based execution, not for event-driven responses to Sentinel incidents; it cannot filter on analytics rule or severity at incident creation. Option C is wrong because Log Analytics workspace retention settings control how long data is stored, not the triggering conditions for playbooks or automation rules. Option D is wrong because analytics rule suppression only prevents the rule from creating incidents or alerts for a specified period after an alert is generated; it does not filter which incidents trigger a playbook.

175
MCQhard

A company uses Azure AD Privileged Identity Management (PIM) for the Security Administrator role. They want the activation of this role to require approval from a specific group of senior security engineers before the role becomes active. They also want the approvers to receive an email notification when an activation request is submitted. Which PIM configuration must be set?

A.Set the activation maximum duration to 1 hour.
B.Require justification on activation.
C.Require approval to activate.
D.Configure notification emails for role activation.
AnswerC

Enabling 'Require approval' ensures that activation requests go to designated approvers. Notifications are sent automatically to approvers when a request is made.

Why this answer

Option C is correct because Azure AD PIM requires the 'Require approval to activate' setting to enforce that activation requests for a role must be approved by designated approvers before the role becomes active. This setting also automatically triggers email notifications to the configured approvers when a request is submitted, fulfilling both the approval and notification requirements.

Exam trap

The trap here is that candidates often confuse 'Configure notification emails for role activation' (Option D) with the approval workflow, not realizing that notifications are automatically sent when approval is required, and that the approval setting itself is the key to both the approval and notification requirements.

How to eliminate wrong answers

Option A is wrong because setting the activation maximum duration to 1 hour only limits how long the role can remain active after approval, but does not enforce an approval workflow or send notifications to approvers. Option B is wrong because requiring justification on activation only mandates the user to provide a reason for activation, but does not introduce an approval step or notify approvers. Option D is wrong because configuring notification emails for role activation only controls who receives alerts about activations, but does not require approval; notifications are a separate setting that can be enabled independently of the approval workflow.

176
MCQmedium

A company uses Azure AD Privileged Identity Management (PIM) to manage the 'Security Administrator' role. They want users who activate this role to provide a justification and a support ticket number, and they want the activation to expire after a maximum of 4 hours. Which PIM role settings should they configure?

A.Configure the activation maximum duration only
B.Configure the requirement for justification only
C.Configure the requirement for ticket information only
D.Configure the activation maximum duration, require justification, and require ticket information in the role settings
AnswerD

This combination enforces all three requirements: maximum duration of 4 hours, justification, and ticket information, as specified in the scenario.

Why this answer

Option D is correct because the scenario requires all three conditions: a maximum activation duration of 4 hours, mandatory justification, and mandatory ticket information. In Azure AD PIM, these are independent settings within the role settings configuration, and all must be enabled to meet the stated requirements. Without configuring all three, the activation would not enforce the specified controls.

Exam trap

The trap here is that candidates might think justification and ticket information are a single combined requirement, or that duration is automatically enforced, when in fact each setting must be explicitly configured in PIM role settings.

How to eliminate wrong answers

Option A is wrong because configuring only the activation maximum duration ignores the requirements for justification and ticket information, leaving those controls unenforced. Option B is wrong because requiring only justification omits the ticket information and duration limit, so users could activate without a ticket and for longer than 4 hours. Option C is wrong because requiring only ticket information misses the justification and duration limit, allowing activations without a reason and for an indefinite or default duration.

177
MCQhard

A company uses Azure AD Privileged Identity Management (PIM) for the Security Administrator role. They have configured the role activation to require Azure Multi-Factor Authentication and a support ticket number. However, users are reporting that they can activate the role without entering a ticket number. What is the most likely cause?

A.The 'Require ticket information on activation' setting is not enabled in the role settings
B.Users are activating through the Azure AD overview page instead of the PIM blade
C.The activation policy requires approval but the approvers ignore the ticket field
D.The role is configured for 'Active' assignment instead of 'Eligible'
AnswerA

This setting must be explicitly enabled for PIM to prompt for a ticket number during activation. Without it, the ticket field is not shown.

Why this answer

Option A is correct because the 'Require ticket information on activation' setting is a separate toggle in the PIM role settings that must be explicitly enabled. Even if the support ticket number field is displayed in the activation form, the system will not enforce its entry unless this specific setting is turned on. Without it, users can leave the field blank and still successfully activate the role.

Exam trap

The trap here is that candidates assume the presence of a ticket number field in the activation form means it is required, but PIM separates the UI display from the enforcement toggle, so the setting must be explicitly enabled for the field to be mandatory.

How to eliminate wrong answers

Option B is wrong because the Azure AD overview page does not provide role activation capabilities; all PIM activations must go through the PIM blade or the Azure AD Roles and Administrators blade, and the enforcement of ticket information is controlled by the role settings regardless of the entry point. Option C is wrong because if the activation policy requires approval, the approver's behavior does not override the system's enforcement of the ticket field; the system itself would block activation if the setting were enabled. Option D is wrong because the assignment type (Active vs.

Eligible) determines whether the user needs to activate the role at all, but it does not affect the enforcement of ticket information during activation; an Eligible assignment is required for PIM activation, but the ticket setting is independent.

← PreviousPage 3 of 3 · 177 questions total

Ready to test yourself?

Try a timed practice session using only Manage identity and access questions.