CCNA Secure compute, storage, and databases Questions

75 of 243 questions · Page 1/4 · Secure compute, storage, and databases · Answers revealed

1
Multi-Selecteasy

You need to secure an Azure Storage account that will host sensitive data. Which TWO configurations should you implement?

Select 2 answers
A.Generate a shared access signature (SAS)
B.Enable 'Secure transfer required'
C.Allow public network access from all networks
D.Enable Azure Files
E.Configure a private endpoint
AnswersB, E

Enforces HTTPS for all requests to the storage account.

Why this answer

Option A and Option C are correct. Enabling 'Secure transfer required' enforces HTTPS. Using private endpoint ensures traffic stays within Microsoft network.

Option B is wrong because a SAS token is for delegated access, not a security configuration. Option D is wrong because public network access should be disabled for sensitive data. Option E is wrong because Azure Files is a service, not a security configuration.

2
MCQhard

A company uses Azure SQL Database with Transparent Data Encryption (TDE) and a customer-managed key stored in Azure Key Vault. The Key Vault is configured with a firewall that denies all public access. The SQL server must be able to access the key. What additional configuration is necessary?

A.Enable trusted Microsoft services on the Key Vault firewall
B.Create a private endpoint for Key Vault
C.Assign the SQL server's managed identity to the Key Vault
D.Configure a service endpoint on the SQL server
AnswerA

Correct. Enabling 'Allow trusted Microsoft services to bypass the firewall' on the Key Vault allows Azure SQL Database to access the key even with the firewall enabled.

Why this answer

When Azure Key Vault's firewall denies all public access, enabling 'Allow trusted Microsoft services' is necessary because Azure SQL Database's TDE key retrieval is considered a trusted service operation. This setting bypasses the firewall for specific Azure services like SQL Database that are authenticated and authorized to access the vault, without requiring a private endpoint or service endpoint.

Exam trap

The trap here is that candidates often confuse the authentication/authorization step (assigning managed identity) with the network connectivity step (firewall bypass), assuming that granting permissions alone is sufficient when the Key Vault firewall is blocking all traffic.

How to eliminate wrong answers

Option B is wrong because creating a private endpoint for Key Vault would provide private connectivity from a virtual network, but the SQL server is a platform-as-a-service resource that does not reside in a VNet by default; while possible, it is not the simplest or required configuration for TDE key access when the firewall is enabled. Option C is wrong because assigning the SQL server's managed identity to Key Vault is necessary for authentication and authorization (to grant the SQL server permissions to the key), but it does not bypass the Key Vault firewall; the firewall must still allow the request. Option D is wrong because configuring a service endpoint on the SQL server is not applicable; service endpoints are used for VNet integration, and Azure SQL Database does not have a service endpoint that directly controls Key Vault access.

3
MCQhard

Refer to the exhibit. You are implementing an Azure Policy to enforce encryption on managed disks. A user reports that they cannot create a VM even though they specified a disk encryption set. What is the most likely reason?

A.The user did not have permission to assign a disk encryption set.
B.The disk encryption set is in a different region than the VM.
C.The disk encryption set is not enabled for encryption.
D.The user specified the disk encryption set in the VM properties but not on the disk resource.
AnswerD

The policy checks the disk resource; the encryption set must be set on the disk itself.

Why this answer

The policy checks that the property 'diskEncryptionSet.id' exists on the OS disk. If the user specifies the encryption set at the VM level rather than the disk level, the property may not be present on the disk resource itself. Option B is correct.

Option A is incorrect because the policy allows creation if the property exists. Option C is incorrect because the policy does not check for key validity. Option D is incorrect because the policy applies to all regions.

4
Multi-Selectmedium

You are designing security for an Azure SQL Database that will store personally identifiable information (PII). The database will be accessed by multiple applications, some of which are legacy and cannot use Azure AD authentication. Your requirements include: encrypting data at rest, encrypting data in transit, and dynamically masking PII columns for non-privileged users. Which THREE features should you implement?

Select 3 answers
A.Configure Dynamic Data Masking (DDM) for the PII columns.
B.Implement Always Encrypted for the PII columns.
C.Set the 'Minimum TLS Version' to 1.2 on the Azure SQL Server.
D.Enable Transparent Data Encryption (TDE) for the Azure SQL Database.
E.Apply Azure Information Protection labels to the database.
AnswersA, C, D

DDM masks PII for non-privileged users, meeting the masking requirement.

Why this answer

Option A: Transparent Data Encryption (TDE) encrypts data at rest. Option C: Dynamic Data Masking (DDM) masks PII columns for non-privileged users. Option D: Enforce minimal TLS version 1.2 ensures data in transit is encrypted.

Option B (Always Encrypted) is client-side encryption but not required if TDE is used and the client does not support it. Option E (Azure Information Protection) is not for database-level encryption.

5
MCQhard

A company uses Azure Disk Encryption (ADE) on Windows virtual machines. They use a key encryption key (KEK) stored in Azure Key Vault to wrap the disk encryption key. The security policy requires that the KEK be automatically rotated every 90 days. They need to ensure that after rotation, the OS and data disks of running VMs automatically get re-wrapped with the new KEK version. Which configuration should they implement?

A.Enable soft-delete and purge protection on the Key Vault.
B.Use Key Vault key auto-rotation with a 90-day rotation period, and configure the disk encryption set to use the latest key version (empty string).
C.Create a new KEK every 90 days and modify the disk encryption set to point to the new key version.
D.Use Azure Policy to enforce automatic key rotation.
AnswerB

Key Vault key auto-rotation creates new key versions on schedule. By setting the key version to empty in the disk encryption set, the VMs automatically re-wrap their disks with the latest key version after rotation.

Why this answer

Option B is correct because Azure Key Vault supports automatic key rotation with a configurable rotation period, and when a disk encryption set (DES) is configured with an empty string as the key version, it automatically uses the latest version of the KEK. This ensures that after the KEK is rotated every 90 days, the running VMs' OS and data disks are re-wrapped with the new KEK version without manual intervention or VM restart.

Exam trap

The trap here is that candidates may confuse Azure Policy (which enforces compliance) with actual key rotation and re-wrapping mechanisms, or mistakenly believe that manual key version updates in the DES are sufficient for automatic re-wrapping of running VMs.

How to eliminate wrong answers

Option A is wrong because enabling soft-delete and purge protection on the Key Vault is a data protection and recovery feature, not a mechanism for automatic key rotation or re-wrapping of disks. Option C is wrong because manually creating a new KEK every 90 days and updating the DES to point to the new key version is a manual process that does not meet the requirement for automatic rotation and re-wrapping. Option D is wrong because Azure Policy can enforce compliance rules but cannot directly trigger automatic key rotation or re-wrapping of disks; it is a governance tool, not a key lifecycle management feature.

6
Multi-Selecthard

You are securing an Azure Kubernetes Service (AKS) cluster that runs a microservices application. You need to ensure that pods can only communicate with other pods in the same namespace, and that all egress traffic from the cluster is inspected for malicious content. Which three components should you include in the solution?

Select 3 answers
A.Azure Application Gateway
B.Kubernetes Network Policies
C.Azure DDoS Protection
D.User-defined route (UDR) to force-tunnel egress traffic to Azure Firewall
E.Azure Firewall
AnswersB, D, E

Controls pod-to-pod communication.

Why this answer

Option A is correct because Network Policies in AKS control pod-to-pod communication. Option C is correct because Azure Firewall can inspect egress traffic. Option D is correct because the egress traffic must be routed through the firewall.

Option B (Azure DDoS Protection) is for DDoS attacks, not content inspection. Option E (Application Gateway) is for inbound traffic, not egress inspection.

7
MCQmedium

A company uses Azure SQL Database to store customer data, including credit card numbers. The security policy requires that database administrators (DBAs) must not be able to view the credit card numbers in plaintext. The column containing the credit card numbers must be encrypted at rest and in transit, and only a specific application (using a dedicated client library) should be able to decrypt the data. Which technology should they implement?

A.Transparent Data Encryption (TDE) with a customer-managed key stored in Azure Key Vault.
B.Dynamic Data Masking (DDM) for the credit card column.
C.Always Encrypted with a client-side encryption key stored in Azure Key Vault.
D.Row-Level Security (RLS) to restrict DBA access to the credit card column.
AnswerC

Correct. Always Encrypted encrypts the data on the client side, so the SQL Database never sees the plaintext. Only the client application with access to the encryption key can decrypt the data, preventing DBAs from viewing sensitive columns.

Why this answer

Always Encrypted ensures that sensitive data, such as credit card numbers, is encrypted on the client side before being sent to Azure SQL Database, and the encryption keys are never revealed to the database engine. This prevents DBAs or any server-side administrators from viewing the plaintext data, as decryption can only occur using the client-side encryption key stored in Azure Key Vault and accessed by the dedicated application library.

Exam trap

The trap here is that candidates often confuse Dynamic Data Masking (DDM) with encryption, not realizing that DDM only masks output and does not protect the underlying plaintext from privileged users or direct database access.

How to eliminate wrong answers

Option A is wrong because Transparent Data Encryption (TDE) encrypts data at rest but does not protect data from DBAs who have access to the database; the database engine can still decrypt the data in memory and in transit unless additional measures are taken, and it does not enforce client-side-only decryption. Option B is wrong because Dynamic Data Masking (DDM) only obfuscates data in query results for unauthorized users, but the underlying plaintext is still stored in the database and can be accessed by privileged users or through direct queries. Option D is wrong because Row-Level Security (RLS) restricts access to rows based on predicates but does not encrypt the data; DBAs with elevated permissions can bypass RLS or still view the plaintext column values.

8
MCQeasy

You need to ensure that only users with a valid Azure AD token can invoke an Azure Function app. No other authentication methods should be allowed. What should you configure?

A.Enable App Service Authentication and set the action to 'Log in with Azure AD' but allow anonymous requests.
B.Configure function-level authorization and require function keys.
C.Enable App Service Authentication with Azure AD as the provider and set 'Action to take when request is not authenticated' to 'Log in with Azure AD'.
D.Configure IP restrictions to allow only known IP ranges.
AnswerC

This ensures only authenticated requests with a valid Azure AD token are accepted.

Why this answer

Option D is correct because the Function app can be configured to require authentication via Azure AD (EasyAuth) and disable anonymous access. Option A (function keys) allows anonymous access. Option B (App Service Authentication) can be set to Azure AD, but must also disable unauthenticated access.

Option C (IP restriction) does not enforce token authentication.

9
MCQmedium

A company stores sensitive financial documents in Azure Blob Storage. The security team needs to maintain an immutable log of all changes to the blob content, including the previous versions and the identity of the user who made the changes, for forensic analysis. Which Azure Storage feature should they enable on the storage account to meet this requirement?

A.Azure Blob Storage soft delete.
B.Azure Blob Storage versioning.
C.Blob Storage change feed.
D.Azure Storage analytics logs.
AnswerC

The change feed records all modifications to blobs in an immutable event log. It can be used with Azure Diagnostics logs to correlate user identity (from storage analytics) to understand who performed the action.

Why this answer

The Blob Storage change feed provides an immutable, append-only log of all changes (create, update, delete) to blobs and blob metadata, including the previous version and the identity of the user who made the change via the requestor's object ID. This meets the forensic requirement for a complete audit trail of blob content changes.

Exam trap

The trap here is that candidates often confuse versioning (which preserves previous versions for recovery) with the change feed (which provides an immutable audit log of changes), leading them to select versioning when the requirement explicitly calls for a forensic log with user identity.

How to eliminate wrong answers

Option A is wrong because soft delete only preserves deleted blobs for a retention period and does not log changes to existing blob content or track user identity. Option B is wrong because versioning maintains previous versions of blobs but does not provide a chronological log of changes with user identity; it is a point-in-time recovery feature, not an audit trail. Option D is wrong because Storage analytics logs (now deprecated in favor of Azure Monitor resource logs) capture storage service operations but are not immutable by default and do not include previous blob content or a guaranteed append-only log.

10
Multi-Selectmedium

A company uses Azure Key Vault to store keys and secrets. They want to ensure that even if an administrator accidentally deletes a key, it can be recovered for up to 90 days. Additionally, they want to prevent anyone from permanently purging the key during that period. Which two features must be enabled?

Select 2 answers
A.Soft-delete and purge protection
B.Soft-delete and resource locks
C.Purge protection and access policies
D.Soft-delete and backup
AnswersA, B

Correct. Soft-delete enables recovery; purge protection prevents permanent deletion during the retention period.

Why this answer

Soft-delete must be enabled to retain a deleted key for a configurable retention period (default 90 days), allowing recovery. Purge protection must be enabled to prevent permanent deletion (purging) of the key during that retention period, even by administrators. Together, these two features ensure the key can be recovered and cannot be permanently deleted for up to 90 days.

Exam trap

The trap here is that candidates often confuse resource locks (which protect the vault resource) with purge protection (which protects the deleted key within the vault), or assume that backup alone provides the same recovery guarantee as soft-delete with purge protection.

11
MCQhard

You are designing a secure database solution for a financial application using Azure SQL Database. The database contains highly sensitive columns (e.g., credit card numbers). Which combination of features should you implement to protect data at rest, in transit, and in use, while minimizing performance impact?

A.Always Encrypted with secure enclaves, TDE, and enforce TLS 1.2.
B.Dynamic Data Masking, TDE, and enforce TLS 1.2.
C.Always Encrypted (with deterministic encryption for equality searches), TDE, and enforce TLS 1.2.
D.Column-level encryption using Azure Key Vault, TDE, and enforce TLS 1.2.
AnswerC

Always Encrypted protects data in use and at rest on the server; TDE encrypts at rest; TLS enforces in-transit encryption.

Why this answer

Option C is correct because Always Encrypted protects data in use and at rest on the server, transparent data encryption (TDE) protects data at rest, and TLS enforces encryption in transit. Column-level encryption alone (Option A) does not encrypt at rest automatically. Dynamic Data Masking (Option B) only obfuscates in query results, not encryption.

Option D (Always Encrypted with enclaves) is for richer queries but may have performance overhead.

12
MCQmedium

A storage account contains legal evidence that must not be modified or deleted for seven years. Which feature should be configured?

A.Soft delete only
B.Lifecycle management to archive tier
C.Customer-managed keys
D.Immutable blob storage with a time-based retention policy
AnswerD

Correct for the stated requirement.

Why this answer

Immutable blob storage with a time-based retention policy (WORM – Write Once, Read Many) is the correct choice because it enforces a strict seven-year retention period during which blobs cannot be modified or deleted, even by account administrators. This is achieved through a policy that locks the data at the storage level, ensuring compliance with legal hold requirements for evidence preservation.

Exam trap

The trap here is that candidates often confuse soft delete (which only protects against accidental deletion for a short period) with immutable storage (which enforces a hard, non-negotiable retention lock against both modification and deletion for a specified duration).

How to eliminate wrong answers

Option A is wrong because soft delete only provides protection against accidental deletion for a configurable retention period (default 7 days), but it does not prevent modifications or enforce a fixed seven-year legal hold; data can still be overwritten or deleted permanently after the soft-delete period expires. Option B is wrong because lifecycle management to the archive tier is designed for cost optimization by moving data to cooler storage tiers, not for preventing modification or deletion; data in the archive tier can still be deleted or overwritten by authorized users. Option C is wrong because customer-managed keys (CMK) control encryption at rest using Azure Key Vault, but they do not impose any retention or immutability constraints; data remains fully mutable and deletable regardless of key management.

13
MCQhard

Your organization uses Azure Cosmos DB with API for MongoDB. You need to encrypt data at rest using a customer-managed key stored in Azure Key Vault, and you must ensure that the key is automatically rotated every year. What should you do?

A.Enable server-side encryption with Microsoft-managed keys.
B.Configure a customer-managed key in Key Vault and set the key rotation policy to auto-rotate annually.
C.Use a customer-managed key and manually rotate it every year.
D.Enable infrastructure encryption on the Cosmos DB account.
AnswerB

CMK with auto-rotation meets both encryption and rotation requirements.

Why this answer

Cosmos DB supports customer-managed keys with automatic rotation in Key Vault. Option A is wrong because Cosmos DB does not have infrastructure encryption. Option B is wrong because CMK with manual rotation does not meet automatic requirement.

Option D is wrong because Microsoft-managed keys do not allow customer control.

14
MCQhard

You are deploying an Azure Storage account using the ARM template snippet shown. After deployment, you need to allow access from a specific public IP address. What should you do?

A.Create a private endpoint and assign it to the storage account.
B.Add an IP rule to the ipRules array with the public IP address.
C.Configure a service endpoint for the storage account.
D.Update the defaultAction to Allow and set ipRules to deny the IP.
AnswerB

IP rules allow specific public IPs to bypass the deny default.

Why this answer

The template sets default action to Deny and has no ipRules. To allow a specific IP, you must add an IP rule. Option A is correct.

Service endpoints are for virtual networks, not public IPs. Private endpoints provide private connectivity. Changing default action to Allow would allow all traffic.

15
MCQeasy

You need to securely store connection strings and secrets for an Azure function app. The solution must automatically rotate the secrets every 90 days and provide audit logs for access. What should you use?

A.Azure SQL Database with Always Encrypted
B.Azure Key Vault with key rotation policy and diagnostic logging
C.Azure Cosmos DB with encryption at rest
D.Azure App Service application settings with slot-sticky settings
AnswerB

Provides secure storage, rotation, and auditing.

Why this answer

Option A is correct: Azure Key Vault with automatic rotation and audit logging. Option B (App Service application settings) stores secrets in plaintext. Option C (Azure Cosmos DB) is not for secrets.

Option D (Azure SQL Database) is not appropriate.

16
MCQeasy

You are deploying a web application that stores user-uploaded files in Azure Blob Storage. You need to ensure that only authenticated users can upload files, and that uploaded files are automatically scanned for malware. What should you use?

A.Use Azure Event Grid to trigger a function for malware scanning
B.Enable Azure AD authentication for the storage account and enable Microsoft Defender for Storage
C.Configure Azure Firewall to allow only the web app's IP address
D.Use shared access signatures (SAS) with stored access policies
AnswerB

Provides user authentication and malware scanning.

Why this answer

Option D is correct: Azure AD authentication for the storage account ensures only authenticated users can access, and Microsoft Defender for Storage provides malware scanning. Option A (SAS tokens) are shared access signatures, not user-specific. Option B (Event Grid) is for event handling, not authentication.

Option C (Azure Firewall) is network-level, not application-level.

17
MCQhard

An AKS cluster needs to pull container images from a private Azure Container Registry (ACR). The security policy requires that the AKS cluster identity should not have direct access to the ACR; instead, a service principal with the AcrPull role should be used, with credentials stored as a Kubernetes secret. Which authentication method should be configured on the AKS cluster?

A.AKS managed identity
B.ACR admin account
C.Kubernetes pull secret using a service principal
D.Azure AD pod identity
AnswerC

A pull secret with service principal credentials limits access to specific pods and adheres to the policy.

Why this answer

The correct answer is C because the scenario explicitly requires that the AKS cluster identity not have direct access to ACR, and instead mandates using a service principal with AcrPull role whose credentials are stored as a Kubernetes secret. A Kubernetes pull secret of type 'docker-registry' stores the service principal's client ID and client secret, which kubelet uses to authenticate to ACR when pulling images. This method decouples the AKS cluster's managed identity from ACR access, satisfying the security policy.

Exam trap

The trap here is that candidates often confuse 'AKS managed identity' with the requirement for a service principal secret, mistakenly thinking managed identity is always the best practice, but the question explicitly prohibits direct cluster identity access to ACR.

How to eliminate wrong answers

Option A is wrong because AKS managed identity would grant the cluster's own identity direct access to ACR, which violates the policy that the cluster identity should not have direct access. Option B is wrong because the ACR admin account is a shared, static credential with full access to the registry, and it is not a service principal; it also bypasses the requirement to use a service principal with AcrPull role. Option D is wrong because Azure AD pod identity is used to assign Azure AD identities to pods for accessing Azure resources, but it does not store credentials as a Kubernetes secret; it relies on Azure AD authentication and would still involve the cluster identity or pod-level managed identities, not a service principal secret stored in the cluster.

18
Multi-Selectmedium

Which TWO actions should you take to ensure that an Azure Storage account is only accessible over HTTPS and that data in transit is encrypted?

Select 2 answers
A.Configure a custom domain with HTTPS enabled.
B.Set 'Secure transfer required' to Enabled.
C.Deploy Azure Firewall in front of the storage account.
D.Set the minimum TLS version to 1.2.
E.Use Azure Private Link to connect to the storage account.
AnswersB, D

This enforces HTTPS for all requests.

Why this answer

Option A and Option D are correct. Option A: Setting 'Secure transfer required' to Enabled ensures that the storage account rejects HTTP requests. Option D: Enabling 'Minimum TLS version' to 1.2 ensures that only TLS 1.2 or higher is accepted.

Option B is wrong because Azure Firewall is for network filtering, not encryption. Option C is wrong because HTTPS is already enforced by Option A, not an additional requirement. Option E is wrong because Private Endpoint provides private connectivity but does not enforce HTTPS.

19
MCQmedium

You have an Azure Cosmos DB account with multiple containers. You need to ensure that only specific Azure AD identities can access the data and that all access is logged. What should you use?

A.Use primary keys for authentication and enable audit logging
B.Use Azure AD authentication and RBAC roles, and enable diagnostic logs
C.Configure managed identities for Azure resources and enable diagnostic logs
D.Configure an Azure Cosmos DB firewall and enable diagnostic logs
AnswerB

RBAC allows fine-grained access control and diagnostic logs capture all requests.

Why this answer

Azure Cosmos DB supports Azure AD authentication for control plane and data plane. For fine-grained access, use RBAC roles. Enable diagnostic logs for auditing.

Option C is correct. Option A is wrong because firewall rules restrict network access. Option B is wrong because primary keys grant full access.

Option D is wrong because managed identities are for services, not for user access control.

20
MCQeasy

A company uses Azure SQL Database and wants to periodically scan the database for vulnerabilities such as misconfigurations, excessive permissions, and missing patches. The scans should generate actionable reports that the security team can use to remediate issues. Which built-in Azure feature should they enable?

A.Azure Defender for SQL
B.SQL Vulnerability Assessment
C.SQL Auditing
D.Azure SQL Insights
AnswerB

Correct. Vulnerability Assessment is the dedicated tool that scans for SQL database vulnerabilities and generates actionable reports.

Why this answer

SQL Vulnerability Assessment is the correct choice because it is a built-in Azure SQL Database feature specifically designed to discover, track, and remediate potential database vulnerabilities such as misconfigurations, excessive permissions, and missing patches. It runs periodic scans and generates actionable reports with remediation steps, directly matching the requirement.

Exam trap

The trap here is that candidates often confuse Azure Defender for SQL (which includes vulnerability assessment as a sub-feature) with the standalone SQL Vulnerability Assessment, but the question explicitly asks for the feature that 'periodically scans for vulnerabilities and generates actionable reports,' which is the core function of SQL Vulnerability Assessment, not the broader threat protection service.

How to eliminate wrong answers

Option A is wrong because Azure Defender for SQL provides advanced threat protection and anomaly detection (e.g., SQL injection alerts), but it does not perform periodic vulnerability scanning or generate actionable reports for misconfigurations and missing patches. Option C is wrong because SQL Auditing tracks database events and changes for compliance and forensic analysis, but it does not scan for vulnerabilities or produce remediation reports. Option D is wrong because Azure SQL Insights is a monitoring and performance diagnostic tool that uses intelligent insights to optimize query performance and resource usage, not a vulnerability scanner.

21
MCQmedium

You are designing a backup strategy for Azure VMs running critical workloads. The VMs have Azure Disk Encryption enabled with Azure Key Vault. You need to ensure that backups can be restored securely. What should you configure?

A.Create a separate Key Vault for backup vault and copy the keys there.
B.Disable encryption before backup and re-enable after restore.
C.Configure Azure Backup with the same Key Vault that holds the encryption keys and allow Backup service access to Key Vault.
D.Export the encryption keys to a secure location and import them during restore.
AnswerC

This enables seamless backup and restore of encrypted VMs.

Why this answer

Option A is correct because Azure Backup supports backing up encrypted VMs with KEK and BEK. During restore, you can specify the same Key Vault to restore the keys. Option B (separate Key Vault) complicates restore.

Option C (disable encryption) is not secure. Option D (export keys) is risky.

22
MCQmedium

Your organization uses Azure Storage to host sensitive financial data. You need to ensure that all access to the storage account is encrypted in transit and that access keys are rotated automatically every 90 days. You also need to prevent access from public IP addresses. Which combination of configurations should you implement?

A.Configure a network firewall rule to block all traffic, enable 'Secure transfer required', and rotate keys manually every 90 days
B.Enable 'Allow trusted Microsoft services', configure key rotation policy, and disable 'Allow storage account key access'
C.Enable 'Secure transfer required', configure key rotation policy, and disable 'Allow Blob public access'
D.Enable 'Secure transfer required', configure key rotation policy, and set 'Public network access' to 'Disabled'
AnswerD

This enforces HTTPS, rotates keys, and blocks public access.

Why this answer

Option B is correct because enabling 'Secure transfer required' enforces HTTPS, automatic key rotation can be configured in the storage account settings, and the 'Selected networks' firewall with a deny-all default rule blocks public IPs. Option A is wrong because disabling public network access alone does not enforce HTTPS. Option C is wrong because firewall rules do not enforce HTTPS.

Option D is wrong because disabling anonymous access does not enforce HTTPS.

23
MCQhard

An Azure SQL Database contains salary data. Support analysts need to query employee records but must not see full salary values. Which feature is most appropriate when the application cannot be changed immediately?

A.Transparent Data Encryption
B.Dynamic data masking
C.Geo-replication
D.Accelerated database recovery
AnswerB

Correct for the stated requirement.

Why this answer

Dynamic data masking (DDM) is the correct choice because it obfuscates sensitive data in query results without modifying the underlying database or requiring application changes. The support analysts can still query employee records, but the salary column is masked according to a defined masking rule (e.g., showing only the last four digits or replacing with zeros). This meets the requirement of preventing full salary exposure while the application remains unchanged.

Exam trap

The trap here is confusing data-at-rest encryption (TDE) with data-masking at query time—candidates often assume encryption alone prevents unauthorized viewing, but encryption does not affect what authorized users see when they run SELECT queries.

How to eliminate wrong answers

Option A is wrong because Transparent Data Encryption (TDE) encrypts data at rest on disk and in backups, but it does not control what users see when querying the database—authorized users still see full salary values. Option C is wrong because geo-replication provides disaster recovery by maintaining a readable secondary replica in a different region, but it does not restrict data visibility in query results. Option D is wrong because accelerated database recovery (ADR) improves transaction rollback speed and database availability after failures, but it has no effect on data masking or access control.

24
MCQhard

Your company is migrating a legacy on-premises application to Azure VMs. The application writes log files to a local folder. You need to collect these logs centrally for security analysis using Microsoft Sentinel. The application runs on Windows Server 2022 and is expected to generate about 50 GB of logs per day. The security team requires that logs be encrypted at rest and in transit, and that log collection has minimal latency. You set up Azure Monitor Agent (AMA) on the VM and configure a Data Collection Rule (DCR) to stream custom logs to a Log Analytics workspace. However, after 24 hours, no custom logs appear in the workspace. The AMA is reporting as healthy. You need to troubleshoot and resolve the issue. What is the most likely cause?

A.The DCR does not include the correct table name for the custom log, or the table does not exist in the Log Analytics workspace.
B.The custom log file path specified in the DCR is a local path, but AMA requires a network share for custom log collection.
C.The log file format is not JSON, but AMA only supports custom logs in JSON format.
D.The VM does not have local administrator privileges required for the AMA to read the log files.
AnswerA

The DCR must reference an existing custom log table; a mismatch prevents ingestion.

Why this answer

Option B is correct: The DCR must reference the custom log table created in the Log Analytics workspace; if the table name does not match, logs will not be ingested. Option A: AMA can collect custom logs from a file path; the path does not need to be a network share. Option C: The agent does not require local admin privileges for custom log collection.

Option D: The log file format is not limited to JSON; AMA can collect plain text logs with a defined pattern.

25
MCQmedium

A company uses Azure Key Vault to store secrets. They want to grant developers the ability to read secrets, but only for specific secret names (e.g., 'App--ConnectionString'). They also want to use Azure RBAC instead of the Key Vault access policy model. Which RBAC role should they assign, and at which scope?

A.Assign the 'Key Vault Secrets User' role at the secret scope
B.Assign the 'Key Vault Secrets User' role at the vault scope
C.Assign the 'Key Vault Reader' role at the secret scope
D.Assign the 'Key Vault Secrets Officer' role at the secret scope
AnswerA

The 'Key Vault Secrets User' role permits reading secret content. When scoped to an individual secret, it restricts access to that specific secret only. Azure RBAC supports data plane roles at the secret, key, or certificate level.

Why this answer

Option A is correct because the 'Key Vault Secrets User' role, when assigned at the individual secret scope (e.g., /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.KeyVault/vaults/{vault}/secrets/{secretName}), grants read-only access to that specific secret. This satisfies the requirement to use Azure RBAC (instead of the legacy access policy model) and to limit developers to reading only secrets with a specific name, such as 'App--ConnectionString'.

Exam trap

The trap here is that candidates often assume RBAC roles can only be assigned at the vault scope, forgetting that Azure RBAC supports fine-grained scoping down to the individual secret level, which is essential for least-privilege access control.

How to eliminate wrong answers

Option B is wrong because assigning the 'Key Vault Secrets User' role at the vault scope would grant read access to all secrets in the vault, not just the specific secret name required. Option C is wrong because the 'Key Vault Reader' role only allows listing vaults and reading metadata (e.g., vault properties), not reading secret values; it does not include the 'Microsoft.KeyVault/vaults/secrets/read' action needed to retrieve secret content. Option D is wrong because the 'Key Vault Secrets Officer' role includes write and delete permissions (e.g., 'Microsoft.KeyVault/vaults/secrets/write' and 'delete'), which exceeds the required read-only access and violates the principle of least privilege.

26
MCQmedium

A company uses Azure SQL Database with Transparent Data Encryption (TDE) using a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault has a firewall enabled that denies all public network access. The SQL server has a system-assigned managed identity assigned the 'Key Vault Crypto Service Encryption User' role. However, TDE operations are failing because the SQL server cannot access the Key Vault. What additional configuration is needed?

A.Enable the Key Vault firewall to allow trusted Microsoft services
B.Create a private endpoint for the SQL server to access the Key Vault
C.Enable public network access on the Key Vault
D.Assign the SQL server's managed identity the 'Reader' role on the Key Vault
AnswerA

This option allows Azure SQL Database (as a trusted Microsoft service) to access Key Vault through the firewall, enabling TDE operations with the CMK.

Why this answer

When Azure Key Vault has its firewall enabled to deny all public network access, it blocks all traffic, including requests from Azure SQL Database. By enabling the 'Allow trusted Microsoft services' exception, Azure Key Vault permits specific Azure platform services (like Azure SQL Database) to bypass the firewall, provided the service authenticates using a managed identity with appropriate permissions. This setting is essential for TDE with CMK because the SQL server's system-assigned managed identity must reach the Key Vault to unwrap the encryption key, even when public access is disabled.

Exam trap

The trap here is that candidates often assume a private endpoint is required for any cross-service communication when firewalls are involved, but Azure's 'Allow trusted Microsoft services' exception is a simpler, first-line configuration that enables necessary platform-level access without exposing the Key Vault to the internet.

How to eliminate wrong answers

Option B is wrong because creating a private endpoint for the SQL server to access the Key Vault would require the SQL server to initiate a connection through a private IP, but the SQL server itself does not support outbound private endpoints to Key Vault; private endpoints are configured on the Key Vault side, not the SQL server side, and the scenario already has the Key Vault firewall denying all public access, so a private endpoint on the Key Vault would be needed, but that is not listed as an option and would not resolve the immediate firewall block without the trusted services exception. Option C is wrong because enabling public network access on the Key Vault would defeat the security purpose of the firewall and is unnecessary; the trusted services exception allows the required access without exposing the Key Vault to the public internet. Option D is wrong because the 'Reader' role on the Key Vault only grants read access to the vault's metadata and secrets list, not the cryptographic permissions needed for TDE operations; the 'Key Vault Crypto Service Encryption User' role is already assigned and provides the necessary unwrap key permission, so adding 'Reader' is irrelevant.

27
Matchingmedium

Match each Azure Key Vault feature to its purpose.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Recover deleted vaults and objects within retention period

Prevents permanent deletion until retention period ends

Periodically replace cryptographic keys

Grant permissions to users, groups, or applications

Use Azure RBAC to manage access to vaults

Why these pairings

Key Vault features ensure secure key and secret management.

28
MCQhard

A company has an Azure Storage account with infrastructure encryption enabled. They configure the storage account to use customer-managed keys (CMK) stored in Azure Key Vault for encryption at rest. Despite this configuration, newly uploaded blobs are still encrypted with Microsoft-managed keys. What is the most likely cause?

A.The storage account was created before infrastructure encryption was generally available
B.The customer-managed key in Key Vault is disabled or expired
C.The storage account's encryption type is set to Microsoft-managed keys
D.The blob container has a policy that overrides the encryption setting
AnswerC

The storage account must have its encryption type explicitly set to 'Customer-managed keys'. If it is set to 'Microsoft-managed keys', all blobs are encrypted with Microsoft-managed keys regardless of the key vault configuration.

Why this answer

Option C is correct because the storage account's encryption type must be explicitly set to 'Customer-managed keys' to use CMK from Azure Key Vault. If the encryption type remains at the default 'Microsoft-managed keys', newly uploaded blobs will continue to be encrypted with Microsoft-managed keys regardless of the CMK configuration in Key Vault. Infrastructure encryption is a separate feature that encrypts data at the hardware level and does not affect the key management type.

Exam trap

The trap here is that candidates often assume that simply configuring a customer-managed key in Key Vault automatically changes the storage account's encryption type, but Azure requires an explicit configuration step to switch the encryption type from 'Microsoft-managed keys' to 'Customer-managed keys'.

How to eliminate wrong answers

Option A is wrong because infrastructure encryption is a separate feature that encrypts data at the storage infrastructure level (before the data is written to disk) and does not influence the choice between Microsoft-managed and customer-managed keys; the storage account's creation date does not prevent CMK from being applied. Option B is wrong because if the customer-managed key in Key Vault is disabled or expired, the storage account would fail to encrypt new blobs with CMK and would likely throw an error or fall back to Microsoft-managed keys only if the account is configured to allow that fallback, but the question states the blobs are still encrypted with Microsoft-managed keys without error, indicating the encryption type was never set to CMK. Option D is wrong because blob containers do not have policies that can override the storage account's encryption setting; encryption at rest is configured at the storage account level and applies to all blobs uniformly.

29
Multi-Selecthard

Which THREE components are required to enable Azure Disk Encryption for Windows VMs using Azure Key Vault? (Choose three.)

Select 3 answers
A.Azure Key Vault with an access policy granting permissions to the Azure Disk Encryption service
B.A key encryption key (KEK) in Azure Key Vault
C.A Recovery Services vault
D.A storage account to store the encryption logs
E.The Azure Disk Encryption extension installed on the VM
AnswersA, B, E

Key Vault stores the encryption keys and must have appropriate access policies.

Why this answer

Options A, B, and D are correct. Option A: A Key Vault is required to store encryption keys. Option B: The VM must have a key encryption key (KEK) or be configured to use a BEK.

Option D: The VM must have the AzureDiskEncryption extension installed. Option C is wrong because a recovery vault is for Azure Backup, not disk encryption. Option E is wrong because a storage account is not required; Azure Disk Encryption uses managed disks.

30
MCQmedium

You are a security engineer for Contoso Ltd., a multinational company that uses Azure extensively. The company has a custom line-of-business application hosted on Azure VMs. The application stores sensitive customer data in Azure SQL Database. The security policy requires: (1) All data at rest must be encrypted using customer-managed keys stored in Azure Key Vault. (2) Encryption keys must be rotated automatically every 90 days. (3) Access to the keys must be audited. (4) The application must not have direct access to the key vault; only Azure services should access keys on behalf of the application. You need to recommend a solution. What should you do?

A.Use Azure Storage Service Encryption with Microsoft-managed keys for the database backup.
B.Enable Azure Disk Encryption on the VMs and store keys in Azure Key Vault.
C.Configure Azure SQL Database Transparent Data Encryption (TDE) with customer-managed keys in Azure Key Vault and set key rotation policy to auto-renew every 90 days.
D.Implement Always Encrypted with column encryption keys stored in Azure Key Vault.
AnswerC

TDE with CMK meets all requirements.

Why this answer

Option C is correct because Transparent Data Encryption (TDE) with customer-managed keys in Key Vault meets all requirements: encryption at rest, automatic rotation with Key Vault's key rotation policy, and access by Azure SQL Database without application direct access. Option A is wrong because Always Encrypted encrypts columns but requires the application to handle encryption keys. Option B is wrong because Azure Disk Encryption encrypts VM disks, not SQL database.

Option D is wrong because server-side encryption with service-managed keys does not use customer-managed keys.

31
MCQmedium

A company enables Azure Disk Encryption (ADE) on Windows virtual machines using a key encryption key (KEK) stored in Azure Key Vault. They want the KEK to be automatically rotated every 30 days to meet compliance requirements. Which Azure Key Vault feature should they enable?

A.Key rotation policy
B.Key expiration date
C.Soft-delete
D.Purge protection
AnswerA

Key rotation policy enables automatic rotation of keys at a specified interval, such as every 30 days.

Why this answer

A key rotation policy in Azure Key Vault allows you to define automatic rotation rules for keys, including a rotation interval (e.g., every 30 days) and a rotation time window. This feature ensures that the KEK is automatically replaced with a new key version at the specified interval without manual intervention, meeting compliance requirements for periodic key rotation.

Exam trap

The trap here is that candidates often confuse key expiration (which only invalidates a key) with key rotation (which creates a new version and keeps the old one valid for a time), leading them to select 'Key expiration date' instead of 'Key rotation policy'.

How to eliminate wrong answers

Option B is wrong because a key expiration date sets a fixed end-of-life date for a key, after which it becomes invalid, but it does not automatically rotate the key; it only marks it as expired. Option C is wrong because soft-delete is a recovery feature that retains deleted keys for a configurable retention period, but it does not perform any automatic rotation of keys. Option D is wrong because purge protection prevents permanent deletion of soft-deleted keys, but it has no role in key rotation or lifecycle management.

32
MCQeasy

A company plans to migrate on-premises SQL Server databases to Azure SQL Managed Instance. The security team requires that all data at rest be encrypted using customer-managed keys stored in Azure Key Vault. Which feature should be enabled?

A.Row-Level Security
B.Dynamic Data Masking
C.Always Encrypted with secure enclaves
D.Transparent Data Encryption (TDE) with customer-managed keys in Azure Key Vault
AnswerD

TDE with CMK encrypts the database at rest using keys managed by the customer in Key Vault.

Why this answer

Transparent Data Encryption (TDE) with customer-managed keys (CMK) in Azure Key Vault is the feature for encrypting Azure SQL data at rest with customer-controlled keys. Option A is correct. Option B (Always Encrypted) encrypts data in use and at rest, but does not use Key Vault for TDE.

Option C (Dynamic Data Masking) masks data to non-privileged users. Option D (Row-Level Security) restricts row access.

33
MCQmedium

Your organization uses Azure Storage for sensitive customer data. You need to ensure that data at rest is encrypted using a customer-managed key (CMK) stored in Azure Key Vault. Additionally, you want to automatically rotate the key every 90 days. What should you configure?

A.Enable Azure Disk Encryption on the storage account and store the key in Key Vault with rotation policy.
B.Enable server-side encryption with a platform-managed key and use Azure Policy to enforce rotation.
C.Use client-side encryption with .NET client library and implement custom rotation logic.
D.Enable Azure Storage encryption with a customer-managed key and configure a key rotation policy in Azure Key Vault.
AnswerD

Azure Storage supports CMK from Key Vault with automatic rotation policy.

Why this answer

Option A is correct because Azure Storage encryption with CMK supports automatic key rotation via Key Vault key rotation policy. Option B is wrong because SSE with platform-managed key cannot use CMK. Option C is wrong because Azure Disk Encryption is for VMs, not storage accounts.

Option D is wrong because client-side encryption shifts responsibility to the client and does not leverage Azure Key Vault automatic rotation.

34
MCQmedium

You have an Azure Storage account that contains sensitive documents. You need to generate a time-limited, secure URL that allows a specific user to download a file without requiring storage account keys. What should you use?

A.Azure Front Door custom domain
B.Storage account access key
C.Shared Access Signature (SAS)
D.Azure RBAC role assignment
AnswerC

SAS provides time-limited delegated access to specific resources.

Why this answer

Option A is correct because a shared access signature (SAS) token provides delegated access with time-limited permissions. Option B is wrong because a storage account key grants full access and cannot be time-limited. Option C is wrong because Azure RBAC does not generate URLs.

Option D is wrong because Azure Front Door is a global load balancer, not a mechanism for generating secure URLs.

35
MCQeasy

You need to ensure that Azure SQL Database connections are encrypted and the server's identity is verified. Which connection string parameter should be required?

A.Encrypt=Optional
B.Encrypt=True; TrustServerCertificate=False
C.TrustServerCertificate=True
D.Encrypt=False
AnswerB

Encrypt=True forces encryption, and TrustServerCertificate=False ensures the server certificate is validated.

Why this answer

The 'Encrypt=True' parameter ensures that the connection is encrypted, and 'TrustServerCertificate=False' (or not setting it) verifies the server certificate against a trusted CA. Option A is correct. Option B disables encryption.

Option C (Encrypt=Optional) does not force encryption. Option D (TrustServerCertificate=True) bypasses certificate validation.

36
MCQmedium

Your organization uses Azure Storage accounts with blob containers. You need to ensure that only authorized applications can access the storage account, without using shared keys or shared access signatures. What should you configure?

A.Use a stored access policy with a shared access signature
B.Configure a firewall on the storage account to allow only the application's IP address
C.Enable a private endpoint for the storage account
D.Use Azure AD authentication with managed identities
AnswerD

Managed identities provide an automatically managed identity in Azure AD, allowing applications to authenticate to storage without storing credentials.

Why this answer

Option A is correct because Azure Storage supports managed identities for Azure resources, allowing applications to authenticate without storing keys. Option B is wrong because firewall rules control network access, not application identity. Option C is wrong because private endpoints provide network isolation, not application authentication.

Option D is wrong because SAS tokens still require managing secrets.

37
Multi-Selectmedium

You are designing a backup strategy for Azure virtual machines. You need to ensure that backups are encrypted at rest and can be restored in a different Azure region in case of a regional disaster. Which two configurations should you use?

Select 2 answers
A.Configure Azure Site Recovery for the VMs
B.Enable encryption at rest for the Recovery Services vault using platform-managed keys
C.Enable Cross-Region Restore (CRR) for the Recovery Services vault
D.Enable Azure Disk Encryption on the VMs
E.Use geo-redundant storage (GRS) for the Recovery Services vault
AnswersB, C

Backup data is encrypted at rest.

Why this answer

Option A is correct: Azure Backup uses encryption at rest by default. Option C is correct: Cross-region restore (CRR) allows restoring in a different region. Option B (geo-redundant storage) is used by Recovery Services vault but is not a restore option.

Option D (Azure Site Recovery) is for disaster recovery, not backup. Option E (Azure Disk Encryption) is for VM disks, not backup.

38
Multi-Selecthard

You are designing a backup strategy for Azure Virtual Machines. Which THREE features should you enable to ensure recoverability and security?

Select 3 answers
A.Soft delete for backup data
B.Azure Backup
C.Geo-redundant storage (GRS)
D.Azure Site Recovery
E.Encryption at rest using Azure Disk Encryption
AnswersA, B, E

Soft delete protects backups from accidental or malicious deletion.

Why this answer

Option A, Option B, and Option D are correct. Azure Backup provides automated backups. Soft delete prevents malicious deletion of backups.

Encryption at rest secures backup data. Option C is wrong because geo-redundant storage (GRS) is a replication option, not a backup feature. Option E is wrong because Azure Site Recovery is for disaster recovery, not backup.

39
MCQhard

You have an Azure SQL Database that stores financial data. You need to prevent unauthorized access by encrypting specific columns containing credit card numbers. The solution must allow authorized applications to query the data transparently. What should you implement?

A.Azure Storage service encryption
B.Transparent Data Encryption (TDE)
C.Dynamic Data Masking
D.Always Encrypted
AnswerD

Always Encrypted encrypts specific columns and allows authorized applications to decrypt transparently.

Why this answer

Option D is correct because Always Encrypted encrypts sensitive columns and allows authorized applications to decrypt transparently using the client driver. Option A is wrong because TDE encrypts the entire database at rest but does not provide column-level granularity or transparent querying for applications. Option B is wrong because Dynamic Data Masking only masks data but does not encrypt it.

Option C is wrong because Azure Storage encryption applies to Azure Storage, not SQL Database.

40
MCQmedium

A company uses Azure Blob Storage to store sensitive documents. The security policy requires that the storage account can only be accessed from a specific Azure virtual network (VNet) and that all access must use Azure Active Directory (Azure AD) authentication. They want to block any access that uses storage account keys or shared access signatures (SAS). Which configuration should they implement?

A.Configure the storage account firewall to allow access from the specific VNet, and disable 'Allow storage account key access'.
B.Configure a private endpoint for the storage account and disable 'Allow storage account key access'.
C.Configure the storage account firewall to deny all networks, and set 'Allow storage account key access' to 'Disabled'.
D.Configure the storage account firewall to allow access from the specific VNet, and enable 'Require secure transfer' (HTTPS only).
AnswerA

This restricts access to the VNet and disables key-based authorization, enforcing Azure AD authentication as required.

Why this answer

Option A is correct because it combines two essential controls: the storage account firewall restricts access to only the specified VNet, and disabling 'Allow storage account key access' enforces Azure AD authentication by blocking all requests that use account keys or SAS tokens. This ensures that only authenticated Azure AD identities from the allowed VNet can access the storage account, meeting the security policy requirements.

Exam trap

The trap here is that candidates often confuse 'Require secure transfer' (which only mandates HTTPS) with authentication enforcement, or assume that a private endpoint alone blocks key-based access, when in fact it only secures network connectivity.

How to eliminate wrong answers

Option B is wrong because while a private endpoint restricts network access to a specific VNet, disabling 'Allow storage account key access' alone does not block SAS tokens—SAS can still be generated and used unless explicitly disabled via other settings. Option C is wrong because denying all networks in the firewall blocks all traffic, including from the specific VNet, making the storage account inaccessible even with Azure AD authentication. Option D is wrong because enabling 'Require secure transfer' enforces HTTPS but does not block storage account keys or SAS tokens; it only ensures encrypted transport, not authentication method enforcement.

41
Multi-Selecteasy

Which TWO features of Azure Database for PostgreSQL ensure data security at rest?

Select 2 answers
A.Firewall rules
B.Infrastructure double encryption
C.Transparent Data Encryption (TDE)
D.Advanced Threat Protection
E.Auto-tuning
AnswersB, C

Double encryption provides two layers of encryption at rest.

Why this answer

Transparent Data Encryption (TDE) and SSL/TLS encryption for data in transit (not at rest). Options B and C are correct. Firewall rules control network access.

Advanced Threat Protection detects threats. Auto-tuning is for performance.

42
MCQhard

Your organization uses Microsoft Defender for Cloud to manage security posture. You have an Azure SQL Database that stores PII. You need to ensure that all sensitive columns are automatically discovered and classified. Additionally, you want to audit access to these columns. What should you configure?

A.Azure SQL Database Advanced Threat Protection and Azure SQL Database auditing
B.Microsoft Defender for Cloud's data discovery and classification and Azure SQL Database auditing
C.Azure Purview Data Map and Azure SQL Database auditing
D.Azure SQL Database Vulnerability Assessment and Azure SQL Database auditing
AnswerB

Provides automatic discovery and auditing.

Why this answer

Option B is correct: Microsoft Defender for Cloud includes data discovery and classification for Azure SQL Database, and auditing can be enabled to track access. Option A (Azure Purview) is for broader data governance but not directly for SQL Database auditing. Option C (Azure SQL Database Vulnerability Assessment) checks for vulnerabilities, not classification.

Option D (Azure SQL Database Advanced Threat Protection) detects threats, not classification.

43
Drag & Dropmedium

Drag and drop the steps to configure Azure Defender for SQL on an Azure SQL Database into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Defender for SQL is enabled per database under security settings, requiring storage for scans.

44
Multi-Selectmedium

An AKS cluster must reduce risk from untrusted container images. Which two controls are most appropriate?

Select 2 answers
A.Enable anonymous image pulls
B.Scan container images for vulnerabilities before deployment
C.Restrict image pulls to trusted registries such as ACR with proper RBAC
D.Store Kubernetes secrets in plain text ConfigMaps
AnswersB, C

Correct for the stated requirement.

Why this answer

Option B is correct because scanning container images for vulnerabilities before deployment ensures that known security issues are identified and remediated before the images run in the cluster. This is a critical preventive control that directly reduces the risk of exploiting vulnerabilities in untrusted images. Azure Security Center and Azure Defender for container registries can automatically scan images in ACR and provide actionable findings.

Exam trap

The trap here is that candidates might think enabling anonymous pulls is a valid way to reduce risk by simplifying access, but it actually removes authentication and exposes the registry to unauthorized access.

45
Multi-Selecthard

You are configuring security for an Azure Functions app that processes credit card numbers. You need to ensure that the function can securely access a storage account without storing any credentials in code or configuration, and that all data in the storage account is encrypted with a customer-managed key. Which three actions should you take?

Select 3 answers
A.Assign the 'Storage Blob Data Contributor' role to the function app's managed identity
B.Configure the storage account to use customer-managed keys for encryption
C.Store the storage account connection string in an application setting
D.Enable system-assigned managed identity on the function app
E.Use a Key Vault reference in the function app configuration to retrieve the storage account key
AnswersA, B, D

Grants access to storage account.

Why this answer

Option A is correct: managed identity allows the function to authenticate without credentials. Option C is correct: RBAC assignment allows the function to access the storage account. Option E is correct: CMK encryption at rest.

Option B (connection string) is not secure. Option D (Key Vault reference) still requires a secret, but managed identity is better.

46
MCQhard

You are the Azure Security Engineer for a financial services company. The company has a multi-tier application deployed on Azure Virtual Machines (VMs) in a hub-spoke network topology. The application consists of web servers, application servers, and database servers. The database servers run SQL Server on Windows Server 2022 and store sensitive financial data. Compliance requires that all data at rest be encrypted using customer-managed keys (CMK) stored in Azure Key Vault. Additionally, all network traffic between tiers must be encrypted, and the database must be accessible only from the application servers. You have the following resources: a Key Vault with an HSM-backed key (key1) for disk encryption, and a Key Vault with a software-protected key (key2) for SQL Server TDE. Current configuration: The web servers are in subnet A, application servers in subnet B, and database servers in subnet C. Network Security Groups (NSGs) allow traffic from subnet B to subnet C on TCP 1433. The database servers are not using TDE. You need to implement the required security controls. What should you do first?

A.Enable Transparent Data Encryption (TDE) on the SQL Server instance using a service-managed key, then rotate to use key2 from Key Vault
B.Enable Azure Disk Encryption on the database VMs using key1 from the HSM-backed Key Vault
C.Configure SQL Server to use SQL authentication and create a login for the application servers
D.Implement Always Encrypted for the sensitive columns using key2 from Key Vault
AnswerA

TDE with customer-managed key meets the compliance requirement for data at rest encryption.

Why this answer

Option C is correct because to use customer-managed keys for SQL Server TDE, you must first enable TDE with a service-managed key, then switch to the customer-managed key stored in Key Vault. Option A is wrong because Azure Disk Encryption encrypts the OS disk, not SQL Server data files. Option B is wrong because enabling SQL authentication does not provide encryption.

Option D is wrong because Always Encrypted encrypts specific columns, not the entire database.

47
MCQmedium

Your organization uses Azure Storage for sensitive financial data. You need to restrict access to storage accounts based on the client's IP address. Which Azure Storage service feature should you configure?

A.Firewalls and virtual networks
B.Shared access signatures (SAS)
C.Azure Private Link
D.Azure AD role-based access control
AnswerA

Firewalls and virtual networks allow you to create IP rules to restrict access to storage accounts.

Why this answer

Firewalls and virtual networks allow you to restrict access to storage accounts based on IP rules. Option B is correct. Option A (SAS) is for delegated access, not IP restriction.

Option C (Private Link) is for private network access. Option D (Azure AD RBAC) controls data plane operations but not IP-level filtering.

48
MCQeasy

You need to backup Azure SQL Managed Instance databases to a separate region for disaster recovery. Which Azure service should you use?

A.Active geo-replication
B.Geo-redundant storage (GRS) for Azure Storage
C.Azure Site Recovery
D.Azure Backup with geo-redundant storage
AnswerD

Azure Backup provides geo-restore capability.

Why this answer

Option B is correct because Azure Backup supports long-term retention and geo-restore for SQL Managed Instance. Option A is wrong because active geo-replication is for continuous replication, not backup. Option C is wrong because Azure Site Recovery is for VM replication.

Option D is wrong because Azure Storage replication is for storage accounts, not SQL.

49
MCQmedium

Your organization runs a critical application on Azure Virtual Machines (VMs) that processes credit card transactions. Compliance with PCI DSS requires that all cardholder data be encrypted at rest and that the encryption keys be stored in a FIPS 140-2 Level 3 validated hardware security module (HSM). You have chosen to use Azure Disk Encryption with customer-managed keys stored in Azure Key Vault Managed HSM. During a security review, you discover that the VMs are using unmanaged disks. You need to migrate them to managed disks without downtime and ensure that encryption is applied. You also need to maintain the existing encryption keys and ensure that the encryption set is in the same region as the VMs. What should you do?

A.Copy the unmanaged disks to managed disks using AzCopy and then attach them to the VM while it is running.
B.Stop the VM, convert the unmanaged disks to managed disks using Azure CLI, then enable Azure Disk Encryption with the existing DES.
C.Create a new VM with managed disks, attach the unmanaged disks as data disks, and enable Azure Disk Encryption with the existing DES.
D.Take a backup of the VMs using Azure Backup, restore them to managed disks, and enable encryption with a new DES.
AnswerB

Conversion requires the VM to be stopped; after conversion, you can enable encryption with the DES.

Why this answer

Azure Disk Encryption with managed disks requires a Disk Encryption Set (DES) that references the key in the HSM. You can convert unmanaged disks to managed disks by stopping the VM and using Azure CLI or PowerShell, then attaching the managed disk. To avoid downtime, you should perform the conversion during a maintenance window.

Ensure the DES is in the same region as the VM. Option B is correct. Option A is incorrect because you cannot directly use Azure Disk Encryption on unmanaged disks with a DES; you must convert to managed disks first.

Option C is incorrect because Azure Backup does not help with disk type conversion. Option D is incorrect because copying disks would create duplicates and require reconfiguration.

50
Multi-Selectmedium

A company has an Azure SQL Database server. They want to allow an Azure Function with a system-assigned managed identity to access the database by using Azure Active Directory (Azure AD) authentication. Which two configurations are required to grant this access? (Choose two.)

Select 2 answers
A.Assign the managed identity the 'db_datareader' role in the database.
B.Create a contained database user for the managed identity in the SQL database.
C.Add the managed identity as an Azure AD admin for the SQL server.
D.Enable Azure AD-only authentication on the SQL server.
AnswersA, B

This grants the necessary read permissions to the managed identity within the database.

Why this answer

Option A is correct because assigning the managed identity the 'db_datareader' role in the database grants it read permissions on all tables and views, which is a common requirement for an Azure Function accessing data. Option B is correct because a contained database user must be created for the managed identity in the SQL database, mapping the Azure AD identity to a database principal that can be granted permissions. Without this contained user, the managed identity cannot authenticate to the database via Azure AD.

Exam trap

The trap here is that candidates often confuse server-level Azure AD admin assignment (Option C) with the necessary database-level contained user creation, assuming admin rights are required for any Azure AD authentication, when in fact a contained user with minimal roles is sufficient and more secure.

51
MCQmedium

A company stores sensitive job processing messages in Azure Queue Storage. They have a web application running on an Azure virtual machine in a VNet that reads and writes to the queue. The security team requires that only the web application's VM can access the queue, and all access from the public internet must be blocked. Which configuration should they implement?

A.Configure a service endpoint for Azure Storage on the VNet subnet and add a firewall rule allowing the VNet.
B.Deploy a private endpoint for the storage account in the same VNet and disable public network access on the storage account.
C.Route all traffic from the VNet through an Azure Firewall and create a NAT rule to the storage account.
D.Generate a shared access signature (SAS) token with narrow permissions and require the web app to use that token.
AnswerB

Correct. A private endpoint gives the storage account a private IP in the VNet. Disabling public network access ensures that only traffic via the private endpoint is allowed, blocking all internet traffic.

Why this answer

Option B is correct because deploying a private endpoint for the storage account in the same VNet assigns the storage account a private IP from the VNet, effectively bringing the service into the VNet. Disabling public network access then ensures that all traffic to the queue must traverse the private endpoint, blocking any public internet access. This meets the requirement that only the web application's VM can access the queue, as the private endpoint is accessible only from within that VNet.

Exam trap

The trap here is that candidates often confuse service endpoints (which only extend VNet identity but leave the public endpoint exposed) with private endpoints (which fully remove public exposure), leading them to choose option A instead of B.

How to eliminate wrong answers

Option A is wrong because a service endpoint for Azure Storage on the VNet subnet only extends the VNet identity to the storage account but does not remove the public endpoint; the storage account remains accessible from the public internet unless additional firewall rules explicitly block all other traffic, which is not specified. Option C is wrong because routing traffic through an Azure Firewall with a NAT rule does not inherently block public internet access to the storage account; the storage account's public endpoint would still be reachable from the internet, and the NAT rule only translates traffic, not restrict source. Option D is wrong because a shared access signature (SAS) token with narrow permissions does not restrict network-level access; the storage account's public endpoint remains accessible from the internet, and any client with the SAS token (including potentially malicious actors) could access the queue from anywhere.

52
Drag & Dropmedium

Drag and drop the steps to implement Azure AD Identity Protection to detect risky sign-ins into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Identity Protection policies are configured under Security, with user risk policy settings.

53
MCQmedium

A company is deploying Azure Virtual Machines for a batch processing workload. The VMs process highly sensitive data and must ensure that the data on the OS and data disks is encrypted using a customer-managed key stored in Azure Key Vault. Which encryption option meets the requirement?

A.Encryption at host
B.Azure Storage Service Encryption
C.Server-side encryption (SSE) with customer-managed keys
D.Azure Disk Encryption (ADE)
AnswerD

ADE encrypts the OS and data disks using BitLocker/DM-Crypt and integrates with Key Vault for key management.

Why this answer

Azure Disk Encryption (ADE) uses BitLocker (Windows) or DM-Crypt (Linux) to encrypt OS and data disks with keys managed in Key Vault. Option B is correct. Option A (SSE with CMK) encrypts managed disks at the storage layer but not the OS disk guest OS.

Option C (encryption at host) encrypts temp disks and caches but not the guest OS. Option D (Azure Storage Service Encryption) is the same as SSE.

54
MCQmedium

A company is enabling Azure Disk Encryption (ADE) on Windows virtual machines. They have enabled soft-delete on Azure Key Vault and configured a Key Encryption Key (KEK). However, the disk encryption fails with an error indicating that the key vault does not have the required permissions. What is the most likely missing configuration?

A.The Key Vault access policy does not grant the Azure Disk Encryption service principal the 'unwrap key' and 'wrap key' permissions.
B.The Key Vault firewall is blocking the Azure platform.
C.The VM does not have a managed identity assigned.
D.The KEK is in a different Azure region than the VM.
AnswerA

Correct. ADE requires the Azure Disk Encryption service principal to have these permissions to wrap and unwrap the disk encryption key using the KEK.

Why this answer

Azure Disk Encryption (ADE) requires the Azure Disk Encryption service principal (also known as the Azure Disk Encryption service) to have 'unwrap key' and 'wrap key' permissions on the Key Vault. These permissions allow the service to encrypt and decrypt the disk encryption keys using the Key Encryption Key (KEK). Without these specific cryptographic permissions, the encryption operation fails, even if soft-delete and a KEK are correctly configured.

Exam trap

The trap here is that candidates often confuse the required permissions for ADE with general Key Vault access policies (e.g., 'get' and 'list') or mistakenly think a managed identity or firewall configuration is the root cause, rather than recognizing the need for explicit 'wrap key' and 'unwrap key' permissions for the Azure Disk Encryption service principal.

How to eliminate wrong answers

Option B is wrong because the Key Vault firewall, if enabled, would block external access, but the error message specifically indicates a permissions issue, not a network connectivity problem. Option C is wrong because a managed identity is not required for ADE on Windows VMs; ADE uses the Azure Disk Encryption service principal, not the VM's identity, to access the Key Vault. Option D is wrong because the KEK can be in a different region than the VM; ADE supports cross-region key references as long as the Key Vault is in the same Azure subscription and the service principal has the required permissions.

55
MCQmedium

Your company uses Azure Managed Disks for VMs running a production database. The disks are encrypted with Azure Disk Encryption (ADE) using Azure Key Vault. Security policy requires that all encryption keys be rotated every 90 days. You have automated key rotation in Key Vault. However, after rotating the key, you find that the disks are still using the old key. You need to ensure that the disks use the new key after rotation. What should you do?

A.Disable encryption on the VM, then re-enable ADE specifying the new key version.
B.Delete the old key version from Key Vault to force the disk to use the new key.
C.No action is needed; ADE automatically re-encrypts disks with the new key after rotation.
D.Update the disk encryption set to reference the new key version; the disk will automatically use it.
AnswerA

Re-enabling encryption forces the disk to be re-encrypted with the new key.

Why this answer

Option B is correct: ADE does not automatically re-encrypt disks after key rotation. You must disable encryption on the VM and then re-enable it with the new key version to force re-encryption. Option A: ADE does not support automatic re-encryption.

Option C: Deleting the old key would break the VM. Option D: Updating the disk encryption set only affects new disks, not existing ones.

56
MCQmedium

A company stores sensitive healthcare data in Azure SQL Database. They need to encrypt specific columns containing patient diagnosis codes so that even database administrators with the 'sysadmin' role cannot view the plaintext. The application must be able to perform equality searches (WHERE clauses) on the encrypted columns. Which encryption technology should they implement?

A.Transparent Data Encryption (TDE)
B.Always Encrypted (deterministic encryption)
C.Row-Level Security (RLS)
D.Dynamic Data Masking (DDM)
AnswerB

Always Encrypted encrypts column data such that the encryption keys are stored on the client and never revealed to the database engine. Deterministic encryption supports equality searches, making it suitable for this requirement.

Why this answer

Always Encrypted with deterministic encryption ensures that sensitive columns are encrypted at the client side, so the encryption keys are never revealed to the database engine, including sysadmin roles. Deterministic encryption generates the same ciphertext for the same plaintext, enabling equality searches (WHERE clauses) on encrypted columns without exposing plaintext data to the server.

Exam trap

The trap here is that candidates confuse encryption at rest (TDE) with client-side column-level encryption, failing to recognize that TDE does not protect data from privileged users who can run queries, while Always Encrypted does by keeping keys off the server.

How to eliminate wrong answers

Option A is wrong because Transparent Data Encryption (TDE) encrypts the entire database at rest (pages on disk) but does not protect data from database administrators who have access to the decrypted data in memory or via queries. Option C is wrong because Row-Level Security (RLS) controls access to rows based on user predicates but does not encrypt data; it relies on database permissions and can be bypassed by privileged users. Option D is wrong because Dynamic Data Masking (DDM) obfuscates data in query results for non-privileged users but does not encrypt the underlying data; privileged users like sysadmin can still view plaintext by querying directly.

57
MCQmedium

A company uses Azure SQL Database for a critical application. Security policy requires that all client connections to the database use at least TLS 1.2 encryption. What configuration change must be made to enforce this requirement?

A.Configure the minimum TLS version in the SQL server's settings.
B.Enable Transparent Data Encryption (TDE).
C.Update the server firewall rules to allow only specific IP addresses.
D.Implement Always Encrypted for all sensitive columns.
AnswerA

The minimum TLS version setting directly controls which TLS versions are accepted for client connections. Setting it to 1.2 enforces the policy.

Why this answer

To enforce that all client connections to Azure SQL Database use at least TLS 1.2, you must configure the minimum TLS version at the SQL server level. This setting overrides the default behavior, which allows older, less secure TLS versions, and ensures that any connection attempt using TLS 1.0 or 1.1 is rejected. The configuration is made in the Azure portal under the SQL server's 'Connectivity' settings or via the 'Minimal TLS Version' property in ARM templates or PowerShell.

Exam trap

The trap here is that candidates often confuse encryption at rest (TDE) or column-level encryption (Always Encrypted) with encryption in transit, leading them to select options that do not enforce the TLS protocol version.

How to eliminate wrong answers

Option B is wrong because Transparent Data Encryption (TDE) encrypts data at rest, not data in transit, so it does not enforce TLS version requirements. Option C is wrong because firewall rules control network access by IP address, not the encryption protocol or TLS version used for the connection. Option D is wrong because Always Encrypted protects sensitive columns with client-side encryption, but it does not enforce a minimum TLS version for the overall connection; it can even work over TLS 1.0 if the server allows it.

58
MCQmedium

You have an Azure SQL Database that contains sensitive customer data. You need to ensure that database administrators (DBAs) cannot view the data in the 'CreditCard' column. What should you implement?

A.Enable Transparent Data Encryption (TDE) on the database.
B.Use Always Encrypted with column encryption key stored in Azure Key Vault.
C.Implement Azure SQL Auditing for the database.
D.Configure Dynamic Data Masking for the 'CreditCard' column.
AnswerB

Always Encrypted encrypts column data so that even DBAs cannot view plaintext.

Why this answer

Dynamic Data Masking (DDM) obfuscates sensitive data to non-privileged users, while DBAs with elevated permissions can still see the unmasked data unless excluded. Option B is wrong because Always Encrypted protects data from DBAs. Option C is wrong because TDE encrypts at rest, not at query time.

Option D is wrong because auditing tracks access but does not prevent viewing.

59
MCQmedium

A company stores sensitive data in Azure Blob Storage. They use customer-managed keys (CMK) stored in Azure Key Vault for encryption at rest. The security policy requires that the encryption keys be automatically rotated every 90 days. Which configuration should they implement to meet this requirement without manual intervention?

A.Enable key auto-rotation in Key Vault by setting a rotation policy on the key.
B.Use a custom Azure Automation runbook to rotate the key.
C.Set a key expiration date of 90 days and manually renew.
D.Enable versioning on the storage account and manually create a new key version.
AnswerA

Correct. Key Vault's rotation policy automates key rotation at the specified interval.

Why this answer

Azure Key Vault supports automatic key rotation by configuring a rotation policy on the key. When you enable auto-rotation, Key Vault automatically creates a new key version at the specified interval (e.g., every 90 days) without any manual intervention. This directly satisfies the requirement for automatic rotation of customer-managed keys used for Azure Storage encryption at rest.

Exam trap

The trap here is that candidates may think custom automation (Option B) is required for key rotation, but Azure Key Vault's built-in auto-rotation feature directly meets the requirement without additional overhead.

How to eliminate wrong answers

Option B is wrong because using a custom Azure Automation runbook introduces unnecessary complexity and potential failure points; Key Vault natively supports automatic rotation, making a custom solution redundant. Option C is wrong because setting a key expiration date only marks the key as expired after 90 days but does not automatically rotate it; manual renewal is required, which violates the 'without manual intervention' requirement. Option D is wrong because enabling versioning on the storage account only allows storing multiple blob versions, not key rotation; manually creating a new key version in Key Vault still requires manual action and does not automate the rotation process.

60
MCQeasy

You need to prevent data from being exfiltrated from an Azure SQL Database by unauthorized users. Which Microsoft Purview feature should you use?

A.Microsoft Purview Insider Risk Management
B.Microsoft Purview Information Protection
C.Microsoft Purview Data Loss Prevention
D.Microsoft Purview eDiscovery
AnswerC

DLP policies can be used to prevent data exfiltration from SQL Database.

Why this answer

Microsoft Purview Data Loss Prevention (DLP) policies can be applied to SQL Database to detect and prevent sensitive data exfiltration. Option B is correct. Information Protection focuses on classification and labeling.

Insider Risk Management detects risky user activities. eDiscovery is for legal discovery.

61
Multi-Selecthard

A company uses Azure SQL Database. They want to ensure that all data at rest is encrypted using a customer-managed key (CMK) stored in Azure Key Vault. They also require that the key is automatically rotated every 12 months. Which two actions must be configured to meet this requirement? (Select two.)

Select 2 answers
A.Enable Transparent Data Encryption (TDE) with a customer-managed key.
B.Configure Key Vault to automatically rotate the key on a schedule.
C.Configure Azure SQL Database auditing to log key usage.
D.Enable Azure Information Protection for the database.
AnswersA, B

This must be configured to use a customer-managed key stored in Azure Key Vault for encrypting the database at rest.

Why this answer

Option A is correct because Transparent Data Encryption (TDE) with a customer-managed key (CMK) stored in Azure Key Vault is the mechanism that encrypts Azure SQL Database data at rest using a key you control. This meets the requirement for CMK-based encryption. Option B is correct because Azure Key Vault supports automatic key rotation on a schedule; by configuring a rotation policy (e.g., every 12 months), the key used for TDE is automatically replaced, satisfying the rotation requirement.

Exam trap

The trap here is that candidates often confuse Azure SQL Database auditing (which logs activity) with key management, or mistakenly think Azure Information Protection can encrypt database data at rest, when it only applies classification and labeling to files and emails.

62
Multi-Selectmedium

Which TWO actions are required to enable Azure Defender for SQL on an Azure SQL Database?

Select 2 answers
A.Enable Advanced Data Security on the server.
B.Configure SQL Vulnerability Assessment.
C.Enable threat detection policies at the database level.
D.Enable Microsoft Defender for Cloud plan for SQL servers.
E.Enable SQL Auditing.
AnswersA, D

Advanced Data Security provides the foundation for Defender for SQL.

Why this answer

Azure Defender for SQL requires enabling Advanced Data Security on the server and configuring a Microsoft Defender for Cloud pricing tier. Options B and D are correct. Enabling auditing is optional for Defender.

Configuring vulnerability assessment is a separate feature. Enabling threat detection is part of the process but not listed separately as an action.

63
MCQeasy

A company deploys a public-facing web application behind Azure Application Gateway. They want to enable the Web Application Firewall (WAF) to protect against SQL injection and cross-site scripting attacks. During the initial testing phase, they want to identify malicious requests without blocking them, to tune the WAF rules before enabling full protection. Which WAF mode should they configure?

A.Prevention mode
B.Detection mode
C.Logging mode
D.Off
AnswerB

Detection mode logs alerts for matching requests but does not block them, allowing the team to tune rules without affecting live traffic.

Why this answer

Detection mode logs WAF alerts and records the full request details without blocking any traffic. This allows the security team to analyze malicious requests, tune rule exclusions, and validate that legitimate traffic is not falsely flagged before switching to Prevention mode. It is the correct choice for the initial testing phase described.

Exam trap

The trap here is that candidates may confuse Detection mode with a hypothetical 'Logging mode' or assume Prevention mode is needed for any protection, overlooking the explicit requirement to identify without blocking during tuning.

How to eliminate wrong answers

Option A is wrong because Prevention mode actively blocks malicious requests, which would disrupt testing and prevent the team from tuning rules based on observed traffic. Option C is wrong because Azure WAF does not have a 'Logging mode'; logging is a feature enabled within Detection or Prevention mode, not a standalone operational mode. Option D is wrong because Off disables the WAF entirely, providing no protection or logging of malicious requests, which defeats the purpose of the testing phase.

64
MCQmedium

A healthcare organization stores sensitive patient data in Azure SQL Database. They need to encrypt specific columns containing medical history so that even database administrators with highly privileged roles, such as 'sysadmin', cannot view the plaintext data. Additionally, they need to support complex queries on the encrypted data, including pattern matching and range comparisons. Which encryption technology should they implement?

A.Always Encrypted with secure enclaves
B.Transparent Data Encryption (TDE)
C.Dynamic Data Masking
D.Row-Level Security
AnswerA

Always Encrypted with secure enclaves provides column-level encryption and supports rich computations like pattern matching and range queries within the enclave, while preventing database administrators from seeing plaintext data.

Why this answer

Always Encrypted with secure enclaves is correct because it encrypts specific columns at the client side, ensuring that even database administrators with sysadmin privileges cannot view the plaintext data. The secure enclave feature allows computations (such as pattern matching and range comparisons) to be performed on the encrypted data inside a trusted execution environment, which is required by the question's need for complex queries on encrypted columns.

Exam trap

The trap here is that candidates often confuse Transparent Data Encryption (TDE) with column-level encryption, assuming TDE protects data from privileged users, but TDE only protects data at rest and does not prevent authorized database users from reading plaintext data.

How to eliminate wrong answers

Option B (Transparent Data Encryption) is wrong because it encrypts the entire database at rest (on disk) but does not protect data from users or administrators who have access to the database engine; the data is decrypted transparently when queried, so sysadmins can still view plaintext. Option C (Dynamic Data Masking) is wrong because it only obfuscates data in query results for unauthorized users, but the underlying data remains stored in plaintext and can be accessed by privileged users like sysadmins. Option D (Row-Level Security) is wrong because it controls access to rows based on user context but does not encrypt the data; privileged users can still read the plaintext data directly.

65
MCQhard

An Azure Storage account is configured with server-side encryption (SSE) using a customer-managed key stored in Azure Key Vault. The security team requires that the storage account's identity be used to authenticate to the key vault for key access. Additionally, they want the identity to be automatically deleted when the storage account is deleted. Which type of identity should they assign to the storage account?

A.System-assigned managed identity
B.User-assigned managed identity
C.Service principal
D.Azure AD user account
AnswerA

This identity is linked to the storage account and automatically managed, meeting both requirements.

Why this answer

A system-assigned managed identity is tied to the lifecycle of the Azure resource (the storage account) and is automatically deleted when the resource is deleted. This identity can be used to authenticate to Azure Key Vault for accessing the customer-managed key used in server-side encryption (SSE), satisfying the security team's requirement for automatic deletion upon storage account deletion.

Exam trap

The trap here is that candidates often confuse user-assigned managed identities with system-assigned ones, overlooking the critical lifecycle coupling requirement that system-assigned identities are automatically deleted with the parent resource, while user-assigned identities persist independently.

How to eliminate wrong answers

Option B is wrong because a user-assigned managed identity has an independent lifecycle and is not automatically deleted when the storage account is deleted; it must be manually removed. Option C is wrong because a service principal is a separate application identity that requires manual credential management (secrets or certificates) and does not automatically delete with the storage account. Option D is wrong because an Azure AD user account is a human identity that cannot be assigned to an Azure resource and would require interactive authentication, which is not suitable for automated key access.

66
MCQmedium

A company uses Azure Managed Disks for their virtual machines. They want to ensure that all managed disks are encrypted at rest using a customer-managed key (CMK) stored in Azure Key Vault. They also want to automatically revoke access to the disks if the key is disabled or deleted. Which feature should they configure?

A.Azure Disk Encryption (ADE) with a Key Encryption Key (KEK)
B.Server-side encryption with customer-managed keys (SSE-CMK)
C.Azure Storage Service Encryption (SSE) with platform-managed keys
D.Azure Key Vault soft-delete and purge protection
AnswerB

SSE-CMK encrypts managed disks at rest using a CMK. When the key is disabled or deleted, the disk becomes inaccessible, meeting the revocation requirement without additional steps.

Why this answer

Server-side encryption with customer-managed keys (SSE-CMK) encrypts Azure Managed Disks at rest using a key stored in Azure Key Vault. When the key is disabled or deleted, Azure automatically revokes access to the disk by failing any I/O operations that require that key, ensuring the disk becomes inaccessible. This directly meets the requirement for both CMK-based encryption and automatic access revocation upon key loss.

Exam trap

The trap here is that candidates confuse Azure Disk Encryption (ADE) with server-side encryption (SSE-CMK), mistakenly thinking ADE provides automatic access revocation when the key is disabled, whereas ADE only encrypts at the guest OS level and does not enforce platform-level access control based on key state.

How to eliminate wrong answers

Option A is wrong because Azure Disk Encryption (ADE) with a KEK uses BitLocker (Windows) or DM-Crypt (Linux) to encrypt the OS and data disks at the VM guest OS level, not at the Azure platform level, and disabling the KEK does not automatically revoke access to the underlying managed disk; the disk remains accessible at the storage layer. Option C is wrong because Azure Storage Service Encryption (SSE) with platform-managed keys uses Microsoft-managed keys, not customer-managed keys, so it cannot meet the requirement for CMK-based encryption or allow key revocation by the customer. Option D is wrong because Azure Key Vault soft-delete and purge protection only prevents permanent deletion of keys and secrets; it does not encrypt disks or automatically revoke access to disks when a key is disabled or deleted.

67
MCQhard

A company uses Azure SQL Database with Transparent Data Encryption (TDE) protected by a customer-managed key stored in Azure Key Vault. The Key Vault has a firewall enabled that blocks all public network access. The SQL server has a system-assigned managed identity with the 'Key Vault Crypto Service Encryption User' role assigned at the key scope. Despite this, TDE operations fail because the SQL server cannot access the Key Vault. What additional configuration is required?

A.Enable the Azure SQL Database server's firewall to allow Azure services to access the server.
B.Configure the Key Vault firewall to allow trusted Microsoft services to bypass the firewall.
C.Assign a user-assigned managed identity to the SQL server instead of a system-assigned identity.
D.Change the Key Vault firewall to allow all networks.
AnswerB

This setting allows trusted Azure services, including Azure SQL Database, to access the Key Vault when using a managed identity.

Why this answer

The Key Vault firewall blocks all public network access, so even though the SQL server has the correct managed identity and role assignment, the connection is denied by the firewall. By enabling the 'Allow trusted Microsoft services to bypass this firewall' setting, Azure SQL Database (a trusted Microsoft service) can connect to the Key Vault without exposing it to the public internet. This is the required additional configuration to resolve the TDE access failure.

Exam trap

The trap here is that candidates often confuse the SQL server firewall with the Key Vault firewall, or think that a managed identity alone is sufficient without considering network-level access controls.

How to eliminate wrong answers

Option A is wrong because the issue is not about the SQL server's firewall allowing Azure services; the SQL server's firewall is irrelevant to Key Vault access. Option C is wrong because a system-assigned managed identity works perfectly for this scenario; switching to a user-assigned identity does not solve the Key Vault firewall block. Option D is wrong because allowing all networks would defeat the purpose of the Key Vault firewall and is unnecessary; the trusted services bypass is the correct, secure solution.

68
MCQhard

You run the above PowerShell script to change the access tier of all block blobs in the 'data' container from Cool to Hot. However, you receive an error that the operation is not allowed. What is the most likely reason?

A.The script incorrectly filters for BlockBlob instead of PageBlob.
B.The storage account is using a shared access signature (SAS) token that has expired.
C.The access tier cannot be changed from Cool to Hot after 30 days of creation.
D.The storage account's firewall is blocking the request from the current IP address.
AnswerD

If the storage account firewall denies access from the source IP, the operation will fail with an error like 'This request is not authorized to perform this operation'.

Why this answer

The script does not include the -ErrorAction Stop or handle the case where the storage account firewall is blocking access. However, the most common issue is that the storage account requires Azure AD authentication and the script uses the storage account key (via context without explicit Azure AD). But the error message 'operation not allowed' suggests that the storage account has a firewall that denies the request.

Option D is correct. Option A: BlobType is correct. Option B: AccessTier change is allowed.

Option C: The script does not use SAS.

69
MCQeasy

Refer to the exhibit. You run the Azure CLI command to create a storage account. After creation, you need to ensure that the storage account can only be accessed using TLS 1.2. Does the command achieve this?

A.No, because the command does not include any TLS version parameter.
B.Yes, because the default minimum TLS version is 1.2.
C.Yes, because --min-tls-version 1.2 sets the minimum TLS version to 1.2.
D.No, because --https-only true only enforces HTTPS without specifying TLS version.
AnswerC

The parameter correctly enforces TLS 1.2 minimum.

Why this answer

Option A is correct. The --min-tls-version 1.2 parameter ensures that the minimum TLS version is 1.2, which effectively requires TLS 1.2 or higher. Option B is wrong because --https-only true enforces HTTPS but does not set a minimum TLS version.

Option C is wrong because the command does include the parameter. Option D is wrong because the command is correct.

70
MCQmedium

Your company uses Azure SQL Managed Instance. You need to ensure that all connections from clients use TLS 1.2 or higher. What should you configure?

A.Set the 'Minimal TLS version' property to 1.2 in the Managed Instance settings
B.Configure a firewall rule to block non-TLS 1.2 connections
C.Create an Azure Policy to require TLS 1.2 for all SQL Managed Instances
D.Enable the 'Force encryption' option on the client side
AnswerA

This setting enforces the minimum TLS version for client connections.

Why this answer

Azure SQL Managed Instance enforces TLS at the gateway level. To require a minimum TLS version, you can set the 'Minimal TLS version' property to 1.2. Option B is correct.

Option A is wrong because firewall rules control IP access. Option C is wrong because encrypting connections is separate from TLS version. Option D is wrong because Azure Policy can audit but not enforce on the instance itself.

71
Matchingmedium

Match each Azure RBAC role to its typical permission scope.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Full access to all resources including delegation

Create and manage resources but cannot grant access

View resources only

Manage user access to Azure resources

Manage security policies and view security alerts

Why these pairings

RBAC roles are fundamental to access control in Azure.

72
Drag & Dropmedium

Drag and drop the steps to enable Azure Security Center's enhanced security features for a subscription into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Enhanced security is enabled per subscription under security policy.

73
Multi-Selectmedium

You are securing an Azure SQL Database that contains personally identifiable information (PII). The solution must prevent unauthorized access to sensitive columns by privileged users (e.g., DBAs) and ensure that data is encrypted on the wire. Which three of the following should you implement? (Choose three.)

Select 3 answers
.Enable Transparent Data Encryption (TDE) with customer-managed keys in Azure Key Vault.
.Enable Always Encrypted with column-level encryption for the sensitive PII columns.
.Configure the Azure SQL Database firewall to block all public endpoints and allow only specific virtual network subnets.
.Enable Azure SQL Database Auditing and set a retention policy of at least 90 days.
.Enforce the use of TLS 1.2 or higher for all client connections to the database.
.Create a database role with SELECT permissions on all tables and grant it to the DBA group.

Why this answer

Always Encrypted with column-level encryption is correct because it ensures that sensitive PII columns are encrypted at the client side and the encryption keys are never revealed to the database engine, preventing privileged users like DBAs from reading the plaintext data. Configuring the Azure SQL Database firewall to block public endpoints and allow only specific virtual network subnets is correct because it restricts network access to trusted sources, reducing the attack surface. Enforcing TLS 1.2 or higher for all client connections is correct because it ensures data is encrypted in transit, protecting against man-in-the-middle attacks and meeting the requirement for encryption on the wire.

Exam trap

The trap here is that candidates often confuse Transparent Data Encryption (TDE) with Always Encrypted, thinking TDE protects against privileged user access, but TDE only protects data at rest and does not prevent DBAs from viewing plaintext data when queries are executed.

74
Multi-Selecthard

Which THREE capabilities are provided by Azure Storage Service Encryption (SSE) when using customer-managed keys?

Select 3 answers
A.Auditing of key usage via Azure Key Vault logs.
B.Client-side encryption of data before upload.
C.Automatic encryption of data at rest.
D.Ability to rotate keys periodically.
E.Control access to the storage account using RBAC.
AnswersA, C, D

Key Vault logs can track key access.

Why this answer

SSE with CMK provides automatic encryption, key rotation support, and audit of key usage. Options A, C, and D are correct. Client-side encryption is separate.

Access control via RBAC is possible but not a capability of SSE itself.

75
MCQmedium

Your company uses Azure SQL Database to store customer data. You need to ensure that database administrators cannot access sensitive columns (e.g., credit card numbers) even during maintenance. What should you implement?

A.Transparent Data Encryption
B.Dynamic Data Masking
C.Row-level security
D.Always Encrypted
AnswerD

Always Encrypted ensures encryption keys are held by the client, so DBAs cannot see plaintext.

Why this answer

Always Encrypted ensures that sensitive data is encrypted at the client side and the database engine never sees the plaintext. Option C is correct. Option A is wrong because Dynamic Data Masking masks data but can be bypassed.

Option B is wrong because Transparent Data Encryption encrypts at rest, not in use. Option D is wrong because row-level security controls access to rows, not columns.

Page 1 of 4 · 243 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Secure compute, storage, and databases questions.