CCNA Secure compute, storage, and databases Questions

75 of 243 questions · Page 2/4 · Secure compute, storage, and databases · Answers revealed

76 · MCQ · easy

You need to ensure that only approved applications can access your Azure storage account. What should you configure?

A. Use shared access keys for all storage account access.
B. Configure firewall rules to allow only specific virtual networks and IP addresses.
C. Assign Azure RBAC roles to the storage account.
D. Use private endpoints and disable public network access.
Answer: B

Firewall rules restrict network access to approved sources.

Why this answer

Firewall and virtual network settings with service endpoints allow you to restrict access to specific VNets and IP ranges. Option B is wrong because shared access keys do not restrict by application. Option C is wrong because Azure RBAC controls user permissions, not application access.

Option D is wrong because private endpoints provide private IP connectivity but still require additional controls to restrict by application.

77 · MCQ · hard

A company stores sensitive files in Azure Files shares. They require encryption at rest using customer-managed keys (CMK) and encryption in transit using SMB 3.0 encryption. They have created a premium Azure Files share in a storage account and configured encryption at rest with a CMK. However, clients are able to connect without enforcing SMB encryption. What additional configuration is necessary to ensure that all connections to the file share are encrypted in transit?

A. Enable the 'Secure transfer required' property on the storage account.
B. Configure a network security group (NSG) to allow only encrypted traffic.
C. Set the minimum SMB protocol version to 3.0 on the file share.
D. Create a service endpoint for the storage account.
Answer: A

Correct. Enabling 'Secure transfer required' forces clients to use SMB 3.0 with encryption (or HTTPS) when connecting to the Azure Files share, ensuring encryption in transit.

Why this answer

Enabling the 'Secure transfer required' property on the storage account enforces encryption in transit for all client connections, including SMB 3.0 encryption for Azure Files. Without this setting, clients can connect using unencrypted SMB 2.1 or SMB 3.0 without encryption, even if the file share itself supports encryption. This property is a storage account-level flag that rejects any request not using HTTPS or SMB 3.0 with encryption.

Exam trap

The trap here is that candidates confuse protocol version enforcement (Option C) with encryption enforcement, not realizing that SMB 3.0 can be used without encryption unless the 'Secure transfer required' property is explicitly enabled.

How to eliminate wrong answers

Option B is wrong because a network security group (NSG) filters traffic at the network layer based on IP addresses and ports, but cannot inspect or enforce SMB encryption at the application layer; it would only block or allow traffic on port 445, not differentiate between encrypted and unencrypted SMB connections. Option C is wrong because setting the minimum SMB protocol version to 3.0 on the file share only restricts the protocol version, but SMB 3.0 can operate without encryption (encryption is an optional feature within SMB 3.0); this does not enforce encryption in transit. Option D is wrong because creating a service endpoint for the storage account secures traffic to the Azure backbone network but does not enforce encryption in transit; it only ensures traffic stays within the Azure network, leaving the connection potentially unencrypted.

78 · Multi-Select · easy

A company stores sensitive financial records in Azure Blob Storage. They want to ensure that if a blob is deleted or overwritten, it can be recovered within 30 days. They also want to protect against accidental deletion of the storage account itself. Which two configurations should they implement? (Choose two.)

Select 2 answers
A. Enable blob soft delete with a retention period of 30 days
B. Enable storage account soft delete with a retention period of 30 days
C. Enable container soft delete with a retention period of 30 days
D. Enable blob versioning
Answers: A, B

Blob soft delete preserves deleted or overwritten blob objects for the specified retention period, allowing recovery within that window.

Why this answer

Blob soft delete (Option A) protects individual blobs by retaining deleted or overwritten blobs for a specified retention period, allowing recovery within that window. Storage account soft delete (Option B) protects the entire storage account from accidental deletion by retaining the deleted account for a configurable period. Together, they address both the blob-level and account-level recovery requirements for the 30-day window.

Exam trap

The trap here is that candidates often confuse blob versioning with soft delete, assuming versioning alone provides deletion recovery, but versioning only protects against overwrites, not deletions, and lacks a configurable retention period for recovery.

79 · MCQ · medium

You are deploying an Azure Disk Encryption set with the above ARM template snippet. What is the result of this configuration?

A. The disk uses only customer-managed key encryption
B. The disk encryption will fail because keyversion is empty
C. The disk uses only platform-managed key encryption
D. The disk uses double encryption with both platform-managed and customer-managed keys
Answer: D

Infrastructure encryption adds a platform-managed encryption layer.

Why this answer

Option A is correct: The `keySource` is `Microsoft.Keyvault`, indicating a customer-managed key. `infrastructureEncryption` is `Enabled`, meaning double encryption (platform-managed + customer-managed). Option B is wrong because `infrastructureEncryption` is enabled. Option C is wrong because keySource is Keyvault.

Option D is wrong because infrastructure encryption is enabled.

80 · MCQ · medium

A company has an Azure SQL Database that stores personally identifiable information (PII) in columns. They need to encrypt those columns so that only authorized applications can decrypt the data, and even database administrators cannot view the plaintext. Additionally, they need to support equality comparisons (WHERE clauses) on the encrypted columns. Which encryption technology should they use?

A. Always Encrypted with deterministic encryption
B. Always Encrypted with randomized encryption
C. Transparent Data Encryption (TDE)
D. Dynamic Data Masking
Answer: A

Deterministic encryption supports equality comparisons because the same plaintext always produces the same ciphertext, allowing the database to perform WHERE clauses.

Why this answer

Always Encrypted with deterministic encryption is the correct choice because it encrypts PII columns at the client side, ensuring that even database administrators cannot view plaintext data. Deterministic encryption generates the same ciphertext for the same plaintext, which allows equality comparisons (WHERE clauses) on encrypted columns, meeting the requirement for query support.

Exam trap

The trap here is that candidates often confuse Always Encrypted with TDE, thinking TDE provides client-side encryption and column-level query support, but TDE only encrypts data at rest and does not prevent database administrators from seeing plaintext data in memory or during queries.

How to eliminate wrong answers

Option B is wrong because Always Encrypted with randomized encryption does not support equality comparisons; it produces different ciphertext for the same plaintext, making WHERE clauses impossible on encrypted columns. Option C is wrong because Transparent Data Encryption (TDE) encrypts data at rest (the entire database file) but does not protect data from database administrators who have access to the database engine, and it does not support column-level encryption or client-side key control. Option D is wrong because Dynamic Data Masking only obfuscates data at query results for unauthorized users, but the underlying data remains in plaintext in storage and can be accessed by administrators or through direct queries.
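The following is an added illustration (not code from this question bank and not Microsoft's implementation) of the property the explanation above relies on: deterministic encryption lets a server that holds no key answer `WHERE col = @p` by comparing ciphertext bytes, while randomized encryption cannot. Real Always Encrypted uses AEAD_AES_256_CBC_HMAC_SHA256 under a column encryption key that is wrapped by a column master key; here a toy HMAC-SHA256 keystream stands in for the cipher, and the key, table and row values are constructed samples.

```python
"""Toy model of Always Encrypted's deterministic vs randomized column encryption.

Not Microsoft's implementation: a HMAC-SHA256 counter-mode keystream replaces the
real AEAD cipher so the example runs with the Python standard library only.
"""
import hashlib
import hmac
import os

# Constructed sample column encryption key (CEK). In the real feature the CEK is
# stored wrapped by a column master key and is only ever unwrapped on the client.
CEK = b"constructed-column-encryption-key-cek-01"
IV_LEN = 16


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a stand-in keystream."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_column_value(key: bytes, plaintext: bytes, deterministic: bool) -> bytes:
    """Client-side encryption of one cell.

    Deterministic mode derives the IV from the plaintext with a keyed hash (a
    synthetic IV), so equal plaintexts give equal ciphertexts. Randomized mode
    draws a fresh random IV, so equal plaintexts give different ciphertexts.
    """
    if deterministic:
        iv = hmac.new(key, b"iv|" + plaintext, hashlib.sha256).digest()[:IV_LEN]
    else:
        iv = os.urandom(IV_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, iv, len(plaintext))))
    return iv + body


def decrypt_column_value(key: bytes, ciphertext: bytes) -> bytes:
    """Client-side decryption; the IV travels with the ciphertext."""
    iv, body = ciphertext[:IV_LEN], ciphertext[IV_LEN:]
    return bytes(c ^ k for c, k in zip(body, _keystream(key, iv, len(body))))


def build_table(rows, deterministic: bool):
    """The client encrypts the sensitive column before rows reach the server."""
    return [(row_id, encrypt_column_value(CEK, value, deterministic)) for row_id, value in rows]


def server_equality_lookup(table, encrypted_param: bytes):
    """Server side of `WHERE ssn = @p`: it holds no key, only ciphertext bytes."""
    return [row_id for row_id, ct in table if ct == encrypted_param]


def client_query(table, key: bytes, value: bytes, deterministic: bool):
    """The client driver encrypts the parameter; the server compares ciphertexts."""
    return server_equality_lookup(table, encrypt_column_value(key, value, deterministic))


def distinct_ciphertexts(table) -> int:
    """Deterministic mode reveals which rows share a value (frequency leakage)."""
    return len({ct for _, ct in table})


# Constructed sample rows: (row id, PII value), with one value appearing twice.
SAMPLE_ROWS = [(1, b"123-45-6789"), (2, b"987-65-4321"), (3, b"123-45-6789")]

if __name__ == "__main__":
    det = build_table(SAMPLE_ROWS, deterministic=True)
    rnd = build_table(SAMPLE_ROWS, deterministic=False)
    print("deterministic equality match:", client_query(det, CEK, b"123-45-6789", True))
    print("randomized equality match:   ", client_query(rnd, CEK, b"123-45-6789", False))
    print("distinct ciphertexts det/rnd:", distinct_ciphertexts(det), distinct_ciphertexts(rnd))
```

`distinct_ciphertexts` shows the trade-off behind the exam answer: the same property that makes equality predicates (and, in the real feature, equality joins and GROUP BY) work also lets anyone who can read the table see which rows hold the same value, so deterministic encryption is a fit for high-entropy lookup columns and randomized encryption is the default choice for everything else.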

81 · MCQ · medium

You manage Azure Storage accounts for a healthcare organization. To comply with HIPAA, you need to ensure that all data at rest is encrypted and that access keys are rotated automatically every 90 days. What should you implement?

A. Configure Azure RBAC roles for storage accounts.
B. Enable infrastructure encryption for storage accounts.
C. Generate new storage account access keys manually every 90 days.
D. Use customer-managed keys (CMK) in Azure Key Vault with automatic key rotation.
Answer: D

CMK with automatic rotation meets encryption and rotation requirements.

Why this answer

Customer-managed keys (CMK) with Azure Key Vault allow automatic key rotation. Option A is wrong because Azure RBAC doesn't handle encryption keys. Option B is wrong because infrastructure encryption is for double encryption, not key rotation.

Option D is wrong because shared access keys are not rotated automatically.

82 · MCQ · hard

You are deploying an Azure SQL Database with a security alert policy as shown in the exhibit. Which statement is true?

A. Alerts are enabled and notifications are sent to both account admins and admin@contoso.com.
B. Email notifications are sent only to admin@contoso.com.
C. Alerts are not retained because retentionDays is set to 30.
D. All alerts are disabled because disabledAlerts is empty.
Answer: A

State is Enabled, emailAccountAdmins true, and emailAddresses includes admin@contoso.com.

Why this answer

The policy enables alerts, sends email to admins and a specific address, and retains alerts for 30 days. Option D is correct. Option A is wrong because retentionDays is 30, not 0.

Option B is wrong because emailAccountAdmins is true. Option C is wrong because disabledAlerts is empty, so all alerts are enabled.

83 · MCQ · hard

Your organization uses Azure Storage blobs to store sensitive documents. You need to enforce that all blob access must be via HTTPS and that storage account keys are rotated every 90 days. Which two actions should you take? (Each correct answer presents part of the solution.)

A. Configure an Azure Policy to require HTTPS
B. Use a PowerShell script to regenerate storage account keys every 90 days
C. Generate a shared access signature (SAS) with HTTPS only
D. Store storage account keys in Azure Key Vault and enable automatic rotation
E. Enable 'Secure transfer required' on the storage account
Answers: B, E

Scripted regeneration can rotate keys on a schedule.

Why this answer

To enforce HTTPS, enable 'Secure transfer required' in storage account settings. To rotate keys, use the storage account key regeneration feature. Option B and Option D are correct.

Option A is wrong because Azure Policy can audit but not automatically rotate keys. Option C is wrong because SAS tokens are not for key rotation. Option E is wrong because Azure Key Vault can store keys but does not automatically rotate storage account keys.

84 · MCQ · easy

You are deploying a virtual machine that will host a legacy application. The application writes temporary files to the local disk. You must ensure that any data written to the temporary disk is encrypted at rest with a platform-managed key. What should you do?

A. Enable encryption at host on the VM
B. Enable Azure Disk Encryption on the VM
C. Configure storage service encryption on the managed disk
D. Use Always Encrypted with secure enclaves
Answer: A

Encrypts temporary disk with platform-managed key.

Why this answer

Option A is correct because Azure Disk Encryption encrypts OS and data disks, but the temporary disk (D: drive) is not encrypted by default. EncryptingHostVmWithCustomerManagedKey is a VM feature that encrypts the temporary disk with a customer-managed key. However, the question specifies a platform-managed key.

Actually, the correct answer is to use a VM with encryption at host enabled, which uses platform-managed keys by default. Option A (Azure Disk Encryption) does not encrypt temporary disk. Option B (encryption at host) encrypts temporary disk with PMK.

Option C is for storage account. Option D is for SQL.

85 · MCQ · medium

Your company uses Azure SQL Database for a multitenant SaaS application. You need to ensure that one tenant cannot access another tenant's data, even if the application code has a bug. Which Azure SQL Database feature should you implement?

A. Dynamic Data Masking (DDM)
B. Azure SQL Database Auditing
C. Always Encrypted
D. Row-Level Security (RLS)
Answer: C

Always Encrypted ensures that sensitive data is encrypted at the client and never exposed to the database engine, preventing unauthorized access from the database side.

Why this answer

Always Encrypted ensures that the database engine never sees plaintext data; even if the app code is compromised, tenants cannot read each other's encrypted data. Option B is correct. Option A (Row-Level Security) is bypassed by app code.

Option C (Dynamic Data Masking) does not prevent access. Option D (Auditing) only tracks access.

86 · MCQ · hard

A company stores sensitive files in Azure Files shares. They require that data is encrypted at rest using a customer-managed key (CMK) stored in Azure Key Vault, and that all client connections use SMB 3.0 encryption for end-to-end encryption in transit. They create a premium Azure Files share in a storage account and configure encryption at rest with a CMK. However, clients are unable to connect without SMB encryption. What additional configuration is necessary to enforce SMB encryption for all connections?

A. No additional configuration is needed; Azure Files uses SMB encryption by default and cannot be disabled.
B. Enable 'Secure transfer required' in the storage account's configuration to enforce SMB 3.0 encryption.
C. Configure a network security group (NSG) rule to block SMB traffic on port 445 that does not use encryption.
D. Set the Azure Files share to use the 'Premium' performance tier; encryption is only available on premium shares.
Answer: B

When 'Secure transfer required' is enabled, the storage account accepts only encrypted connections (HTTPS and SMB 3.0 with encryption). For Azure Files, this means clients must use SMB 3.0 encryption to connect.

Why this answer

Option B is correct because enabling 'Secure transfer required' on the storage account enforces that all client connections use SMB 3.0 with encryption, which is necessary for end-to-end encryption in transit. Even though encryption at rest is configured with a CMK, the storage account does not automatically require encrypted connections; this setting explicitly denies unencrypted SMB 2.1 or SMB 3.0 without encryption.

Exam trap

The trap here is that candidates assume encryption at rest (CMK) automatically implies encryption in transit, but Azure requires a separate explicit setting ('Secure transfer required') to enforce SMB 3.0 encryption for all client connections.

How to eliminate wrong answers

Option A is wrong because Azure Files does not enforce SMB encryption by default; SMB 3.0 encryption is available but must be explicitly required via the 'Secure transfer required' setting, and it can be disabled. Option C is wrong because NSG rules block traffic at the network layer based on port and protocol, but they cannot inspect or enforce SMB encryption; they would block all SMB traffic on port 445 regardless of encryption status. Option D is wrong because SMB encryption is not limited to premium shares; it is supported on standard Azure Files shares as well, and the premium tier does not automatically enforce encryption.

87 · MCQ · medium

Your organization stores sensitive documents in Azure Blob Storage. You need to prevent data exfiltration by ensuring that authorized users can only access blobs from within the corporate network, and that any attempt to download blobs from outside the network is blocked. What should you configure?

A. Configure a storage account firewall to allow only the corporate IP range and deny all other traffic
B. Apply Azure Information Protection sensitivity labels to the blobs
C. Generate SAS tokens with a short expiration and distribute them to users
D. Assign Azure RBAC roles to users and require multi-factor authentication
Answer: A

Directly blocks access from outside the corporate network.

Why this answer

Storage account firewalls and virtual network service endpoints allow you to restrict access to specific IP ranges or virtual networks. Option A is correct. Option B is incorrect because SAS tokens can be used from anywhere if not restricted.

Option C is incorrect because Azure RBAC controls permissions but does not enforce network location. Option D is incorrect because Azure Information Protection labels classify but do not block access based on network.

88 · Multi-Select · hard

Which three security configurations should you apply to an Azure SQL Database to meet a requirement for data protection at rest and in transit?

Select 3 answers
A. Enable Microsoft Defender for Azure SQL.
B. Use Always Encrypted for sensitive columns.
C. Enable Transparent Data Encryption (TDE).
D. Configure firewall rules to allow only trusted IP addresses.
E. Enable Azure SQL Auditing.
Answers: B, C, D

Encrypts data in transit to the application.

Why this answer

Correct: A, B, D. TDE encrypts at rest, firewall rules protect network access, and Always Encrypted protects sensitive columns in transit. Option C (auditing) is for monitoring, not encryption.

Option E (threat detection) is for detection, not protection.

89 · MCQ · hard

Your organization has an Azure SQL Database that stores credit card numbers. The compliance team requires that credit card numbers be encrypted at rest and that only authorized applications can decrypt the data. The applications access the database using different service principals. You decide to implement Always Encrypted with secure enclaves. You create a column master key (CMK) in Azure Key Vault and a column encryption key (CEK) for the credit card column. You configure the column with deterministic encryption. However, after deployment, the applications report that they cannot insert or query the encrypted column. The error indicates that the column cannot be decrypted. You verify that the applications have the necessary permissions to access the CMK in Key Vault. What is the most likely cause of the issue?

A. The service principals do not have the 'Get' and 'Decrypt' permissions on the CMK in Key Vault.
B. The applications are using an older version of the SQL client driver that does not support Always Encrypted with secure enclaves.
C. Deterministic encryption is not supported with secure enclaves; you must use randomized encryption.
D. The CMK is stored in a Key Vault in a different region than the SQL Database.
Answer: B

Always Encrypted with enclaves requires a compatible client driver.

Why this answer

Option D is correct: Applications must use a client driver that supports Always Encrypted with secure enclaves, such as the latest Microsoft.Data.SqlClient or .NET Framework with the enclave type configured. Option A: The CMK does not need to be in the same region. Option B: Both deterministic and randomized encryption can be used with secure enclaves.

Option C: Even with permissions, the driver must support the enclave protocol.

90 · MCQ · hard

A company uses Azure SQL Database with Transparent Data Encryption (TDE) and a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault has a firewall that blocks all public access. The SQL server is a managed service that needs to access the key to perform TDE operations. The Key Vault is in the same Azure region as the SQL server. Which additional configuration is needed?

A. Enable 'Allow trusted Microsoft services to bypass this firewall' in the Key Vault firewall settings
B. Configure a service endpoint for Microsoft.KeyVault on the SQL server's subnet
C. Assign the SQL server's server identity the 'Contributor' role on the Key Vault
D. Create a private endpoint for the Key Vault in the SQL server's virtual network
Answer: A

This setting allows trusted Azure services, including Azure SQL Database, to access the Key Vault even when the firewall is enabled, provided the SQL server has appropriate RBAC or access policy permissions.

Why this answer

When Azure Key Vault has a firewall that blocks all public access, Azure services like SQL Database that need to access the key for TDE operations must be explicitly allowed. Enabling 'Allow trusted Microsoft services to bypass this firewall' permits the SQL server's managed service identity to authenticate and retrieve the CMK from Key Vault, even when public network access is denied. This setting is required because the SQL server, as a platform-as-a-service (PaaS) resource, does not reside in a virtual network by default and cannot use a private endpoint or service endpoint without additional networking configuration.

Exam trap

The trap here is that candidates often assume a private endpoint or service endpoint is always required for secure access, but for PaaS services like Azure SQL Database that use managed identities, the 'Allow trusted Microsoft services' setting is the simplest and correct solution when the Key Vault firewall blocks public access.

How to eliminate wrong answers

Option B is wrong because configuring a service endpoint for Microsoft.KeyVault on the SQL server's subnet is not applicable—Azure SQL Database is a PaaS service that does not have a subnet in a virtual network by default; service endpoints are used for VNet-integrated resources like VMs or App Service, not for SQL Database's managed identity access to Key Vault. Option C is wrong because assigning the 'Contributor' role on the Key Vault grants excessive permissions (e.g., ability to modify keys) and is not required; the SQL server's identity only needs the 'Get' and 'Unwrap Key' permissions on the key itself, which are granted via a Key Vault access policy, not RBAC roles. Option D is wrong because creating a private endpoint for Key Vault in the SQL server's virtual network would require the SQL server to be integrated into a VNet, which is not the default configuration for Azure SQL Database; private endpoints are used for network isolation but do not solve the firewall bypass issue for a managed service that needs to reach Key Vault over the public endpoint.

91 · MCQ · easy

You run the PowerShell cmdlet shown in the exhibit for an Azure SQL Database. What is the security implication?

A. Auditing of database queries is not configured.
B. The database is not protected against anomalous activities.
C. The database firewall allows all public IP addresses.
D. Transparent data encryption is not enabled.
Answer: B

ATP is disabled, so threat detection is not active.

Why this answer

Advanced Threat Protection (ATP) is disabled, meaning the database is not monitored for anomalous activities. Option A is correct. ATP is separate from firewall, TDE, and auditing.

92 · MCQ · medium

Your organization uses Microsoft Defender for Cloud to assess the security posture of Azure resources. A recent assessment shows that a standard-tier storage account (storageaccount1) used for backup data has the following findings: 1) 'Storage account should use a private endpoint' is unhealthy; 2) 'Storage account should use customer-managed keys (CMK) for encryption' is healthy; 3) 'Storage account should restrict network access' is unhealthy; 4) 'Storage account should enable soft delete for blobs' is healthy. Management requires that all storage accounts used for backup be protected against accidental deletion and have network access restricted to a specific virtual network (vnet-backup). Currently, the storage account is accessible from all networks. You need to remediate the unhealthy findings while maintaining the healthy status of the other controls. Which combination of actions should you take?

A. Enable a service endpoint for Microsoft.Storage on vnet-backup and configure the firewall to allow only that subnet, then create a private endpoint as well.
B. Create a private endpoint in the vnet-backup subnet for the storage account and set the public network access to 'Disabled'.
C. Enable a service endpoint for Microsoft.Storage on the vnet-backup subnet and update the storage account firewall to allow access only from that subnet.
D. Configure the storage account firewall to allow access only from the vnet-backup subnet's public IP range.
Answer: B

Private endpoint satisfies the private endpoint recommendation; disabling public access satisfies the network access restriction.

Why this answer

Option C is correct: Enabling a private endpoint and disabling public network access will remediate both the private endpoint and network access findings. Soft delete is already enabled, and CMK is already in place. Option A: Enabling a service endpoint does not remediate the private endpoint finding and may not satisfy the recommendation.

Option B: Configuring firewall rules allows public IPs, which does not meet the private endpoint recommendation. Option D: Enabling a service endpoint and firewall rules does not address the private endpoint requirement.

93 · MCQ · easy

You need to ensure that an Azure Storage account only allows access from a specific virtual network. Which configuration should you use?

A. Enable Azure Private Link and assign a private endpoint.
B. Configure a service endpoint for Azure Storage and add the virtual network subnet to the firewall rules.
C. Configure firewall rules to allow only the virtual network's public IP range.
D. Generate new storage account access keys and share them only with the virtual network.
Answer: B

Service endpoints allow restricting access to the storage account from a specific VNet.

Why this answer

Service endpoints allow restricting access to Azure services from a specific virtual network. Option C is correct. Firewalls and IP rules are for public IP addresses, not VNets.

Private endpoints provide private IP connectivity but do not block public access by default. Access keys don't restrict network access.

94 · Multi-Select · medium

Which TWO security features can be enabled on an Azure SQL Database to protect sensitive data from unauthorized access by database administrators? (Choose two.)

Select 2 answers
A. Transparent Data Encryption (TDE)
B. Always Encrypted
C. Row-Level Security (RLS)
D. Azure SQL Database firewall rules
E. Auditing
Answers: B, C

Always Encrypted encrypts data on the client side, so DBAs cannot decrypt it without the column encryption key.

Why this answer

Options A and D are correct. Option A: Always Encrypted ensures that database administrators cannot see plaintext data because the encryption keys are controlled by the client. Option D: Row-Level Security restricts access to rows based on user context, preventing admins from viewing data they shouldn't.

Option B is wrong because TDE protects at rest but admins can still query data. Option C is wrong because firewall rules control network access, not data access. Option E is wrong because auditing logs access but does not prevent it.

95 · MCQ · hard

You are deploying a critical application on Azure Virtual Machines that must remain highly available. You need to implement a security solution that ensures the application can recover from a ransomware attack that encrypts all data disks. What is the most cost-effective approach?

A. Configure Azure Backup with immutable vault and soft delete.
B. Use Azure Files share with snapshots for the application data.
C. Enable Azure Site Recovery for the virtual machines.
D. Take daily snapshots of the disks and store them in the same storage account.
Answer: A

Immutable vault prevents modification/deletion of backups; soft delete provides additional protection.

Why this answer

Azure Backup with immutable vault and soft delete protects against ransomware by preventing deletion and allowing recovery. Option B is correct. Azure Site Recovery is for disaster recovery, not ransomware recovery.

Snapshots alone can be deleted by malware. Azure Files share backup is not applicable to VM disks.

96 · MCQ · medium

A company stores critical business data in an Azure Storage account (Blob Storage). They want to ensure that all data is encrypted at rest using a customer-managed key (CMK) stored in Azure Key Vault. They also need to be able to revoke access to the data quickly if a breach is suspected. Which feature should they enable on the storage account to enforce CMK?

A. Enable infrastructure encryption for the storage account
B. Enable Azure Storage encryption with customer-managed keys
C. Enable soft delete for blobs
D. Enable versioning for blobs
Answer: B

This configures the storage account to use a CMK from Key Vault. Revocation is done by disabling the key in Key Vault, making the data inaccessible.

Why this answer

Option B is correct because enabling Azure Storage encryption with customer-managed keys (CMK) allows you to use your own key stored in Azure Key Vault to encrypt all data at rest in the storage account. This also provides the ability to revoke access to the data quickly by disabling, deleting, or rotating the key in Key Vault, which renders the data inaccessible until the key is restored.

Exam trap

The trap here is that candidates often confuse infrastructure encryption (which adds a second encryption layer but uses Microsoft-managed keys) with customer-managed key encryption, or they mistakenly think soft delete or versioning can enforce encryption key control and revocation.

How to eliminate wrong answers

Option A is wrong because infrastructure encryption provides an additional layer of encryption at the infrastructure level using platform-managed keys, not customer-managed keys, and does not support revocation via Key Vault. Option C is wrong because soft delete for blobs protects against accidental deletion by retaining deleted data for a specified retention period, but it does not enforce encryption with customer-managed keys or provide revocation capabilities. Option D is wrong because versioning for blobs preserves previous versions of blobs for data recovery and point-in-time restore, but it does not relate to encryption key management or revocation.

97 · MCQ · hard

Refer to the exhibit. You are reviewing the JSON output of an Azure Storage account encryption configuration. What can you conclude about the encryption settings?

A. The storage account uses a customer-managed key from Azure Key Vault.
B. The encryption configuration is incomplete because keyVersion is '1'.
C. Only blob storage is encrypted; file storage is not.
D. The storage account uses platform-managed keys (SSE).
Answer: A

keySource: Microsoft.Keyvault indicates CMK.

Why this answer

Option C is correct. The JSON shows 'keySource': 'Microsoft.Keyvault' indicating customer-managed keys (CMK). The key name, version, and vault URI are provided.

Option A is wrong because platform-managed keys use 'Microsoft.Storage' as keySource. Option B is wrong because the configuration shows both blob and file encryption enabled. Option D is wrong because the configuration uses CMK, not SSE (which uses Microsoft-managed keys).

98 · MCQ · medium

A company stores sensitive customer data in an Azure Storage account. The security policy requires that all data be encrypted at rest using a customer-managed key (CMK) stored in Azure Key Vault. They also need the ability to disable the key in case of a security breach and have the data become inaccessible immediately. Which feature should they enable on the storage account to achieve this?

A. Enable Azure Storage encryption with customer-managed keys (CMK)
B. Use service-managed keys (SSE) with platform-managed keys
C. Enable Azure Disk Encryption on VMs that access the storage account
D. Configure Azure Information Protection for the storage account
Answer: A

CMK allows you to manage the key used for encryption in your own Key Vault. You can disable or delete the key to revoke access to the data, though there is a short delay.

Why this answer

Option A is correct because enabling Azure Storage encryption with customer-managed keys (CMK) lets the customer use their own key stored in Azure Key Vault to protect the storage account's data at rest. Azure Storage uses the CMK only to wrap the data encryption key; if the CMK is disabled or revoked in Key Vault, Storage can no longer unwrap that key and, after a short propagation delay, all access to the data fails.

Exam trap

The trap here is that candidates often confuse Azure Disk Encryption (which encrypts VM disks) with storage account encryption, or assume that platform-managed keys (SSE) provide the same revocation capability as customer-managed keys.

How to eliminate wrong answers

Option B is wrong because service-managed keys (SSE) with platform-managed keys do not allow the customer to control or disable the key; Microsoft manages the keys, so the customer cannot revoke access in a breach scenario. Option C is wrong because Azure Disk Encryption encrypts the OS and data disks of VMs, not the data stored in Azure Storage accounts; it does not provide encryption at rest for the storage account itself. Option D is wrong because Azure Information Protection is a classification and labeling service for documents and emails, not a storage encryption mechanism; it does not encrypt data at rest in Azure Storage accounts.

99
Multi-Selectmedium

Your company plans to deploy a set of Azure virtual machines (VMs) running a critical application. The security team requires that all operating system disks and temporary disks be encrypted, and that encryption keys are never stored in Azure but are managed in an on-premises HSM. Which three of the following actions should you take? (Choose three.)

Select 3 answers
.Enable Azure Disk Encryption (ADE) on the VMs using Azure Key Vault with a key encryption key (KEK).
.Use Azure Dedicated HSM to generate and store the encryption keys for ADE.
.Configure the VMs to use Azure Disk Encryption with a passphrase-only approach (no KEK).
.Set the Key Vault firewall to allow only trusted Microsoft services to access the vault.
.Create a Key Vault access policy that grants the Azure Disk Encryption service principal the 'Wrap Key' and 'Unwrap Key' permissions.
.Deploy the VMs with Azure Premium SSD managed disks and enable encryption at host.

Why this answer

Azure Disk Encryption (ADE) uses Azure Key Vault to protect encryption keys. To meet the requirement that the key material stays under your own control rather than in Microsoft-managed key storage, you use Azure Dedicated HSM: a single-tenant HSM appliance under your sole administrative control (Microsoft has no access to the keys) that can be operated as part of the same key management domain as your existing HSMs. Additionally, you must configure a Key Vault access policy granting the Azure Disk Encryption service principal the 'Wrap Key' and 'Unwrap Key' permissions so that ADE can use the key encryption key (KEK) to wrap and unwrap the disk encryption secrets.

Enabling ADE with a KEK ensures that the disk encryption keys are wrapped (encrypted) by the KEK, so the secrets stored for the VM are themselves protected by a key the customer controls.

Exam trap

The trap here is that candidates often confuse Azure Key Vault Managed HSM (a Microsoft-operated service whose keys live in Azure) with Azure Dedicated HSM (a customer-administered appliance), or they mistakenly think that enabling encryption at host or using a passphrase-only approach satisfies the requirement that keys never reside in Microsoft-managed key storage.

100
MCQhard

Your company uses Azure SQL Database and wants to protect sensitive data stored in a column named 'CreditCardNumber'. You need to ensure that the data is encrypted at rest and that only authorized users can decrypt the data at the application layer. Additionally, you want to prevent unauthorized administrators from accessing the plaintext. Which solution should you implement?

A.Enable Transparent Data Encryption (TDE) and store the encryption key in Azure Key Vault
B.Use Dynamic Data Masking to mask the credit card column for non-privileged users
C.Implement Azure SQL Database's Always Encrypted with enclaves
D.Implement Always Encrypted and store the column encryption key in Azure Key Vault
AnswerD

Always Encrypted encrypts data in the client driver, so only applications holding the column master key (which protects the column encryption key) can decrypt. Database administrators see only ciphertext because they have no access to that key.

Why this answer

Option D is correct because Always Encrypted encrypts the column in the client driver, so the data is ciphertext at rest, in transit, and inside the database engine; only applications with access to the column master key in Key Vault (which unwraps the column encryption key) can decrypt it, and server administrators cannot. Option A is wrong because TDE protects the database files at rest, but the engine decrypts transparently, so administrators with query rights still see plaintext. Option B is wrong because Dynamic Data Masking obfuscates query results for non-privileged users and does not encrypt anything.

Option C is wrong because secure enclaves extend Always Encrypted with in-place computation inside a server-side enclave; that is an optional capability rather than the requirement here, which is keeping the key in Key Vault so that only authorized applications can decrypt.

101
MCQhard

Your organization uses Azure Files shares. You need to enforce access control using on-premises Active Directory (AD) credentials. The Azure Files share is already created. What should you do?

A.Enable Azure AD Domain Services authentication and join the storage account to the managed domain.
B.Assign RBAC roles (e.g., Storage File Data SMB Share Contributor) to AD users at the share level.
C.Enable AD DS authentication for the storage account, sync identities with Azure AD Connect, and configure NTFS permissions on the share.
D.Use storage account keys to mount the share and rely on Windows ACLs.
AnswerC

This allows on-prem AD authentication.

Why this answer

Option C is correct because Azure Files supports identity-based SMB authentication with on-premises AD DS: enable AD DS authentication on the storage account (which registers it as an account in the domain), sync the AD identities to Azure AD with Azure AD Connect so share-level permissions can be assigned to them, and configure NTFS permissions on the share for file- and folder-level access. Option A is wrong because Azure AD Domain Services is a separate managed domain, not the on-premises AD.

Option B is wrong because Azure RBAC roles such as Storage File Data SMB Share Contributor grant share-level access only; NTFS permissions are still required, and RBAC alone does not enable AD DS authentication. Option D is wrong because storage account keys grant full access to every share with no per-user control.

102
MCQeasy

You need to securely connect to an Azure SQL Database from an on-premises application without exposing the database to the public internet. Which solution should you use?

A.Configure a firewall rule to allow the on-premises public IP address
B.Use Azure Private Link to connect via a private endpoint
C.Enable Always Encrypted on the database
D.Use a virtual network service endpoint for Azure SQL Database
AnswerB

Private Link provides a private IP address in your virtual network, accessible from on-premises via VPN/ExpressRoute, without public internet exposure.

Why this answer

Option B is correct because Azure Private Link creates a private endpoint (a private IP address in your virtual network) for the logical SQL server, which on-premises clients reach over VPN or ExpressRoute without any public exposure. Option A is wrong because a firewall rule for the on-premises public IP still leaves the public endpoint reachable from the internet. Option C is wrong because Always Encrypted protects column data, not network access.

Option D is wrong because a virtual network service endpoint applies only to traffic originating in the configured Azure subnet, so on-premises clients cannot use it, and the service is still reached at its public IP (the traffic merely stays on the Azure backbone).

103
MCQeasy

You need to restrict access to an Azure Storage account so that only requests from a specific Azure Virtual Network are allowed. What should you configure?

A.Assign an RBAC role to the VNet's managed identity
B.Configure a service endpoint for the storage account
C.Configure the storage account firewall to allow access only from the VNet
D.Configure an Azure Private Endpoint for the storage account
AnswerC

Firewall rules with VNet rules restrict access to that VNet.

Why this answer

Azure Storage firewalls and virtual network rules are what restrict access to the named VNet: set the default action to Deny and add a rule for the subnet. Option C is correct. Option D is wrong because a private endpoint adds a private path into the account but does not by itself block other traffic; public access must be disabled separately.

Option B is wrong because a service endpoint is configured on the subnet and is a prerequisite for the VNet rule, but alone it restricts nothing; without the firewall's Deny default, every source remains allowed. Option A is wrong because RBAC controls who may act, not where the request comes from, and a VNet does not have a managed identity.
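The point that a VNet or IP rule does nothing until the default action is Deny is easy to get wrong in practice, so here is an added example (not from the page or from Microsoft) that models how the storage firewall's networkAcls property admits or rejects a request, and lints the configuration for the two mistakes reviewers see most: rules with an Allow default, and RFC 1918 ranges in IP rules, which Azure Storage does not accept. The subscription ID, subnet IDs and addresses are constructed.

```python
import ipaddress
from typing import Optional

# Constructed samples: the "networkAcls" property as shown by
# `az storage account show --query networkAcls`. IDs and addresses are made up.
VNET_RULE = {
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"
          "/providers/Microsoft.Network/virtualNetworks/vnet-app/subnets/snet-web",
    "action": "Allow",
}
MISCONFIGURED = {            # a VNet rule exists, but defaultAction is still Allow
    "defaultAction": "Allow",
    "bypass": "AzureServices",
    "ipRules": [],
    "virtualNetworkRules": [VNET_RULE],
}
HARDENED = {                 # defaultAction Deny makes the rules meaningful
    "defaultAction": "Deny",
    "bypass": "AzureServices",
    "ipRules": [{"value": "203.0.113.0/24", "action": "Allow"}],
    "virtualNetworkRules": [VNET_RULE],
}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _to_network(value: str):
    """IP rules may be a single address or a CIDR range."""
    return ipaddress.ip_network(value if "/" in value else value + "/32", strict=False)


def validate_rules(acls: dict) -> list:
    """Findings a reviewer would raise on the firewall configuration itself."""
    findings = []
    has_rules = bool(acls.get("ipRules") or acls.get("virtualNetworkRules"))
    if acls.get("defaultAction", "Allow") != "Deny" and has_rules:
        findings.append("rules are present but defaultAction is Allow, so they restrict nothing")
    for rule in acls.get("ipRules", []):
        net = _to_network(rule["value"])
        # Azure Storage only accepts public source addresses in IP rules.
        if any(net.subnet_of(private) for private in RFC1918):
            findings.append(f"ipRule {rule['value']} is an RFC 1918 range and is rejected by Azure Storage")
    return findings


def request_allowed(acls: dict, source_ip: Optional[str] = None, subnet_id: Optional[str] = None,
                    trusted_service: bool = False) -> bool:
    """Simplified model of how the storage firewall decides a request."""
    if acls.get("defaultAction", "Allow") == "Allow":
        return True                              # firewall is effectively off
    bypass = {b.strip() for b in acls.get("bypass", "").split(",") if b.strip()}
    if trusted_service and "AzureServices" in bypass:
        return True
    if subnet_id and any(r["id"].lower() == subnet_id.lower() and r.get("action", "Allow") == "Allow"
                         for r in acls.get("virtualNetworkRules", [])):
        return True
    if source_ip:
        ip = ipaddress.ip_address(source_ip)
        if any(ip in _to_network(r["value"]) for r in acls.get("ipRules", [])
               if r.get("action", "Allow") == "Allow"):
            return True
    return False


if __name__ == "__main__":
    print("misconfigured findings:", validate_rules(MISCONFIGURED))
    print("random internet host on misconfigured account:", request_allowed(MISCONFIGURED, source_ip="198.51.100.7"))
    print("random internet host on hardened account:", request_allowed(HARDENED, source_ip="198.51.100.7"))
    print("approved subnet on hardened account:", request_allowed(HARDENED, subnet_id=VNET_RULE["id"]))
```

The model deliberately ignores private endpoints: a private endpoint bypasses the networkAcls evaluation entirely, which is exactly why the question's option D does not, by itself, block other traffic.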

104
MCQhard

You are designing a secure data solution for a financial application. The data must be encrypted at rest, in transit, and in use. You choose Azure SQL Database. Which combination of features should you implement?

A.Transparent Data Encryption, enforce TLS, and Always Encrypted
B.Azure Information Protection, Dynamic Data Masking, and column-level security
C.Always Encrypted, Azure Active Directory authentication, and Azure Information Protection
D.Transparent Data Encryption, Dynamic Data Masking, and Azure Active Directory authentication
AnswerA

TDE for at rest, TLS for in transit, Always Encrypted for in use.

Why this answer

To encrypt data at rest, use Transparent Data Encryption (TDE). For in-transit, enforce TLS. For in-use, use Always Encrypted.

Option A is correct. Option B is wrong because Dynamic Data Masking only masks query results, column-level security only controls access, and Azure Information Protection labels documents; none of them encrypts the database. Option C is wrong because Azure Active Directory authentication and Azure Information Protection are identity and labeling controls, not encryption, so at rest and in transit are not covered.

Option D is wrong because Dynamic Data Masking and Azure Active Directory authentication are not encryption, and nothing in that combination protects data in use.

105
MCQhard

Your organization uses Azure Kubernetes Service (AKS) for containerized workloads. You need to ensure that only approved container images from a private Azure Container Registry (ACR) can run in the cluster. The solution must also enforce that pods run with least privilege. What should you configure?

A.Create a Kubernetes NetworkPolicy to restrict pod-to-pod communication and use Secrets for image pull
B.Configure ACR tasks to scan images for vulnerabilities and use AKS pod security policies
C.Use Azure AD pod-managed identities to authenticate to ACR and assign RBAC roles
D.Apply Azure Policy with built-in initiatives 'Kubernetes cluster containers should only use allowed images' and 'Kubernetes cluster pods should use specified service account'
AnswerD

Enforces allowed image sources and pod security.

Why this answer

Option D is correct because Azure Policy for AKS (enforced in the cluster by the Gatekeeper admission controller) can deny pods that reference images outside the approved registry and can constrain pod security settings through built-in definitions. Option B is wrong because ACR tasks build and scan images; scanning does not stop an unapproved image from being scheduled. Option C is wrong because pod-managed identities and RBAC govern authentication and authorization to ACR, not which images may run.

Option A is wrong because a NetworkPolicy controls pod-to-pod traffic and image pull Secrets supply registry credentials; neither restricts image source or privileges.

106
Multi-Selectmedium

You are a Security Engineer for a company that is migrating critical workloads to Azure. You need to ensure the security of compute, storage, and databases. Which of the following actions should you take? (Choose four.)

Select 4 answers
.Enable Azure Defender for SQL to receive security alerts and vulnerability assessments for Azure SQL databases.
.Use Azure Disk Encryption (ADE) to encrypt managed disks attached to virtual machines using BitLocker (Windows) or DM-Crypt (Linux).
.Configure a storage account firewall to restrict access to only specific virtual networks and trusted Azure services.
.Enable Azure Defender for Storage to detect anomalies and potential threats to your blob storage, Azure Files, and Data Lake Storage.
.Implement Azure Front Door WAF policies to protect against SQL injection and cross-site scripting attacks on virtual machines.
.Use Azure Backup for virtual machines without enabling soft delete to ensure immediate permanent deletion of backup data.

Why this answer

Enabling Azure Defender for SQL provides security alerts and vulnerability assessments for Azure SQL databases, which is essential for securing database workloads. The other three correct actions cover the remaining layers: Azure Disk Encryption protects VM disks at rest with BitLocker or DM-Crypt, the storage account firewall limits network access to approved virtual networks and trusted Azure services, and Azure Defender for Storage detects anomalous access and potential threats across blobs, Azure Files, and Data Lake Storage. Backing up VMs without soft delete gets the control backwards: soft delete is what protects backup data from accidental or malicious deletion.

Exam trap

The trap here is that candidates may confuse Azure Front Door WAF with network security groups (NSGs) or Azure Firewall, thinking it can protect VMs directly, but WAF is specifically for web applications and does not secure compute instances like virtual machines.

107
Multi-Selecteasy

Which two options are valid methods to authenticate to Azure Storage from on-premises servers?

Select 2 answers
A.Microsoft Entra ID authentication.
B.Storage account access keys.
C.X.509 certificate authentication.
D.SAS tokens generated from the storage account.
E.Azure CLI login.
AnswersA, B

Supported for Azure Storage.

Why this answer

Correct: A and B. Microsoft Entra ID authentication (with Azure RBAC data roles) and storage account access keys are both supported ways to authenticate to Azure Storage from on-premises servers. Option C (X.509 certificates) is not a supported authentication method for Azure Storage.

Option D (SAS tokens) is delegated authorization derived from an account key or an Entra identity rather than a primary authentication method. Option E (Azure CLI) is a command-line tool that itself signs in through Entra ID; it is not an authentication method.

108
Multi-Selecthard

Which THREE measures should you implement to secure a Linux virtual machine running a web application on Azure?

Select 3 answers
A.Enable Azure Disk Encryption for OS and data disks
B.Configure network security groups to allow only HTTP and HTTPS
C.Deploy Microsoft Defender for Servers
D.Configure Azure Backup for the VM
E.Enable just-in-time VM access in Microsoft Defender for Cloud
AnswersA, C, E

Encrypts data at rest using BitLocker or DM-Crypt.

Why this answer

Option E (just-in-time VM access) reduces exposure by opening management ports only when needed. Option A (Azure Disk Encryption) encrypts OS and data disks at rest. Option C (Microsoft Defender for Servers) provides threat detection and vulnerability management.

Option B is not selected because an NSG that permanently allows HTTP and HTTPS narrows the attack surface but neither encrypts data nor detects threats, and plain HTTP should not be left open at all. Option D is not selected because Azure Backup protects against data loss; it does not harden the running VM, and backup encryption is separate from disk encryption.

109
MCQhard

You are the security engineer for a healthcare company that uses Azure to store electronic health records (EHR) in Azure Blob Storage. Compliance requires that all data be encrypted at rest with customer-managed keys stored in a hardware security module (HSM), that the storage account be accessible only from a specific virtual network, and that all access to the storage account be logged and sent to a central security information and event management (SIEM) system. Additionally, you must ensure that any blobs containing protected health information (PHI) are automatically labeled with a sensitivity label that prevents them from being shared externally. You have decided to use Azure Key Vault Managed HSM for key storage, Azure Private Endpoint for network access, and Azure Monitor for logging. However, you are unsure how to automatically apply sensitivity labels to blobs based on content inspection. Which service should you use to achieve automatic labeling of PHI data in Azure Blob Storage?

A.Microsoft Defender for Storage with sensitivity labeling integration
B.Azure Policy with custom policies to tag blobs containing PHI
C.Microsoft Purview Information Protection with auto-labeling policies for Azure Blob Storage
D.Microsoft Sentinel with analytics rules to detect PHI and apply labels via automation
AnswerC

Purview can scan blob content and automatically apply sensitivity labels based on data classification.

Why this answer

Microsoft Purview Information Protection can automatically classify and label sensitive data in Azure Blob Storage using content scanning and classification rules. Option C is correct. Option B is incorrect because Azure Policy enforces resource configuration and does not inspect blob content.

Option D is incorrect because Microsoft Sentinel is a SIEM, not a labeling service. Option A is incorrect because Microsoft Defender for Storage provides threat detection but does not apply sensitivity labels.

110
MCQmedium

You need to protect Azure VM disks from unauthorized snapshot creation. Which configuration should you implement?

A.Assign the 'Reader' role to all users on the disk.
B.Apply a 'CanNotDelete' resource lock on the disk resource.
C.Configure Azure Backup for the VM.
D.Use Azure Policy to audit snapshot creation.
AnswerB

A resource lock is the only preventive control among the options: CanNotDelete blocks deletion of the disk, and ReadOnly additionally blocks modification.

Why this answer

Azure resource locks are the only preventive control among the options: a CanNotDelete lock blocks deletion of the disk, and a ReadOnly lock additionally blocks modification. Option C is wrong because Azure Backup creates its own recovery points and does not prevent snapshots. Option A is wrong because assigning Reader does not remove snapshot rights from principals who already hold them; RBAC prevents snapshots only if nobody is granted Microsoft.Compute/snapshots/write.

Option D is wrong because an Azure Policy with the audit effect only reports snapshot creation; it does not block it.

111
MCQeasy

You need to protect Azure VMs from ransomware by ensuring that encrypted file systems cannot be read by attackers. Which solution should you implement?

A.Apply network security groups (NSGs) to block unauthorized access.
B.Configure Azure Backup for the VMs.
C.Enable Azure Disk Encryption on the VMs.
D.Enable Microsoft Defender for Cloud on the subscription.
AnswerC

Azure Disk Encryption encrypts disks at rest, mitigating ransomware impact.

Why this answer

Azure Disk Encryption uses BitLocker (Windows) or DM-Crypt (Linux) to encrypt the OS and data disks, protecting the disk contents against offline attacks. Option D is wrong because Defender for Cloud provides threat detection and posture management, not encryption. Option B is wrong because Azure Backup provides recovery after an incident, not encryption.

Option A is wrong because NSGs control network traffic, not disk encryption.

112
MCQmedium

Your company hosts a web application on Azure Virtual Machines. You need to ensure that all disks attached to the VMs are encrypted. You plan to use Azure Disk Encryption. What should you configure first?

A.Assign a system-assigned managed identity to the VMs
B.Configure a network security group to allow encryption traffic
C.Create an Azure Key Vault and configure a key encryption key
D.Enable Azure Backup on the VMs
AnswerC

Azure Disk Encryption requires a Key Vault to store the encryption keys or secrets.

Why this answer

Azure Disk Encryption requires an Azure Key Vault in the same region and subscription as the VMs, with the vault's 'enabled for disk encryption' access setting turned on; the key encryption key (KEK) is optional but recommended, so creating the Key Vault is the first step. Option C is correct. Option A is wrong because managed identities handle authentication to other services and are not what ADE needs to start.

Option B is wrong because ADE needs no NSG rules; network security groups are unrelated. Option D is wrong because Azure Backup is for recovery, not encryption.

113
MCQhard

You are reviewing the above Azure Policy definition. What does this policy do?

A.Denies storage accounts that have the default network action set to Deny
B.Denies storage accounts that do not have encryption enabled
C.Denies storage accounts that have firewall rules configured
D.Denies storage accounts that allow all network traffic
AnswerA

Matches the condition and effect.

Why this answer

Option A is correct: the rule's effect is `"effect": "deny"` and its condition matches storage accounts whose `networkAcls.defaultAction` equals `Deny`. Any storage account that denies traffic by default is therefore rejected at deployment time, which (presumably unintentionally) forces storage accounts to keep `defaultAction` at `Allow`. A hardening policy would test `notEquals` against `Deny` instead, so read the comparison operator, not just the effect, when reviewing a policy.

Option D describes the opposite condition. Option B is about encryption, not network configuration.

Option C is about the presence of firewall rules, not the default action.
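To make the operator mix-up concrete, here is an added example (not the question's exhibit and not Microsoft code): a minimal evaluator for Azure Policy rule conditions, applied to two constructed policies, one written with equals as the question describes and one written with notEquals as a hardening policy, against constructed storage account resources. The alias string is the real Azure Policy alias for the storage firewall default action; everything else is made up for the example.

```python
# Real alias for the storage firewall default action.
DEFAULT_ACTION_ALIAS = "Microsoft.Storage/storageAccounts/networkAcls.defaultAction"

AS_DESCRIBED = {  # denies accounts whose defaultAction is Deny: blocks hardening
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"field": DEFAULT_ACTION_ALIAS, "equals": "Deny"},
    ]},
    "then": {"effect": "deny"},
}

HARDENING = {  # denies accounts whose defaultAction is anything other than Deny
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"field": DEFAULT_ACTION_ALIAS, "notEquals": "Deny"},
    ]},
    "then": {"effect": "deny"},
}

# Constructed resources in the shape the policy engine evaluates.
OPEN_ACCOUNT = {"type": "Microsoft.Storage/storageAccounts",
                "properties": {"networkAcls": {"defaultAction": "Allow"}}}
LOCKED_ACCOUNT = {"type": "Microsoft.Storage/storageAccounts",
                  "properties": {"networkAcls": {"defaultAction": "Deny"}}}
KEY_VAULT = {"type": "Microsoft.KeyVault/vaults",
             "properties": {"networkAcls": {"defaultAction": "Deny"}}}


def get_field(resource: dict, field: str):
    """Resolve a top-level field or a '<type>/<path>' alias against the resource."""
    if "/" not in field:
        return resource.get(field)
    prefix = resource.get("type", "") + "/"
    if not field.lower().startswith(prefix.lower()):
        return None                      # alias belongs to a different resource type
    node = resource.get("properties", {})
    for part in field[len(prefix):].split("."):
        if not isinstance(node, dict):
            return None
        node = node.get(part)
    return node


def _same(a, b) -> bool:
    return str(a).lower() == str(b).lower()   # Azure Policy string comparisons are case-insensitive


def matches(condition: dict, resource: dict) -> bool:
    if "allOf" in condition:
        return all(matches(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not matches(condition["not"], resource)
    value = get_field(resource, condition["field"])
    if "equals" in condition:
        return value is not None and _same(value, condition["equals"])
    if "notEquals" in condition:
        return value is None or not _same(value, condition["notEquals"])
    if "exists" in condition:
        return (value is not None) == _same(condition["exists"], "true")
    raise ValueError(f"unsupported condition: {condition}")


def effect_for(policy_rule: dict, resource: dict):
    """Return the effect the rule would apply to the resource, or None if it does not match."""
    return policy_rule["then"]["effect"] if matches(policy_rule["if"], resource) else None


if __name__ == "__main__":
    for name, rule in (("as described", AS_DESCRIBED), ("hardening", HARDENING)):
        print(name, "-> open:", effect_for(rule, OPEN_ACCOUNT), "locked:", effect_for(rule, LOCKED_ACCOUNT))
```

The evaluator is enough to show the inversion: the rule as described denies the locked-down account and waves the open one through, while the notEquals variant does the reverse. A real definition would normally also allow the accounts that use publicNetworkAccess Disabled; that refinement is left out here.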

114
Multi-Selectmedium

Which TWO actions should you take to secure managed database backups in Azure SQL Managed Instance?

Select 2 answers
A.Configure geo-redundant backup storage (RA-GRS)
B.Enable Transparent Data Encryption (TDE)
C.Configure auditing for the managed instance
D.Enable soft delete for managed instance backups
E.Set a long-term retention policy for backups
AnswersA, D

Replicates backups to a paired region for disaster recovery.

Why this answer

Option A (geo-redundant backup storage) ensures backups are replicated to the paired region for disaster recovery. Option D (soft delete) protects backups from accidental or malicious deletion. Option B is incorrect because TDE is a data-at-rest control that already applies to backups automatically; it is not a backup-protection action.

Option E is incorrect because a long-term retention policy governs how long backups are kept, not their redundancy or protection from deletion. Option C is incorrect because auditing records activity but does not protect the backups themselves.

115
MCQhard

Your organization uses Azure Files shares for user home directories. You need to enforce that users access these shares only from trusted locations (corporate IP ranges) and that all access is logged. Which combination of actions should you take?

A.Use a Private Endpoint for the storage account and configure a service endpoint on the virtual network.
B.Generate a shared access signature (SAS) token that is valid only from corporate IPs and attach it to the file share.
C.Configure a storage account firewall to allow only the corporate IP range, and enable diagnostic settings to send logs to a Log Analytics workspace.
D.Assign Azure AD DS to the storage account and enable Azure AD authentication for Azure Files, then configure conditional access policies.
AnswerC

Correctly restricts access by IP and enables logging.

Why this answer

Azure Files storage accounts support firewall and virtual network rules that restrict access to specific public IP ranges, and diagnostic settings can send the StorageRead, StorageWrite and StorageDelete logs to a Log Analytics workspace. Option C is correct.

Option A is incorrect because a private endpoint provides a private IP path but does not filter by source IP, and a service endpoint applies only to traffic from the configured subnet. Option B is incorrect because a SAS (even one restricted to an IP range) is a delegated token for REST access; it cannot be attached to a share for SMB users and does not provide logging. Option D is incorrect because Azure AD DS authentication controls identity, not source IP; it does not filter by network location.

116
MCQmedium

A company uses Azure SQL Database with Transparent Data Encryption (TDE) protected by a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault has a firewall enabled that denies all public network access. The SQL server is a Microsoft service. How can the SQL server be granted access to the key vault to perform TDE operations?

A.Create a private endpoint on the Key Vault for the SQL server
B.Disable the Key Vault firewall
C.Enable the 'Allow trusted Microsoft services to bypass the firewall' setting on the Key Vault
D.Assign the SQL server a system-assigned managed identity and grant it access to the key vault
AnswerC

This setting allows Azure SQL Database (as a trusted Microsoft service) to access the key vault for TDE operations without enabling public access.

Why this answer

Option C is correct because Azure Key Vault's firewall includes a setting to 'Allow trusted Microsoft services to bypass this firewall.' Azure SQL Database is a trusted Microsoft service, so enabling this setting allows the SQL server to authenticate to Key Vault using its system-assigned managed identity to retrieve the customer-managed key for TDE operations, without needing to disable the firewall or create a private endpoint.

Exam trap

The trap here is that candidates often think a private endpoint is required for PaaS services to access a firewalled Key Vault, but they overlook that Azure SQL Database is a trusted Microsoft service that can bypass the firewall with the appropriate setting, and that a private endpoint would require the SQL server to be network-integrated, which it is not by default.

How to eliminate wrong answers

Option A is wrong because creating a private endpoint on the Key Vault for the SQL server would require the SQL server to be in a virtual network, but Azure SQL Database is a platform-as-a-service (PaaS) resource that does not reside in a customer VNet by default; a private endpoint on Key Vault does not directly grant the SQL server network access. Option B is wrong because disabling the Key Vault firewall would expose the vault to all public network traffic, violating the security requirement to deny all public network access. Option D is wrong because while assigning a system-assigned managed identity and granting it access to the key vault is necessary for authentication and authorization, it does not solve the network connectivity issue caused by the Key Vault firewall blocking all public traffic; the managed identity alone cannot bypass the firewall without the 'Allow trusted Microsoft services' setting.

117
MCQeasy

You need to ensure that an Azure Key Vault is accessible only from a specific virtual network and that all operations are logged. What should you configure?

A.Key Vault firewall and virtual network service endpoints, and diagnostic settings
B.Azure RBAC roles and diagnostic settings
C.Soft-delete and purge protection, and diagnostic settings
D.Azure Policy and diagnostic settings
AnswerA

Firewall and service endpoints restrict network access; diagnostic settings log operations.

Why this answer

Key Vault firewall and virtual network service endpoints restrict network access. Diagnostic settings enable logging. Option A is correct.

Option B is wrong because RBAC controls permissions, not network access. Option C is wrong because soft-delete is for recovery. Option D is wrong because Azure Policy can enforce settings but does not restrict network access to the vault.

118
MCQhard

You are deploying a three-tier application on Azure VMs. The web tier must be accessible from the internet, but the application and database tiers must only accept traffic from the web tier. You need to implement network segmentation using Azure networking components. What is the most secure and manageable solution?

A.Use a single subnet and configure NSGs on VM NICs to restrict traffic.
B.Use VNet peering to connect separate VNets for each tier and use NSGs.
C.Use a single VNet with one subnet and use Azure Firewall to filter traffic between tiers.
D.Use separate subnets for each tier in the same VNet and configure NSGs to allow traffic only from the previous tier.
AnswerD

Separate subnets provide isolation; NSGs enforce least-privilege network access.

Why this answer

Option D is correct because placing each tier in its own subnet of one VNet, with NSGs that admit traffic only from the previous tier, gives segmentation that is enforced at the network layer and easy to manage. Option B is wrong because peering separate VNets per tier adds complexity without finer control than subnets in one VNet provide. Option A is wrong because a single subnet with NIC-level NSGs offers no subnet isolation and is harder to keep consistent as VMs are added.

Option C is wrong because filtering intra-VNet traffic through Azure Firewall from a single subnet is more expensive and complex than subnet NSGs for this requirement.

119
MCQhard

A company uses Azure SQL Database to store personally identifiable information (PII). They need to encrypt specific columns containing social security numbers so that even database administrators with the 'db_owner' role cannot view the plaintext. The application must be able to perform equality searches on the encrypted columns. Which encryption technology should they implement?

A.Transparent Data Encryption (TDE)
B.Always Encrypted with deterministic encryption
C.Dynamic Data Masking
D.Row-Level Security
AnswerB

Always Encrypted encrypts data in the client driver, so the database cannot see plaintext. Deterministic encryption enables equality matching without revealing data.

Why this answer

Always Encrypted with deterministic encryption is the correct choice because it encrypts specific columns at the client-side, ensuring that even database administrators with db_owner cannot view plaintext data. Deterministic encryption generates the same ciphertext for a given plaintext value, enabling equality searches (e.g., WHERE SSN = '123-45-6789') directly on the encrypted column without decrypting the data on the server.

Exam trap

The trap here is that candidates often confuse encryption at rest (TDE) with client-side column encryption, mistakenly believing TDE protects against privileged users, but TDE only protects against physical theft of the database files, not against authorized database access.

How to eliminate wrong answers

Option A is wrong because Transparent Data Encryption (TDE) encrypts the entire database at rest (pages written to disk) but does not protect data from users or DBAs who have access to the database; plaintext is visible to anyone with query permissions. Option C is wrong because Dynamic Data Masking obfuscates data in query results for non-privileged users but does not encrypt the underlying data; DBAs with db_owner can still view the unmasked values by altering the masking rule or querying directly. Option D is wrong because Row-Level Security restricts access to rows based on a predicate function but does not encrypt column values; DBAs with db_owner can bypass or modify the security policy to see all data.
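The client-side property behind this question, and behind question 100 above, is easier to see in code. The following is an added example, not Microsoft's driver code: a stand-in for the Always Encrypted client that encrypts a column deterministically or randomly, a "server" that holds only ciphertext and compares bytes, and the lookups each mode permits. The cipher here (an HMAC-SHA256 keystream with a MAC) is not the AEAD_AES_256_CBC_HMAC_SHA256 algorithm the real feature uses; it is the smallest construction that reproduces the property that matters: deterministic mode derives the IV from the plaintext, so equal values give equal ciphertext and equality search works; randomized mode does not. The key and the rows are constructed.

```python
import hashlib
import hmac
import os


class ColumnEncryptionKey:
    """Stand-in for a CEK; the real driver also derives separate enc/MAC/IV keys from it."""
    def __init__(self, cek: bytes):
        self.enc_key = hmac.new(cek, b"enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(cek, b"mac", hashlib.sha256).digest()
        self.iv_key = hmac.new(cek, b"iv", hashlib.sha256).digest()


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(cek: ColumnEncryptionKey, plaintext: bytes, deterministic: bool) -> bytes:
    # Deterministic: IV derived from the plaintext (as Always Encrypted does), so the same
    # value always yields the same bytes. Randomized: fresh IV every time.
    if deterministic:
        iv = hmac.new(cek.iv_key, plaintext, hashlib.sha256).digest()[:16]
    else:
        iv = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(cek.enc_key, iv, len(plaintext))))
    tag = hmac.new(cek.mac_key, iv + body, hashlib.sha256).digest()
    return tag + iv + body


def decrypt(cek: ColumnEncryptionKey, ciphertext: bytes) -> bytes:
    tag, iv, body = ciphertext[:32], ciphertext[32:48], ciphertext[48:]
    expected = hmac.new(cek.mac_key, iv + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed authentication")
    return bytes(c ^ k for c, k in zip(body, _keystream(cek.enc_key, iv, len(body))))


# --- server side: holds ciphertext only, never the key -------------------------------------
def server_lookup(table: list, column: str, encrypted_param: bytes) -> list:
    """The engine compares bytes; with deterministic ciphertext that is an equality search."""
    return [row["id"] for row in table if row[column] == encrypted_param]


def dba_view(table: list) -> list:
    """What db_owner sees when selecting the column: ciphertext, not values."""
    return [{"id": r["id"], "ssn": r["ssn"].hex()} for r in table]


# --- client side: the only place the key exists ---------------------------------------------
def load_rows(cek: ColumnEncryptionKey, people: list) -> list:
    """Insert helper: SSN deterministic (searchable), notes randomized (not searchable)."""
    return [{"id": i,
             "ssn": encrypt(cek, ssn.encode(), deterministic=True),
             "notes": encrypt(cek, note.encode(), deterministic=False)}
            for i, (ssn, note) in enumerate(people, start=1)]


def find_by_ssn(cek: ColumnEncryptionKey, table: list, ssn: str) -> list:
    # WHERE SSN = @p: the driver encrypts @p deterministically before sending it.
    return server_lookup(table, "ssn", encrypt(cek, ssn.encode(), deterministic=True))


def find_by_notes(cek: ColumnEncryptionKey, table: list, note: str) -> list:
    # Randomized column: the encrypted parameter never matches stored ciphertext.
    return server_lookup(table, "notes", encrypt(cek, note.encode(), deterministic=False))


if __name__ == "__main__":
    key = ColumnEncryptionKey(b"\x11" * 32)           # constructed key; real CEKs come from Key Vault-protected CMKs
    rows = load_rows(key, [("123-45-6789", "vip"), ("987-65-4321", "vip")])
    print("DBA sees:", dba_view(rows))
    print("equality search on deterministic column:", find_by_ssn(key, rows, "123-45-6789"))
    print("equality search on randomized column:", find_by_notes(key, rows, "vip"))
```

The trade-off the exam question leaves implicit also shows up here: because identical SSNs produce identical ciphertext, anyone who can read the table can count duplicates and compare rows. Deterministic encryption is appropriate for high-entropy lookup keys; columns with a small value set (such as the notes column) belong in randomized mode, at the cost of server-side equality search.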

120
Multi-Selectmedium

Your organization is planning to use Azure Container Instances (ACI) and Azure Kubernetes Service (AKS) for running containerized workloads. The security policy mandates that container images be scanned for vulnerabilities, secrets never be stored in image layers, and network traffic between containers be encrypted. Which three of the following should you implement? (Choose three.)

Select 3 answers
.Integrate Azure Container Registry (ACR) with Microsoft Defender for Containers to scan images on push.
.Use Azure Key Vault with the AKS Secrets Store CSI Driver to mount secrets as volumes or environment variables.
.Enable Azure Policy for AKS to enforce that containers run with privileged access.
.Configure a service mesh (e.g., Azure Service Mesh or Istio) on AKS to enable mutual TLS (mTLS) between pods.
.Store all secrets as Kubernetes Secrets and reference them in the container image definition.
.Deploy ACI containers with a public IP address and rely on network security groups for encryption.

Why this answer

Integrating ACR with Microsoft Defender for Containers enables vulnerability scanning of container images at rest and on push, ensuring images are checked for known vulnerabilities before deployment; this directly addresses the mandate to scan images. Mounting secrets from Azure Key Vault through the Secrets Store CSI Driver keeps them out of image layers and under Key Vault access control, and a service mesh with mutual TLS encrypts pod-to-pod traffic, covering the other two mandates.

Exam trap

The trap here is that candidates might think NSGs or Kubernetes Secrets provide encryption or secure secret storage, but NSGs only filter traffic (no encryption) and Kubernetes Secrets are not encrypted by default, so they fail the mandates for encrypted traffic and secret-free image layers.

121
MCQmedium

Your company has a policy to disable TLS versions older than 1.2 for Azure Storage accounts. You configure the minimum TLS version setting to 1.2. After a week, an audit reveals that some clients are still connecting with TLS 1.0. What is the most likely reason?

A.Clients are accessing the storage account through a private endpoint with IP rules.
B.The storage account is configured to allow TLS 1.0 by default.
C.The setting does not apply to Azure Files.
D.Some clients have established persistent connections before the change.
AnswerD

Persistent connections may retain the TLS version negotiated at connection time.

Why this answer

The minimum TLS version setting governs new connections; clients that negotiated TLS 1.0 on a connection established before the change can keep using that connection until it is closed, so they can still appear in the audit. Option A is wrong because private endpoints and IP rules are network controls and do not change TLS negotiation. Option B is wrong because the administrator explicitly set the minimum version to 1.2, so the account default no longer applies.

Option C is wrong because the setting applies to all storage services in the account, not just blobs.

122
MCQhard

A company uses Azure Key Vault to store secrets for their applications. They want to ensure that an application hosted on an Azure virtual machine can access secrets from only a specific Key Vault, and that all traffic between the VM and Key Vault remains within the Azure network and does not traverse the public internet. Which configuration should they implement?

A.Create a private endpoint for Key Vault in the same VNet as the VM and disable public network access on the Key Vault.
B.Enable the Key Vault firewall and add the VM's public IP address to the allowed list.
C.Use a service endpoint for Key Vault on the VM's subnet, and assign a managed identity to the VM.
D.Assign a system-assigned managed identity to the VM and grant it access to the Key Vault.
AnswerA

Private endpoints use private IPs from the VNet, keeping traffic off the internet. Disabling public access ensures only private endpoint traffic is accepted.

Why this answer

Option A is correct because it combines a private endpoint for Azure Key Vault with disabling public network access. A private endpoint assigns a private IP address from the VM's VNet to the Key Vault, ensuring all traffic stays within the Microsoft Azure backbone network and never traverses the public internet. Disabling public network access on the Key Vault firewall then blocks any attempts to access the vault via its public endpoint, enforcing that only traffic through the private endpoint is allowed.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, not realizing that service endpoints still use the public endpoint of the resource and do not provide true private IP-based isolation, while private endpoints assign a private IP and can fully disable public access.

How to eliminate wrong answers

Option B is wrong because adding the VM's public IP address to the Key Vault firewall allows traffic that still traverses the public internet; it does not keep traffic within the Azure network. Option C is wrong because a service endpoint for Key Vault on the VM's subnet only routes traffic to the Key Vault's public endpoint via the Azure backbone, but it does not prevent the Key Vault from being accessible over the public internet, and it does not use a private IP address; a managed identity alone does not enforce network isolation. Option D is wrong because assigning a system-assigned managed identity and granting it access to Key Vault only handles authentication and authorization; it does not address network-level isolation or prevent traffic from leaving the Azure network.

123
MCQ (medium)

A company uses Azure SQL Database with Transparent Data Encryption (TDE) encrypted using a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault is protected by a firewall and virtual network service endpoints. The storage account used for TDE logs is in the same Azure region. What additional configuration is necessary in the Key Vault to allow Azure SQL Database to access the CMK for TDE operations?

A. Enable 'Allow trusted Microsoft services to bypass this firewall' in the Key Vault firewall settings.
B. Disable public network access on the Key Vault.
C. Add the SQL Database server's system-assigned managed identity to the Key Vault access policy.
D. Enable soft-delete on the Key Vault.
Answer: A

Correct. This setting allows Azure SQL Database (a trusted service) to bypass the Key Vault firewall and access the CMK for TDE operations.

Why this answer

Azure SQL Database uses TDE with a customer-managed key stored in Key Vault. When the Key Vault has a firewall enabled, Azure SQL Database must be able to bypass that firewall to access the key. Enabling 'Allow trusted Microsoft services to bypass this firewall' is required because Azure SQL Database is a trusted Microsoft service that needs to reach the Key Vault endpoint for TDE operations, even when the firewall blocks public network access.

Exam trap

The trap here is that candidates often think adding a managed identity or disabling public access is sufficient, but they miss that the Key Vault firewall explicitly requires the 'Allow trusted Microsoft services' bypass for Azure SQL Database to access the CMK.

How to eliminate wrong answers

Option B is wrong because disabling public network access on the Key Vault would block all external traffic, including from Azure SQL Database, unless the 'Allow trusted Microsoft services' setting is also enabled; it is not a standalone solution. Option C is wrong because Azure SQL Database for TDE does not use a system-assigned managed identity to authenticate to Key Vault; instead, it uses the Azure SQL logical server's identity (which is automatically granted permissions via the Key Vault access policy when using CMK). Option D is wrong because soft-delete is a data protection feature that prevents permanent deletion of keys, secrets, or certificates, but it is not required for TDE access; it is recommended for recovery but not a prerequisite for the SQL Database to reach the key.

124
Multi-Select (easy)

Which TWO of the following are benefits of using managed identities for Azure resources to access Azure Storage? (Choose two.)

Select 2 answers
A. Replicates storage data across regions for disaster recovery
B. Eliminates the need to store credentials in code or configuration files
C. Enables federated identity with external identity providers
D. Automatically rotates the credentials used for authentication
E. Provides granular auditing of all storage access
Answers: B, D

Managed identities provide an automatically managed identity in Azure AD, removing the need for secrets.

Why this answer

Options B and D are correct. Managed identities eliminate the need to store credentials in code or configuration files (B) and their credentials are rotated automatically (D). Option E (auditing) is not a benefit of managed identities themselves, though access through them can still be audited via Azure AD.

Option C (federated identity) is for external users. Option A (replication) is unrelated.

125
MCQ (hard)

You are designing a secure data solution for a financial services company. Data must be encrypted at rest and in transit. Additionally, you need to prevent administrators from accessing the encryption keys. What should you use?

A. Azure Storage encryption with service-side encryption and HTTPS enforced.
B. Azure Storage encryption with customer-managed keys and a key vault access policy that denies key operations for the admin group.
C. Azure Storage encryption with Microsoft-managed keys.
D. Azure Storage encryption with infrastructure encryption enabled.
Answer: B

CMK with restricted access ensures admins cannot access keys.

Why this answer

Azure Storage encryption with customer-managed keys stored in a key vault whose access policy denies all key operations for administrators meets the requirement. Option D is wrong because infrastructure encryption does not prevent admin access. Option C is wrong because Microsoft-managed keys do not meet the requirement.

Option A is wrong because encryption in transit alone does not address at-rest encryption.

126
MCQ (medium)

Your company uses Azure Blob Storage to store sensitive documents. You need to prevent data exfiltration by ensuring that all access to the storage account is through Microsoft's private network. What should you configure?

A. Apply a network security group (NSG) to the subnet with a deny rule for internet traffic.
B. Create a private endpoint for the storage account and disable public network access.
C. Set the firewall to deny all and add a rule to allow only your VNet's public IP.
D. Enable service endpoints and configure a service endpoint policy.
Answer: B

Traffic goes through Private Link, staying on the Microsoft network.

Why this answer

Option B is correct because Azure Private Link with a private endpoint ensures that traffic to the storage account stays within the Microsoft backbone network. Service endpoints also keep traffic on the Azure backbone but do not prevent exfiltration if the storage account is exposed to the internet. Option D is wrong because service endpoints do not block internet access.

Option C is wrong because firewall rules only restrict IPs, and traffic may still leave the Azure backbone. Option A is wrong because network security groups (NSGs) apply to subnets, not storage accounts.

127
MCQ (hard)

You are deploying a containerized application on Azure Kubernetes Service (AKS). The application needs to pull images from a private Azure Container Registry (ACR) and access secrets from Azure Key Vault. You want to minimize credential exposure. What should you configure?

A. Use a service principal with certificate authentication, and rotate the certificate annually.
B. Create a service principal with a secret, assign it the acrpull role, and store the secret in a Kubernetes secret for imagePullSecrets.
C. Enable managed identity on the AKS cluster, grant the identity the acrpull role on ACR, and use the Azure Key Vault Provider for Secrets Store CSI Driver.
D. Enable the admin account on ACR and use the admin credentials in Kubernetes secrets.
Answer: C

Managed identity eliminates static credentials; CSI driver mounts secrets as volumes.

Why this answer

Option C is correct because AKS can use a managed identity to authenticate to ACR (via the acrpull role) and to Key Vault (via the Secrets Store CSI Driver provider). Option B (service principal with a secret) exposes a credential. Option D (admin account on ACR) is not recommended.

Storing the service principal secret in a Kubernetes secret for imagePullSecrets (Option B) also exposes credentials.

128
MCQ (medium)

A company stores sensitive documents in an Azure Blob Storage account. They have enabled infrastructure encryption and configured the storage account to use a customer-managed key stored in Azure Key Vault for encryption at rest. Despite this, newly uploaded blobs are still encrypted with Microsoft-managed keys. What is the most likely cause?

A. The Key Vault is in a different Azure region than the storage account.
B. The storage account does not have a system-assigned managed identity enabled.
C. A default encryption scope is configured on the blob container that uses a Microsoft-managed key.
D. The customer-managed key in Key Vault is disabled or expired.
Answer: C

Encryption scopes can be set at the container level. A default encryption scope overrides the storage account-level encryption. If the scope uses Microsoft-managed keys, new blobs in that container will not use the customer-managed key.

Why this answer

Option C is correct because when a default encryption scope is set on a blob container, it overrides the storage account's encryption settings for all blobs uploaded to that container. Even if the storage account is configured with a customer-managed key (CMK), the container-level encryption scope with a Microsoft-managed key takes precedence, causing new blobs to be encrypted with Microsoft-managed keys instead.

Exam trap

The trap here is that candidates assume the storage account-level CMK setting applies uniformly to all blobs, but they overlook that encryption scopes at the container level can override that setting, causing a silent fallback to Microsoft-managed keys.

How to eliminate wrong answers

Option A is wrong because Azure Key Vault and the storage account can be in different regions; cross-region CMK is supported as long as the Key Vault is in the same Azure Active Directory tenant. Option B is wrong because a system-assigned managed identity is not required for CMK; a user-assigned managed identity can be used, or the storage account can use its own identity implicitly when granted access to Key Vault via access policies or RBAC. Option D is wrong because if the customer-managed key were disabled or expired, the storage account would fail to encrypt or decrypt blobs, resulting in errors (e.g., 403 Forbidden) rather than silently falling back to Microsoft-managed keys.

129
MCQ (hard)

A company stores highly sensitive data in Azure Blob Storage. They require encryption at rest using a customer-managed key. Additionally, they want to ensure that the key can only be used from the same Azure region as the storage account. Which configuration must they implement?

A. Store the key in a key vault in each region and use a managed identity to access the key vault.
B. Use a key stored in an Azure Key Vault with 'Soft Delete' enabled.
C. Use an Azure Key Vault with 'Purge Protection' enabled.
D. Use an Azure Key Vault in the same region as the storage account (keys are region-bound by default).
Answer: D

Customer-managed keys must be stored in a key vault that resides in the same Azure region as the storage account; this is an inherent constraint.

Why this answer

Option D is correct because Azure Key Vault keys are inherently region-bound; when you create a key vault in a specific Azure region, the key material and its cryptographic operations are confined to that region. By placing the key vault in the same region as the storage account, you ensure that the customer-managed key used for Azure Storage Service Encryption (SSE) can only be accessed and used within that region, satisfying the requirement for region-restricted key usage.

Exam trap

The trap here is that candidates may overthink the solution by focusing on additional security features like soft delete or purge protection, when the core requirement is simply about regional restriction, which is already a default behavior of Azure Key Vault.

How to eliminate wrong answers

Option A is wrong because storing the key in a key vault in each region and using a managed identity does not enforce region-bound key usage; it allows cross-region access if the managed identity is granted permissions, and it introduces unnecessary complexity without addressing the region constraint. Option B is wrong because enabling 'Soft Delete' on a key vault is a data protection feature that prevents accidental deletion of keys, but it does not restrict key usage to a specific region. Option C is wrong because 'Purge Protection' is an additional safeguard that prevents permanent deletion of soft-deleted keys, but it has no effect on the regional scope of key operations.

130
Multi-Select (easy)

Which TWO database-level security features are available in Azure SQL Database to protect sensitive data?

Select 2 answers
A. Azure Information Protection
B. Always Encrypted
C. Dynamic Data Masking
D. Azure AD authentication
E. Azure Disk Encryption
Answers: B, C

Column-level encryption and masking of query results.

Why this answer

Options B and C are correct. Always Encrypted (B) encrypts data at the column level, and Dynamic Data Masking (C) obfuscates data in query results. Option D is wrong because Azure AD authentication is an access control feature, not data protection.

Option A is wrong because Azure Information Protection is a classification service. Option E is wrong because Azure Disk Encryption is for VMs.

131
MCQ (hard)

Refer to the exhibit. You are analyzing the Always Encrypted configuration for an Azure SQL Database. The SSN column uses randomized encryption, and the CreditCard column uses deterministic encryption. Which statement is true regarding querying these columns?

A. Both columns support equality searches.
B. Only the CreditCard column supports equality searches.
C. Both columns support pattern matching with LIKE.
D. Only the SSN column supports point lookups.
Answer: B

Deterministic encryption allows equality comparisons.

Why this answer

Option B is correct. Deterministic encryption allows equality comparisons (e.g., WHERE CreditCard = 'value') because it always generates the same ciphertext for a given plaintext. Randomized encryption does not allow any operations on encrypted data.

Option A is wrong because randomized encryption does not allow equality checks. Option C is wrong because deterministic encryption does not allow pattern matching. Option D is wrong because point lookups rely on equality comparisons, which only the deterministic CreditCard column supports; the randomized SSN column does not.

132
MCQ (medium)

You are designing a backup strategy for Azure Virtual Machines that host a critical database. Compliance requires that backups be stored in a separate Azure region and be immutable for 90 days. What should you use?

A. Azure Backup with Locally Redundant Storage (LRS) and a retention policy of 90 days
B. Azure Backup with Geo-Redundant Storage (GRS) and soft delete enabled
C. Azure Disk Encryption with a backup policy stored in a different region
D. Azure Site Recovery with a recovery plan and retention of 90 days
Answer: B

GRS replicates to a paired region; soft delete provides immutability for 90 days.

Why this answer

Azure Backup with geo-redundant storage (GRS) stores backups in a paired region. Immutable storage for Azure Backup is achieved by enabling soft delete and using backup policies with retention that prevents deletion. Option B is correct.

Option A is incorrect because LRS does not provide cross-region storage. Option D is incorrect because Azure Site Recovery is for disaster recovery, not long-term backup. Option C is incorrect because Azure Disk Encryption encrypts disks but does not provide geo-redundancy or immutability.

133
MCQ (medium)

Your company stores sensitive customer data in Azure Blob Storage. You need to ensure that data at rest is encrypted using a customer-managed key stored in Azure Key Vault. The key must be automatically rotated every 90 days. Which Azure policy should you configure to enforce this requirement?

A. Configure encryption of Azure Blob Storage with customer-managed key stored in Azure Key Vault with automatic key rotation
B. Configure encryption of Azure Blob Storage with customer-managed key stored in Azure Key Vault
C. Configure Transparent Data Encryption for Azure SQL Database with customer-managed key
D. Deploy encryption of Azure Blob Storage using Azure Disk Encryption
Answer: A

Includes both CMK and automatic rotation.

Why this answer

Option A is correct because 'Configure encryption of Azure Blob Storage with customer-managed key stored in Azure Key Vault with automatic key rotation' enforces both CMK and automatic rotation. Options B and D do not include rotation. Option C is for Azure SQL Database, not Blob Storage.

134
MCQ (hard)

Your company has a large number of Azure SQL databases that contain personally identifiable information (PII). You need to classify and protect sensitive columns across all databases. The solution must automatically discover and label sensitive data, and enable auditing of access to that data. What should you implement?

A. Always Encrypted with secure enclaves
B. Microsoft Defender for SQL
C. Dynamic Data Masking
D. Data Discovery & Classification
Answer: D

Automatically discovers and classifies sensitive data.

Why this answer

Option D is correct because Azure SQL Database's Data Discovery & Classification automatically discovers sensitive columns, allows labeling, and integrates with auditing and vulnerability assessment. Option C is wrong because Dynamic Data Masking only masks data; it does not classify. Option A is wrong because Always Encrypted encrypts data at rest but does not classify or audit.

Option B is wrong because Microsoft Defender for SQL provides security alerts and vulnerability assessment, but not classification.

135
MCQ (easy)

You need to secure a Linux virtual machine running a web application in Azure. The solution must ensure that only traffic on port 443 (HTTPS) is allowed from the internet, and that SSH access is restricted to a management subnet. What should you configure?

A. Azure Firewall with application rules to allow HTTPS and SNAT SSH traffic
B. Network Security Group (NSG) on the VM NIC with inbound rules: Allow HTTPS from Internet, Allow SSH from management subnet, Deny all other inbound
C. Application Security Group with a network security group that allows HTTPS and SSH
D. Network Security Group on the subnet with inbound rules: Allow HTTPS from Internet, Allow SSH from management subnet, Deny all other inbound
Answer: B

NSG on NIC provides host-level control.

Why this answer

Option B is correct because an NSG on the VM NIC with inbound rules that allow HTTPS from any source and SSH only from the management subnet achieves the goal. Option A is wrong because Azure Firewall is more complex and costly than needed. Option D is wrong because a network security group attached to the subnet would affect all VMs in that subnet.

Option C is wrong because Application Security Groups are used for grouping VMs, not for filtering traffic.

136
Multi-Select (medium)

Which TWO configurations are required to ensure that an Azure Storage account is accessible only via HTTPS and that access keys are not used?

Select 2 answers
A. Enable blob versioning
B. Set the 'Secure transfer required' property to Enabled
C. Enable diagnostic settings for the storage account
D. Configure the storage account firewall to allow only selected virtual networks
E. Set 'Allow storage account key access' to Disabled
Answers: B, E

Enforces HTTPS for all requests to the storage account.

Why this answer

Option B (secure transfer required) enforces HTTPS. Option E (disable storage account key access) prevents use of access keys. Option D is incorrect because enabling the firewall does not disable access keys.

Option C is incorrect because enabling diagnostic logging does not enforce HTTPS or disable keys. Option A is incorrect because enabling versioning does not affect encryption or key usage.

137
MCQ (hard)

You are designing a secure Azure SQL Database deployment. The database must support real-time analytics and reporting without impacting the performance of the transactional workload. You need to ensure that the reporting queries have an isolated copy of the data that is automatically kept up to date. The solution must also encrypt the data at rest using a customer-managed key. What should you include in the design?

A. Hyperscale service tier with named replicas
B. Active geo-replication with a readable secondary
C. Serverless compute tier with auto-pause
D. Failover groups with automatic failover
Answer: A

Provides isolated read replicas for reporting, supports TDE with CMK.

Why this answer

Option A is correct because the Azure SQL Database Hyperscale service tier with named replicas provides a scalable read-only replica for reporting, and it supports TDE with CMK. Active geo-replication (B) is for disaster recovery, not reporting. Failover groups (D) are for high availability.

Serverless (C) is for compute scaling, not read replicas.

138
MCQ (easy)

You need to ensure that all data at rest in an Azure Storage account is encrypted using a customer-managed key. Which feature should you enable?

A. Azure Disk Encryption
B. Azure Storage Service Encryption (SSE) with platform-managed key
C. Azure Storage Service Encryption with customer-managed key
D. Azure Information Protection
Answer: C

Allows you to use your own key from Azure Key Vault for encryption at rest.

Why this answer

Azure Storage Service Encryption with customer-managed keys allows you to use your own key stored in Azure Key Vault. Option C is correct because it uses CMK. Option B is incorrect because SSE with a platform-managed key uses Microsoft-managed keys.

Option A is incorrect because Azure Disk Encryption is for VMs. Option D is incorrect because Azure Information Protection is for classification and labeling.

139
MCQ (hard)

You are designing a secure backup strategy for Azure Virtual Machines. The backup data must be encrypted at rest and in transit. Which combination should you use?

A. Azure Backup automatically encrypts data at rest using Azure Storage Service Encryption and in transit using HTTPS
B. Azure Storage Service Encryption and HTTPS
C. Azure Backup with customer-managed keys and enforced HTTPS
D. Azure Disk Encryption on the VMs and Azure Backup
Answer: A

Azure Backup encrypts backup data at rest with SSE and in transit with HTTPS without additional configuration.

Why this answer

Azure Backup uses SSE for encryption at rest and HTTPS for in-transit encryption, so Option A is correct. Option D is wrong because Azure Disk Encryption encrypts VM disks but not backup data.

Option C is wrong because Azure Backup already uses SSE and HTTPS automatically; no additional configuration is needed. Option B is wrong because Azure Storage Service Encryption applies to storage accounts, and backup data is already protected by SSE.

140
MCQ (hard)

A company uses Azure Cosmos DB with SQL API to store user profiles. They need to ensure that only authorized applications can access the data, and that the data is encrypted in transit and at rest. Currently, the application uses a master key to connect. What should they implement to improve security?

A. Use resource tokens with permissions for each user
B. Enable a private endpoint for Cosmos DB
C. Configure IP firewall rules on the Cosmos DB account
D. Enable managed identity for the application and grant it access to Cosmos DB via Azure RBAC
Answer: D

Eliminates master keys and uses Azure AD authentication for secure access.

Why this answer

Using managed identities for Azure resources eliminates the need for master keys by allowing the application to authenticate to Azure Cosmos DB via Azure AD. Option D is correct. Option C is incorrect because the IP firewall restricts network access but does not address key management.

Option B is incorrect because private endpoints improve network security but still require authentication. Option A is incorrect because resource tokens are for granular user-level access, not application authentication.

141
MCQ (hard)

You are deploying a multi-tier application on Azure Kubernetes Service (AKS). The application uses Azure Disks for persistent storage. You need to ensure that the disks are encrypted at rest using a customer-managed key stored in a Key Vault in a different region. What should you do?

A. Enable Azure Disk Encryption (ADE) using Azure Key Vault in the same region as AKS.
B. Use server-side encryption (SSE) with platform-managed keys.
C. Use Azure Storage Service Encryption (SSE) with customer-managed keys from the remote Key Vault.
D. Configure a disk encryption set (DES) with a customer-managed key from a Key Vault in the same region as the disks.
Answer: D

DES requires same region; cross-region CMK is not supported for disks.

Why this answer

Server-side encryption with customer-managed keys through a disk encryption set requires the Key Vault to be in the same region as the disks, so Option D is correct. Option B is wrong because server-side encryption with platform-managed keys does not use customer keys.

Option C is wrong because the CMK must be in the same region as the disks, so a remote Key Vault cannot be used. Option A is wrong because Azure Disk Encryption (ADE) with Key Vault also requires the Key Vault to be in the same region.

142
MCQ (hard)

A healthcare organization stores sensitive patient data in Azure SQL Database. They need to encrypt specific columns containing medical history so that even database administrators with the 'sysadmin' role cannot view the plaintext data. Additionally, they need to support equality comparisons (WHERE clauses) on the encrypted columns. Which encryption technology should they implement?

A. Transparent Data Encryption (TDE)
B. Always Encrypted with randomized encryption
C. Always Encrypted with deterministic encryption
D. Dynamic Data Masking
Answer: C

Deterministic encryption allows equality searches by generating consistent ciphertext for a given plaintext, and keys are stored client-side, preventing DBAs from decrypting.

Why this answer

Always Encrypted with deterministic encryption is correct because it encrypts specific columns at the client side, ensuring that even database administrators with 'sysadmin' role cannot view plaintext data. Deterministic encryption generates the same ciphertext for identical plaintext values, which allows equality comparisons (WHERE clauses) on encrypted columns, meeting both requirements.

Exam trap

The trap here is that candidates confuse Dynamic Data Masking with encryption, thinking it prevents privileged users from seeing data, when in fact it only masks output and does not protect data at rest or from direct queries by sysadmins.

How to eliminate wrong answers

Option A is wrong because Transparent Data Encryption (TDE) encrypts the entire database at rest but does not protect data from database administrators who have access to the database engine; they can still query plaintext data. Option B is wrong because Always Encrypted with randomized encryption does not support equality comparisons (WHERE clauses) on encrypted columns, as it produces different ciphertext for the same plaintext each time. Option D is wrong because Dynamic Data Masking only obfuscates data at query result time but does not encrypt the underlying data, so administrators with 'sysadmin' role can still access plaintext by running queries without masking.

143
MCQ (easy)

Your company uses Azure Files shares for user home directories. Security policy requires that all data be encrypted at rest and in transit. You have enabled encryption at rest using Azure Storage Service Encryption (SSE). For encryption in transit, you require SMB clients to use SMB 3.0 or later with encryption. You configure the storage account to require secure transfer. A user reports that they cannot mount the file share from a Windows 10 machine that is not domain-joined. The user can mount other file shares without issues. What is the most likely reason for the failure?

A. The storage account firewall is blocking the client's public IP address.
B. The user's machine is not domain-joined, so it cannot authenticate to Azure Files.
C. Azure Files only supports SMB 2.1, and the client is trying to use SMB 3.0.
D. The client machine does not support SMB 3.0 encryption, which is required when secure transfer is enabled.
Answer: D

Secure transfer enforces encryption; the client must support it.

Why this answer

Option D is correct: when secure transfer is required, SMB 3.0 with encryption is mandatory. If the client does not support SMB encryption (e.g., due to an older OS or misconfiguration), the mount will fail. Option B: Azure Files supports SMB mounts from non-domain-joined machines.

Option C: Azure Files supports both SMB protocols. Option A: the storage firewall is not the issue if the user can mount other shares.

144
MCQ (medium)

A company stores sensitive data in Azure Blob Storage. They want to encrypt the data at rest using customer-managed keys (CMK) stored in Azure Key Vault. Additionally, they want the key to be automatically rotated every 90 days without manual intervention. Which configuration should they implement?

A. Enable Azure Storage encryption with a CMK and configure a rotation policy on the storage account.
B. Enable Azure Storage encryption with a CMK and enable automatic key rotation in Azure Key Vault by creating a rotation policy.
C. Enable Azure Storage encryption with a CMK and manually rotate the key every 90 days.
D. Use Azure Storage service-side encryption with platform-managed keys and enforce rotation via Azure Policy.
Answer: B

Key Vault rotation policy handles automatic key version updates. The storage account can be configured to use the key URI without a specific version to pick up new versions automatically.

Why this answer

Option B is correct because Azure Key Vault supports automatic key rotation through a rotation policy, which can be configured to rotate a customer-managed key (CMK) every 90 days without manual intervention. When Azure Storage encryption uses a CMK stored in Key Vault, the storage account references the key version, and enabling a rotation policy in Key Vault automatically creates new key versions, which Azure Storage then uses for encryption. This satisfies the requirement for automated 90-day rotation without manual steps.

Exam trap

The trap here is that candidates confuse where the rotation policy is configured—thinking it is on the storage account (Option A) rather than in Azure Key Vault, or they assume platform-managed keys can be scheduled for rotation (Option D), which is not supported.

How to eliminate wrong answers

Option A is wrong because a rotation policy cannot be configured on the storage account itself; key rotation is managed in Azure Key Vault, not on the storage account resource. Option C is wrong because it requires manual rotation every 90 days, which contradicts the requirement for automatic rotation without manual intervention. Option D is wrong because platform-managed keys (PMK) cannot be rotated on a custom schedule; they are managed entirely by Microsoft, and Azure Policy cannot enforce a specific rotation interval for PMKs.

145
MCQ (easy)

You need to restrict access to an Azure Storage account so that only traffic from a specific virtual network (VNet) subnet is allowed. Which Azure Storage firewall setting should you configure?

A. Create a private endpoint for the storage account.
B. Enable service endpoints on the subnet and add an IP rule.
C. Add a firewall rule with the subnet's public IP address range.
D. Add a virtual network rule that references the VNet and subnet.
Answer: D

This allows traffic from that subnet.

Why this answer

Option D is correct because Storage firewall rules can restrict access to specific VNets and subnets by adding a 'Virtual Network' rule. Option C is wrong because IP rules allow specific public IPs, not VNets. Option A is wrong because a private endpoint is a separate feature that uses private IPs and requires Private Link.

Option B is wrong because service endpoints are a prerequisite, but the rule type to add is 'Virtual Network', not an IP rule.

146
MCQ (medium)

Your company uses Azure Storage to store sensitive customer data. You need to ensure that only authorized applications running on Azure VMs can access the storage account without using shared keys or SAS tokens. What should you configure?

A.Use Azure AD authentication with storage account access keys.
B.Enable Azure Storage firewall, deny access from all networks, and add a private endpoint. Then assign a managed identity to the VMs and grant it the necessary RBAC role.
C.Configure a storage account key and distribute it to the applications.
D.Generate a SAS token with IP restrictions and embed it in the application code.
AnswerB

This configuration ensures access only from authorized VMs using managed identity, eliminating shared keys.

Why this answer

Option B is correct because Azure Storage firewall with service endpoints or private endpoints, combined with managed identity, allows secure access without shared keys or SAS tokens. Option A is wrong because it still relies on storage account access keys, which are shared keys. Option C is wrong because distributing a storage account key is shared-key access.

Option D is wrong because a SAS token is a shared access signature.

147
MCQeasy

You need to ensure that all new blobs uploaded to an Azure Storage account are automatically encrypted at rest. What is the simplest way to achieve this?

A.Use Azure Disk Encryption on any VMs writing to storage.
B.Implement client-side encryption in the application.
C.Enable Azure Storage Service Encryption (SSE) on the storage account.
D.Configure a customer-managed key in Azure Key Vault.
AnswerC

SSE is enabled by default and encrypts all data.

Why this answer

Option C is correct because Azure Storage automatically encrypts all data at rest using Azure Storage Service Encryption (SSE). This is enabled by default and requires no configuration. Option D is wrong because customer-managed keys (CMK) are optional and provide additional control, not the simplest path.

Option B is wrong because client-side encryption requires application changes. Option A is wrong because Azure Disk Encryption is for VM disks.

148
MCQmedium

You are deploying a new application on Azure VMs. The application must be encrypted at rest and during transmission. Which combination of features should you implement?

A.Azure Firewall and Azure Disk Encryption
B.Azure Disk Encryption and HTTPS
C.Azure Storage Service Encryption and SSL
D.Azure Disk Encryption and SSL
AnswerB

Disk Encryption secures data at rest; HTTPS secures data in transit.

Why this answer

Option B is correct because Azure Disk Encryption provides at-rest encryption for managed disks using BitLocker or DM-Crypt, while HTTPS ensures encryption in transit. Option C is wrong because Azure Storage Service Encryption only encrypts data in Azure Storage, not on VM disks. Option D is wrong because SSL covers transit while Azure Disk Encryption covers at-rest, but HTTPS is the expected transport protection for the application.

Option A is wrong because Azure Firewall provides network security, not encryption.

149
MCQmedium

A company uses Azure Blob Storage to store archival data that is rarely accessed. The security policy requires that the data must be encrypted at rest using a unique Microsoft-managed key per storage account, and the data must be stored cost-effectively while allowing retrieval within 15 minutes. Which storage account type and encryption configuration should they choose?

A.BlockBlobStorage account with infrastructure encryption
B.BlobStorage account with Hot access tier and default encryption
C.General-purpose v2 account with Cool access tier and default encryption
D.General-purpose v1 account with Archive access tier and default encryption
AnswerC

GPv2 accounts support Cool tier (low cost, retrieval within minutes) and default SSE with unique Microsoft-managed keys.

Why this answer

Option C is correct because a General-purpose v2 (GPv2) storage account supports the Cool access tier, which is cost-effective for rarely accessed data, and uses default Microsoft-managed encryption keys (SSE) that are unique per storage account. The Cool tier allows data retrieval within minutes (typically under 15 minutes for blob rehydration), meeting the recovery time objective.

Exam trap

The trap here is that candidates often confuse the Archive tier's long retrieval time (up to 15 hours) with the Cool tier's near-instant access, or assume that a specialized account type like BlockBlobStorage is required for encryption features, when in fact default SSE on GPv2 meets the unique key requirement.

How to eliminate wrong answers

Option A is wrong because BlockBlobStorage accounts are optimized for high transaction rates and block blobs, not for archival data, and infrastructure encryption adds an extra layer of encryption but does not affect key uniqueness or cost-effectiveness. Option B is wrong because the Hot access tier is designed for frequently accessed data and incurs higher storage costs, making it unsuitable for rarely accessed archival data. Option D is wrong because General-purpose v1 accounts do not support access tiers (Hot/Cool/Archive) and the Archive tier has a retrieval time of up to 15 hours, which exceeds the 15-minute requirement.

150
MCQeasy

You are configuring security for an Azure App Service web app that connects to an Azure SQL Database. You need to ensure that the database connection string does not contain credentials in plaintext. What should you use?

A.Store the connection string in the web.config file with encryption.
B.Store the connection string in Azure Key Vault and use a Key Vault reference in the App Service application settings.
C.Store the connection string in Azure App Configuration with encryption.
D.Store the connection string in an App Service application setting without encryption.
AnswerB

This keeps credentials secure and managed centrally.

Why this answer

Option B is correct because Azure Key Vault securely stores secrets, and App Service can reference them via Key Vault references. Option D is wrong because an unencrypted App Service application setting can be seen in configuration. Option A is wrong because a connection string in web.config is effectively plaintext on the web server.

Option C (App Configuration with encryption) is possible, but Key Vault is the standard for secrets.
