CCNA Manage Identity And Access Questions

75 of 177 questions · Page 1/3 · Manage Identity And Access topic · Answers revealed

1
MCQ · medium

A company uses Microsoft Defender for Cloud. The security team wants to receive a weekly email digest that includes the current Secure Score, the number of healthy and unhealthy resources, and a list of top recommendations. Which Defender for Cloud feature should they configure?

A. Regulatory Compliance dashboard
B. Security policies
C. Email notifications for alerts and weekly digests
D. Continuous Export
Answer: C

Under Defender for Cloud's settings, you can configure email notifications. This includes a weekly digest that contains the Secure Score, resource health summary, and top recommendations. You can specify recipients.

Why this answer

Option C is correct because Microsoft Defender for Cloud provides a built-in 'Email notifications for alerts and weekly digests' feature that allows security teams to configure a weekly email containing the current Secure Score, the number of healthy and unhealthy resources, and a list of top recommendations. This feature is specifically designed to deliver a summary of the security posture directly to recipients without requiring manual export or custom automation.

Exam trap

The trap here is that candidates often confuse the weekly digest feature with Continuous Export, assuming that exporting data to a third-party system is the only way to get a summary, but Defender for Cloud has a native email notification feature specifically for this purpose.

How to eliminate wrong answers

Option A is wrong because the Regulatory Compliance dashboard displays compliance posture against standards (e.g., SOC 2, ISO 27001) and does not generate weekly email digests with Secure Score or resource health counts. Option B is wrong because Security policies define the rules and initiatives that govern resource compliance (e.g., enabling MFA or encryption), but they do not include any notification or email delivery mechanism for weekly summaries. Option D is wrong because Continuous Export streams security data (e.g., alerts, recommendations) to Log Analytics or Event Hubs for external processing, but it does not natively generate or send weekly email digests with Secure Score and resource health summaries.

2
MCQ · medium

A security analyst is using Microsoft Sentinel to investigate a security incident. The analyst needs to view all related events, alerts, and entities (users, IPs, hosts) in a single, interactive graph to understand the full scope of the attack. Which Microsoft Sentinel feature should they use?

A. Incident timeline
B. Investigation graph
C. Hunting
D. Analytics rules
Answer: B

The investigation graph allows analysts to visually explore entities and alerts related to an incident. It shows connections and helps identify the scope of an attack.

Why this answer

The Investigation graph in Microsoft Sentinel provides an interactive, visual map that correlates all related events, alerts, and entities (such as users, IPs, and hosts) for a given incident. This allows the analyst to explore the full scope of an attack by dragging and dropping entities to uncover hidden relationships, making it the correct feature for this scenario.

Exam trap

The trap here is that candidates often confuse the Incident timeline (which shows a linear history) with the Investigation graph (which shows relational connections), leading them to choose the timeline option when the question explicitly asks for an interactive graph to understand the full scope of an attack.

How to eliminate wrong answers

Option A is wrong because the Incident timeline shows a chronological list of activities and changes for an incident, but it does not provide an interactive graph with entities and relationships. Option C is wrong because Hunting is a proactive search for threats using queries and bookmarks, not a tool for viewing all related events and entities in a single graph for an existing incident. Option D is wrong because Analytics rules are used to create detection logic that generates alerts and incidents, not to visualize or investigate the relationships between events and entities in an existing incident.

3
MCQ · easy

A company uses Azure Active Directory and has guest users invited via B2B collaboration. The security team wants to require that all guest users from specific external organizations must complete multi-factor authentication (MFA) when accessing the company's SaaS applications. Which Conditional Access policy configuration should they use?

A. Create a policy that applies to 'All users' with a condition for 'Guest or external users' and a grant control of 'Require multi-factor authentication'.
B. Create a policy that applies to 'Guest or external users' with a condition for 'External tenants' specifying the organizations, and a grant control of 'Require multi-factor authentication'.
C. Create a policy that applies to 'All guest users' and assign it to the SaaS applications. Use a session control 'Use app enforced restrictions'.
D. Create a policy that applies to 'Guest or external users' with a condition for 'Sign-in risk' set to 'Medium and above' and a grant control of 'Block access'.
Answer: B

This correctly scopes the policy to guest users from specific external tenants and enforces MFA as a grant control.

Why this answer

Option B is correct because it uses the 'External tenants' condition within a Conditional Access policy targeting 'Guest or external users' to specify the exact organizations from which guests must complete MFA. This directly meets the requirement to scope MFA enforcement to specific external organizations, not all guests. The 'Require multi-factor authentication' grant control ensures MFA is enforced for those guests when accessing SaaS applications.

Exam trap

The trap here is that candidates confuse the broad 'Guest or external users' identity with the granular 'External tenants' condition, mistakenly thinking that selecting 'Guest or external users' alone is sufficient to scope MFA to specific organizations.

How to eliminate wrong answers

Option A is wrong because applying the policy to 'All users' would include internal users, not just guests from specific external organizations, and the 'Guest or external users' condition alone does not filter by specific organizations. Option C is wrong because 'All guest users' applies to all guests regardless of their home organization, and 'Use app enforced restrictions' is a session control that relies on the application itself to enforce restrictions, not a grant control for MFA. Option D is wrong because the 'Sign-in risk' condition targets risky sign-ins based on Microsoft's risk detection, not specific external organizations, and 'Block access' prevents access entirely rather than requiring MFA.

4
Multi-Select · hard

An enterprise app requests tenant-wide admin consent for Microsoft Graph permissions. Security wants to prevent unreviewed user consent while allowing approved apps. Which two controls help meet this requirement?

Select 2 answers
A. Configure admin consent workflow
B. Allow all users to grant consent to any app
C. Restrict user consent settings and review publisher verification/permissions
D. Disable service principals globally
Answers: A, C

Correct for the stated requirement.

Why this answer

Option A is correct because the admin consent workflow allows users to request admin approval for apps they want to consent to, ensuring that no unreviewed user consent is granted while still enabling approved apps. This workflow routes consent requests to designated administrators for review, meeting the security requirement of preventing unreviewed user consent.

Exam trap

The trap here is that candidates often confuse the admin consent workflow with simply blocking all user consent, but the workflow allows controlled approval of specific apps, which is the precise requirement for preventing unreviewed consent while still enabling approved apps.

5
MCQ · medium

A company uses Azure AD Privileged Identity Management (PIM) to manage the 'Security Administrator' role. They want to require that activation of this role must be approved by a designated group of security engineers before it becomes active. Which PIM role setting should they configure?

A. Activation maximum duration (hours)
B. MFA on activation
C. Require approval
D. Require justification on activation
Answer: C

Enabling 'Require approval' in the PIM role settings means a user's activation request must be approved by designated approvers. This ensures that role activation is reviewed by a security team.

Why this answer

Option C is correct because Azure AD PIM's 'Require approval' setting enforces that a designated group of approvers must authorize each activation request before the role becomes active. This directly meets the requirement for approval by security engineers, ensuring that role activation is gated by explicit consent rather than being automatic.

Exam trap

The trap here is that candidates often confuse 'Require justification' or 'MFA on activation' with approval workflows, but neither introduces a separate approval step by a designated group—they only add authentication or logging requirements.

How to eliminate wrong answers

Option A is wrong because 'Activation maximum duration (hours)' controls how long a role can remain active after approval, not the approval process itself. Option B is wrong because 'MFA on activation' enforces multi-factor authentication during activation but does not introduce a separate approval step by a designated group. Option D is wrong because 'Require justification on activation' mandates a reason for activation but does not require approval from another party.

6
MCQ · medium

A company uses Azure AD B2B collaboration to invite external partner users. The security policy requires that guest users who have not signed in for more than 90 days should have their access automatically reviewed and, if not approved, removed. The company has Azure AD Premium P2 licenses. Which Azure AD feature should they configure to meet this requirement?

A. Enable automatic user deletion in the Azure AD B2B collaboration settings.
B. Create a Conditional Access policy that blocks sign-ins for guest users who haven't authenticated in 90 days.
C. Configure an Azure AD Access Review that reviews guest user access and automatically removes access after 90 days of inactivity.
D. Use Azure AD Identity Protection to detect guest user sign-in anomalies and revoke sessions.
Answer: C

Access Reviews can be configured to run periodically (e.g., quarterly) and include only guest users. The review can be set to automatically remove users who do not respond or who are not approved, effectively removing access for inactive guests.

Why this answer

Option C is correct because Azure AD Access Reviews, available with Azure AD Premium P2 licenses, allow you to create recurring reviews that specifically target guest users who have not signed in for a specified period (e.g., 90 days). The review can be configured to automatically remove access if the reviewer does not approve, directly meeting the requirement for automatic review and removal after 90 days of inactivity.

Exam trap

The trap here is that candidates often confuse blocking sign-ins via Conditional Access (Option B) with actually removing access, but Conditional Access only prevents future authentication and does not revoke existing permissions or trigger a review workflow.

How to eliminate wrong answers

Option A is wrong because Azure AD B2B collaboration settings do not include an 'automatic user deletion' feature; user deletion must be performed manually or via automated scripts, and there is no built-in inactivity-based deletion in those settings. Option B is wrong because a Conditional Access policy can block sign-ins based on sign-in frequency or risk, but it cannot automatically remove guest user access or trigger a review process; it only prevents future sign-ins without addressing existing access. Option D is wrong because Azure AD Identity Protection is designed to detect and respond to sign-in anomalies and risky behaviors, not to manage inactivity-based access reviews or removals for guest users.

7
MCQ · medium

An organization wants to export Defender for Cloud recommendations and alerts into a central Log Analytics workspace for retention and hunting. Which feature should they use?

A. Microsoft Defender External Attack Surface Management
B. Continuous export
C. Microsoft Entra access reviews
D. Azure Monitor autoscale
Answer: B

Correct for the stated requirement.

Why this answer

Continuous export is the correct feature because it allows you to stream Defender for Cloud security alerts and recommendations to a Log Analytics workspace for long-term retention and custom hunting queries. This feature supports both real-time and scheduled export of security data, enabling centralized monitoring and compliance auditing. It directly addresses the requirement to export Defender for Cloud data into a Log Analytics workspace without additional third-party tools.

Exam trap

The trap here is that candidates may confuse 'Continuous export' with 'Azure Monitor autoscale' or 'External Attack Surface Management' because they all involve monitoring or scaling, but only continuous export directly addresses the requirement to export Defender for Cloud data to Log Analytics.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender External Attack Surface Management (EASM) is a service for discovering and mapping an organization's external attack surface, not for exporting Defender for Cloud alerts or recommendations to Log Analytics. Option C is wrong because Microsoft Entra access reviews are used for managing identity governance, such as reviewing group memberships and application access, and have no capability to export security alerts or recommendations. Option D is wrong because Azure Monitor autoscale is a feature that automatically adjusts the number of compute resources based on demand, and it does not handle the export of security data to Log Analytics.

8
MCQ · hard

A company uses Azure AD Privileged Identity Management (PIM) for the Security Administrator role. The security policy requires that when a user activates the Security Administrator role, they must: 1) Provide a justification, 2) Get approval from a designated security group, and 3) The activation must last a maximum of 4 hours. Which combination of PIM settings should they configure?

A. Enable 'Require justification', 'Require approval', and set 'Maximum activation duration' to 4 hours. Assign the security group as the approver.
B. Enable 'Require justification', 'Require ticket information', and set 'Maximum activation duration' to 8 hours.
C. Enable 'Require approval' and set 'Maximum activation duration' to 4 hours. Do not require justification.
D. Enable 'Require Azure MFA on activation', 'Require justification', and set 'Maximum activation duration' to 4 hours.
Answer: A

This meets all three requirements: justification is required, approval from the security group is required, and the activation duration is limited to 4 hours.

Why this answer

Option A is correct because Azure AD PIM allows you to enforce all three requirements: justification, approval from a specified security group, and a maximum activation duration. By enabling 'Require justification' and 'Require approval' and setting the 'Maximum activation duration' to 4 hours, you meet the security policy exactly. The approval step requires assigning a designated security group as the approver, which is supported in PIM role settings.

Exam trap

The trap here is that candidates often confuse 'Require justification' with 'Require ticket information' or assume that MFA is always required for activation, but the question explicitly lists only three requirements—justification, approval, and 4-hour duration—so any extra or missing settings make the option incorrect.

How to eliminate wrong answers

Option B is wrong because it includes 'Require ticket information' instead of 'Require approval', and sets the maximum activation duration to 8 hours instead of the required 4 hours. Option C is wrong because it omits 'Require justification', which is a mandatory policy requirement. Option D is wrong because it includes 'Require Azure MFA on activation' (not required by the policy) and omits 'Require approval', which is explicitly required.

9
MCQ · medium

A security team uses Microsoft Sentinel. They want to create a custom analytics rule that generates an incident whenever a user from a list of known malicious IP addresses attempts to sign in to any Azure AD app. They have imported the IP list into Sentinel using Threat Intelligence. Which rule type should they use?

A. Scheduled query rule
B. Near-real-time (NRT) rule
C. Microsoft Security rule
D. Anomaly rule
Answer: A

Scheduled query rules run your KQL query periodically and can generate incidents based on matches. They support matching against threat intelligence tables.

Why this answer

A scheduled query rule is the correct choice because it allows you to run a KQL query at a defined interval (e.g., every 5 minutes) to match sign-in events from IP addresses in a Threat Intelligence indicator. This rule type supports alert grouping and incident creation based on the query results, making it ideal for correlating Azure AD sign-in logs with a known malicious IP list imported via Threat Intelligence.

Exam trap

The trap here is that candidates often confuse NRT rules with scheduled queries, assuming 'near-real-time' is always better for threat intelligence matching, but NRT rules lack the ability to join against the ThreatIntelligenceIndicator table, making scheduled queries the only viable option for this use case.

How to eliminate wrong answers

Option B (NRT rule) is wrong because NRT rules run continuously with a near-real-time latency of 1-2 minutes but cannot reference Threat Intelligence indicators directly; they are designed for high-frequency, low-latency detection on streaming data without the ability to join against static or dynamic indicator lists. Option C (Microsoft Security rule) is wrong because it is used to create incidents from alerts generated by Microsoft security products (e.g., Microsoft Defender for Cloud, Microsoft 365 Defender), not from custom KQL queries against imported threat intelligence. Option D (Anomaly rule) is wrong because anomaly rules use machine learning to detect unusual patterns in data over time, not to match specific known malicious IP addresses from a predefined list.
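The scheduled-rule pattern the explanation above describes, shown as an added KQL example that is not part of the question bank: the query takes the latest active, unexpired IP indicators from the ThreatIntelligenceIndicator table and joins them against SigninLogs. The lookback values, the column list in the final project, and the assumption that the rule runs every 5 minutes over a 5-minute window are choices made for this example, not requirements stated on the page.

```kql
// Added example: scheduled analytics rule query matching Azure AD sign-ins
// against IP indicators imported through Sentinel Threat Intelligence.
// Assumes the workspace holds SigninLogs and ThreatIntelligenceIndicator and that
// the rule's frequency and lookback are both 5 minutes (dt_lookBack).
let dt_lookBack = 5m;     // window of sign-in events inspected on each run
let ioc_lookBack = 14d;   // how far back to pick up indicator updates
// Keep only the most recent version of each indicator that is active and not yet expired.
let ip_indicators = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
    | where Active == true
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP)
    | extend TI_ipEntity = coalesce(NetworkIP, NetworkSourceIP);
ip_indicators
| join kind=innerunique (
    SigninLogs
    | where TimeGenerated >= ago(dt_lookBack)
    | extend SigninLogs_TimeGenerated = TimeGenerated
) on $left.TI_ipEntity == $right.IPAddress
// Count the hit only if the indicator was still valid when the sign-in happened.
| where SigninLogs_TimeGenerated < ExpirationDateTime
| project SigninLogs_TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName,
          ResultType, Description, ConfidenceScore, IndicatorId
// In the rule wizard, map the Account entity to UserPrincipalName and the IP entity to IPAddress
// so the resulting incident carries both entities for investigation.
```

Keep the rule's "Run query every" interval equal to `dt_lookBack`; a lookback longer than the interval re-alerts on the same sign-ins, and a shorter one skips events. Failed sign-ins (non-zero ResultType) are deliberately kept, since an attempt from a listed IP is itself the signal.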

10
MCQ · medium

A security analyst uses Microsoft Sentinel. They have created a playbook that tags Azure VMs as 'isolated' when a high-severity malware alert is triggered. They want this playbook to run automatically whenever a related alert is generated. Which feature should they configure?

A. Automation rule.
B. Scheduled analytics rule.
C. Incident creation rule.
D. Workbook.
Answer: A

Correct. Automation rules can be set to run a playbook automatically when an incident is created or updated, based on alert conditions.

Why this answer

Automation rules in Microsoft Sentinel allow you to define triggers that automatically run playbooks when specific alerts or incidents are created. In this scenario, the playbook tags Azure VMs as 'isolated' upon a high-severity malware alert, and an automation rule can be configured to run that playbook automatically whenever such an alert is generated, without manual intervention.

Exam trap

The trap here is that candidates often confuse automation rules with analytics rules, mistakenly thinking that scheduled analytics rules can directly trigger playbooks, but analytics rules only generate alerts and do not natively invoke automated responses.

How to eliminate wrong answers

Option B is wrong because scheduled analytics rules are used to periodically query data and generate alerts based on predefined schedules, not to trigger automated responses like running playbooks. Option C is wrong because incident creation rules are not a native feature in Microsoft Sentinel; incidents are created automatically from alerts, and there is no separate rule type for incident creation that triggers playbooks. Option D is wrong because workbooks are visualization tools for dashboards and reports, not mechanisms for automating response actions like running playbooks.

11
MCQ · hard

A Sentinel watchlist contains high-value administrator accounts. Which KQL pattern best uses it in a detection rule?

A. Load the watchlist with _GetWatchlist() and join or filter SigninLogs by the account identifier
B. Export the watchlist to CSV and manually compare it after alerts fire
C. Use the watchlist as a replacement for the SigninLogs table
D. Attach the watchlist to a workbook without changing the detection query
Answer: A

Correct for the stated requirement.

Why this answer

Option A is correct because the `_GetWatchlist()` function in KQL allows you to dynamically load a Sentinel watchlist into a query. By joining or filtering `SigninLogs` against the watchlist's account identifier field, you can create a detection rule that triggers only when a high-value administrator account (defined in the watchlist) performs a sign-in, enabling precise, automated alerting without manual intervention.

Exam trap

The trap here is that candidates confuse a watchlist as a static data source that can replace log tables, rather than understanding it as a reference dataset that must be explicitly joined or filtered within a KQL query to be useful in detection rules.

How to eliminate wrong answers

Option B is wrong because exporting a watchlist to CSV and manually comparing it after alerts fire defeats the purpose of automation and real-time detection; it introduces latency and human error, which is not a valid KQL pattern for a detection rule. Option C is wrong because a watchlist is a reference dataset (a list of values), not a log table like `SigninLogs`; it cannot replace a table that contains event data, and attempting to use it as such would result in a query error or no meaningful results. Option D is wrong because attaching a watchlist to a workbook only visualizes data in a dashboard; it does not integrate the watchlist into the detection query logic, so the detection rule would not use the watchlist to filter or alert on high-value accounts.
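A concrete form of the Option A pattern, added here as an example that is not part of the question bank: the query loads the watchlist with `_GetWatchlist()`, joins it to SigninLogs on the account identifier, and alerts when a listed account accumulates failed sign-ins. The watchlist alias `HighValueAdmins`, the use of its SearchKey column for the user principal name, the 1-hour window and the threshold of 5 failures are all assumptions of this example.

```kql
// Added example: detection query that scopes SigninLogs to accounts held in a
// Sentinel watchlist. Assumes a watchlist with alias 'HighValueAdmins' whose
// SearchKey column holds the account UPN (hypothetical names), and a rule
// scheduled to run hourly over a 1-hour lookback.
let high_value_admins = _GetWatchlist('HighValueAdmins')
    | project WatchedUpn = tolower(SearchKey);   // normalise case once, on the reference set
SigninLogs
| where TimeGenerated >= ago(1h)
| extend Upn = tolower(UserPrincipalName)      // and once on the event side, so the join is case-insensitive
| join kind=inner high_value_admins on $left.Upn == $right.WatchedUpn
| where ResultType != "0"                       // non-zero ResultType = failed sign-in
| summarize FailedAttempts = count(),
            DistinctIPs = dcount(IPAddress),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by UserPrincipalName
| where FailedAttempts >= 5
// Map the Account entity to UserPrincipalName in the rule wizard; the watchlist
// can be edited later without touching this query.
```

The join, rather than a hard-coded list of names, is what makes the rule maintainable: adding or removing an administrator is a watchlist edit, not a rule change. Filtering with `where Upn in (high_value_admins)` is an equally valid form when no watchlist columns need to be carried into the result.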

12
MCQ · medium

A security team uses Microsoft Defender for Cloud. They have assigned a custom regulatory compliance initiative that includes policies to enforce encryption on storage accounts and SQL databases. They want to automatically remediate any non-compliant resources as soon as they are created, without manual intervention. Which feature should they configure?

A. Security policies (assignments)
B. Azure Policy with a 'DeployIfNotExists' effect
C. Just-in-time VM access
D. Adaptive application controls
Answer: B

The 'DeployIfNotExists' effect ensures that non-compliant resources are automatically modified to meet the policy requirement upon creation.

Why this answer

The 'DeployIfNotExists' effect in Azure Policy automatically deploys a resource (e.g., encryption configuration) when a non-compliant resource is created or updated, without manual intervention. This aligns with the requirement to remediate non-compliant storage accounts and SQL databases as soon as they are provisioned, as part of a custom regulatory compliance initiative assigned via Defender for Cloud.

Exam trap

The trap here is that candidates often confuse 'DeployIfNotExists' with 'AuditIfNotExists' or assume that simply assigning a policy (Option A) will automatically fix non-compliant resources, but only 'DeployIfNotExists' provides automatic remediation without manual steps.

How to eliminate wrong answers

Option A is wrong because Security policies (assignments) in Defender for Cloud only define which initiatives and standards are applied to a scope; they do not perform automatic remediation of non-compliant resources. Option C is wrong because Just-in-time VM access is a security control for managing VM inbound traffic and has no role in enforcing encryption on storage accounts or SQL databases. Option D is wrong because Adaptive application controls are used to create allowlists for running applications on Azure VMs, not for deploying encryption configurations to storage or SQL resources.

13
MCQ · medium

A company uses Azure AD Privileged Identity Management (PIM) to manage the 'Security Administrator' role. They want a user to be able to activate this role for a maximum of 2 hours per activation. Which PIM setting should they configure?

A. Set the 'Activation maximum duration' to 2 hours in the role settings for Security Administrator.
B. Set the 'Expire eligible assignments after' to 2 hours in the role settings.
C. Enable 'Require justification' and 'Require approval' to ensure the role is not misused.
D. Set the 'Activation maximum duration' to 1 hour and the user can activate twice.
Answer: A

This setting directly controls the maximum time a role can be active after activation.

Why this answer

Option A is correct because the 'Activation maximum duration' setting in Azure AD PIM role settings directly controls the maximum time a user can remain active in an eligible role after activation. By setting this to 2 hours, the user will be able to activate the Security Administrator role for up to 2 hours per activation, after which the role assignment expires automatically.

Exam trap

The trap here is confusing 'Activation maximum duration' (the time a role is active after activation) with 'Expire eligible assignments after' (the time a user remains eligible to activate), leading candidates to incorrectly choose Option B.

How to eliminate wrong answers

Option B is wrong because 'Expire eligible assignments after' controls how long a user can remain eligible for the role before their eligibility expires, not the duration of an activation. Option C is wrong because 'Require justification' and 'Require approval' are additional security controls that do not limit the activation duration; they enforce auditing and approval workflows but do not set a time limit. Option D is wrong because setting the 'Activation maximum duration' to 1 hour would limit each activation to 1 hour, and the user activating twice does not achieve a 2-hour continuous activation; the maximum duration per activation is a single session limit, not a cumulative allowance.

14
MCQ · medium

An organization is deploying Microsoft Sentinel to centrally collect and analyze security events. They need to ingest logs from multiple on-premises Windows servers located behind a firewall. Which agent should they deploy on those servers?

A. Azure Monitor Agent (AMA)
B. Log Analytics agent (Microsoft Monitoring Agent)
C. Azure Security Center agent
D. Azure Automation Agent
Answer: A

AMA is the modern agent that collects logs and metrics from Windows and Linux machines and is fully supported by Sentinel with Data Collection Rules.

Why this answer

The Azure Monitor Agent (AMA) is the correct choice because it is the current, unified data-collection agent for Microsoft Sentinel and Azure Monitor, designed to collect logs from Windows servers behind firewalls via outbound HTTPS (port 443) to the Log Analytics workspace. It supports data-collection rules (DCRs) for flexible, scalable ingestion and is the recommended replacement for the legacy Log Analytics agent. AMA can be deployed to on-premises Windows servers through Azure Arc for management, ensuring secure log forwarding to Sentinel.

Exam trap

The trap here is that candidates often confuse the legacy Log Analytics agent (option B) as still being the primary agent for Sentinel, but Microsoft has deprecated it in favor of AMA, and the exam expects knowledge of the current recommended agent.

How to eliminate wrong answers

Option B is wrong because the Log Analytics agent (Microsoft Monitoring Agent) is legacy and deprecated for new deployments in Microsoft Sentinel as of August 2024; it lacks support for advanced data-collection rules and is being phased out. Option C is wrong because the Azure Security Center agent (now part of Defender for Cloud) is specifically for security posture and threat detection, not for general log ingestion into Sentinel; it does not replace the log-collection agent. Option D is wrong because the Azure Automation Agent (Hybrid Runbook Worker) is designed to run automation runbooks on-premises, not to collect and forward security logs to Sentinel; it serves a completely different purpose.

15
MCQ · easy

A company wants to require that users perform multi-factor authentication (MFA) when accessing a critical enterprise application, but only when they are outside the corporate network. They have Azure Active Directory Premium P1 licenses. Which feature should they use to enforce this requirement?

A. Azure AD Identity Protection
B. Conditional Access policy
C. Azure AD Privileged Identity Management (PIM)
D. Azure AD Application Proxy
Answer: B

A Conditional Access policy can be scoped to the application and configured with a location condition to require MFA only when the user's IP address is outside the corporate network.

Why this answer

Conditional Access policies in Azure AD Premium P1 allow you to enforce MFA based on conditions such as network location. By configuring a policy that targets the critical enterprise application and includes a condition for 'Locations' set to 'All trusted locations' (or 'Not trusted locations'), you can require MFA only when users access the app from outside the corporate network. This directly meets the requirement without needing additional licensing or services.

Exam trap

The trap here is that candidates often confuse Azure AD Identity Protection (which requires P2 licenses) with Conditional Access (available in P1), assuming risk-based policies are needed for location-based MFA, when in fact Conditional Access alone with location conditions is sufficient.

How to eliminate wrong answers

Option A is wrong because Azure AD Identity Protection is a P2 feature that uses risk signals (e.g., leaked credentials, anonymous IP addresses) to trigger policies like MFA or password reset, but it cannot enforce MFA based solely on network location without a Conditional Access policy. Option C is wrong because Azure AD Privileged Identity Management (PIM) manages just-in-time privileged role activation and access reviews, not location-based MFA enforcement for end-user application access. Option D is wrong because Azure AD Application Proxy provides secure remote access to on-premises web applications but does not enforce MFA based on network location; it relies on pre-authentication with Azure AD, which can be combined with Conditional Access, but the proxy itself is not the feature that enforces the MFA requirement.

16
MCQ · medium

A company uses Azure AD Privileged Identity Management (PIM) to manage the 'Security Administrator' role. They want to ensure that when a user activates the role, they must provide a ticket number as justification, and the activation must be approved by a designated approver group. The role activation duration should be limited to 4 hours. Which PIM settings should be configured?

A. Enable 'Require approval' for the role and set 'Approvers' to the designated group. Also, set 'Activation maximum duration' to 4 hours.
B. Enable 'Require justification on activation' and set 'Activation maximum duration' to 4 hours. No approval configuration is needed.
C. Enable 'Require approval' and set 'Approvers' to the designated group. Also, enable 'Require ticket information on activation' and set 'Activation maximum duration' to 4 hours.
D. Enable 'Require ticket information on activation' and set 'Activation maximum duration' to 4 hours. Approval is not required because the ticket number serves as justification.
Answer: C

This configures all required settings: approval, ticket information, and duration.

Why this answer

Option C is correct because the scenario requires both approval and ticket-based justification. In Azure AD PIM, 'Require approval' enforces that a designated approver group must approve the activation, while 'Require ticket information on activation' ensures the user provides a ticket number as justification. Setting 'Activation maximum duration' to 4 hours limits the role activation time.

These three settings together satisfy all requirements.

Exam trap

The trap here is that candidates may confuse 'justification' with 'ticket information' and assume that enabling justification alone satisfies the ticket number requirement, or they may think that a ticket number inherently serves as approval, leading them to omit the approval configuration.

How to eliminate wrong answers

Option A is wrong because it omits the requirement for ticket information on activation; the scenario explicitly requires a ticket number as justification, not just any justification. Option B is wrong because it does not include approval configuration; the scenario requires activation to be approved by a designated approver group, which is not addressed by just enabling justification. Option D is wrong because it incorrectly assumes that a ticket number alone serves as sufficient justification and that approval is not needed; the scenario requires both a ticket number and approval from a designated group.

17
Multi-Select · hard

A Conditional Access policy should reduce account takeover risk for administrators without blocking normal low-risk access. Which two signals or controls are most appropriate?

Select 2 answers
A. Require phishing-resistant MFA or strong authentication for privileged roles
B. Allow legacy authentication for administrator accounts
C. Use sign-in risk or user risk conditions from Microsoft Entra ID Protection
D. Exclude all Global Administrators from the policy
Answers: A, C

Correct for the stated requirement.

Why this answer

Option A is correct because requiring phishing-resistant MFA (e.g., FIDO2 security keys or certificate-based authentication) for privileged roles directly mitigates account takeover by preventing credential theft and replay attacks. This aligns with the principle of using strong authentication for high-value accounts, as specified in Microsoft's Conditional Access guidance for administrators.

Exam trap

The trap here is that candidates often confuse 'reducing risk' with 'blocking all access' and may incorrectly choose to exclude admins (Option D) to avoid disruption, missing that the policy should use risk-based conditions (Option C) to allow normal low-risk access while blocking high-risk attempts.

18
MCQ · medium

A company wants to allow external business partners to access specific SharePoint Online sites using their own corporate credentials. They do not want to manage partner accounts in their own Azure AD tenant. Which Azure AD feature should they use?

A. Azure AD B2C
B. Azure AD External Identities
C. Conditional Access
D. Privileged Identity Management
Answer: B

External Identities (B2B) enables collaboration with external users who use their own organizational identities.

Why this answer

Azure AD External Identities (specifically B2B collaboration) allows you to invite external business partners to access your SharePoint Online sites using their own corporate credentials (their home Azure AD or identity provider). This eliminates the need to manage partner accounts in your tenant, as identities remain in their home directory and are authenticated via federation or SAML/WS-Fed protocols.

Exam trap

The trap here is confusing Azure AD B2C (customer-facing) with Azure AD External Identities B2B (business-to-business), as both involve 'external' users but serve fundamentally different scenarios and identity providers.

How to eliminate wrong answers

Option A is wrong because Azure AD B2C is designed for customer-facing applications where users sign up with social or local accounts, not for business-to-business collaboration with existing corporate identities. Option C is wrong because Conditional Access is a policy engine that enforces access controls (e.g., MFA, device compliance) on already-authenticated users, not a feature for inviting external partners or managing their identities. Option D is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role assignments for users within your own tenant, not for external partner identity federation or guest access.

19
MCQ · medium

A company wants Defender for Cloud to recommend fixes for container image vulnerabilities stored in Azure Container Registry. Which capability is most relevant?

A. Container vulnerability assessment in Defender for Containers
B. Azure SQL auditing
C. Microsoft Entra access reviews
D. Application Gateway rewrite rules
Answer: A

Correct for the stated requirement.

Why this answer

Defender for Containers includes a container vulnerability assessment capability that scans container images stored in Azure Container Registry (ACR) for known vulnerabilities. This assessment integrates with Defender for Cloud to provide actionable recommendations for fixing identified vulnerabilities, directly addressing the company's requirement.

Exam trap

The trap here is that candidates may confuse general container security features (like runtime protection) with the specific vulnerability assessment capability, or mistakenly think that Azure SQL auditing or access reviews could be repurposed for image scanning.

How to eliminate wrong answers

Option B is wrong because Azure SQL auditing is a database auditing feature for tracking database events and changes, not for scanning container images for vulnerabilities. Option C is wrong because Microsoft Entra access reviews are used to manage user access rights and certifications, not for vulnerability scanning of container images. Option D is wrong because Application Gateway rewrite rules are used to modify HTTP request/response headers and URLs in web traffic, not for assessing container image security.

20
MCQ · medium

A company uses Azure AD Privileged Identity Management (PIM) to manage access to the 'Security Administrator' role. They want a specific user to be able to activate the role only when needed, rather than having standing access. The user should not have the role active at all times. Which type of assignment should they configure for this user in PIM?

A. Assign the user as 'Active' for the role.
B. Assign the user as 'Eligible' for the role.
C. Assign the user as 'Permanent' for the role.
D. Add the user as a 'Guest' in the directory.
Answer: B

An eligible assignment requires the user to activate the role for a specified duration. This provides just-in-time access without permanent privileges.

Why this answer

In Azure AD Privileged Identity Management (PIM), an 'Eligible' assignment means the user does not have permanent access to the role. They must activate the role on-demand through a time-bound activation process, which may require approval and multi-factor authentication. This directly meets the requirement of having no standing access, as the role is inactive until the user explicitly activates it.

Exam trap

The trap here is confusing 'Active' (permanent standing access) with 'Eligible' (just-in-time activation), as candidates often think 'Active' means the user can activate the role, when in fact it means the role is always active.

How to eliminate wrong answers

Option A is wrong because an 'Active' assignment grants the user standing access to the role at all times, which contradicts the requirement for on-demand activation. Option C is wrong because 'Permanent' is not a valid assignment type in PIM; roles are either 'Active' (permanent) or 'Eligible' (requiring activation). Option D is wrong because adding the user as a 'Guest' in the directory does not assign any Azure AD role; it only provides external collaboration access without any privileged role permissions.

21
MCQ · medium

A company uses Azure AD Identity Protection and Conditional Access. They want to automatically block user access to cloud applications when Identity Protection detects that a user's sign-in risk level is high. Which configuration should they use in a Conditional Access policy?

A. Include 'User risk' level 'High' and set Grant to 'Require multi-factor authentication'.
B. Include 'Sign-in risk' level 'High' and set Grant to 'Block access'.
C. Include 'Device platforms' 'All' and set Grant to 'Require managed device'.
D. Include 'Locations' 'All trusted locations' and set Grant to 'Block access'.
Answer: B

This configuration blocks the specific sign-in if the risk is high, directly preventing access.

Why this answer

Option B is correct because Conditional Access policies can evaluate sign-in risk levels detected by Azure AD Identity Protection. When the sign-in risk level is 'High', setting the Grant control to 'Block access' directly prevents the user from accessing cloud applications, meeting the requirement to automatically block access based on a high sign-in risk.

Exam trap

The trap here is confusing 'User risk' with 'Sign-in risk'; candidates often select Option A because they think high user risk should trigger MFA, but the question specifically requires blocking access based on sign-in risk, not user risk.

How to eliminate wrong answers

Option A is wrong because it uses 'User risk' (which reflects the likelihood that a user's identity is compromised) and sets Grant to 'Require multi-factor authentication' instead of blocking access; this would prompt MFA rather than blocking. Option C is wrong because it targets 'Device platforms' and requires a managed device, which does not address sign-in risk levels at all. Option D is wrong because it includes 'All trusted locations' and sets Grant to 'Block access', which would block access from trusted locations rather than blocking based on sign-in risk.

22
MCQ · medium

An application hosted on an Azure VM needs to read secrets from Key Vault without storing credentials. Which identity pattern should be used?

A. System-assigned managed identity with Key Vault access granted by RBAC or access policy
B. Client secret stored in appsettings.json
C. Shared access signature stored as an environment variable
D. A user account excluded from MFA
Answer: A

Correct for the stated requirement.

Why this answer

A system-assigned managed identity enables an Azure VM to authenticate to Azure Key Vault without storing any credentials in code or configuration. Azure automatically creates a service principal for the VM in Azure AD, and the VM can obtain an access token from the Azure Instance Metadata Service (IMDS) endpoint (169.254.169.254) to authenticate to Key Vault. Access to secrets is then controlled by assigning RBAC roles (e.g., Key Vault Secrets User) or configuring a Key Vault access policy for that identity, eliminating the need for any stored secrets.

Exam trap

The trap here is that candidates may confuse managed identities with other credential-based patterns (like client secrets or SAS tokens) and fail to recognize that the question explicitly requires 'without storing credentials,' which only a managed identity satisfies.

How to eliminate wrong answers

Option B is wrong because storing a client secret in appsettings.json directly violates the requirement of not storing credentials; it introduces a security risk of secret exposure in configuration files. Option C is wrong because a shared access signature (SAS) is used for delegating access to Azure Storage resources, not for authenticating to Key Vault, and storing it as an environment variable still requires managing a credential. Option D is wrong because a user account excluded from MFA does not provide an identity pattern for a VM to access Key Vault; it is a human identity that would require interactive sign-in and credential storage, and excluding MFA weakens security without solving the credential storage problem.

23
MCQ · easy

A security analyst uses Microsoft Defender for Cloud. They need to view the current compliance status of their Azure subscription against the Payment Card Industry Data Security Standard (PCI DSS). Which feature in Defender for Cloud should they use?

A. Security posture dashboard
B. Regulatory compliance dashboard
C. Vulnerability assessment solutions
D. Workflow automation
Answer: B

The regulatory compliance dashboard in Defender for Cloud displays compliance status for various standards such as PCI DSS, SOC, ISO, etc. It provides a detailed view of controls, assessments, and recommendations.

Why this answer

The Regulatory compliance dashboard in Microsoft Defender for Cloud provides a pre-built view of your Azure subscription's compliance posture against specific standards like PCI DSS. It continuously assesses your resources against the controls defined in the selected compliance framework and displays a compliance score, passed/failed controls, and remediation steps. This is the dedicated feature for tracking regulatory compliance, not general security posture or vulnerability management.

Exam trap

The trap here is that candidates confuse the general Security posture dashboard (which shows a security score) with the Regulatory compliance dashboard, which is the only place to see compliance against specific standards like PCI DSS, SOC 2, or ISO 27001.

How to eliminate wrong answers

Option A is wrong because the Security posture dashboard shows an overall security score based on security recommendations, but it does not map to specific regulatory frameworks like PCI DSS. Option C is wrong because Vulnerability assessment solutions (e.g., integrated Qualys or Microsoft Defender Vulnerability Management) focus on identifying software vulnerabilities in VMs and containers, not on compliance with regulatory standards. Option D is wrong because Workflow automation is used to trigger automated responses (e.g., sending notifications or creating tickets) based on security alerts or recommendations, not to view compliance status.

24
MCQ · medium

A security team uses Microsoft Sentinel. They want to detect a potential privilege escalation scenario: when a user is added to the Global Administrator role in Azure AD (audit log) and within 10 minutes that user signs in from a suspicious location (sign-in log). Which type of analytics rule should they create to correlate these two different log sources?

A. Fusion rule
B. Scheduled query rule
C. Anomaly rule
D. NRT rule (Near Real-Time)
Answer: B

Scheduled query rules allow you to write custom KQL queries that can join logs from different tables, enabling correlation of events across data sources.

Why this answer

A scheduled query rule is the correct choice because it allows you to define a KQL query that joins the AuditLogs table (for role assignment events) with the SigninLogs table (for sign-in events) and then uses a time window (e.g., 10 minutes) to correlate the two disparate log sources. This rule type supports cross-table joins and custom time-based correlation, which is exactly what is needed to detect a user added to Global Administrator followed by a suspicious sign-in.

Exam trap

The trap here is that candidates confuse Fusion rules (which correlate alerts) with the need to correlate raw log entries, or they mistakenly think NRT rules can handle multi-table joins with custom time windows, when in fact only scheduled query rules provide the necessary KQL flexibility for this scenario.

How to eliminate wrong answers

Option A is wrong because Fusion rules use machine learning to correlate multiple alerts from different security products, not to join raw audit and sign-in logs with a custom time window. Option C is wrong because Anomaly rules are designed to detect unusual patterns in a single data source using baselines, not to correlate two different log sources with a specific temporal condition. Option D is wrong because NRT (Near Real-Time) rules run every minute but do not support cross-table joins or custom time windows longer than a few minutes; they are intended for single-table, low-latency detection.

25
MCQ · hard

A security team uses Microsoft Defender for Cloud to protect Azure virtual machines. They want to implement application allowlisting to prevent execution of unauthorized software on a set of Windows Server VMs. They need to create a baseline of allowed applications and then enforce the allowlist. Which Defender for Cloud feature should they enable?

A. Adaptive application controls
B. Just-in-time VM access
C. File integrity monitoring
D. Adaptive network hardening
Answer: A

Correct. Adaptive application controls provide application allowlisting based on behavioral learning and enforcement.

Why this answer

Adaptive application controls (AAC) in Microsoft Defender for Cloud is the correct feature because it specifically provides application allowlisting for Azure VMs. AAC uses machine learning to analyze processes running on a VM, generate a baseline of allowed applications, and then enforce that allowlist by blocking execution of any unauthorized software. This directly meets the requirement to create a baseline and enforce it on Windows Server VMs.

Exam trap

The trap here is that candidates often confuse adaptive application controls with file integrity monitoring, thinking both prevent unauthorized software, but FIM only detects changes after the fact and does not block execution.

How to eliminate wrong answers

Option B (Just-in-time VM access) is wrong because it controls network access to management ports (e.g., RDP, SSH) by locking down inbound traffic, not application execution on the VM. Option C (File integrity monitoring) is wrong because it monitors changes to critical files, registry keys, and software installations, but it does not block unauthorized software execution—it only alerts on changes. Option D (Adaptive network hardening) is wrong because it recommends and enforces network security group (NSG) rules based on traffic patterns, not application-level allowlisting on the VM.

26
MCQ · medium

A company wants to detect exposed internet-facing assets that are not yet known in its Azure inventory. Which Microsoft Defender capability is most relevant?

A. Defender for SQL vulnerability assessment
B. Microsoft Entra Permissions Management
C. Defender External Attack Surface Management
D. Azure Monitor VM insights
Answer: C

Correct for the stated requirement.

Why this answer

Defender External Attack Surface Management (EASM) is specifically designed to discover and inventory internet-facing assets (e.g., domains, IPs, open ports, certificates) that are not yet known to an organization's Azure inventory. It continuously scans public attack surfaces to identify unknown or unmanaged resources, making it the most relevant capability for detecting exposed assets outside the current Azure footprint.

Exam trap

The trap here is that candidates may confuse Defender EASM with Microsoft Entra Permissions Management (CIEM), assuming both deal with 'unknown assets' when in fact CIEM focuses on permissions and identity risks, not external asset discovery.

How to eliminate wrong answers

Option A is wrong because Defender for SQL vulnerability assessment focuses on identifying and remediating database-specific vulnerabilities (e.g., misconfigurations, missing patches) within known Azure SQL resources, not on discovering unknown internet-facing assets. Option B is wrong because Microsoft Entra Permissions Management (formerly CloudKnox) is a Cloud Infrastructure Entitlement Management (CIEM) tool that analyzes and manages permissions across multi-cloud environments, but it does not perform external asset discovery or attack surface scanning. Option D is wrong because Azure Monitor VM insights provides performance monitoring and dependency mapping for existing virtual machines, but it has no capability to discover unknown or external internet-facing assets.

27
Multi-Select · medium

A security team wants to use Microsoft Sentinel to detect potential data exfiltration events from Azure Blob Storage. Which two logs should they ingest to best identify unauthorized read access and data transfer activities? (Choose two.)

Select 2 answers
A. Storage account audit logs (e.g., StorageReadKey, GetBlob)
B. Azure Activity log for storage account write operations
C. Azure AD sign-in logs
D. Azure Key Vault audit logs
Answers: A, B

These logs record data access operations on blobs, critical for detecting exfiltration.

Why this answer

Option A is correct because Storage account audit logs (e.g., StorageReadKey, GetBlob) capture detailed data-plane operations, including read access to blobs and keys, which directly indicates potential data exfiltration. Option B is correct because the Azure Activity log for storage account write operations records management-plane events like storage account key regeneration, which can be used to bypass existing access controls and exfiltrate data. Together, these logs provide visibility into both the data access and the administrative actions that could enable exfiltration.

Exam trap

The trap here is that candidates often confuse Azure AD sign-in logs with storage-specific audit logs, mistakenly thinking authentication logs alone can detect data exfiltration, when in fact they lack the data-plane operation details needed to identify unauthorized read or transfer activities.

28
Multi-Select · medium

You are designing an Azure RBAC role assignment strategy for a subscription. Which three of the following practices are recommended for secure role management? (Choose three.)

Select 3 answers
A. Assign roles at the management group level to reduce the number of assignments
B. Use custom roles with the least privilege principle when built-in roles are too permissive
C. Assign roles to Azure AD groups rather than to individual users
D. Assign the Contributor role at the resource group level for all developers
E. Use the User Access Administrator role to grant users access to resources
F. Create multiple role assignments for the same scope to the same user

Why this answer

Assigning roles at the management group level reduces the number of assignments because permissions are inherited by all child subscriptions, simplifying management and reducing the risk of misconfiguration. Using custom roles with the least privilege principle ensures that users have only the permissions they need when built-in roles are too broad, minimizing the attack surface. Assigning roles to Azure AD groups rather than individual users enables centralized management of permissions through group membership, making it easier to audit and update access without modifying role assignments directly.

Exam trap

The trap here is that candidates often confuse the User Access Administrator role (which grants permission to assign roles) with a role that grants direct resource access, leading them to select it as a valid practice for granting access to resources.

29
MCQ · medium

A security operations team uses Microsoft Sentinel. They want to create a rule that generates an incident when an Azure virtual machine is deployed with a public IP address that is not in a predefined approved list. The rule should run every hour and query Azure Activity logs. Which type of analytics rule should they create?

A. Scheduled query rule
B. NRT (Near-Real-Time) rule
C. Anomaly rule
D. Fusion rule
Answer: A

Scheduled query rules are ideal for running queries on a fixed schedule (e.g., every hour) against log data to detect patterns and generate incidents.

Why this answer

A scheduled query rule is correct because the requirement specifies a rule that runs every hour and queries Azure Activity logs. Scheduled query rules in Microsoft Sentinel are designed for periodic, time-based queries against log data, such as Azure Activity logs, and can generate incidents based on predefined conditions like detecting a VM deployment with an unapproved public IP. This aligns perfectly with the need for a recurring, non-real-time check.

Exam trap

The trap here is that candidates confuse the frequency requirement (every hour) with the near-real-time label, assuming NRT rules can be configured for any interval, when in fact NRT rules are hard-limited to 1-minute intervals and cannot be set to hourly runs.

How to eliminate wrong answers

Option B (NRT rule) is wrong because near-real-time rules run at intervals of 1 minute or less, not every hour, and are designed for low-latency detection, not scheduled hourly checks. Option C (Anomaly rule) is wrong because anomaly rules use machine learning to detect unusual patterns over time, not static conditions like a predefined approved IP list. Option D (Fusion rule) is wrong because Fusion rules correlate alerts from multiple security products to detect multi-stage attacks, not single-event conditions like VM deployment with a specific IP.

30
MCQ · easy

A company has Azure AD with Premium P2 licenses. They want to enforce Azure Multi-Factor Authentication (MFA) for all users accessing the Azure portal from untrusted networks, but only after the user has successfully entered their password. Which Conditional Access grant control should they configure?

A. Require multi-factor authentication
B. Require device to be marked as compliant
C. Require approved client app
D. Require domain join
Answer: A

This grant control requires users to complete MFA before accessing the resource, which meets the requirement of enforcing MFA after password authentication.

Why this answer

Option A is correct because the 'Require multi-factor authentication' grant control in Conditional Access enforces MFA after password authentication, which aligns with the requirement to prompt for MFA only after the user has successfully entered their password. This control is applied based on the condition of 'untrusted networks' (e.g., using the 'Locations' condition to target all locations except trusted IPs), ensuring that MFA is triggered specifically for Azure portal access from untrusted networks.

Exam trap

The trap here is that candidates often confuse 'Require multi-factor authentication' with 'Require device to be marked as compliant' or 'Require domain join', mistakenly thinking device state controls can enforce MFA step-up, when in fact only the MFA grant control triggers the additional authentication challenge after password entry.

How to eliminate wrong answers

Option B is wrong because 'Require device to be marked as compliant' enforces device compliance (e.g., Intune policy) but does not enforce MFA after password entry; it blocks or grants access based on device health, not authentication step-up. Option C is wrong because 'Require approved client app' restricts access to specific client applications (e.g., Microsoft Authenticator) but does not enforce MFA after password entry; it is used for app-level restrictions, not authentication step-up. Option D is wrong because 'Require domain join' enforces hybrid Azure AD join or domain-joined devices, which does not enforce MFA after password entry; it is a device state control, not an authentication enforcement.

31
MCQ · medium

A company uses Azure AD Privileged Identity Management (PIM) for Azure AD roles. They want to require that users must perform multi-factor authentication (MFA) when activating a role. Which PIM setting should they configure?

A. Require Azure AD Multi-Factor Authentication on activation
B. Require approval to activate
C. Require justification on activation
D. Require ticket information on activation
Answer: A

This setting enforces MFA every time a user activates a role, adding an extra layer of security.

Why this answer

To enforce multi-factor authentication during role activation in Azure AD Privileged Identity Management (PIM), you must configure the 'Require Azure AD Multi-Factor Authentication on activation' setting. This ensures that before a user’s role assignment is activated, they must complete an MFA challenge, adding an extra layer of security against unauthorized access.

Exam trap

The trap here is that candidates often confuse 'Require approval to activate' with MFA enforcement, but approval is a separate authorization step that does not verify the user’s identity through a second factor.

How to eliminate wrong answers

Option B is wrong because 'Require approval to activate' enforces a workflow where one or more approvers must authorize the activation, but it does not mandate MFA. Option C is wrong because 'Require justification on activation' only prompts the user to provide a business reason for activation, not an MFA challenge. Option D is wrong because 'Require ticket information on activation' asks for a support ticket number for auditing purposes, which is unrelated to multi-factor authentication.

32
Multi-Select · hard

A company uses Azure AD Privileged Identity Management (PIM) to manage access to Azure AD roles. They want to require that users who activate the Global Administrator role must get approval from their manager before activation, and that the approval must be time-bound (maximum 8 hours). Which two PIM configurations should they set?

Select 2 answers
A. Set the activation maximum duration to 8 hours.
B. Enable approval workflow by adding the manager as an approver.
C. Require multi-factor authentication on activation.
D. Require justification on activation.
Answers: A, B

This limits how long the role can be active, meeting the time-bound requirement.

Why this answer

Option A is correct because setting the activation maximum duration to 8 hours enforces the time-bound requirement, ensuring that once a user activates the Global Administrator role, the activation automatically expires after 8 hours. Option B is correct because enabling the approval workflow and adding the manager as an approver ensures that the manager must approve each activation request, meeting the requirement for manager approval. Together, these two configurations satisfy both the time-bound and approval constraints.

Exam trap

The trap here is that candidates often confuse 'justification' or 'MFA' with approval and time-bound constraints, but justification and MFA are separate security controls that do not satisfy the specific requirements for manager approval and a maximum duration.

33
MCQ · medium

A security team uses Microsoft Sentinel. They want to automatically isolate a compromised virtual machine by applying a network security group (NSG) rule. They have created a playbook in Azure Logic Apps that modifies the NSG. How should they trigger this playbook when an incident of type 'Suspicious VM activity' is created?

A. Create an automation rule in Microsoft Sentinel that is triggered when an incident is created, and set the action to run the playbook.
B. Configure a data connector to send all alerts to the playbook.
C. Enable the playbook as a response action in the analytics rule.
D. Use a logic app trigger that polls Sentinel incidents every minute.
Answer: A

Automation rules can respond to incident creation and execute a playbook, making them ideal for automated response scenarios.

Why this answer

Option A is correct because Microsoft Sentinel automation rules are designed to trigger playbooks automatically when incidents are created, updated, or closed. By configuring an automation rule with the condition 'When incident is created' and the action 'Run playbook', the playbook that modifies the NSG will execute immediately upon the creation of a 'Suspicious VM activity' incident, achieving the desired automated isolation without manual intervention.

Exam trap

The trap here is that candidates often confuse analytics rule response actions (which trigger on alert generation) with automation rules (which trigger on incident creation), leading them to incorrectly select Option C when the question explicitly requires incident-based triggering.

How to eliminate wrong answers

Option B is wrong because data connectors ingest raw logs and alerts into Sentinel, but they do not trigger playbooks; playbooks are triggered by automation rules or analytics rule response actions, not by data connectors. Option C is wrong because analytics rules can have automated responses, but those responses run when an alert is generated, not when an incident is created; the question specifies triggering on incident creation, which requires an automation rule. Option D is wrong because polling every minute introduces latency and inefficiency, and Sentinel provides event-driven triggers (via automation rules) that react instantly to incident creation, making polling unnecessary and suboptimal.

34
MCQ · medium

A security operations team uses Microsoft Sentinel. They are investigating a security incident that involves multiple alerts from different Azure resources. They need to see the entire attack timeline and all related entities (such as user accounts, IP addresses, and hosts) in a single, visual graph to understand the scope of the attack. Which Microsoft Sentinel feature should they use?

A. Investigation graph
B. Incident dashboard
C. Entity behavior analytics (UEBA)
D. Threat hunting blade
Answer: A

The investigation graph displays entities and their connections, allowing analysts to visually explore relationships and understand the full attack timeline within an incident.

Why this answer

The Investigation graph in Microsoft Sentinel is specifically designed to visually map the relationships between alerts, entities (such as user accounts, IP addresses, and hosts), and the attack timeline. It allows security analysts to explore the scope of an incident by interactively expanding nodes and viewing connections, which directly meets the requirement for a single visual graph showing the entire attack timeline and related entities.

Exam trap

The trap here is that candidates often confuse the Incident dashboard (which shows a list of incidents) with the Investigation graph (which provides the interactive visual graph of entities and timeline), leading them to select the dashboard option because it sounds like the place to 'see' incident details.

How to eliminate wrong answers

Option B (Incident dashboard) is wrong because it provides a high-level summary of incidents (e.g., severity, status, count) but does not offer a visual graph of entity relationships or an attack timeline. Option C (Entity behavior analytics / UEBA) is wrong because it focuses on profiling and detecting anomalous behavior of individual entities over time, not on mapping the relationships and timeline of multiple alerts in a single incident. Option D (Threat hunting blade) is wrong because it is used for proactive, query-based searches for potential threats across large datasets, not for visualizing the scope and relationships of an already identified incident.

35
MCQ · hard

A KQL hunting query joins SecurityIncident with SecurityAlert but returns duplicate rows for incidents with multiple alerts. What KQL approach best preserves one row per incident while summarizing alert details?

A. Use order by TimeGenerated desc only
B. Replace join with union
C. Use take 1 before the join
D. Use summarize make_set() or arg_max() grouped by IncidentNumber
Answer: D

Correct for the stated requirement.

Why this answer

Option D is correct because `summarize make_set()` or `arg_max()` grouped by `IncidentNumber` collapses multiple alert rows into a single incident row while preserving alert details in an array or the most recent alert. This directly addresses the duplicate rows caused by a one-to-many join between SecurityIncident and SecurityAlert, ensuring one row per incident without data loss.

Exam trap

The trap here is that candidates often confuse sorting or limiting rows (options A and C) with deduplication, or incorrectly think a union can replace a join, missing the fundamental need to aggregate after a one-to-many relationship.

How to eliminate wrong answers

Option A is wrong because `order by TimeGenerated desc` only sorts the results and does not remove duplicate rows; it leaves the duplicates intact. Option B is wrong because `union` combines rows from two tables without any join logic, which would not correlate incidents with their alerts and would produce a completely different, incorrect result set. Option C is wrong because `take 1` before the join arbitrarily limits the input rows before the join, which can discard relevant alerts and still produce duplicates if the incident has multiple alerts in the remaining data.
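A worked version of the corrected query, added here as an illustration and not taken from the question bank. The two datatable inputs are constructed to mimic the Sentinel schema (the incident's AlertIds array is expanded and joined to SecurityAlert's SystemAlertId, which is what produces the one-to-many duplication); values such as the alert ids and names are sample data.

```kql
// Constructed sample tables standing in for the real Sentinel tables.
let SecurityIncident = datatable(IncidentNumber:int, Title:string, Severity:string, TimeGenerated:datetime, AlertIds:dynamic)
[
    101, "Suspicious VM activity", "High",   datetime(2024-01-10 08:00:00), dynamic(["a1", "a2"]),
    101, "Suspicious VM activity", "High",   datetime(2024-01-10 08:30:00), dynamic(["a1", "a2"]),  // later update of the same incident
    102, "Impossible travel",      "Medium", datetime(2024-01-10 09:00:00), dynamic(["a3"])
];
let SecurityAlert = datatable(SystemAlertId:string, AlertName:string, CompromisedEntity:string, TimeGenerated:datetime)
[
    "a1", "Brute force on RDP",      "vm-jump01", datetime(2024-01-10 07:50:00),
    "a2", "Unusual process created", "vm-jump01", datetime(2024-01-10 07:55:00),
    "a3", "Atypical travel",         "alice",     datetime(2024-01-10 08:58:00)
];
SecurityIncident
// SecurityIncident stores one row per update of an incident, so keep only the latest record first.
| summarize arg_max(TimeGenerated, *) by IncidentNumber
// Expanding the AlertIds array and joining yields one row per alert: incident 101 now appears twice.
| mv-expand AlertId = AlertIds to typeof(string)
| join kind=inner (
    SecurityAlert
    | project SystemAlertId, AlertName, CompromisedEntity, AlertTime = TimeGenerated
  ) on $left.AlertId == $right.SystemAlertId
// Collapse back to one row per incident while keeping the alert details:
// make_set() retains every alert name and entity, arg_max() returns the most recent alert.
| summarize
    Title      = take_any(Title),
    Severity   = take_any(Severity),
    AlertCount = dcount(SystemAlertId),
    AlertNames = make_set(AlertName),
    Entities   = make_set(CompromisedEntity),
    arg_max(AlertTime, AlertName)   // output columns: AlertTime and AlertName of the latest alert
    by IncidentNumber
| order by IncidentNumber asc
```

With this sample data the result is two rows: incident 101 with AlertCount 2, both alert names in AlertNames and "Unusual process created" as the latest alert, and incident 102 with a single alert.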

36
Drag & Drop · medium

Drag and drop the steps to configure Azure AD Privileged Identity Management (PIM) for a role into the correct order.

Why this order

PIM requires enabling the service first, then selecting roles, configuring settings, and finally assigning users as eligible.

37
MCQ · hard

A company uses Azure AD Privileged Identity Management (PIM) to manage access to critical roles. They want to require that users who are eligible for the 'Security Administrator' role must provide a support ticket number in the justification when activating the role. Additionally, they want to set a maximum activation duration of 4 hours. Which PIM role setting should they configure?

A. Activation settings
B. Notification settings
C. Approval settings
D. Assignment settings
Answer: A

In the activation settings for the role, you can set maximum duration (4 hours) and require justification with a ticket number field.

Why this answer

Option A is correct because the 'Activation settings' in Azure AD PIM allow you to configure the maximum activation duration (in hours) and require justification, including a support ticket number, when a user activates an eligible role. These settings directly control the conditions under which role activation occurs, such as duration and mandatory justification fields.

Exam trap

The trap here is that candidates often confuse 'Assignment settings' (which control the duration of an eligible or active assignment) with 'Activation settings' (which control the duration and conditions of activation for eligible users), leading them to incorrectly select Option D.

How to eliminate wrong answers

Option B is wrong because 'Notification settings' control who receives email alerts when roles are activated or assigned, not the activation duration or justification requirements. Option C is wrong because 'Approval settings' require designated approvers to approve activation requests, but they do not enforce a maximum activation duration or a support ticket number in the justification. Option D is wrong because 'Assignment settings' define whether a role assignment is eligible or active, and the duration of the assignment itself, not the activation duration or justification content for eligible users.

38
MCQ · hard

A Sentinel data connector based on Azure Monitor Agent stops collecting Windows Security Events after migration from the legacy agent. What should the engineer verify first?

A. A Data Collection Rule is associated with the target machines and includes the required event streams
B. The workspace has a saved KQL function named SecurityEvent
C. The machines are assigned an Azure Policy initiative for tags
D. The analytics rule is configured as near-real-time
Answer: A

Correct for the stated requirement.

Why this answer

After migrating from the legacy Log Analytics Agent to the Azure Monitor Agent (AMA), data collection is governed by Data Collection Rules (DCRs). If the DCR is not associated with the target machines or does not include the required Windows Security Event data streams (e.g., `Microsoft-Event` or `SecurityEvent`), the Sentinel connector will stop receiving events. This is the most common root cause because AMA relies entirely on DCRs for configuration, unlike the legacy agent which used workspace settings directly.

Exam trap

The trap here is that candidates often assume the legacy agent's workspace configuration persists after migration, but AMA requires explicit Data Collection Rules to be created and associated, and missing or misconfigured DCRs are the primary cause of data loss.

How to eliminate wrong answers

Option B is wrong because a saved KQL function named `SecurityEvent` is a query artifact, not a prerequisite for data ingestion; the connector ingests raw events into the `SecurityEvent` table regardless of saved functions. Option C is wrong because Azure Policy initiatives for tags manage resource governance and compliance, not data collection or agent configuration. Option D is wrong because analytics rules define detection logic and alerting, not the underlying data ingestion pipeline; near-real-time configuration affects alert latency, not whether events are collected.

39
MCQ · medium

A company uses Azure AD Privileged Identity Management (PIM) to manage the 'Global Administrator' role. The security team wants to ensure that when a user activates the role, they must provide a justification, and the activation request must be approved by a specific group of security administrators. They have already configured the role for activation with a maximum duration of 8 hours. Which additional PIM settings should they configure?

A. Enable 'Require approval to activate' and select the security group as approver
B. Set 'Require Azure Multi-Factor Authentication' to 'On'
C. Set 'Require justification on activation' to 'On' and also enable 'Require ticket information'
D. Create a separate PIM request workflow using Azure Logic Apps
Answer: A

This setting ensures that an activation request must be approved by members of the designated security group before the role is activated.

Why this answer

Option A is correct because the scenario requires both justification and approval for role activation. PIM allows you to enforce 'Require justification on activation' and 'Require approval to activate' as separate settings. By enabling 'Require approval to activate' and selecting the security group as the approver, you meet the requirement for approval.

PIM treats justification as part of the default activation flow once approval is enabled, but 'Require justification on activation' should still be explicitly set to 'On' if it is not already enforced. Because the question states that the role is already configured for activation with a maximum duration, the missing piece is the approval configuration.

Exam trap

The trap here is that candidates may think 'Require justification on activation' alone satisfies the requirement, but the question explicitly asks for approval by a specific group, which requires the separate 'Require approval to activate' setting.

How to eliminate wrong answers

Option B is wrong because requiring Azure Multi-Factor Authentication (MFA) is a separate security control that does not enforce approval or justification; it only adds an authentication step during activation. Option C is wrong because while 'Require justification on activation' is needed, the scenario also requires approval by a specific group, which is not addressed by justification or ticket information alone. Option D is wrong because Azure Logic Apps are not a native PIM setting for role activation approval; PIM has built-in approval workflows that do not require custom Logic Apps.

40
MCQ · hard

A company uses Microsoft Defender for Cloud's Just-In-Time (JIT) VM access to manage RDP connections to a critical jump-box virtual machine. The company has a CI/CD pipeline running on Azure DevOps agent pools that needs to periodically RDP into this VM to deploy software. The agent pool's source IP addresses are dynamic and change frequently. They want the pipeline to automatically request JIT access before each deployment without manual intervention. Which approach should they implement?

A. Use the Azure REST API with a managed identity assigned to the DevOps agent to request JIT access, specifying the agent's current source IP address
B. Create a JIT access rule in Defender for Cloud with a scheduled time window that matches the pipeline's deployment schedule
C. Configure a PowerShell script in the pipeline to modify the network security group (NSG) to allow the agent's IP during deployment
D. Assign a static public IP to the Azure DevOps agent and add that IP to the JIT allowed list permanently
Answer: A

The REST API endpoint for JIT allows programmatic requests. A managed identity on the agent (or virtual machine running the agent) provides secure authentication without secrets. The pipeline can fetch its current outbound IP and request JIT access for the required time.

Why this answer

Option A is correct because it uses the Azure REST API with a managed identity to dynamically request JIT VM access, specifying the agent's current source IP address. This approach allows the CI/CD pipeline to authenticate without secrets and automatically obtain time-bound RDP access, even though the agent's IP changes frequently. The managed identity provides secure, automated authentication to Azure Resource Manager, enabling the pipeline to call the JIT policy endpoint and grant access for the deployment duration.

Exam trap

The trap here is that candidates may think scheduled JIT rules (Option B) exist or that permanently whitelisting an IP (Option D) is acceptable, but Azure JIT is designed for dynamic, on-demand access requests, not static schedules or permanent allowances.

How to eliminate wrong answers

Option B is wrong because scheduled JIT access rules do not exist; JIT access is request-based and time-bound, not scheduled, and a fixed time window cannot accommodate dynamic IP changes or unpredictable deployment schedules. Option C is wrong because directly modifying the NSG bypasses Defender for Cloud's JIT access control, defeating the purpose of using JIT for security and auditability, and it would require additional permissions and manual cleanup. Option D is wrong because assigning a static public IP to the Azure DevOps agent is often impractical or impossible (agents may be in a dynamic pool or behind a NAT), and adding it permanently to the JIT allowed list eliminates the just-in-time security benefit, leaving the VM exposed continuously.

41
MCQ · medium

A security team uses Microsoft Defender for Cloud to monitor the security posture of a hybrid environment that includes on-premises servers connected via Azure Arc. They want to enable a vulnerability assessment solution that automatically scans all servers (both Azure VMs and on-premises Arc-enabled servers) for OS vulnerabilities. Which solution should they enable directly from Defender for Cloud?

A. Enable the integrated vulnerability assessment solution (Qualys) in Defender for Cloud
B. Enable Microsoft Defender for Endpoint and integrate it with Defender for Cloud
C. Configure Azure Update Management to assess missing patches
D. Use Azure Policy to deploy the Log Analytics agent and manually enable scanning
Answer: A

The built-in VA solution (Qualys) is available at no additional cost in Defender for Cloud. It can be deployed to both Azure VMs and Arc-enabled servers through the integration, providing automatic OS vulnerability scanning.

Why this answer

The integrated vulnerability assessment (VA) solution in Defender for Cloud, powered by Qualys, is the correct choice because it is a native, built-in capability that can be automatically enabled for both Azure VMs and Azure Arc-enabled on-premises servers. It requires no additional licensing or external configuration, and it automatically discovers and scans OS vulnerabilities without manual intervention, directly from the Defender for Cloud portal.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Endpoint's threat and vulnerability management (TVM) with a dedicated vulnerability assessment solution, but the question specifically asks for a solution that can be enabled directly from Defender for Cloud for automatic OS vulnerability scanning, which is the integrated Qualys-based VA solution.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Endpoint (MDE) is an endpoint detection and response (EDR) solution focused on threat detection and response, not a dedicated vulnerability assessment scanner; while MDE includes threat and vulnerability management (TVM), the question specifically asks for a solution that automatically scans for OS vulnerabilities directly from Defender for Cloud, and the integrated Qualys solution is the one that meets this requirement natively. Option C is wrong because Azure Update Management is designed to manage and deploy OS patches, not to assess vulnerabilities; it reports missing updates but does not perform vulnerability scanning or provide a vulnerability score. Option D is wrong because deploying the Log Analytics agent and manually enabling scanning is not a built-in vulnerability assessment solution; it requires custom configuration and does not provide the automated, integrated scanning that the Qualys-based solution offers directly from Defender for Cloud.

42
MCQ · medium

A team wants to automatically deploy Defender for Cloud settings across new subscriptions under a management group. Which Azure capability should they use?

A. Application security groups
B. Conditional Access templates
C. Sentinel workbooks
D. Azure Policy initiative assignment
Answer: D

Correct for the stated requirement.

Why this answer

Azure Policy initiative assignments allow you to bundle multiple policy definitions (such as those for Defender for Cloud) and assign them at the management group scope. This ensures that all new subscriptions under that management group automatically inherit and enforce the Defender for Cloud settings, including enabling security monitoring and threat detection. This is the correct approach because Azure Policy provides continuous compliance evaluation and remediation at scale across the entire resource hierarchy.

Exam trap

The trap here is that candidates often confuse Azure Policy with Azure Blueprints or think that Defender for Cloud settings can only be configured per subscription manually, missing that Policy initiatives at the management group level provide automatic, scalable enforcement for new subscriptions.

How to eliminate wrong answers

Option A is wrong because Application security groups are used to group virtual machines and define network security rules based on those groups, not to deploy or enforce security settings across subscriptions. Option B is wrong because Conditional Access templates are part of Azure AD and control access to applications based on conditions like location or device state; they do not deploy Defender for Cloud settings. Option C is wrong because Sentinel workbooks are visualization tools for security data within Azure Sentinel, not a mechanism to automatically deploy or enforce security configurations across subscriptions.

43
MCQ · medium

An organization uses Microsoft Defender for Cloud. They want to allow specific administrators to temporarily open RDP (port 3389) to a virtual machine only when needed, and for a limited time, while minimizing management overhead. Which Defender for Cloud feature should they use?

A. Azure Bastion
B. Just-in-time (JIT) VM access
C. Azure AD Privileged Identity Management (PIM)
D. Network Security Groups (NSGs)
Answer: B

JIT VM access allows you to request time-limited access to VMs via NSG rules, meeting the requirement.

Why this answer

Just-in-time (JIT) VM access in Microsoft Defender for Cloud allows administrators to temporarily open RDP (port 3389) to a virtual machine for a limited time, reducing exposure to brute-force attacks. It integrates with Azure Network Security Groups (NSGs) and Azure Firewall to automatically lock down inbound traffic when not in use, minimizing management overhead by eliminating the need for manual NSG rule changes.

Exam trap

The trap here is that candidates confuse Azure Bastion (persistent secure access) with JIT (time-limited port opening), or mistakenly think PIM controls network access rather than role activation.

How to eliminate wrong answers

Option A is wrong because Azure Bastion provides persistent, secure RDP/SSH access via TLS over the Azure portal without exposing public IPs, but it does not offer time-limited, on-demand port opening; it is always available once deployed. Option C is wrong because Azure AD Privileged Identity Management (PIM) manages just-in-time activation of Azure AD roles and Azure resource roles (e.g., Contributor), not network-level port access to VMs. Option D is wrong because Network Security Groups (NSGs) are the underlying mechanism to allow or deny traffic, but they require manual rule creation and removal, which increases management overhead and does not provide automated, time-limited access.

44
Multi-Select · medium

Your company is implementing an Azure AD B2B collaboration strategy for external partners. Which three of the following statements about Azure AD B2B collaboration are correct? (Choose three.)

Select 3 answers
- External users can use their own Azure AD or Microsoft account to sign in
- External users are represented as guest users in the tenant directory
- Conditional Access policies can be applied to guest users
- Azure AD B2B collaboration requires an Azure AD Premium P2 license for each guest user
- Guest users cannot access SharePoint Online sites
- External users must have an Azure AD tenant in their own organization

Why this answer

Azure AD B2B collaboration allows external users to sign in using their own Azure AD, Microsoft account (e.g., Outlook.com), or other identity providers (e.g., Google, SAML/WS-Fed IdPs). These users are represented as guest user objects in the tenant directory, which enables them to be managed like internal users. Conditional Access policies can be applied to guest users at the tenant or application level, allowing organizations to enforce MFA, device compliance, or sign-in risk policies for external collaborators.

Exam trap

The trap here is that candidates often assume Azure AD B2B collaboration requires each guest user to have an Azure AD Premium license or their own Azure AD tenant, but in reality, Azure AD B2B is free for guest users and supports a wide range of identity providers beyond Azure AD.

45
MCQ · easy

A security team wants to receive a weekly email summary of the security posture of all their Azure subscriptions, including the Secure Score, top recommendations, and the number of healthy resources. Which Microsoft Defender for Cloud feature should they configure?

A. Continuous export to a Log Analytics workspace
B. Email notifications for weekly digest
C. Automation rules to trigger a Logic App on a schedule
D. Workflow automation to export data daily
Answer: B

In Defender for Cloud's email notifications blade, you can enable a 'Send weekly digest' option that emails the Secure Score, top recommendations, and healthy resource count.

Why this answer

Option B is correct because the 'Email notifications for weekly digest' feature in Microsoft Defender for Cloud is specifically designed to send a weekly summary of security posture, including Secure Score, top recommendations, and healthy resources, directly to specified email recipients. This feature is configured under Defender for Cloud's 'Email notifications' settings, where you can enable the weekly digest and define the recipients.

Exam trap

The trap here is that candidates confuse the weekly digest with workflow automation or continuous export, assuming any automated export can be scheduled to send emails, but only the dedicated 'Email notifications for weekly digest' feature provides the exact preformatted summary without custom Logic App development.

How to eliminate wrong answers

Option A is wrong because Continuous export to a Log Analytics workspace is used for streaming security data (e.g., alerts, recommendations) to a workspace for custom analysis or retention, not for sending a preformatted weekly email summary. Option C is wrong because Automation rules trigger actions (e.g., Logic Apps) based on specific events like new alerts or recommendations, not on a schedule for a weekly digest; scheduling requires a separate Logic App trigger. Option D is wrong because Workflow automation triggers Logic Apps or runbooks in response to Defender for Cloud events (e.g., when a recommendation is created), not for scheduled daily exports; daily exports to email are not a native feature.

46
Multi-Select · hard

A team wants to deploy Sentinel content consistently across workspaces. Which two approaches are appropriate?

Select 2 answers
A. Manually copy screenshots of rules
B. Use Content Hub solutions where available
C. Store incidents in Azure Key Vault
D. Use infrastructure-as-code or automation for analytic rules and workbooks
Answers: B, D

Correct for the stated requirement.

Why this answer

Content Hub solutions in Azure Sentinel provide pre-packaged content (analytic rules, workbooks, playbooks) that can be installed consistently across multiple workspaces via the Azure portal or API. This ensures standardized deployment without manual errors, leveraging Microsoft's curated content for common scenarios.

Exam trap

The trap here is that candidates may confuse 'storing incidents' (operational data) with 'deploying content' (configuration), leading them to incorrectly select Azure Key Vault as a deployment mechanism for Sentinel rules.

47
MCQ · easy

A company uses Azure AD with Premium P2 licenses. They want to require that all new users register for Azure Multi-Factor Authentication (MFA) within 14 days of their first sign-in. If they do not register, they should be denied access to all cloud applications until registration is completed. Which Azure AD feature should they configure?

A. Identity Protection user risk policy
B. Conditional Access policy targeting the MFA registration
C. Azure AD Identity Protection sign-in risk policy
D. Privileged Identity Management (PIM)
Answer: B

A Conditional Access policy with the 'Require MFA registration' grant control enforces registration before access is granted.

Why this answer

The requirement to enforce MFA registration within a specific time frame and block access until registration is complete is achieved by configuring a Conditional Access policy targeting the 'Register security information' (MFA registration) user action. This policy can require users to register for MFA and, if not completed, deny access to all cloud apps. Azure AD Premium P2 licenses are required for Conditional Access.

Exam trap

The trap here is that candidates confuse Identity Protection risk policies (which handle risky sign-ins or compromised users) with Conditional Access policies that directly enforce MFA registration deadlines, leading them to select A or C instead of B.

How to eliminate wrong answers

Option A is wrong because Identity Protection user risk policy addresses user accounts with compromised credentials or risky behavior, not the enforcement of MFA registration timing. Option C is wrong because Identity Protection sign-in risk policy evaluates the risk of a specific sign-in attempt (e.g., from anonymous IP addresses) and can block or require MFA, but it does not enforce a registration deadline for new users. Option D is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation and approval workflows, not MFA registration enforcement for all users.

48
MCQ · medium

A security analyst uses Microsoft Defender for Cloud. They need to assess their Azure environment's compliance against the Payment Card Industry Data Security Standard (PCI DSS). Which dashboard in Defender for Cloud should they use to view the compliance status?

A. Secure Score
B. Security Alerts
C. Regulatory Compliance
D. Workbooks
Answer: C

This dashboard shows compliance status for selected regulatory standards, with detailed insights into which controls pass or fail.

Why this answer

The Regulatory Compliance dashboard in Microsoft Defender for Cloud provides a pre-built assessment of your Azure environment against specific compliance standards, including PCI DSS. It maps your security controls to the requirements of the standard and shows a compliance score based on the results of continuous assessments. This is the correct tool for viewing compliance status against PCI DSS.

Exam trap

The trap here is that candidates may confuse Secure Score (which measures general security hygiene) with regulatory compliance scoring, but Secure Score does not map to specific standards like PCI DSS, while Regulatory Compliance does.

How to eliminate wrong answers

Option A is wrong because Secure Score measures your overall security posture based on implemented security controls, not compliance with a specific regulatory standard like PCI DSS. Option B is wrong because Security Alerts lists active threats and suspicious activities, not compliance status. Option D is wrong because Workbooks are customizable visualizations that can be built from Azure Monitor data, but they do not provide a pre-built, out-of-the-box compliance assessment against PCI DSS.

49
MCQ · easy

A company uses Microsoft Defender for Cloud. They want to receive email notifications when a high-severity security alert is generated for any resource in the subscription. Which configuration should they make in Defender for Cloud?

A. Configure the 'Email notifications' setting in Defender for Cloud to send alerts to the required email addresses.
B. Create a workflow automation in Defender for Cloud that sends an email when a high-severity alert is generated.
C. Enable continuous export to stream all security alerts to a Log Analytics workspace and create an alert rule to send email.
D. Enable the 'Send email alerts' option in the Azure Monitor activity log alert rule.
Answer: A

This is correct. Defender for Cloud can be configured to email security alerts to a list of recipients based on severity.

Why this answer

Option A is correct because the 'Email notifications' setting in Microsoft Defender for Cloud allows you to directly configure email recipients to receive notifications for high-severity alerts. This built-in feature sends emails to specified addresses whenever a high-severity security alert is triggered for any resource in the subscription, without requiring additional automation or external tools.

Exam trap

The trap here is that candidates often confuse workflow automation (Option B) as the primary method for email notifications, but Microsoft Defender for Cloud has a dedicated 'Email notifications' setting specifically for this purpose, making it the simplest and correct configuration.

How to eliminate wrong answers

Option B is wrong because workflow automation in Defender for Cloud is designed to trigger automated actions (e.g., Logic Apps) in response to alerts, but it does not natively send email notifications; it requires a separate Logic App to send emails, making it more complex than the direct email notification setting. Option C is wrong because continuous export streams alerts to a Log Analytics workspace, but creating an alert rule to send email involves additional configuration and latency, and it is not the simplest or intended method for direct email notifications. Option D is wrong because Azure Monitor activity log alert rules monitor activity log events, not security alerts from Defender for Cloud; security alerts are not activity log entries, so this option would not capture high-severity alerts.

50
MCQ · medium

An organization uses Microsoft Defender for Cloud. They want to receive alerts when Azure virtual machines do not have disk encryption enabled. What should they configure to achieve this?

A. A custom alert rule in Microsoft Sentinel
B. A regulatory compliance standard in Defender for Cloud
C. A security policy recommendation in Defender for Cloud
D. An Azure Policy initiative
Answer: C

Defender for Cloud includes a recommendation for disk encryption. When a VM does not have encryption enabled, it appears as an unhealthy resource, triggering a security recommendation.

Why this answer

Option C is correct because Defender for Cloud's security policy recommendations include 'Disk encryption should be applied on virtual machines' as a built-in recommendation. When enabled, Defender for Cloud continuously assesses VMs against this recommendation and generates alerts for non-compliant resources. This is the native mechanism within Defender for Cloud to monitor and alert on missing disk encryption without requiring external tools or custom rules.

Exam trap

The trap here is that candidates often confuse Defender for Cloud's built-in security recommendations with Azure Policy initiatives, not realizing that Defender for Cloud automatically surfaces and alerts on missing disk encryption through its own recommendation engine, not through a separately created policy initiative.

How to eliminate wrong answers

Option A is wrong because Microsoft Sentinel is a SIEM/SOAR tool that ingests security data from multiple sources; while it can create custom alert rules, the question specifically asks for configuration within Defender for Cloud, and Sentinel is a separate Azure service. Option B is wrong because regulatory compliance standards in Defender for Cloud map to frameworks like CIS or PCI DSS and provide compliance scores, but they do not directly generate alerts for missing disk encryption; they only show compliance status. Option D is wrong because an Azure Policy initiative can enforce or audit disk encryption, but it does not generate alerts in Defender for Cloud; Defender for Cloud uses its own security recommendations, not Azure Policy initiatives, to surface alerts.

51
MCQmedium

A security team uses Microsoft Defender for Cloud. They have enabled the integrated vulnerability assessment (VA) solution on their Azure virtual machines. They want to receive alerts when a VM has a vulnerability rated 'Critical' by the VA solution. Which Defender for Cloud plan must be enabled on the subscription?

A.Defender for Servers Plan 1
B.Defender for Servers Plan 2
C.Defender for Cloud Apps
D.Defender for Storage
AnswerB

Plan 2 includes the integrated Qualys vulnerability assessment and generates security alerts for discovered vulnerabilities, including those rated 'Critical'.

Why this answer

Defender for Servers Plan 2 is required because it includes the integrated Qualys-based vulnerability assessment (VA) solution that continuously scans Azure VMs for vulnerabilities and provides security alerts when critical vulnerabilities are found. Plan 1 only offers basic threat detection and does not include the integrated VA scanner or the ability to generate alerts based on VA findings.

Exam trap

The trap here is that candidates often confuse Defender for Servers Plan 1 with Plan 2, assuming both include the integrated VA solution, but Plan 1 only provides basic threat detection and lacks the Qualys-based vulnerability scanning and alerting capabilities.

How to eliminate wrong answers

Option A is wrong because Defender for Servers Plan 1 provides only basic threat detection and does not include the integrated Qualys vulnerability assessment solution, so it cannot generate alerts for critical vulnerabilities from VA scans. Option C is wrong because Defender for Cloud Apps is a CASB (Cloud Access Security Broker) solution focused on SaaS application security and user behavior, not VM vulnerability scanning. Option D is wrong because Defender for Storage is designed to detect threats against Azure Storage accounts (e.g., blob, file shares) and has no capability to perform vulnerability assessments on virtual machines.

52
MCQmedium

A security team uses Microsoft Sentinel. They want to create a playbook that automatically adds a tag 'isolated' to any Azure virtual machine that triggers a high-severity security alert. How should they configure the automation?

A.Create an analytics rule with an automated response
B.Create a playbook in Logic Apps and attach it to the alert as an automation rule
C.Use a workbook to trigger the playbook
D.Configure a data connector
AnswerB

Correct. Automation rules are configured to run playbooks when new incidents are created. The playbook then executes the logic to add the tag.

Why this answer

Option B is correct because Microsoft Sentinel playbooks are built on Azure Logic Apps and can be triggered by automation rules. An automation rule is configured to run when a high-severity alert is generated, and it invokes the playbook, which then uses the Azure Resource Manager connector to add the 'isolated' tag to the triggering virtual machine. This is the native, supported method for automated incident response in Sentinel.

Exam trap

The trap here is confusing analytics rule automated responses (which can only trigger playbooks or change alert properties) with the ability to directly modify Azure resources, leading candidates to incorrectly choose Option A.

How to eliminate wrong answers

Option A is wrong because analytics rules define detection logic and can have automated responses, but they are limited to simple actions like changing alert severity or running a playbook; they cannot directly add tags to Azure resources without a playbook. Option C is wrong because workbooks are visualization tools that display data from queries; they cannot trigger playbooks or execute automation actions. Option D is wrong because data connectors ingest log data from sources into Sentinel; they do not perform post-detection remediation actions like tagging VMs.

53
MCQmedium

A security operations team uses Microsoft Sentinel. They need to collect Syslog messages from on-premises Linux servers for analysis. Which data connector should they use to ingest these logs into Sentinel?

A.Azure Activity Log connector
B.Syslog connector via Log Analytics agent
C.Common Event Format (CEF) connector
D.Windows Security Events connector
AnswerB

This connector uses the Log Analytics agent on Linux to collect Syslog events and send them to Sentinel.

Why this answer

The Syslog connector via Log Analytics agent is the correct choice because it allows Microsoft Sentinel to collect Syslog messages from on-premises Linux servers. The Log Analytics agent (formerly OMS agent) listens on UDP port 514 (or a custom port) for Syslog messages forwarded by the Linux rsyslog or syslog-ng daemon, then forwards them to the Log Analytics workspace. This connector is specifically designed for standard Syslog ingestion without requiring format transformation.

Exam trap

The trap here is that candidates often confuse the Syslog connector (for standard Syslog) with the CEF connector (for formatted security logs), mistakenly thinking CEF is required for any Linux Syslog ingestion, when in fact CEF is only needed for specific security appliances that output CEF-formatted logs.

How to eliminate wrong answers

Option A is wrong because the Azure Activity Log connector ingests subscription-level events from Azure's control plane (e.g., resource creation, policy changes), not Syslog messages from on-premises Linux servers. Option C is wrong because the Common Event Format (CEF) connector is used for security appliances that output CEF-formatted logs (e.g., firewalls, IDS/IPS) and requires a Syslog forwarder to parse and transform the logs, whereas standard Syslog messages do not need this transformation. Option D is wrong because the Windows Security Events connector collects Windows Event Log data (specifically Security events) from Windows machines, not Syslog messages from Linux servers.

54
MCQhard

A Microsoft Sentinel rule should run with minimal delay against supported data sources and produce alerts close to event time. Which rule type should be considered?

A.Fusion rule
B.Near-real-time analytics rule
C.Workbook query
D.Threat intelligence indicator import
AnswerB

Correct for the stated requirement.

Why this answer

Near-real-time (NRT) analytics rules in Microsoft Sentinel are designed to run at 1-minute intervals, providing the minimal delay for alert generation against supported data sources. This rule type queries data with low latency, ensuring alerts are produced close to the event time, which is critical for timely threat detection.

Exam trap

The trap here is that candidates often confuse near-real-time rules with scheduled analytics rules, assuming scheduled rules can be configured for minimal delay, but NRT rules are the only type that guarantees sub-5-minute latency without custom scheduling.

How to eliminate wrong answers

Option A is wrong because Fusion rules are correlation-based and use machine learning to detect multistage attacks, not designed for minimal delay or near-real-time alerting. Option C is wrong because workbook queries are for visualization and reporting, not for generating alerts or running with minimal delay. Option D is wrong because threat intelligence indicator import is a data ingestion process for bringing in threat indicators, not a rule type that runs queries to produce alerts.

55
MCQmedium

A security operations team uses Microsoft Sentinel. They want to create an automation that automatically changes the severity of an incident from 'Medium' to 'High' when a specific indicator of compromise (IOC) is observed in the incident's entities. The playbook should run immediately when the incident is created. Which type of automation rule trigger should they configure?

A.When incident is created
B.When incident is updated
C.When alert is generated
D.Scheduled
AnswerA

This trigger fires automatically as soon as a new incident is created, allowing immediate execution of the playbook.

Why this answer

Option A is correct because the requirement specifies that the automation should run immediately when the incident is created. In Microsoft Sentinel, an automation rule with the trigger 'When incident is created' executes a playbook as soon as the incident is generated, before any updates occur. This allows the playbook to evaluate the incident's entities (e.g., IP addresses, hashes) and change the severity from 'Medium' to 'High' if a specific IOC is present, meeting the real-time response need.

Exam trap

The trap here is that candidates often confuse 'When alert is generated' with incident creation, not realizing that alerts are raw signals and incidents are the correlated case that can have severity changed, leading them to pick Option C instead of A.

How to eliminate wrong answers

Option B is wrong because 'When incident is updated' triggers only after an incident has been modified (e.g., status change, comment added), not at creation time, so it would not run immediately upon incident generation. Option C is wrong because 'When alert is generated' triggers on individual alerts, not incidents; incidents can aggregate multiple alerts, and the playbook needs to run at the incident level to change incident severity. Option D is wrong because 'Scheduled' triggers run on a recurring schedule (e.g., every hour), not in real-time upon incident creation, which fails the 'immediately' requirement.

56
MCQmedium

A company uses Azure AD Privileged Identity Management (PIM) for Azure AD roles. They want to require that when a user activates the Security Administrator role, they must provide a justification and the activation must be approved by a member of a specific security group. Which PIM setting should they configure?

A.Require approval to activate
B.Require multi-factor authentication
C.Require justification
D.Require Azure AD join
AnswerA

Correct. Enabling 'Require approval to activate' and specifying the security group as the approver meets the requirement that a member of that group approves the activation before it takes effect.

Why this answer

Option A is correct because Azure AD PIM allows you to enforce approval workflows for role activation. By configuring 'Require approval to activate' and selecting the specific security group as the approver, you ensure that any user attempting to activate the Security Administrator role must first receive approval from a member of that group, in addition to providing a justification.

Exam trap

The trap here is that candidates often confuse 'Require justification' (a mandatory text field) with the approval workflow, thinking that providing a justification alone satisfies the approval requirement, when in fact a separate approver action is needed.

How to eliminate wrong answers

Option B is wrong because requiring multi-factor authentication (MFA) is a separate PIM setting that enforces additional authentication during activation, but it does not involve an approval workflow or a designated approver group. Option C is wrong because requiring justification is a mandatory text input during activation, but it does not introduce an approval step; the activation would proceed automatically after justification is provided. Option D is wrong because requiring Azure AD join is a device state requirement typically used for Conditional Access policies, not for PIM role activation approval workflows.

57
MCQmedium

A company wants to ensure that users can only access Microsoft 365 services (e.g., Exchange Online, SharePoint Online) from devices that are confirmed to be compliant with corporate security policies (e.g., encryption enabled, antivirus active). Which Azure AD policy type should they create?

A.Conditional Access policy with the 'Require compliant device' grant control.
B.Identity Protection policy with a sign-in risk policy.
C.Access review policy for groups.
D.Privileged Identity Management (PIM) activation policy.
AnswerA

This policy checks device compliance status (based on Intune policies) and blocks access if the device is not compliant.

Why this answer

A is correct because a Conditional Access policy with the 'Require compliant device' grant control enforces device-based access restrictions by checking the device's compliance status reported by Microsoft Intune. This ensures that only devices meeting corporate security policies (e.g., encryption enabled, antivirus active) can access Microsoft 365 services like Exchange Online and SharePoint Online.

Exam trap

The trap here is confusing device compliance (Conditional Access) with sign-in risk (Identity Protection), as both involve 'risk' or 'compliance' terminology but target fundamentally different aspects of security—device state versus authentication risk.

How to eliminate wrong answers

Option B is wrong because Identity Protection sign-in risk policies evaluate the likelihood that a sign-in attempt is unauthorized (e.g., from an anonymous IP or leaked credentials), not the compliance state of the device. Option C is wrong because Access review policies for groups manage periodic attestation of group memberships, not device compliance or access control. Option D is wrong because Privileged Identity Management (PIM) activation policies control the elevation of privileged roles (e.g., Global Admin) and do not enforce device compliance for service access.

58
MCQhard

A Conditional Access policy requiring compliant devices does not apply to Azure PowerShell access. Sign-in logs show the cloud app is excluded. What should be changed?

A.Disable device compliance in Intune
B.Convert the policy to a named location policy
C.Remove MFA from all users
D.Include the relevant cloud app or target all cloud apps after testing exclusions
AnswerD

Correct for the stated requirement.

Why this answer

Option D is correct because Conditional Access policies apply only to cloud apps explicitly included in the policy. Since Azure PowerShell is excluded, the policy does not enforce the 'Require device to be marked as compliant' condition for that app. To fix this, you must either include the specific cloud app (Microsoft Azure PowerShell) or set the policy to target 'All cloud apps' and then test exclusions to ensure the compliant device requirement is applied to Azure PowerShell access.

Exam trap

The trap here is that candidates may assume a Conditional Access policy applies to all cloud apps by default, but in reality, policies only apply to apps explicitly included, and exclusions take precedence over inclusions.

How to eliminate wrong answers

Option A is wrong because disabling device compliance in Intune would remove the compliance status altogether, breaking the policy's intent rather than fixing the exclusion issue. Option B is wrong because converting the policy to a named location policy would change the condition from device compliance to network location, which does not address the missing cloud app inclusion for Azure PowerShell. Option C is wrong because removing MFA from all users is unrelated to the cloud app exclusion; MFA is a separate control and removing it would weaken security without resolving the policy scope problem.

59
MCQmedium

A security operations team uses Microsoft Sentinel. They want to create a custom analytics rule that detects when an Azure virtual machine is created with a public IP address that is not in an approved list. Which type of rule should they use?

A.Scheduled query rule
B.NRT rule
C.Anomaly rule
D.Fusion rule
AnswerA

Correct. Scheduled query rules allow you to run a KQL query on a schedule and create incidents based on the results. This is ideal for checking new VM creations against an approved IP list.

Why this answer

A scheduled query rule is the correct choice because it allows you to define a KQL query that runs on a recurring schedule (e.g., every 5 minutes) to detect when an Azure VM is created with a public IP not in an approved list. This rule type is designed for custom detection logic that requires periodic evaluation of log data, such as AzureActivity logs or Azure Resource Graph, making it ideal for this scenario.

Exam trap

The trap here is that candidates confuse NRT rules with scheduled query rules, assuming NRT's lower latency is always better, but NRT rules lack the ability to reference external data sources like watchlists for dynamic approved IP comparisons.

How to eliminate wrong answers

Option B (NRT rule) is wrong because near-real-time rules are designed for low-latency detection (up to 2 minutes) but do not support the complex KQL logic needed to cross-reference a dynamic approved list; they are better suited for simple, high-frequency patterns. Option C (Anomaly rule) is wrong because anomaly rules use machine learning to detect unusual patterns in time-series data, not static comparisons against an approved list. Option D (Fusion rule) is wrong because fusion rules are prebuilt for multi-stage attack detection across different data sources, not for custom single-condition checks like VM creation with an unapproved public IP.

60
MCQeasy

A company uses Microsoft Defender for Cloud. They want to receive alerts when a virtual machine has a vulnerability that is rated 'Critical' by the integrated vulnerability assessment solution. Which Defender for Cloud plan must be enabled?

A.Defender for Servers plan (P2 or P1)
B.Defender for Cloud's free foundational CSPM
C.Defender for Storage plan
D.Defender for SQL plan
AnswerA

The Defender for Servers plan enables the integrated vulnerability assessment tool that scans VMs and generates alerts for critical vulnerabilities.

Why this answer

The integrated vulnerability assessment solution in Microsoft Defender for Cloud relies on the Qualys or Microsoft Defender Vulnerability Management (MDVM) agent, which is only available with the Defender for Servers plan. The P2 tier includes the full vulnerability assessment capabilities, while P1 provides foundational coverage; both can generate alerts for critical vulnerabilities. Without this plan, the vulnerability assessment engine is not active, so no critical alerts will be produced.

Exam trap

The trap here is that candidates often assume the free foundational CSPM includes vulnerability alerting because it provides a 'secure score' and recommendations, but it does not include the agent-based scanning required to generate critical vulnerability alerts.

How to eliminate wrong answers

Option B is wrong because the free foundational CSPM provides only basic security posture assessments and compliance checks, not the agent-based vulnerability scanning required to detect critical vulnerabilities. Option C is wrong because the Defender for Storage plan is designed to detect threats against Azure Blob, Azure Files, and Data Lake Storage, not to assess OS-level vulnerabilities on virtual machines. Option D is wrong because the Defender for SQL plan focuses on SQL database-specific threats (e.g., SQL injection, brute force) and does not include the vulnerability assessment agent for virtual machines.

61
MCQmedium

A cloud security team wants Defender for Cloud to assess AWS accounts and GCP projects from the same portal used for Azure posture management. What should they configure?

A.Environment settings with multicloud connectors
B.Azure Arc-enabled Kubernetes only
C.Microsoft Sentinel data connector for AWS CloudTrail only
D.Azure Lighthouse delegation
AnswerA

Correct for the stated requirement.

Why this answer

Option A is correct because Defender for Cloud's multicloud connectors allow you to onboard AWS accounts and GCP projects directly into the Azure portal, enabling unified security posture management across all three cloud environments. This feature integrates with AWS Security Hub and GCP Security Command Center to aggregate findings and assessments into a single dashboard, without requiring any migration of workloads.

Exam trap

The trap here is that candidates confuse Defender for Cloud's multicloud posture assessment with Microsoft Sentinel's SIEM data connectors, assuming any cloud integration must go through Sentinel, when in fact Defender for Cloud has its own dedicated multicloud connector for posture management.

How to eliminate wrong answers

Option B is wrong because Azure Arc-enabled Kubernetes only extends Azure management to Kubernetes clusters running outside Azure, not to AWS accounts or GCP projects for cloud posture assessment. Option C is wrong because Microsoft Sentinel's data connector for AWS CloudTrail is designed for security information and event management (SIEM) ingestion, not for continuous cloud security posture assessment and compliance monitoring. Option D is wrong because Azure Lighthouse delegation is used for managing multiple Azure tenants from a single control plane, not for integrating non-Azure cloud providers like AWS or GCP.

62
MCQmedium

A privileged administrator should activate the Security Administrator role only for approved work and for a limited time. What should be configured?

A.Permanent active assignment in Microsoft Entra ID
B.Eligible assignment with activation controls in Privileged Identity Management
C.Owner role at the subscription root
D.Conditional Access session persistence
AnswerB

Correct for the stated requirement.

Why this answer

Privileged Identity Management (PIM) in Microsoft Entra ID allows you to configure eligible assignments for roles like Security Administrator. This means the user must activate the role on demand, with time-bound activation controls (e.g., maximum activation duration, approval, MFA), ensuring the role is used only for approved work and for a limited time. This directly meets the requirement of just-in-time (JIT) access and temporary activation.

Exam trap

The trap here is that candidates often confuse permanent active assignments (Option A) with eligible assignments, mistakenly thinking that permanent assignment is sufficient if the user is trusted, but the question explicitly requires 'limited time' activation, which only PIM can enforce.

How to eliminate wrong answers

Option A is wrong because a permanent active assignment grants the role continuously without any time limit or activation requirement, violating the principle of limited-time access. Option C is wrong because the Owner role at the subscription root is an Azure RBAC role, not a Microsoft Entra ID administrative role, and it does not provide the Security Administrator permissions needed for identity security tasks; it also lacks time-bound activation controls. Option D is wrong because Conditional Access session persistence controls how long a user stays signed in (e.g., browser session persistence), not the activation or duration of a privileged role assignment.

63
MCQmedium

A Defender for Cloud secure score recommendation says storage accounts allow public blob access. What remediation best addresses the root issue?

A.Enable storage account static website hosting
B.Increase Log Analytics retention
C.Disable public blob access at the storage account level and review container ACLs
D.Create an Azure Front Door profile
AnswerC

Correct for the stated requirement.

Why this answer

The secure score recommendation indicates that storage accounts allow public blob access, which is a security risk. The root cause is that anonymous access is enabled at the storage account level, and individual container ACLs may also permit public access. Disabling public blob access at the storage account level (via the 'AllowBlobPublicAccess' property) immediately blocks all anonymous requests, and reviewing container ACLs ensures no residual permissions exist.

This directly addresses the vulnerability by enforcing a deny-by-default posture.

Exam trap

The trap here is that candidates may confuse the storage account-level public access setting with container-level ACLs, thinking that disabling one automatically disables the other, or they may mistakenly believe that enabling static website hosting or using Front Door can override or mitigate the public access vulnerability.

How to eliminate wrong answers

Option A is wrong because enabling static website hosting does not affect public blob access settings; it only serves static content from a specific container ($web) and does not remediate the security recommendation. Option B is wrong because increasing Log Analytics retention only extends the storage duration of diagnostic logs, which does not change access permissions or block anonymous blob access. Option D is wrong because creating an Azure Front Door profile is a content delivery and acceleration service that does not modify storage account access policies or disable public blob access.

64
MCQmedium

A company uses Microsoft Defender for Cloud to manage its security posture. The compliance team wants to monitor the subscription's compliance with the Payment Card Industry Data Security Standard (PCI DSS). They need to view a detailed compliance report and track progress over time. What should they do in Defender for Cloud?

A.Enable the relevant Defender for Cloud plans (e.g., Defender for Servers, Defender for SQL).
B.Add the PCI DSS standard from the regulatory compliance dashboard.
C.Create a custom regulatory compliance initiative based on PCI DSS controls.
D.Configure continuous export to send compliance data to a Log Analytics workspace.
AnswerB

Defender for Cloud provides built-in regulatory compliance standards. Adding PCI DSS from the dashboard enables the compliance monitoring and reporting for that standard.

Why this answer

Option B is correct because the regulatory compliance dashboard in Microsoft Defender for Cloud allows you to add built-in compliance standards like PCI DSS. Once added, the dashboard automatically assesses your subscription against the standard's controls, provides a detailed compliance report, and tracks progress over time with a compliance score and historical trend. This is the direct method to monitor PCI DSS compliance without needing to enable specific Defender plans or create custom initiatives.

Exam trap

The trap here is that candidates often confuse enabling Defender plans (which provide threat detection) with adding a compliance standard (which provides a compliance assessment), leading them to select Option A instead of the correct dashboard action in Option B.

How to eliminate wrong answers

Option A is wrong because enabling Defender for Cloud plans (e.g., Defender for Servers, Defender for SQL) provides security alerts and advanced threat protection but does not by itself add or display a PCI DSS compliance report; the regulatory compliance dashboard must be explicitly configured with the standard. Option C is wrong because creating a custom regulatory compliance initiative based on PCI DSS controls is unnecessary and more complex; Microsoft provides a built-in PCI DSS initiative that is automatically updated and maintained, and custom initiatives are typically used for organization-specific controls, not for adopting a standard already available in the dashboard. Option D is wrong because configuring continuous export to a Log Analytics workspace sends raw security data (e.g., alerts, recommendations) for external analysis or retention, but it does not generate or display the PCI DSS compliance report or track progress within Defender for Cloud's dashboard.

65
Multi-Selectmedium

A Sentinel detection should enrich alerts with business-critical asset context. Which two mechanisms are appropriate?

Select 2 answers
A.Join the query with a watchlist of critical assets
B.Delete low-severity incidents automatically
C.Map entities such as Host, Account, and IP in the analytics rule
D.Disable all built-in analytics templates
AnswersA, C

Correct for the stated requirement.

Why this answer

Option A is correct because watchlists in Microsoft Sentinel allow you to store and reference a curated set of critical asset identifiers (e.g., hostnames, IPs, account SIDs). By joining your analytics rule query with a watchlist, you can automatically enrich alerts with business-critical context, ensuring that incidents involving high-value assets are flagged with additional metadata. Option C is correct because mapping entities like Host, Account, and IP in the analytics rule definition enables Sentinel to extract and normalize these identifiers from raw log fields, which then allows playbooks, investigations, and threat intelligence to correlate alerts with asset context.

Exam trap

The trap here is that candidates often confuse incident management actions (like auto-deletion) with enrichment mechanisms, or they mistakenly think disabling templates is a valid configuration step, when in fact both options fail to provide the contextual data needed for alert enrichment.

66
MCQhard

An organization uses Microsoft Defender for Cloud. They want to implement just-in-time (JIT) VM access for a set of production VMs. However, the security team needs to ensure that JIT access requests are always approved by a manager before opening ports. Which configuration should they use?

A.Enable JIT in Defender for Cloud and configure a logic app to send approval emails
B.Use Azure AD Privileged Identity Management (PIM) for JIT activation
C.Enable JIT and configure a custom workflow automation with an approval step
D.Use Conditional Access with session controls
AnswerC

Defender for Cloud allows you to create automation rules that trigger Logic Apps. You can design the Logic App to require an approval (e.g., from a manager) before the JIT policy opens ports.

Why this answer

Option C is correct because Microsoft Defender for Cloud's JIT VM access can be integrated with a custom workflow automation that includes an approval step. This allows the security team to enforce manager approval before ports are opened, meeting the requirement for a formal approval process. The workflow automation can trigger an Azure Logic App or other action that requires a designated approver to authorize the request.

Exam trap

The trap here is confusing Azure AD PIM (which manages role activation) with JIT VM access (which manages network port openings), leading candidates to incorrectly select PIM for VM-level access control.

How to eliminate wrong answers

Option A is wrong because while a logic app can send approval emails, it does not enforce a mandatory approval step before JIT access is granted; the JIT request would still be automatically approved unless the logic app is configured to block it, which is not a native capability. Option B is wrong because Azure AD PIM is designed for managing and approving privileged role activations, not for controlling JIT VM access requests to specific ports on VMs. Option D is wrong because Conditional Access with session controls governs access to applications and data based on conditions like location or device compliance, not for approving JIT port openings on VMs.

67
MCQmedium

A company uses Azure AD Conditional Access. They want to require multi-factor authentication (MFA) for all users accessing the Azure portal, but only when the sign-in risk level is medium or above. Which configuration should they use in the Conditional Access policy?

A.Assignments > Cloud apps > Include > Microsoft Azure Management, Conditions > Sign-in risk > Medium and above, Grant > Require MFA.
B.Assignments > Users > All users, Cloud apps > All cloud apps, Conditions > User risk > Medium, Grant > Require MFA.
C.Assignments > Conditions > Locations > All trusted locations, Grant > Require MFA.
D.Assignments > Cloud apps > Include > All cloud apps, Conditions > Device platforms > iOS, Grant > Require MFA.
AnswerA

This correctly targets the Azure portal and uses sign-in risk condition to trigger MFA.

Why this answer

Option A is correct because it specifically targets the Azure portal via 'Microsoft Azure Management' in Cloud apps, sets the sign-in risk condition to 'Medium and above', and requires MFA. This matches the requirement exactly: MFA is triggered only when accessing the Azure portal and the sign-in risk level is medium or higher. Note that 'Microsoft Azure Management' covers every Azure Resource Manager client (portal, Azure CLI, Azure PowerShell, REST), not only the portal UI, so exclude your emergency-access accounts before enabling the policy.

Exam trap

The trap here is confusing 'User risk' with 'Sign-in risk': user risk is the probability that the account itself is compromised (for example, leaked credentials) and persists until it is remediated, while sign-in risk is an assessment of a single authentication attempt. The question asks about the current sign-in event, so it needs the latter.

How to eliminate wrong answers

Option B is wrong because it uses 'User risk' instead of 'Sign-in risk' — user risk is based on historical user behavior, not the current sign-in session, and it applies to all cloud apps, not just the Azure portal. Option C is wrong because it uses 'Locations' with 'All trusted locations', which would require MFA from trusted locations regardless of risk, and does not target the Azure portal or sign-in risk. Option D is wrong because it targets 'All cloud apps' and 'Device platforms > iOS', which would require MFA for all iOS devices accessing any cloud app, not specifically the Azure portal based on sign-in risk.

68
Multi-Selectmedium

Your organization uses Azure AD Privileged Identity Management (PIM) to manage admin roles. Which three of the following are valid configurations for role activation? (Choose three.)

Select 3 answers
.Require Azure AD Multi-Factor Authentication (MFA) during activation
.Set a maximum activation duration in hours
.Require approval from designated approvers
.Disable activation during weekends
.Automatically assign the role without activation
.Require a ticket number from an external ticketing system

Why this answer

Azure AD PIM allows organizations to enforce just-in-time (JIT) access for privileged roles. Requiring Azure AD MFA during activation ensures the user's identity is verified before role elevation. Setting a maximum activation duration (PIM accepts 0.5 to 24 hours) limits the window of elevated privilege.

Requiring approval from designated approvers adds a secondary authorization layer, preventing unauthorized or accidental role assignments.

Exam trap

The trap here is that candidates may confuse PIM's activation settings with Azure AD Conditional Access policies or general role assignment options, leading them to select features like disabling activation on weekends or integrating an external ticketing system. PIM has no schedule-based activation restriction, and its 'Require ticket information on activation' setting only adds free-text ticket number and ticketing system fields; it does not validate the number against an external ticketing system.

69
MCQeasy

A security team uses Microsoft Defender for Cloud. They want to automatically enable the 'vulnerability assessment' solution on all existing and future Azure SQL Database servers that are not already configured. Which Defender for Cloud feature should they use to enforce this configuration across the subscription?

A.Workflow automation
B.Continuous export
C.Azure Policy integration
D.Security policies (initiatives)
AnswerC

Azure Policy (integrated in Defender for Cloud) can enforce compliance and automatically deploy settings (like vulnerability assessment) via DeployIfNotExists policies.

Why this answer

Azure Policy integration is the correct feature because it allows you to create and assign policies that audit or enforce configurations across Azure resources at subscription scope, so new resources are covered as they are created. Note the difference between effects: the built-in 'should be enabled' policy for SQL vulnerability assessment is an audit policy that only reports non-compliance. Automatic enablement needs a DeployIfNotExists policy assigned with a managed identity, and existing non-compliant servers are fixed only when you start a remediation task for that assignment.

Exam trap

The trap here is confusing the policy definition (initiative) with the enforcement mechanism (Azure Policy integration), leading candidates to select 'Security policies (initiatives)' when the question specifically asks for the feature that enforces the configuration across the subscription.

How to eliminate wrong answers

Option A is wrong because Workflow automation in Defender for Cloud triggers actions (e.g., sending email or creating a ticket) based on alerts or recommendations, but it does not enforce or remediate configurations proactively across resources. Option B is wrong because Continuous export streams security alerts and recommendations to Log Analytics or Event Hubs for external analysis, but it cannot enforce or enable a vulnerability assessment solution on SQL servers. Option D is wrong because Security policies (initiatives) are the high-level definitions of compliance requirements, but they are implemented through Azure Policy; the question asks for the feature that enforces the configuration, which is Azure Policy integration, not the policy definitions themselves.
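The enforcement path described above, shown end to end as an added example that is not part of the original page: assign a built-in DeployIfNotExists policy at subscription scope with a managed identity, grant that identity exactly the roles the policy definition declares, then start a remediation task for the servers that already exist. It assumes Az.Resources 7.x and Az.PolicyInsights are installed, the caller holds Owner (or Resource Policy Contributor plus User Access Administrator) on the subscription, and the $PolicyDisplayName wildcard matches the deploy-effect policy in your tenant; the names and the 30-second propagation wait are assumptions.

```powershell
# Added example, not from the original page. Assumes Az.Resources 7.x (flattened
# policy objects) and Az.PolicyInsights; $PolicyDisplayName is a wildcard you may
# need to adjust so it matches the deploy-effect policy in your tenant.
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,
    [string] $PolicyDisplayName = "*vulnerability assessment*SQL*",
    [string] $Location = "eastus"   # the managed identity needs a region
)

$scope = "/subscriptions/$SubscriptionId"

# Audit-effect policies ("... should be enabled") only report. Only a
# DeployIfNotExists policy carries a then.details.deployment template, so refuse
# anything else instead of assigning a policy that can never fix the resources.
$def = Get-AzPolicyDefinition -Builtin |
    Where-Object { $_.DisplayName -like $PolicyDisplayName -and
                   $null -ne $_.PolicyRule.then.details.deployment } |
    Select-Object -First 1
if (-not $def) { throw "No built-in DeployIfNotExists policy matched '$PolicyDisplayName'." }

# Subscription-scope assignment with a system-assigned identity; the deploy
# effect will fire for every SQL server created or updated from now on.
$assignment = New-AzPolicyAssignment `
    -Name             "deploy-sql-vulnerability-assessment" `
    -DisplayName      "Deploy vulnerability assessment on SQL servers" `
    -Scope            $scope `
    -PolicyDefinition $def `
    -IdentityType     SystemAssigned `
    -Location         $Location

# The definition lists the RBAC roles its deployment needs; grant exactly those
# to the assignment's identity and nothing broader. Wait briefly so the new
# service principal has replicated before role assignment (assumed delay).
Start-Sleep -Seconds 30
foreach ($roleDefinitionId in $def.PolicyRule.then.details.roleDefinitionIds) {
    New-AzRoleAssignment `
        -ObjectId         $assignment.Identity.PrincipalId `
        -RoleDefinitionId (($roleDefinitionId -split "/")[-1]) `
        -Scope            $scope | Out-Null
}

# DeployIfNotExists only triggers on create/update events. Existing servers need
# a remediation task; ReExamineCompliance re-evaluates them before remediating.
Start-AzPolicyRemediation `
    -Name                  "remediate-sql-vulnerability-assessment" `
    -PolicyAssignmentId    $assignment.Id `
    -Scope                 $scope `
    -ResourceDiscoveryMode ReExamineCompliance
```

Run it as `.\Deploy-SqlVaPolicy.ps1 -SubscriptionId <guid>`; if the wildcard matches no deploy-effect policy the script stops before assigning anything, which is the failure mode you want when the only match is the audit-only variant.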

70
MCQmedium

A company uses Azure Active Directory (Azure AD) and has a conditional access policy that requires multi-factor authentication (MFA) for all external users accessing SharePoint Online. However, the security team wants to enforce that external users must re-authenticate every 30 minutes when accessing SharePoint. Which control should they configure in a new conditional access policy targeting SharePoint Online?

A.Assign the policy to 'All cloud apps' and use a grant control to require multi-factor authentication.
B.Configure a condition for sign-in risk level and set it to 'High'.
C.Add a session control and set 'Sign-in frequency' to 30 minutes.
D.Configure a session control to use 'App enforced restrictions' for SharePoint.
AnswerC

Session controls allow you to enforce re-authentication after a specified time. Setting sign-in frequency to 30 minutes meets the requirement.

Why this answer

Option C is correct because the 'Sign-in frequency' session control in a Conditional Access policy allows administrators to enforce re-authentication at a specified interval for the targeted app, here SharePoint Online for external users. This control is independent of MFA and specifically addresses the lifetime of the authentication session rather than the authentication method. One practical caveat: the periodic value is configured in hours or days (the portal and Microsoft Graph accept no 'minutes' unit), so the shortest interval you can actually set is 1 hour; the exam point is that the control lives under session controls, not grant controls.

Exam trap

The trap here is that candidates often confuse 'Sign-in frequency' with 'Grant controls' (like MFA) or 'Conditions' (like risk), not realizing that session controls specifically manage the duration of authentication sessions rather than the method of authentication.

How to eliminate wrong answers

Option A is wrong because assigning the policy to 'All cloud apps' and requiring MFA does not enforce a re-authentication frequency; it only mandates MFA at initial sign-in, not every 30 minutes. Option B is wrong because configuring a condition for sign-in risk level set to 'High' triggers MFA or block based on risk, not a fixed 30-minute re-authentication interval. Option D is wrong because 'App enforced restrictions' is a session control that delegates session management to the application (e.g., SharePoint), but it does not enforce a specific re-authentication frequency like 30 minutes.

71
MCQmedium

A security team uses Microsoft Sentinel. They want to create a custom analytics rule that detects when a user account is created in Azure AD and then within 5 minutes attempts to access a sensitive SharePoint site. What should they use to correlate these two events?

A.KQL query with join on UserId
B.Watchlist
C.Automation rule
D.Playbook
AnswerA

KQL allows joining tables on common fields to correlate events across data sources, which is exactly what this scenario requires.

Why this answer

Option A is correct because a KQL query with a join on a shared user identifier allows you to correlate two separate tables, such as AuditLogs for the 'Add user' event and OfficeActivity (the Office 365 connector) for SharePoint access, within a specified time window (5 minutes). In practice the key has to be derived on each side: AuditLogs records the new account in TargetResources, while OfficeActivity carries the actor's UPN in UserId. This is the standard way to build a multi-event detection in a Microsoft Sentinel scheduled analytics rule that requires temporal correlation between distinct activities.

Exam trap

The trap here is that candidates may confuse a Watchlist (a static lookup) with a correlation mechanism, or mistakenly think Automation rules or Playbooks can perform event correlation. Those act on alerts and incidents after detection; the correlation itself happens in the analytics rule's KQL query.

How to eliminate wrong answers

Option B is wrong because a Watchlist is a static list of items (e.g., IP addresses or account names) used for reference or filtering, not for correlating dynamic events across time. Option C is wrong because an Automation rule in Sentinel triggers a response (e.g., incident creation or playbook execution) based on a single alert or incident, not for correlating two separate events. Option D is wrong because a Playbook is a set of automated actions (often using Azure Logic Apps) triggered by an alert, not a mechanism to correlate events in a detection query.
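The correlation described above, written out as an added example that is not part of the original page: the KQL joins the Entra ID audit log with Office 365 activity on the new account's UPN, keeps only accesses inside the five-minute window after creation, and is deployed as a scheduled rule with Az.SecurityInsights. It assumes the Entra ID (AuditLogs) and Office 365 (OfficeActivity) connectors are enabled in the workspace, that Az.SecurityInsights 3.x supplies New-AzSentinelAlertRule with the parameters used here, and that the resource group, workspace name and the "/sites/finance-restricted" URL fragment are hypothetical placeholders.

```powershell
# Added example, not from the original page. Workspace names and the sensitive
# site URL are assumed placeholders; the cmdlet parameters are those of
# Az.SecurityInsights 3.x.
$ResourceGroupName = "rg-sentinel"
$WorkspaceName     = "law-sentinel"
$SensitiveSiteUrl  = "/sites/finance-restricted"

# AuditLogs stores the *created* user in TargetResources, not in the identity
# columns, so the join key is the new account's UPN on the left and
# OfficeActivity.UserId on the right. Backticks keep $left/$right out of
# PowerShell expansion; $SensitiveSiteUrl is expanded on purpose.
$Query = @"
let window = 5m;
let created = AuditLogs
    | where OperationName == "Add user" and Result == "success"
    | mv-expand TargetResources
    | extend NewUserUpn = tolower(tostring(TargetResources.userPrincipalName))
    | where isnotempty(NewUserUpn)
    | project CreatedTime = TimeGenerated, NewUserUpn,
              CreatedBy = tostring(InitiatedBy.user.userPrincipalName);
let accessed = OfficeActivity
    | where OfficeWorkload == "SharePoint"
    | where Operation in ("FileAccessed", "FileDownloaded", "PageViewed")
    | where Site_Url has "$SensitiveSiteUrl"
    | project AccessTime = TimeGenerated, UserId = tolower(UserId),
              Site_Url, Operation, ClientIP;
created
| join kind=inner accessed on `$left.NewUserUpn == `$right.UserId
| where AccessTime between (CreatedTime .. (CreatedTime + window))
| project CreatedTime, AccessTime, NewUserUpn, CreatedBy, Site_Url, Operation, ClientIP
"@

# Run every 5 minutes over the last hour so creation and access are both inside
# the lookback even when they fall into different scheduler runs.
New-AzSentinelAlertRule `
    -ResourceGroupName $ResourceGroupName `
    -WorkspaceName     $WorkspaceName `
    -Kind              Scheduled `
    -DisplayName       "New account accessed sensitive SharePoint site within 5 minutes" `
    -Severity          High `
    -Query             $Query `
    -QueryFrequency    (New-TimeSpan -Minutes 5) `
    -QueryPeriod       (New-TimeSpan -Hours 1) `
    -TriggerOperator   GreaterThan `
    -TriggerThreshold  0 `
    -Enabled
```

Paste the query body into Logs first and check it returns rows for a test account before enabling the rule; the lowercase normalisation on both sides matters because the audit log and Office activity do not always agree on UPN casing, and a case mismatch silently produces zero joins.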

72
MCQmedium

An organization is required to comply with the Health Insurance Portability and Accountability Act (HIPAA). They use Microsoft Defender for Cloud to manage their Azure security posture. Which feature in Defender for Cloud should they use to view their current compliance status against HIPAA controls?

A.Regulatory compliance dashboard.
B.Security posture dashboard.
C.Recommendations dashboard.
D.Inventory dashboard.
AnswerA

Correct. This dashboard shows compliance status against selected regulatory frameworks.

Why this answer

The Regulatory compliance dashboard in Microsoft Defender for Cloud provides a pre-built view of your compliance posture against various standards, including HIPAA. It continuously assesses your Azure environment against HIPAA controls and displays the current compliance status, enabling you to track and improve adherence to regulatory requirements.

Exam trap

The trap here is that candidates often confuse the Security posture dashboard (which shows overall security health) with the Regulatory compliance dashboard, mistakenly thinking the former includes compliance status against specific standards like HIPAA.

How to eliminate wrong answers

Option B is wrong because the Security posture dashboard focuses on the overall security state of your resources (e.g., secure score, attack paths) rather than mapping to specific regulatory frameworks like HIPAA. Option C is wrong because the Recommendations dashboard lists actionable security recommendations to improve your secure score, but it does not organize them by compliance standard or show compliance status against HIPAA controls. Option D is wrong because the Inventory dashboard provides a list of all monitored resources and their configurations, not a compliance-specific view against regulatory standards.

73
MCQmedium

A security team uses Microsoft Defender for Cloud to monitor the security posture of their Azure environment. They want to ensure that the Log Analytics agent is automatically installed on all new Azure virtual machines as soon as they are provisioned, to collect security logs. Which feature should they enable in Defender for Cloud?

A.Data Collection Rules (DCR) in Azure Monitor.
B.Auto-provisioning of the Log Analytics agent in Defender for Cloud's environment settings.
C.Azure Policy 'Deploy Log Analytics agent for Linux/Windows VM'.
D.Use Azure Automation State Configuration.
AnswerB

This setting automatically installs the agent on new VMs and monitors for compliance.

Why this answer

Option B is correct because Defender for Cloud's auto-provisioning feature is specifically designed to automatically install the Log Analytics agent on all existing and new Azure VMs to collect security logs. When enabled in the environment settings, it ensures that any new VM provisioned in the subscription gets the agent installed without manual intervention, directly addressing the requirement. In current tenants the Log Analytics agent has been retired in favour of the Azure Monitor Agent, but the auto-provisioning mechanism in Defender for Cloud's environment settings is still the feature the question is pointing at.

Exam trap

The trap here is that candidates often confuse Azure Policy-based deployment (Option C) with Defender for Cloud's native auto-provisioning, but the question specifically asks for the feature within Defender for Cloud's environment settings, which is auto-provisioning, not a separate policy assignment.

How to eliminate wrong answers

Option A is wrong because Data Collection Rules (DCRs) in Azure Monitor are used to define data collection for the Azure Monitor Agent (AMA), not for the Log Analytics agent, and they do not automatically install agents on new VMs. Option C is wrong because the Azure Policy 'Deploy Log Analytics agent for Linux/Windows VM' is a built-in policy that can deploy the agent, but it requires assignment and evaluation, and it does not automatically trigger on new VM provisioning without policy compliance checks; it is a policy-based remediation, not a native auto-provisioning feature of Defender for Cloud. Option D is wrong because Azure Automation State Configuration is used for managing PowerShell DSC configurations and ensuring VM state compliance, not for automatically installing the Log Analytics agent for security log collection.

74
MCQmedium

A company has Azure AD Identity Protection enabled. The security team wants to automatically block sign-ins that are detected as coming from a known malicious IP address. They have created a Conditional Access policy and assigned it to all users. Which configuration should they add to the policy to trigger the block based on Identity Protection risk?

A.Add a condition for 'Sign-in risk' set to 'High' and a grant control of 'Block access'.
B.Add a condition for 'Locations' and specify the known malicious IP ranges as 'Blocked locations'.
C.Add a condition for 'User risk' set to 'High' and a grant control of 'Require multi-factor authentication'.
D.Add a condition for 'Device state' set to 'Not compliant' and a grant control of 'Block access'.
AnswerA

A sign-in from a known malicious IP is considered high risk by Identity Protection. Using the sign-in risk condition with 'High' and blocking access achieves the requirement.

Why this answer

Option A is correct because Identity Protection detects sign-ins from known malicious IP addresses and raises the 'Sign-in risk' level of that sign-in (e.g., High). By adding a condition for 'Sign-in risk' set to 'High' and a grant control of 'Block access', the Conditional Access policy blocks those sign-ins using Identity Protection's detection, without anyone maintaining IP lists by hand. Keep in mind that a sign-in risk policy acts on the risk level available when the policy is evaluated; detections that Identity Protection calculates offline raise the risk after the fact and therefore affect the next sign-in rather than the one that triggered them.

Exam trap

The trap here is that candidates often confuse 'Sign-in risk' (based on the sign-in event's characteristics like IP) with 'User risk' (based on user account compromise likelihood), leading them to incorrectly choose Option C or to think that manually listing IPs in Locations (Option B) is the correct approach.

How to eliminate wrong answers

Option B is wrong because specifying known malicious IP ranges as 'Blocked locations' in the Locations condition would require manual maintenance of IP lists and does not leverage Identity Protection's dynamic risk detection; it also does not use the 'Sign-in risk' condition. Option C is wrong because 'User risk' reflects the likelihood that the account itself is compromised (e.g., leaked credentials), not the characteristics of the current sign-in such as its IP address, and 'Require multi-factor authentication' does not block access. Option D is wrong because 'Device state' set to 'Not compliant' checks device compliance status, not the IP address or sign-in risk, and is unrelated to Identity Protection's malicious IP detection.
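The three Conditional Access policies from questions 67, 70 and 74 as an added example that is not part of the original page, created with the Microsoft Graph PowerShell SDK so the conditions, grant controls and session controls each appear in their proper place in the policy body. It assumes Microsoft.Graph.Identity.SignIns is installed, the caller holds Policy.ReadWrite.ConditionalAccess, and $BreakGlassGroupId is a hypothetical group containing the emergency-access accounts; the two application IDs are the well-known first-party IDs for 'Microsoft Azure Management' and 'Office 365 SharePoint Online'.

```powershell
# Added example, not from the original page. $BreakGlassGroupId is an assumed
# group of emergency-access accounts; everything else uses documented Graph
# conditionalAccessPolicy properties.
param(
    [Parameter(Mandatory)] [string] $BreakGlassGroupId
)

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All" -NoWelcome

# Well-known first-party application IDs used by the Cloud apps condition.
$AzureManagementAppId  = "797f4846-ba00-4fd7-ba43-dac90f4d0ab0"  # portal, ARM, CLI, PowerShell
$SharePointOnlineAppId = "00000003-0000-0ff1-ce00-000000000000"  # Office 365 SharePoint Online

function New-ReportOnlyCaPolicy {
    # Every policy starts in report-only mode so the sign-in log shows what it
    # would have done before anyone is locked out; set state to "enabled" after
    # review. The break-glass group is excluded unconditionally.
    param([Parameter(Mandatory)] [hashtable] $Body)
    $Body["state"] = "enabledForReportingButNotEnforced"
    $Body["conditions"]["users"]["excludeGroups"] = @($BreakGlassGroupId)
    $policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $Body
    "{0}  state={1}  id={2}" -f $policy.DisplayName, $policy.State, $policy.Id
}

# Q67: MFA for Azure management only when the sign-in is rated medium or high.
New-ReportOnlyCaPolicy -Body @{
    displayName = "CA-AzureMgmt-MFA-MediumSignInRisk"
    conditions  = @{
        users            = @{ includeUsers = @("All") }
        applications     = @{ includeApplications = @($AzureManagementAppId) }
        clientAppTypes   = @("all")
        signInRiskLevels = @("medium", "high")   # "medium and above"
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Q70: external users on SharePoint Online re-authenticate periodically.
# The API accepts only "hours" or "days" for a time-based frequency, so 1 hour
# is the shortest interval that can actually be configured.
New-ReportOnlyCaPolicy -Body @{
    displayName = "CA-SharePoint-Guests-SignInFrequency"
    conditions  = @{
        users          = @{ includeUsers = @("GuestsOrExternalUsers") }
        applications   = @{ includeApplications = @($SharePointOnlineAppId) }
        clientAppTypes = @("all")
    }
    sessionControls = @{
        signInFrequency = @{ isEnabled = $true; type = "hours"; value = 1; frequencyInterval = "timeBased" }
    }
}

# Q74: block outright when Identity Protection rates the sign-in itself as high risk.
New-ReportOnlyCaPolicy -Body @{
    displayName = "CA-AllApps-Block-HighSignInRisk"
    conditions  = @{
        users            = @{ includeUsers = @("All") }
        applications     = @{ includeApplications = @("All") }
        clientAppTypes   = @("all")
        signInRiskLevels = @("high")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
```

The helper deliberately owns the two things people forget when copying policy bodies from documentation: the report-only state and the break-glass exclusion. Review the 'Report-only' column in the sign-in log for a few days, then switch each policy's state to "enabled" with Update-MgIdentityConditionalAccessPolicy.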

75
MCQmedium

A company uses Azure AD Privileged Identity Management (PIM) to manage the 'Security Administrator' role. They want to require that when a user activates this role, they must provide a support ticket number and a brief justification. Additionally, the activation should have a maximum duration of 4 hours. Which PIM role setting should they configure?

A.Require approval
B.Require MFA
C.Require justification on activation
D.Require Azure AD Identity Protection
AnswerC

Enabling 'Require justification on activation' makes the user enter a reason before the role activates. PIM collects the ticket number through a separate 'Require ticket information on activation' setting, and the 4-hour limit is a separate 'Activation maximum duration' setting; of the four options listed, justification is the one that addresses the activation-time input requirement.

Why this answer

Option C is correct because the 'Require justification on activation' setting in Azure AD PIM mandates that users explain why they need the role when activating it, which is the activation-time input requirement in the question. In a real tenant you would enable it alongside the separate 'Require ticket information on activation' setting, which adds the ticket number and ticketing system fields, and set the maximum activation duration of 4 hours via the 'Activation maximum duration' setting; neither of those is an option here, so justification is the answer.

Exam trap

The trap here is that candidates confuse 'Require justification on activation' with 'Require approval', mistakenly thinking that a support ticket number implies an approval workflow, but justification is a mandatory input field, not an approval step.

How to eliminate wrong answers

Option A is wrong because 'Require approval' enforces a workflow where a designated approver must approve the activation request, which is not the same as requiring a support ticket number and justification; it adds an approval step rather than a mandatory input field. Option B is wrong because 'Require MFA' enforces multi-factor authentication during activation, which addresses security verification but does not collect a support ticket number or justification. Option D is wrong because 'Require Azure AD Identity Protection' is not a valid PIM role setting; Azure AD Identity Protection is a separate service for risk-based policies and does not apply to PIM activation requirements.
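The PIM role settings from questions 68 and 75 applied together as an added example that is not part of the original page: MFA, justification and ticket information on the enablement rule, a 4-hour maximum on the expiration rule, and a manager group on the approval rule, all for the Security Administrator role via the Microsoft Graph PowerShell SDK. It assumes Microsoft.Graph.Identity.Governance is installed, the caller holds RoleManagementPolicy.ReadWrite.Directory, and $ApproverGroupId is a hypothetical group of approving managers; the role ID is the built-in Security Administrator template ID.

```powershell
# Added example, not from the original page. $ApproverGroupId is an assumed
# approver group; rule IDs and body shapes follow the Graph
# unifiedRoleManagementPolicyRule types.
param(
    [Parameter(Mandatory)] [string] $ApproverGroupId
)

Connect-MgGraph -Scopes "RoleManagementPolicy.ReadWrite.Directory" -NoWelcome

# Built-in template ID of the Security Administrator directory role.
$SecurityAdminRoleId = "194ae4cb-b126-40b2-bd5b-6091b380977d"

# Each role has its own role-management policy; locate the one bound to this
# role at tenant scope ("/").
$policyAssignment = Get-MgPolicyRoleManagementPolicyAssignment `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$SecurityAdminRoleId'"
$policyId = $policyAssignment.PolicyId

function Set-PimRule {
    param([Parameter(Mandatory)] [string] $RuleId, [Parameter(Mandatory)] [hashtable] $Body)
    Update-MgPolicyRoleManagementPolicyRule `
        -UnifiedRoleManagementPolicyId     $policyId `
        -UnifiedRoleManagementPolicyRuleId $RuleId `
        -BodyParameter                     $Body
}

# Activation maximum duration: 4 hours as an ISO 8601 duration (PIM accepts 0.5 to 24 hours).
Set-PimRule -RuleId "Expiration_EndUser_Assignment" -Body @{
    "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
    isExpirationRequired = $true
    maximumDuration      = "PT4H"
}

# What the user must supply on activation. Justification and Ticketing are
# separate flags: Justification is the free-text reason, Ticketing adds the
# ticket number and ticketing system fields.
Set-PimRule -RuleId "Enablement_EndUser_Assignment" -Body @{
    "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
    enabledRules  = @("MultiFactorAuthentication", "Justification", "Ticketing")
}

# Approval by designated approvers (the manager group) before the role is active.
Set-PimRule -RuleId "Approval_EndUser_Assignment" -Body @{
    "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyApprovalRule"
    setting = @{
        isApprovalRequired               = $true
        isApprovalRequiredForExtension   = $false
        isRequestorJustificationRequired = $true
        approvalMode                     = "SingleStage"
        approvalStages = @(@{
            approvalStageTimeOutInDays      = 1
            isApproverJustificationRequired = $true
            escalationTimeInMinutes         = 0
            isEscalationEnabled             = $false
            primaryApprovers = @(@{
                "@odata.type" = "#microsoft.graph.groupMembers"
                groupId       = $ApproverGroupId
            })
        })
    }
}

# Read the rules back. The type-specific properties of each rule surface under
# AdditionalProperties in the SDK's polymorphic output.
foreach ($ruleId in "Expiration_EndUser_Assignment", "Enablement_EndUser_Assignment", "Approval_EndUser_Assignment") {
    $rule = Get-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId -UnifiedRoleManagementPolicyRuleId $ruleId
    "{0}: {1}" -f $ruleId, ($rule.AdditionalProperties | ConvertTo-Json -Compress -Depth 6)
}
```

The read-back loop at the end is the check worth keeping: PIM accepts a rule update even when a property name is misspelt, silently leaving the old value in place, so confirm that enabledRules, maximumDuration and isApprovalRequired actually changed before relying on the settings.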
