CCNA Manage Identity And Access Questions

75 of 177 questions · Page 2/3 · Manage Identity And Access topic

76. MCQ (easy)

A security analyst uses Microsoft Defender for Cloud. They want to view a list of all security recommendations for their Azure subscription, prioritized by their potential impact. Which Defender for Cloud dashboard should they use?

A. Secure Score
B. Regulatory Compliance
C. Inventory
D. Workload protections

Answer: A

The Secure Score page lists all recommendations sorted by their impact on your security score, helping prioritize actions.

Why this answer

The Secure Score dashboard in Microsoft Defender for Cloud provides a prioritized list of security recommendations based on their potential impact on your overall security posture. Each recommendation is assigned a score contribution, allowing you to focus on the actions that will most improve your secure score. This directly matches the requirement to view recommendations prioritized by impact.

Exam trap

The trap here is that candidates often confuse the Secure Score dashboard with the Regulatory Compliance dashboard, thinking compliance standards inherently prioritize recommendations, but Secure Score is the only dashboard that explicitly ranks recommendations by their potential impact on your security score.

How to eliminate wrong answers

Option B (Regulatory Compliance) is wrong because it focuses on compliance with specific standards (e.g., SOC 2, ISO 27001) and does not prioritize recommendations by impact on secure score. Option C (Inventory) is wrong because it lists all resources in your Azure environment but does not provide security recommendations or prioritization. Option D (Workload protections) is wrong because it shows alerts and threats for specific workloads (e.g., servers, databases) rather than a prioritized list of security recommendations.

77. MCQ (easy)

A security team uses Microsoft Sentinel. They have created a playbook in Azure Logic Apps that automatically isolates a compromised VM by modifying a network security group. They want the playbook to run automatically whenever an incident of type 'VM Isolation' is created. Which Microsoft Sentinel feature should they use to trigger the playbook automatically?

A. Automation rules.
B. Scheduled analytics rules.
C. Fusion rules.
D. Workbooks.

Answer: A

Correct. Automation rules trigger playbooks when incidents are created or updated.

Why this answer

Automation rules in Microsoft Sentinel are designed to trigger automated responses, such as running a playbook, when an incident is created or updated. In this scenario, the rule can be configured to match incidents of type 'VM Isolation' and automatically execute the Logic Apps playbook to isolate the compromised VM. This is the correct feature for incident-triggered automation without requiring a separate analytics rule.

Exam trap

The trap here is that candidates often confuse automation rules with analytics rules, thinking that a scheduled query rule is needed to trigger a playbook, but automation rules are the dedicated feature for incident-based automation without requiring a separate alert generation rule.

How to eliminate wrong answers

Option B (Scheduled analytics rules) is wrong because they generate alerts based on periodic queries of log data and do not directly trigger playbooks on incident creation; they can be used together with automation rules but are not the trigger themselves. Option C (Fusion rules) is wrong because they are a correlation engine that combines multiple alerts into a single incident using machine learning, not a mechanism to trigger playbooks automatically. Option D (Workbooks) is wrong because they are for visualizing and analyzing data, not for triggering automated responses or playbooks.

78. MCQ (hard)

A company uses Azure AD Identity Protection. They want to automatically block sign-ins that have a high user risk level, but only for users in the 'Finance' department. They also want to require MFA for medium user risk level for all users (including Finance) when sign-in risk is not blocked. They have already created a Conditional Access policy for the Finance department that has a condition of 'User risk level: High' and a grant control of 'Block access'. What additional configuration is needed to also require MFA for all users with medium user risk?

A. Create a second Conditional Access policy targeting all users with condition 'User risk level: Medium' and grant control 'Require multi-factor authentication'
B. Modify the existing policy to include 'User risk level: Medium' and change the grant control to 'Require multi-factor authentication'
C. Use Identity Protection's 'User risk policy' instead of Conditional Access
D. Create a new Conditional Access policy with condition 'User risk level: Medium' and grant control 'Block access'

Answer: A

A separate policy for medium user risk applied to all users will require MFA when medium risk is detected. The existing policy will continue to block Finance users with high risk. Policy evaluation is not mutually exclusive; the block takes precedence for high risk, and the MFA requirement applies for medium risk.

Why this answer

Option A is correct because Azure AD Conditional Access policies are evaluated independently, and a separate policy is needed to require MFA for medium user risk across all users. The existing policy blocks high-risk sign-ins for Finance only, but does not address medium risk for any user. Creating a second policy targeting all users with 'User risk level: Medium' and grant control 'Require multi-factor authentication' satisfies the requirement without conflicting with the existing block policy, as Conditional Access policies are combined (unless explicitly excluded).

Exam trap

The trap here is that candidates often think a single policy can handle multiple risk levels with different grant controls, but Conditional Access policies enforce a single grant control per policy, so separate policies are required for different risk level actions.

How to eliminate wrong answers

Option B is wrong because modifying the existing policy to include 'User risk level: Medium' and changing the grant control to 'Require multi-factor authentication' would remove the block for high-risk Finance users, violating the requirement to block high-risk sign-ins for Finance. Option C is wrong because Identity Protection's 'User risk policy' is a legacy, tenant-wide risk-based policy that cannot target specific departments like Finance; it also does not support the granularity of Conditional Access for combining risk levels with other conditions. Option D is wrong because creating a new policy with 'User risk level: Medium' and grant control 'Block access' would block medium-risk users instead of requiring MFA, which contradicts the requirement to require MFA for medium risk.

79. MCQ (medium)

A company uses Microsoft Defender for Cloud. They have assigned a custom regulatory compliance initiative that includes policies to enforce encryption on storage accounts and SQL databases. They want to automatically remediate any non-compliant resources that are discovered, without manual intervention. Which feature should they configure?

A. Enable 'Auto provisioning' for the relevant extensions
B. Enable 'Remediation' for each policy assignment in the custom initiative
C. Enable 'Just-in-time (JIT) VM access'
D. Enable 'Workflow automation' to trigger a Logic App when non-compliance is detected

Answer: B

When you assign a policy with 'DeployIfNotExists' effect, you can enable remediation to automatically create and run remediation tasks to fix non-compliant resources.

Why this answer

Option B is correct because the 'Remediation' setting on a policy assignment in Azure Policy (used by Defender for Cloud custom initiatives) creates a managed identity and a remediation task that automatically applies the required encryption configuration to non-compliant resources. This ensures that when a storage account or SQL database is found without encryption, the policy engine triggers a deployment to enforce encryption without manual intervention.

Exam trap

The trap here is that candidates confuse 'Auto provisioning' (which installs agents for data collection) with automatic remediation of compliance policies, or they assume 'Workflow automation' directly fixes non-compliance when it only triggers a notification or custom action.

How to eliminate wrong answers

Option A is wrong because 'Auto provisioning' in Defender for Cloud installs extensions (like the Log Analytics agent) on VMs to collect security data, not to remediate encryption policies on storage or SQL resources. Option C is wrong because 'Just-in-time (JIT) VM access' controls network access to VMs by opening ports temporarily, which is unrelated to enforcing encryption compliance on storage accounts and SQL databases. Option D is wrong because 'Workflow automation' triggers a Logic App when non-compliance is detected, but it does not automatically remediate the resource; it only sends notifications or runs custom actions, requiring additional setup to perform remediation.

80. MCQ (medium)

A company wants to use Microsoft Defender for Cloud to continuously assess their Azure resources against the Microsoft cloud security benchmark (MCSB). They need to view the current compliance score and specific recommendations for failing controls. Which feature in Defender for Cloud should they use?

A. Security Policy
B. Regulatory Compliance dashboard
C. Secure Score
D. Workload Protections

Answer: B

The Regulatory Compliance dashboard (sometimes called Compliance) provides a view of compliance against standards like MCSB, including a score and detailed recommendations for controls that are not compliant.

Why this answer

The Regulatory Compliance dashboard in Microsoft Defender for Cloud is specifically designed to assess resources against compliance standards like the Microsoft cloud security benchmark (MCSB). It provides a current compliance score, a breakdown of failing controls, and actionable recommendations to remediate those controls, directly meeting the company's requirement.

Exam trap

The trap here is confusing Secure Score (which shows overall security posture) with Regulatory Compliance (which shows adherence to a specific benchmark), leading candidates to pick Secure Score when the question explicitly asks for compliance against MCSB.

How to eliminate wrong answers

Option A is wrong because Security Policy defines the rules and initiatives applied to resources (e.g., allowed VM SKUs), but it does not display a compliance score or specific failing controls against a benchmark. Option C is wrong because Secure Score aggregates security posture based on security recommendations, but it is not tied to a specific compliance standard like MCSB and does not show per-control compliance status. Option D is wrong because Workload Protections focuses on advanced threat detection and protection for workloads (e.g., servers, databases), not on compliance assessment against benchmarks.

81. MCQ (hard)

An analyst investigates a Defender for Cloud alert for suspicious process execution on a VM. Which next step best preserves evidence while enabling deeper endpoint investigation?

A. Delete the VM immediately to stop the process
B. Pivot to Microsoft Defender for Endpoint device timeline and isolate the device if containment is required
C. Disable all analytics rules in Sentinel
D. Rotate every subscription key before reviewing the process tree

Answer: B

Correct: pivoting to the Defender for Endpoint device timeline supports investigation without destroying evidence, and isolating the device contains the threat if that becomes necessary.

Why this answer

Option B is correct because pivoting to the Microsoft Defender for Endpoint device timeline allows the analyst to investigate the suspicious process execution in a forensically sound manner without disrupting the live environment. Isolating the device from the network, if needed, contains the threat while preserving volatile evidence such as running processes, memory, and registry state. This approach aligns with incident response best practices and leverages Defender for Endpoint's deep endpoint visibility.

Exam trap

The trap here is that candidates may confuse immediate containment with evidence preservation, mistakenly choosing to delete or disable resources instead of using the platform's native investigation and isolation capabilities.

How to eliminate wrong answers

Option A is wrong because deleting the VM immediately destroys all volatile evidence (memory, running processes, network connections) and prevents any forensic analysis or root cause determination. Option C is wrong because disabling analytics rules in Microsoft Sentinel does not preserve evidence or aid investigation; it only stops future alert generation, potentially allowing the threat to propagate undetected. Option D is wrong because rotating subscription keys is a credential hygiene action unrelated to endpoint investigation and does not preserve process execution evidence or enable containment.

82. MCQ (medium)

A company uses Azure AD Privileged Identity Management (PIM) to manage access to Azure resources. They want to enforce that when a user activates the Contributor role for a specific resource group, they must provide a ticket number as justification and the activation is limited to 4 hours. Which PIM settings should they configure?

A. Configure the role settings for the Contributor role under the resource group in PIM
B. Create a Conditional Access policy for the Privileged Role Administrator role
C. Use Azure AD access reviews to review active role assignments
D. Modify the Azure AD tenant-wide role activation settings

Answer: A

Role settings in PIM are per-role per-scope. By editing the settings for the Contributor role on that resource group, you can require justification and set a maximum activation duration.

Why this answer

Option A is correct because Azure AD PIM allows role settings to be configured at the resource group scope. By editing the role settings for the Contributor role under that specific resource group, you can require justification (e.g., a ticket number) and set a maximum activation duration (e.g., 4 hours). These settings apply only when users activate the role for that resource group via PIM.

Exam trap

The trap here is that candidates confuse Azure AD role activation settings (tenant-wide) with Azure resource role activation settings (scope-specific), leading them to incorrectly select Option D, which only applies to Azure AD administrative roles, not Azure RBAC roles like Contributor on a resource group.

How to eliminate wrong answers

Option B is wrong because Conditional Access policies are used to enforce access controls like MFA or device compliance during sign-in, not to configure PIM activation requirements like justification or duration. Option C is wrong because Azure AD access reviews are for periodic review of role assignments, not for setting activation parameters such as ticket number or time limit. Option D is wrong because Azure AD tenant-wide role activation settings apply to Azure AD roles (e.g., Global Administrator), not to Azure resource roles like Contributor at the resource group level.

83. MCQ (easy)

A company uses Microsoft Defender for Cloud to protect their Azure virtual machines. They have enabled the integrated vulnerability assessment (VA) solution on all VMs. The security team wants to receive an alert when a VM is found to have a vulnerability rated as 'Critical' by the VA solution. Which Defender for Cloud plan must be enabled on the subscription?

A. Defender for Servers Plan 1
B. Defender for Servers Plan 2
C. Defender for SQL
D. Defender for App Service

Answer: B

Plan 2 includes the integrated VA solution and provides alerts for critical vulnerabilities.

Why this answer

Defender for Servers Plan 2 is required because it includes the integrated vulnerability assessment (VA) solution powered by Qualys, which provides continuous scanning and alerts for critical vulnerabilities. Plan 1 only offers basic threat detection and does not include the VA solution or the ability to generate alerts based on vulnerability severity ratings.

Exam trap

The trap here is that candidates often confuse Defender for Servers Plan 1 with Plan 2, assuming both include the integrated VA solution, but Plan 1 only offers basic threat detection without vulnerability assessment capabilities.

How to eliminate wrong answers

Option A is wrong because Defender for Servers Plan 1 provides only basic threat detection and does not include the integrated vulnerability assessment (VA) solution; it cannot generate alerts for critical vulnerabilities. Option C is wrong because Defender for SQL is designed to protect Azure SQL databases, not Azure virtual machines, and does not include a VA solution for VMs. Option D is wrong because Defender for App Service is focused on protecting web applications running on Azure App Service, not virtual machines, and lacks the VM-specific vulnerability assessment capabilities.

84. MCQ (hard)

A Sentinel rule using a threat intelligence table fires on stale indicators that expired last week. What should be added to the query?

A. A union with Usage
B. A sort by Description
C. A project-away of ConfidenceScore
D. A filter for active indicators whose expiration time is in the future

Answer: D

Correct: a row-level filter that keeps only active indicators whose expiration time is in the future stops expired entries from matching.

Why this answer

The rule fires on stale indicators because the query lacks a filter to exclude expired threat intelligence entries. Adding a filter for active indicators whose expiration time is in the future ensures that only current, valid indicators trigger the rule, preventing false positives from outdated data.

Exam trap

The trap here is that candidates may think removing a column (project-away) or sorting data addresses the root cause of stale data, rather than recognizing that a row-level filter is required to exclude expired indicators.

How to eliminate wrong answers

Option A is wrong because a union with Usage would combine data from the Usage table, which tracks billing or resource consumption, not threat intelligence expiration, and does not filter out stale indicators. Option B is wrong because sorting by Description merely reorders results without excluding expired indicators; it does not affect which rows are returned. Option C is wrong because projecting away ConfidenceScore removes a column but does not filter rows; the query would still return stale indicators regardless of confidence score.

85. Multi-Select (hard)

A Defender for Cloud alert indicates possible credential theft on a VM. Which two response actions are sensible early containment steps?

Select 2 answers

A. Isolate the affected endpoint or restrict network access if business impact allows
B. Delete all Log Analytics workspaces
C. Reset or revoke suspected compromised credentials
D. Disable Microsoft Defender for Endpoint onboarding

Answers: A, C

Correct: isolating the endpoint and resetting or revoking the suspected credentials both limit what the attacker can do next without destroying evidence.

Why this answer

Option A is correct because isolating the affected VM or restricting its network access is a fundamental containment step that prevents the attacker from using the compromised credentials to move laterally or exfiltrate data. In Defender for Cloud, this can be achieved by applying a Just-In-Time (JIT) VM access policy or by using network security groups (NSGs) to block all inbound/outbound traffic to the VM, effectively stopping the attack in its tracks while preserving forensic evidence. Option C is correct because resetting or revoking the suspected compromised credentials removes the attacker's ability to keep using them, which is the other immediate containment step the question asks for.

Exam trap

The trap here is that candidates may confuse 'containment' with 'remediation' and choose to delete workspaces or disable security tools, which are destructive or counterproductive actions, rather than the correct containment step of network isolation.

86. MCQ (hard)

A Sentinel analyst needs to preserve investigation notes, related entities, and ownership while escalating a case to another analyst. Which object should be updated?

A. A watchlist item
B. A workbook parameter
C. A data connector
D. The Sentinel incident

Answer: D

Correct: the incident is the object that carries the notes, related entities, and owner, so updating it preserves the case context for the next analyst.

Why this answer

The Sentinel incident object is the correct entity to update because it serves as the central container for investigation notes, related entities, and ownership assignments during case escalation. Updating the incident preserves the full investigation context—including comments, tags, and assigned owner—ensuring seamless handoff between analysts without data loss.

Exam trap

The trap here is that candidates confuse operational artifacts (watchlists, workbooks, connectors) with the incident object that actually holds case-specific metadata, leading them to select a static or non-persistent option instead of the dynamic incident record.

How to eliminate wrong answers

Option A is wrong because a watchlist item is a static collection of data (e.g., IP addresses or hashes) used for correlation and alerting, not for storing investigation notes or ownership metadata. Option B is wrong because a workbook parameter is a configurable input for visualizations and queries, not a persistent object that tracks case ownership or notes. Option C is wrong because a data connector defines the source and ingestion pipeline for log data; it has no role in storing investigation artifacts or managing case ownership.

87. MCQ (medium)

A company uses Azure AD Identity Protection. They want to automatically block sign-ins that are detected as having a high sign-in risk. They have created a Conditional Access policy and assigned it to all users. Which configuration should they add to the policy to trigger the block based on the sign-in risk?

A. Condition: Sign-in risk: High, Grant: Block access.
B. Condition: User risk: High, Grant: Block access.
C. Condition: Sign-in risk: High, Grant: Require multi-factor authentication.
D. Condition: User risk: High, Grant: Require multi-factor authentication.

Answer: A

Correct. This configuration blocks sign-ins that Identity Protection marks as high risk at the sign-in level.

Why this answer

Option A is correct because Azure AD Identity Protection assigns a risk level (Low, Medium, High) to each sign-in based on real-time signals. A Conditional Access policy can use the 'Sign-in risk' condition to evaluate this risk level and, when set to 'High', the 'Grant' control can be configured to 'Block access', which immediately prevents the sign-in from completing. This directly meets the requirement to automatically block high-risk sign-ins.

Exam trap

The trap here is confusing 'Sign-in risk' with 'User risk', as both are risk types in Identity Protection, but only sign-in risk applies to the current authentication attempt and can be used to block a specific sign-in in real time.

How to eliminate wrong answers

Option B is wrong because 'User risk: High' reflects the likelihood that a user's identity is compromised based on historical user-level events, not the risk of a specific sign-in session; blocking based on user risk would affect all sign-ins for that user, not just the high-risk sign-in. Option C is wrong because 'Grant: Require multi-factor authentication' does not block access; it only adds an additional authentication step, which still allows the sign-in to proceed if MFA is satisfied, failing the requirement to block. Option D is wrong because it combines the incorrect condition ('User risk: High') with an incorrect grant ('Require multi-factor authentication'), neither of which achieves automatic blocking based on sign-in risk.

88. MCQ (medium)

A company uses Microsoft Defender for Cloud to monitor security alerts. They receive an alert about a compromised virtual machine and want to automatically execute a playbook that isolates the VM by modifying the network security group. Which Defender for Cloud feature should they use to create this automated response?

A. Workflow automation
B. Security policy
C. Alert suppression
D. Continuous export

Answer: A

Workflow automation triggers a playbook (Logic App) in response to an alert, automating the isolation.

Why this answer

Workflow automation in Microsoft Defender for Cloud allows you to define automated responses to security alerts by triggering Azure Logic Apps. In this scenario, you would create a Logic App that modifies the network security group (NSG) to isolate the compromised VM, and then configure a workflow automation rule to run that Logic App whenever the specific alert is triggered. This provides a no-code, event-driven remediation without manual intervention.

Exam trap

The trap here is that candidates often confuse 'Continuous export' (which sends data to external systems) with 'Workflow automation' (which executes a playbook), assuming any export can trigger a response, but Continuous export only streams data and does not invoke Logic Apps directly.

How to eliminate wrong answers

Option B (Security policy) is wrong because security policies define compliance and configuration requirements (e.g., enforcing encryption or vulnerability assessments), not automated response actions to alerts. Option C (Alert suppression) is wrong because it only hides or dismisses alerts based on rules (e.g., for known false positives); it does not execute any remediation or playbook. Option D (Continuous export) is wrong because it streams alert data to Event Hubs, Log Analytics, or Azure Monitor for external processing or archiving, but it does not directly trigger a playbook or modify NSGs.

89. MCQ (medium)

A company uses Azure AD Conditional Access. They need to restrict access to a cloud application such that users with unmanaged devices can only view data but cannot download it. Which Conditional Access session control should they enable?

A. Sign-in frequency
B. Use Conditional Access App Control
C. Session persistence
D. Application consent policy

Answer: B

This session control leverages policy-based access controls from Microsoft Defender for Cloud Apps, enabling real-time session monitoring and restrictions such as blocking download or copy/paste operations.

Why this answer

Option B is correct because Conditional Access App Control (Microsoft Defender for Cloud Apps) provides session-level controls that can enforce restrictions like 'Block Download' based on device compliance. This allows administrators to apply policies that restrict data exfiltration from unmanaged devices while still permitting read-only access to the cloud application.

Exam trap

The trap here is confusing session controls (like sign-in frequency or persistence) with app-level data protection controls, leading candidates to pick a control that manages authentication behavior rather than data exfiltration.

How to eliminate wrong answers

Option A is wrong because Sign-in frequency controls how often a user must re-authenticate, not the ability to download data. Option C is wrong because Session persistence controls whether a browser session remains signed in after the browser is closed, not data download restrictions. Option D is wrong because Application consent policy governs which applications can request permissions to access organizational data, not session-level data handling restrictions.

90. MCQ (medium)

A security analyst uses Microsoft Defender for Cloud. They need to automatically apply a specific remediation action (e.g., enable audit logging) to a set of Azure SQL servers that are found to be non-compliant with a security policy. Which Defender for Cloud feature should they use?

A. Workflow automation
B. Continuous export
C. Alert suppression rules
D. Regulatory compliance dashboard

Answer: A

Correct. Workflow automation can automatically trigger a Logic App in response to a security recommendation being generated, enabling automated remediation.

Why this answer

Workflow automation in Microsoft Defender for Cloud allows you to trigger Logic Apps based on security alerts or policy compliance changes. By configuring a workflow automation rule that triggers on the 'Non-compliant resource' condition for the specific Azure SQL servers, you can automatically invoke a remediation action, such as enabling audit logging, without manual intervention.

Exam trap

The trap here is that candidates often confuse 'Continuous export' with automation, thinking exporting data to a Log Analytics workspace can trigger remediation, but it only provides raw data for downstream processing, not direct action.

How to eliminate wrong answers

Option B (Continuous export) is wrong because it streams security alerts and recommendations to Log Analytics or Event Hubs for external analysis, but it does not execute any remediation actions. Option C (Alert suppression rules) is wrong because they are designed to suppress low-fidelity or noisy alerts from appearing in the portal, not to trigger automated remediation. Option D (Regulatory compliance dashboard) is wrong because it provides a visual overview of compliance posture against standards (e.g., SOC 2, PCI DSS) but has no capability to automatically apply remediation actions to non-compliant resources.

91. Drag & Drop (medium)

Drag and drop the steps to configure Azure Disk Encryption for a Windows VM using Azure Key Vault into the correct order.


Why this order

Disk encryption requires Key Vault access and VM disk settings.

92. Matching (medium)

Match each Azure AD authentication method to its description.


Syncs password hashes from on-prem to Azure AD

Validates passwords on-prem without storing hashes in cloud

Redirects authentication to on-prem identity provider

Requires second form of verification

Uses client certificates for authentication

Why these pairings

These are common authentication methods for hybrid identities.

93. MCQ (medium)

A company uses Azure AD B2B collaboration to invite external partner users to collaborate on a project. The security team wants to ensure that when a partner user's account is disabled in their home Azure AD tenant, the user should immediately lose access to the company's resources, even if the user had a valid session token. Which configuration should they implement in cross-tenant access settings?

A. Configure cross-tenant access settings to trust the user's account status from the home tenant.
B. Configure external collaboration settings to restrict B2B users to specific apps.
C. Assign a conditional access policy that requires device compliance for B2B users.
D. Enable Azure AD Identity Protection for B2B users.

Answer: A

Enabling 'Trust user's account' in inbound settings makes Azure AD validate the account status with the home tenant every time the user signs in, ensuring disabled accounts are blocked immediately.

Why this answer

Option A is correct because configuring cross-tenant access settings to trust the user's account status from the home tenant enables Azure AD to evaluate the external user's account state (enabled/disabled) in their home tenant at each authentication. When the partner user's account is disabled in their home tenant, Azure AD will deny access even if a valid session token exists, because the token's validity is rechecked against the home tenant's account status via the cross-tenant trust policy.

Exam trap

The trap here is that candidates often confuse session token revocation with conditional access policies or app restrictions, failing to realize that only the cross-tenant trust setting directly ties the external user's access to their home tenant's account status, enabling immediate revocation without waiting for token expiry.

How to eliminate wrong answers

Option B is wrong because restricting B2B users to specific apps controls which applications they can access, not whether their account status is honored from the home tenant; it does not enforce immediate revocation when the account is disabled. Option C is wrong because a conditional access policy requiring device compliance checks the device state, not the user account status in the home tenant; it cannot detect or react to a disabled account in the external tenant. Option D is wrong because enabling Azure AD Identity Protection for B2B users provides risk-based conditional access (e.g., risky sign-ins), but it does not directly trust the home tenant's account disabled state; it relies on Microsoft's risk signals, not the partner tenant's directory status.

94
MCQeasy

A security analyst uses Microsoft Sentinel. They want to create a scheduled analytics rule that runs every hour and queries Azure Activity logs to detect deployment of VMs in non-approved regions. They want to generate an incident automatically when suspicious activity is found. Which configuration is required to automatically create an incident?

A.Enable 'Create incident from alerts triggered by this rule' in the Incident settings
B.Configure the 'Alert details' section with the appropriate severity and description
C.Define entity mapping in the 'Entity mapping' tab
D.Connect Azure Activity log to Sentinel via Event Hub
AnswerA

This setting ensures that every alert generated by the rule automatically creates an incident in Sentinel.

Why this answer

Option A is correct because the 'Create incident from alerts triggered by this rule' toggle on the Incident settings tab is what tells Microsoft Sentinel to open an incident whenever the scheduled analytics rule produces an alert. With it disabled the rule still produces alerts, but they never surface as incidents in the queue, so analysts have nothing to triage and incident-triggered automation never runs. The toggle is the direct configuration the question asks for; the alert-grouping settings on the same tab only control how many incidents those alerts roll into.

Exam trap

The trap here is that candidates often confuse the 'Alert details' configuration (which only sets alert metadata) with the incident creation toggle, assuming that defining severity and description automatically generates an incident, when in fact a separate explicit setting is required.

How to eliminate wrong answers

Option B is wrong because configuring the 'Alert details' section (severity and description) only defines the metadata of the alert itself, not the automatic creation of an incident from that alert. Option C is wrong because entity mapping enriches alerts with entity types (e.g., IP, host) for correlation and investigation, but does not control whether an incident is automatically generated. Option D is wrong because connecting Azure Activity log to Sentinel via Event Hub is a data ingestion method, not a configuration for incident creation; the log source must already be connected for the rule to query it, but that step is separate from the incident creation setting.
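The detection the rule in question 94 performs, written out as an added example (not the page's query and not a Sentinel artifact): the same filter a scheduled KQL rule applies, run here in Python over constructed AzureActivity-style records. The record shape (OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, _ResourceId and a Location field), the allow-list and the sample callers are assumptions for this demo; in the real table the region has to be derived from the event's properties.

```python
# Added example (not the page's query): the logic of the scheduled rule from
# question 94, run over constructed AzureActivity-style records.  The record
# shape below (OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress,
# _ResourceId, and an assumed Location field) is an assumption for this demo.
from dataclasses import dataclass

APPROVED_REGIONS = {"westeurope", "northeurope"}          # assumed allow-list
VM_WRITE = "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE"      # VM create/update op


@dataclass(frozen=True)
class Alert:
    caller: str        # -> Account entity in the rule's entity mapping
    caller_ip: str     # -> IP entity
    resource_id: str   # -> Azure resource entity
    region: str


def detect_unapproved_vm_deployments(records, approved=APPROVED_REGIONS):
    """Return one Alert per successful VM write that landed outside the allow-list.

    Only the 'Success' status event is matched, so the Start/Success pair logged
    for one deployment yields a single alert and failed deployments (which
    created nothing) are ignored.
    """
    alerts = []
    for rec in records:
        if rec.get("OperationNameValue", "").upper() != VM_WRITE:
            continue                       # not a VM create/update
        if rec.get("ActivityStatusValue") != "Success":
            continue                       # Start / Failure events
        region = rec.get("Location", "").lower()
        if region in approved:
            continue
        alerts.append(Alert(rec["Caller"], rec["CallerIpAddress"],
                            rec["_ResourceId"], region))
    return alerts


# Constructed sample rows: one approved deployment, one Start+Success pair in a
# non-approved region, one failed attempt, one non-VM operation.
_RG = "/subscriptions/s1/resourceGroups/rg1/providers/"
SAMPLE_RECORDS = [
    {"OperationNameValue": VM_WRITE, "ActivityStatusValue": "Success",
     "Caller": "alice@contoso.example", "CallerIpAddress": "203.0.113.10",
     "_ResourceId": _RG + "Microsoft.Compute/virtualMachines/vm-eu",
     "Location": "westeurope"},
    {"OperationNameValue": VM_WRITE, "ActivityStatusValue": "Start",
     "Caller": "bob@contoso.example", "CallerIpAddress": "198.51.100.7",
     "_ResourceId": _RG + "Microsoft.Compute/virtualMachines/vm-br",
     "Location": "brazilsouth"},
    {"OperationNameValue": VM_WRITE, "ActivityStatusValue": "Success",
     "Caller": "bob@contoso.example", "CallerIpAddress": "198.51.100.7",
     "_ResourceId": _RG + "Microsoft.Compute/virtualMachines/vm-br",
     "Location": "brazilsouth"},
    {"OperationNameValue": VM_WRITE, "ActivityStatusValue": "Failure",
     "Caller": "carol@contoso.example", "CallerIpAddress": "192.0.2.5",
     "_ResourceId": _RG + "Microsoft.Compute/virtualMachines/vm-jp",
     "Location": "japaneast"},
    {"OperationNameValue": "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE",
     "ActivityStatusValue": "Success",
     "Caller": "dave@contoso.example", "CallerIpAddress": "192.0.2.9",
     "_ResourceId": _RG + "Microsoft.Storage/storageAccounts/sa1",
     "Location": "japaneast"},
]

if __name__ == "__main__":
    for a in detect_unapproved_vm_deployments(SAMPLE_RECORDS):
        print(f"{a.caller} from {a.caller_ip} deployed {a.resource_id} in {a.region}")
```

Only Bob's deployment in brazilsouth is reported: the Start event for the same VM is skipped, the failed japaneast attempt created nothing, and the storage write is out of scope. Whatever this function returns is what the rule's entity mapping would attach to the alert before the incident toggle turns it into an incident.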

95
MCQmedium

A company wants to identify excessive permissions across Azure, AWS, and GCP identities. Which Microsoft security capability is designed for cloud infrastructure entitlement management?

A.Azure Monitor metrics
B.Microsoft Purview eDiscovery
C.Azure Front Door WAF
D.Microsoft Entra Permissions Management
AnswerD

Correct for the stated requirement.

Why this answer

Microsoft Entra Permissions Management is a Cloud Infrastructure Entitlement Management (CIEM) solution that provides visibility into permissions assigned to identities across multi-cloud environments (Azure, AWS, GCP). It helps detect and remediate excessive, unused, or risky permissions by analyzing identity activity and entitlement data, enabling least-privilege access control.

Exam trap

The trap here is that candidates may confuse Azure Monitor (a monitoring tool) with a security management tool, or assume a WAF or eDiscovery solution can handle identity permissions, when only a dedicated CIEM like Entra Permissions Management is designed for multi-cloud entitlement visibility.

How to eliminate wrong answers

Option A is wrong because Azure Monitor metrics collect and analyze telemetry data (e.g., CPU usage, request rates) from Azure resources, not identity permissions across clouds. Option B is wrong because Microsoft Purview eDiscovery focuses on legal discovery and compliance searches for content in Microsoft 365, not on managing cloud infrastructure entitlements. Option C is wrong because Azure Front Door WAF is a web application firewall that protects HTTP/HTTPS traffic from common web exploits, not a tool for identity permission analysis.

96
MCQmedium

A Defender for Cloud recommendation requires enabling private endpoints for a storage account. Which security risk is primarily reduced?

A.VM disk fragmentation
B.Public internet exposure of the storage service endpoint
C.Unauthorized changes to Azure AD users
D.Excessive Log Analytics ingestion
AnswerB

A private endpoint gives the storage account a private IP address inside your virtual network, so clients reach it over the Microsoft backbone instead of the public service endpoint.

Why this answer

Enabling a private endpoint for a storage account maps the service to a network interface with a private IP in your virtual network, and traffic to that address never leaves the Microsoft backbone. Creating the private endpoint on its own does not switch off public access, so the recommendation is only fully effective when the account's public network access is set to Disabled (or its firewall restricted to selected networks); together these remove the storage endpoint from the internet-facing attack surface. Reducing that public exposure is the risk the Defender for Cloud recommendation targets.

Exam trap

The trap here is that candidates may confuse the security benefit of private endpoints (reducing public exposure) with identity-related risks like unauthorized Azure AD changes, but the question specifically asks about the risk primarily reduced by enabling private endpoints for a storage account, which is public internet exposure.

How to eliminate wrong answers

Option A is wrong because VM disk fragmentation is a performance issue related to virtual hard disk (VHD) storage and I/O operations, not a security risk that private endpoints address. Option C is wrong because unauthorized changes to Azure AD users are an identity-plane risk addressed by role assignments, Privileged Identity Management and audit logging, not by the network path to a storage account. Option D is wrong because excessive Log Analytics ingestion is a cost and data volume management concern, not a security risk that private endpoints mitigate.

97
MCQmedium

A security team uses Microsoft Defender for Cloud to monitor Azure virtual machines. They want to automatically install a specific endpoint protection solution on all Windows VMs that are currently missing it, without manual intervention. The solution is not integrated natively with Defender for Cloud. Which feature should they use?

A.Enable the 'Endpoint protection' recommendation and use the 'Fix' option
B.Create an Azure Policy 'DeployIfNotExists' assignment that installs the endpoint protection extension on VMs missing it
C.Configure adaptive application controls to allow the endpoint protection software
D.Enable just-in-time VM access for the VMs
AnswerB

Azure Policy can evaluate compliance and automatically deploy extensions using the 'DeployIfNotExists' effect, even for non-native solutions, as long as there is a template for the extension.

Why this answer

Option B is correct because Azure Policy's 'DeployIfNotExists' effect can automatically deploy a custom endpoint protection extension to Windows VMs that are missing it, even if the solution is not natively integrated with Defender for Cloud. The assignment's managed identity runs the deployment, so it needs a role (typically Virtual Machine Contributor) with rights to add extensions. Note that 'DeployIfNotExists' fires when an in-scope resource is created or updated; VMs that already exist are only reported as non-compliant until a remediation task is run for the assignment, which is what brings the currently missing VMs into line without manual intervention.

Exam trap

The trap here is that candidates often assume Defender for Cloud's 'Fix' option can deploy any endpoint protection solution, but it only supports solutions that are natively integrated and listed in the Defender for Cloud dashboard.

How to eliminate wrong answers

Option A is wrong because the 'Endpoint protection' recommendation in Defender for Cloud and its 'Fix' option only work with endpoint protection solutions that are natively integrated (e.g., Microsoft Defender Antivirus, Trend Micro, Symantec); it cannot deploy a non-integrated, custom solution. Option C is wrong because adaptive application controls are an allow-listing feature that controls which applications can run on a VM, not a mechanism to install or deploy software. Option D is wrong because just-in-time VM access manages network access to management ports (e.g., RDP, SSH) to reduce attack surface, not the installation of endpoint protection agents.

98
MCQhard

A security operations team uses Microsoft Sentinel. They have a scheduled analytics rule that generates an incident when a user signs in from an unusual location. They want to automatically assign the incident to the 'Security Engineering' team and set its severity to 'High' when it is created. Which feature should they use?

A.Automation rules
B.Playbooks
C.Incident settings in analytics rule
D.Workbooks
AnswerA

Automation rules can automatically assign incidents to a team owner and change the severity at the time of incident creation.

Why this answer

Automation rules in Microsoft Sentinel allow you to centrally manage the automated handling of incidents, including assigning them to a specific team and setting their severity. When a scheduled analytics rule generates an incident, an automation rule can trigger on incident creation to perform these actions without requiring a playbook or manual intervention.

Exam trap

The trap here is that candidates often confuse playbooks with automation rules, thinking that playbooks are required for any automated action, when in fact automation rules are the native, simpler mechanism for assignment and severity changes without needing Logic Apps.

How to eliminate wrong answers

Option B is wrong because playbooks are collections of actions based on Azure Logic Apps that run in response to alerts or incidents, but they are typically used for more complex, multi-step orchestration and require additional configuration; automation rules are the simpler, built-in feature for direct assignment and severity changes. Option C is wrong because the Incident settings tab of an analytics rule only controls whether incidents are created from the rule's alerts and how alerts are grouped into incidents (entity mapping lives under the rule logic, not here); it offers no post-creation actions such as assignment or severity override. Option D is wrong because workbooks are interactive dashboards for visualizing data and reports, not for automating incident response actions.

99
MCQeasy

A security team uses Microsoft Defender for Cloud to monitor the security posture of their Azure subscription. They want to ensure that whenever a new virtual machine is created, the Log Analytics agent is automatically installed to collect security events. Which feature should they configure in Defender for Cloud?

A.Automation rules
B.Auto-provisioning settings
C.Security contacts
D.Workflow automation
AnswerB

Correct. Auto-provisioning is designed to automatically deploy the Log Analytics agent on Azure VMs (and other supported resources) to enable security monitoring.

Why this answer

Auto-provisioning settings in Microsoft Defender for Cloud automatically deploy the Log Analytics agent to all supported Azure VMs and to new ones as they are created. This ensures that security events are collected without manual intervention, directly addressing the requirement for automatic installation on new VMs. One caveat for practice outside the exam: the Log Analytics agent reached retirement in August 2024, and current Defender for Servers deployments rely on Microsoft Defender for Endpoint and agentless scanning enabled through the plan's settings instead; the objective tested here is the auto-provisioning mechanism itself.

Exam trap

The trap here is confusing 'Auto-provisioning settings' (which installs the agent) with 'Automation rules' (which automate responses in Sentinel), leading candidates to pick a feature from a different service.

How to eliminate wrong answers

Option A is wrong because Automation rules in Microsoft Sentinel (not Defender for Cloud) are used to automate incident response and remediation tasks, not to install agents on VMs. Option C is wrong because Security contacts are used to configure email notifications for security alerts and incidents, not to manage agent deployment. Option D is wrong because Workflow automation in Defender for Cloud triggers Logic Apps in response to security alerts or recommendations, but it does not handle the automatic installation of the Log Analytics agent on new VMs.

100
MCQeasy

A company uses Microsoft Defender for Cloud. They want to automatically implement a specific security recommendation (e.g., 'Enable encryption for Azure SQL Database') on all existing and future SQL Database instances in a subscription. Which feature should they use?

A.Security policy with a custom initiative.
B.Regulatory compliance dashboard.
C.Workload protection plans.
D.Vulnerability assessment.
AnswerA

Correct. Custom initiatives with policies that have 'DeployIfNotExists' or 'Modify' effects automate remediation across resources.

Why this answer

A custom initiative in a security policy allows you to define a set of security recommendations (e.g., 'Enable encryption for Azure SQL Database') and enforce them via Azure Policy. By assigning this initiative at the subscription scope with a 'DeployIfNotExists' or 'Modify' effect, you can automatically remediate non-compliant resources and ensure that all existing and future SQL Database instances have encryption enabled. This is the correct mechanism for automated, continuous compliance with custom security requirements.

Exam trap

The trap here is that candidates often confuse the Regulatory compliance dashboard (which only reports compliance) with the actual enforcement capability of custom initiatives, leading them to choose Option B.

How to eliminate wrong answers

Option B is wrong because the Regulatory compliance dashboard only provides visibility and tracking against built-in compliance standards (e.g., SOC 2, ISO 27001); it does not enforce or automatically implement specific recommendations. Option C is wrong because Workload protection plans (e.g., Defender for SQL) enable advanced threat detection and alerting but do not automatically apply configuration changes like enabling encryption. Option D is wrong because Vulnerability assessment scans databases for security weaknesses and generates reports, but it does not automatically remediate or enforce encryption settings.
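Questions 97 and 100 both rest on how the 'DeployIfNotExists' effect behaves, so here is one added example covering both (not the page's or Azure's code): a small model of that effect, evaluated over constructed resources. The policy dictionary keeps the real shape of a DINE rule (if, then.effect, then.details.type, existenceCondition), but the existence-condition field name and the 'deployment' stanza are simplified stand-ins for the real property aliases and ARM template, and the 'Contoso.AV' extension publisher is hypothetical.

```python
# Added example (not the page's or Azure's code): a small model of the Azure
# Policy DeployIfNotExists (DINE) effect used by questions 97 and 100.  The
# policy rule keeps the real shape (if / then.effect / then.details.type /
# existenceCondition), but the existence-condition field name and the
# 'deployment' stanza are simplified stand-ins for the real aliases and ARM
# template, and the 'Contoso.AV' extension publisher is hypothetical.

VM_TYPE = "Microsoft.Compute/virtualMachines"
EXT_TYPE = "Microsoft.Compute/virtualMachines/extensions"

AV_EXTENSION_POLICY = {
    "if": {"field": "type", "equals": VM_TYPE},
    "then": {
        "effect": "DeployIfNotExists",
        "details": {
            "type": EXT_TYPE,
            "existenceCondition": {"field": "publisher", "equals": "Contoso.AV"},
            "deployment": {"publisher": "Contoso.AV", "name": "ContosoAvAgent"},
        },
    },
}


def _matches(condition, obj):
    return obj.get(condition["field"]) == condition["equals"]


class DinePolicy:
    """Evaluates one DINE policy over resources (dicts with 'type', 'name' and
    a 'children' list holding related resources such as VM extensions)."""

    def __init__(self, policy):
        self.rule = policy["if"]
        self.details = policy["then"]["details"]
        self.deployments = []   # names of resources DINE actually deployed to

    def _in_scope(self, res):
        return _matches(self.rule, res)

    def _compliant(self, res):
        cond = self.details["existenceCondition"]
        return any(_matches(cond, child)
                   for child in res.get("children", [])
                   if child["type"] == self.details["type"])

    def _deploy(self, res):
        child = dict(self.details["deployment"], type=self.details["type"])
        res.setdefault("children", []).append(child)
        self.deployments.append(res["name"])

    def evaluate(self, resources):
        """Compliance scan: reports non-compliant resources but deploys nothing.
        Existing resources stay non-compliant until a remediation task runs."""
        return [r["name"] for r in resources
                if self._in_scope(r) and not self._compliant(r)]

    def on_create_or_update(self, res):
        """DINE's trigger: creating or updating an in-scope resource deploys the
        related resource when the existence condition is not met.  Returns the
        resulting compliance state, or None for out-of-scope resources."""
        if not self._in_scope(res):
            return None
        if not self._compliant(res):
            self._deploy(res)
        return self._compliant(res)

    def remediate(self, resources):
        """Remediation task: bring existing non-compliant resources into line."""
        for r in resources:
            if self._in_scope(r) and not self._compliant(r):
                self._deploy(r)
        return self.evaluate(resources)


def sample_resources():
    """Constructed inventory: one VM already protected, one missing the agent,
    one storage account that the policy's 'if' never selects."""
    return [
        {"type": VM_TYPE, "name": "vm-protected",
         "children": [{"type": EXT_TYPE, "publisher": "Contoso.AV", "name": "ContosoAvAgent"}]},
        {"type": VM_TYPE, "name": "vm-unprotected", "children": []},
        {"type": "Microsoft.Storage/storageAccounts", "name": "sa-logs", "children": []},
    ]


if __name__ == "__main__":
    engine = DinePolicy(AV_EXTENSION_POLICY)
    inventory = sample_resources()
    print("non-compliant after assignment:", engine.evaluate(inventory))
    engine.on_create_or_update({"type": VM_TYPE, "name": "vm-new", "children": []})
    print("deployed so far:", engine.deployments)
    print("non-compliant after remediation:", engine.remediate(inventory))
```

The sequence is the point: assigning the policy only flags vm-unprotected, a newly created VM gets the extension immediately, and the pre-existing VM is fixed only when remediate() (the remediation task) runs. Swapping the 'if' for an SQL database type and the existence condition for the encryption setting gives the question 100 case.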

101
MCQhard

A compliance team wants evidence that Azure resources are evaluated against the Microsoft Cloud Security Benchmark. Which Defender for Cloud area should they use?

A.Regulatory compliance and security policy assignments
B.Microsoft Entra app consent settings
C.Azure Firewall DNAT rules
D.Log Analytics saved searches only
AnswerA

Correct for the stated requirement.

Why this answer

The Regulatory compliance dashboard in Microsoft Defender for Cloud provides continuous monitoring of Azure resources against the Microsoft Cloud Security Benchmark (MCSB). It maps built-in policy assignments to compliance controls, generates a compliance score, and offers remediation steps. This is the designated area for evidence of MCSB evaluation.

Exam trap

The trap here is that candidates may confuse the Regulatory compliance dashboard with general log querying or network security controls, overlooking that the MCSB is specifically enforced through Azure Policy initiatives within Defender for Cloud's compliance monitoring.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra app consent settings manage user consent for application permissions, not compliance evaluation against security benchmarks. Option C is wrong because Azure Firewall DNAT rules configure inbound network address translation for traffic, unrelated to compliance assessment. Option D is wrong because Log Analytics saved searches are used for querying log data, not for providing a structured compliance dashboard against the MCSB.

102
Multi-Selecthard

A security team uses Microsoft Defender for Cloud to centralize security alerts. They want to continuously export all security alerts to a Log Analytics workspace for long-term retention and custom analysis. Which two actions must be taken to achieve this? (Choose two that apply.)

Select 2 answers
A.Enable the continuous export feature in Microsoft Defender for Cloud.
B.Configure diagnostic settings for the subscription to export SecurityAlert logs to the Log Analytics workspace.
C.Create a Log Analytics workspace in the same region as the resources.
D.Assign an Azure Policy definition for 'Deploy export to Log Analytics workspace for Azure Security Center data'.
AnswersA, B

This feature must be turned on to stream alerts and recommendations to a destination like a Log Analytics workspace.

Why this answer

Option A is correct because Microsoft Defender for Cloud's continuous export feature allows you to stream security alerts and recommendations to a Log Analytics workspace or Event Hubs at the subscription or tenant level. This feature is designed specifically for ongoing export, supporting long-term retention and custom analysis without manual intervention.

Exam trap

The trap here is that candidates often reach for Azure Monitor diagnostic settings alone, but the exam's expected answer pairs the two: continuous export (A) is the Defender for Cloud feature, configured under Environment settings, that streams alerts and recommendations into the workspace's SecurityAlert and SecurityRecommendation tables, while subscription diagnostic settings (B) are the Azure Monitor path that forwards the subscription Activity log, whose Security category carries Defender for Cloud alerts, into the same workspace. Option C is wrong because the target workspace does not have to be in the same region as the resources. Option D names the built-in policy that deploys continuous export at scale across many subscriptions; it is one way to turn on A, not an additional required step.

103
MCQmedium

A security team uses Microsoft Sentinel. They want to automatically block a user's account in Azure AD when a high-severity incident is created in Sentinel indicating the user's credentials are compromised. Which automation feature should they use?

A.Create a playbook that uses the Azure AD connector to block the user, and associate it with an automation rule for high-severity incidents.
B.Configure the analytic rule for credential compromise to include a script that blocks the user as part of the rule.
C.Use a workbook to monitor incidents and manually block users.
D.Enable the 'User blocking' feature directly in the Microsoft Sentinel settings for all high-severity incidents.
AnswerA

Playbooks can automate response actions; automation rules trigger them based on incident properties.

Why this answer

Option A is correct because Microsoft Sentinel automation rules can trigger a playbook (an Azure Logic Apps workflow) when a high-severity incident is created. The playbook can use the Azure AD connector to call the Microsoft Graph API and block the user account, providing automated response to credential compromise without manual intervention.

Exam trap

The trap here is that candidates may think analytic rules can include scripts or that Sentinel has a native user-blocking toggle, but in reality, automated response requires a separate playbook triggered by an automation rule.

How to eliminate wrong answers

Option B is wrong because analytic rules in Sentinel define detection logic (KQL queries) and cannot contain scripts to perform actions like blocking users; actions are handled separately by automation rules and playbooks. Option C is wrong because workbooks are for visualization and reporting, not for automated response; they require manual monitoring and action, which does not meet the requirement for automatic blocking. Option D is wrong because Microsoft Sentinel does not have a built-in 'User blocking' feature in its settings; blocking users requires integration with Azure AD via a playbook or other external automation.
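What the playbook step in question 103 actually does against Microsoft Graph, as an added example (not the page's playbook and not the Azure AD connector's code): the two calls, in the order that matters, with the HTTP transport injected so the sequence can be exercised offline. The user id and the in-memory directory are constructed; a real run needs a token for the playbook's identity carrying User.ReadWrite.All (or the narrower User.EnableDisableAccount.All plus User.RevokeSessions.All).

```python
# Added example (not the page's playbook): the Microsoft Graph calls a
# "block compromised user" playbook step issues, with the HTTP transport
# injected so the sequence can be exercised offline.  The user id and the
# in-memory directory are constructed.
GRAPH = "https://graph.microsoft.com/v1.0"


def block_user(user_id, send):
    """Disable the account, then revoke its sessions.

    send(method, url, body) performs one HTTP call and returns the status code.
    Order matters: PATCH accountEnabled=false stops new sign-ins, but tokens
    already issued keep working until they expire, so revokeSignInSessions is
    called second to force every existing session to re-authenticate (and fail).
    """
    calls = [
        ("PATCH", f"{GRAPH}/users/{user_id}", {"accountEnabled": False}),
        ("POST", f"{GRAPH}/users/{user_id}/revokeSignInSessions", None),
    ]
    done = []
    for method, url, body in calls:
        status = send(method, url, body)
        done.append((method, url, status))
        if status >= 300:
            raise RuntimeError(f"{method} {url} failed with HTTP {status}")
    return done


class FakeDirectory:
    """Minimal stand-in for Graph: tracks accountEnabled and a session epoch
    that only revokeSignInSessions advances."""

    def __init__(self, users):
        self.users = {uid: {"accountEnabled": True, "sessionEpoch": 0} for uid in users}

    def send(self, method, url, body):
        prefix = f"{GRAPH}/users/"
        if not url.startswith(prefix):
            return 404
        tail = url[len(prefix):].split("/")
        user = self.users.get(tail[0])
        if user is None:
            return 404
        if method == "PATCH" and len(tail) == 1:
            user.update(body)
            return 204
        if method == "POST" and tail[1:] == ["revokeSignInSessions"]:
            user["sessionEpoch"] += 1     # tokens issued before this are rejected
            return 200
        return 405

    def can_sign_in(self, uid):
        return self.users[uid]["accountEnabled"]

    def token_valid(self, uid, issued_epoch):
        """Tokens already issued keep working after a plain disable; only a
        revocation (which bumps the epoch) rejects them."""
        return issued_epoch >= self.users[uid]["sessionEpoch"]


if __name__ == "__main__":
    directory = FakeDirectory(["u-compromised"])
    token_epoch = directory.users["u-compromised"]["sessionEpoch"]
    for method, url, status in block_user("u-compromised", directory.send):
        print(method, url, status)
    print("new sign-in allowed:", directory.can_sign_in("u-compromised"))
    print("old token still valid:", directory.token_valid("u-compromised", token_epoch))
```

The fake directory models the behaviour a responder needs to remember: after the PATCH alone an existing token is still honoured, and only the revocation call invalidates it. In a Logic App the same two steps are the Azure AD connector's update-user action followed by an HTTP action (or Graph connector call) for revokeSignInSessions, both run under the playbook's managed identity.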

104
Matchingmedium

Match each Azure AD Conditional Access component to its role.


Context such as user, location, device, and risk

Criteria like user group, app, or sign-in risk

Require MFA, compliant device, or approved app

Limit user session within apps (e.g., app enforced restrictions)

Define trusted IP ranges or countries

Why these pairings

Conditional Access policies enforce access controls based on conditions.

105
Multi-Selectmedium

A security engineer needs to collect custom application logs from Azure VMs using Azure Monitor Agent for Sentinel analysis. Which two components are required?

Select 2 answers
A.A Data Collection Rule that defines the custom log collection
B.A storage account configured for static website hosting
C.Association of the Data Collection Rule with the target machines
D.A Conditional Access policy requiring MFA
AnswersA, C

Correct for the stated requirement.

Why this answer

A Data Collection Rule (DCR) is required to define the schema, transformation, and destination for custom log data ingested by Azure Monitor Agent. Without a DCR, the agent has no configuration for which custom logs to collect or how to process them. Option C is needed because a DCR does nothing on its own: it has to be associated with the target machines (a data collection rule association) before the agent on each VM receives that configuration and starts shipping the log to the Sentinel workspace.

Exam trap

The trap here is that candidates may confuse storage accounts (used for Azure Diagnostics extension or legacy agents) with the modern Azure Monitor Agent requirement, or mistakenly think Conditional Access policies are relevant to log ingestion.

106
MCQhard

A company has Azure AD Conditional Access policies that require multi-factor authentication (MFA) for all users accessing sensitive cloud apps. The security team wants to extend this protection by monitoring and controlling user activities within those applications (e.g., preventing data exfiltration during a session). Which Conditional Access session control should they implement?

A.Grant control: Require MFA
B.Session control: Use app enforced restrictions
C.Session control: Sign-in frequency
D.Session control: Conditional Access Application Control
AnswerD

This control allows administrators to monitor and control user sessions in real time, including blocking downloads or applying data protection policies.

Why this answer

Option D is correct because Conditional Access Application Control (also known as Microsoft Defender for Cloud Apps session control) allows real-time monitoring and control of user activities within cloud apps, such as blocking downloads or preventing data exfiltration. This session control works by redirecting user traffic through Microsoft Defender for Cloud Apps as a reverse proxy, enabling granular policy enforcement during the session. The requirement specifically asks for monitoring and controlling activities inside the app, which goes beyond just requiring MFA at sign-in.

Exam trap

The trap here is that candidates confuse session controls that manage sign-in frequency or app-enforced restrictions with the more advanced session monitoring and data exfiltration prevention capabilities provided by Conditional Access Application Control, which is the only option that offers real-time in-app activity control.

How to eliminate wrong answers

Option A is wrong because Grant control: Require MFA is an access control that enforces multi-factor authentication at sign-in, but it does not provide any monitoring or control of user activities once the session is established. Option B is wrong because Session control: Use app enforced restrictions relies on the cloud app itself to enforce its own controls (e.g., SharePoint IP-based restrictions), but it does not offer the real-time session monitoring or data exfiltration prevention that Microsoft Defender for Cloud Apps provides. Option C is wrong because Session control: Sign-in frequency controls how often a user must reauthenticate during a session, which is a session lifetime control, not a mechanism to monitor or control in-app activities like downloads or copy-paste.

107
MCQmedium

A security operations team uses Microsoft Sentinel for security monitoring. They want to automatically create an incident and send an email to the on-call security engineer when a specific event occurs in Azure Activity Log, such as someone disabling a key vault firewall. Which automation feature should they configure?

A.Automation rules
B.Playbooks (Azure Logic Apps)
C.Scheduled analytics rules
D.Livestream
AnswerB

Playbooks are Logic Apps workflows that can send emails, create tickets, and run custom actions. An analytics rule detects the event and creates the incident; the playbook, triggered from that incident (directly or through an automation rule), sends the notification.

Why this answer

Playbooks (Azure Logic Apps) are the correct automation feature because they define a workflow that runs in response to a Microsoft Sentinel alert or incident, such as one raised when a Key Vault firewall is disabled, and that workflow can email the on-call security engineer through a connector like Office 365 Outlook. Automation rules can trigger playbooks but cannot send email or perform external actions themselves; they rely on playbooks for such tasks.

Exam trap

The trap here is that candidates often confuse automation rules with playbooks, thinking automation rules can directly send emails, but they only orchestrate incident management actions and must invoke a playbook for external communication.

How to eliminate wrong answers

Option A is wrong because automation rules are used to automate incident management tasks like assigning, tagging, or changing severity, but they cannot directly send emails or execute custom workflows; they require a playbook to perform those actions. Option C is wrong because scheduled analytics rules are what detect the Activity log event and create the incident, but they have no notification capability; the email has to come from a playbook. Option D is wrong because Livestream is a feature for real-time monitoring and debugging of log streams, not for automated incident creation or email notification.

108
MCQhard

A security operations team uses Microsoft Sentinel. They have created a playbook that sends an email notification to the security team when a high-severity incident is created by a specific analytics rule named 'CriticalRDPAccess'. They want the playbook to trigger automatically only when the incident has severity 'High' AND the incident was created by the rule named 'CriticalRDPAccess'. Which automation rule configuration should they use?

A.Condition: Incident severity equals High; AND Incident rule name contains 'CriticalRDPAccess'. Action: Run playbook.
B.Condition: Incident severity equals High; OR Incident rule name equals 'CriticalRDPAccess'. Action: Run playbook.
C.Condition: Incident severity equals High; AND Incident rule name equals 'CriticalRDPAccess'. Action: Run playbook.
D.Condition: Incident severity in ['High', 'Critical']; AND Incident rule name equals 'CriticalRDPAccess'. Action: Run playbook.
AnswerC

This correctly uses AND with exact match for both conditions.

Why this answer

Option C is correct because the automation rule must use the AND operator to require both conditions—incident severity equals 'High' AND incident rule name equals 'CriticalRDPAccess'—to trigger the playbook. This ensures the playbook runs only when both criteria are met, matching the requirement exactly. Using 'contains' instead of 'equals' (as in Option A) would incorrectly match rules with 'CriticalRDPAccess' as a substring, potentially triggering on unintended rules.

Exam trap

The trap here is that candidates may confuse 'contains' with 'equals' for rule name matching, or incorrectly use OR instead of AND, leading to unintended playbook triggers for similar rule names or unrelated high-severity incidents.

How to eliminate wrong answers

Option A is wrong because 'Incident rule name contains' uses a substring match, which would trigger the playbook for any rule whose name includes 'CriticalRDPAccess' (e.g., 'CriticalRDPAccessV2'), not just the exact rule name. Option B is wrong because the OR operator means the playbook would trigger if either condition is true—e.g., any high-severity incident or any incident from the rule—violating the requirement for both conditions to be true. Option D is wrong because it includes 'Critical' in the severity list, which would trigger the playbook for critical-severity incidents as well, not just high-severity incidents as specified.
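The four condition sets from question 108 evaluated side by side, as an added example (not Sentinel's own rule engine): each option becomes a predicate over constructed incidents, so the over-triggering of 'contains' and OR is visible in the output rather than argued. The incident titles and rule names are constructed; the severity values follow Sentinel's incident severities (Informational, Low, Medium, High), which is why option D's 'Critical' never matches anything.

```python
# Added example (not Sentinel's evaluator): the four condition sets from
# question 108 applied to constructed incidents, to show how 'contains' and
# OR over-trigger.  Sentinel incident severities are Informational, Low,
# Medium and High; 'Critical' in option D is not a value an incident can have.
from dataclasses import dataclass


@dataclass(frozen=True)
class Incident:
    title: str
    severity: str
    rule_name: str      # analytics rule that created the incident


def severity_in(values):
    return lambda inc: inc.severity in values


def rule_equals(name):
    return lambda inc: inc.rule_name == name


def rule_contains(fragment):
    return lambda inc: fragment in inc.rule_name


def automation_rule(conditions, combine="and"):
    """Returns a predicate over incidents; Sentinel joins conditions with AND
    unless they are placed in separate OR groups."""
    if combine == "and":
        return lambda inc: all(c(inc) for c in conditions)
    if combine == "or":
        return lambda inc: any(c(inc) for c in conditions)
    raise ValueError(combine)


OPTIONS = {
    "A": automation_rule([severity_in({"High"}), rule_contains("CriticalRDPAccess")]),
    "B": automation_rule([severity_in({"High"}), rule_equals("CriticalRDPAccess")], "or"),
    "C": automation_rule([severity_in({"High"}), rule_equals("CriticalRDPAccess")]),
    "D": automation_rule([severity_in({"High", "Critical"}), rule_equals("CriticalRDPAccess")]),
}

# Constructed incidents, one for each way the wrong options misfire.
INCIDENTS = [
    Incident("wanted", "High", "CriticalRDPAccess"),
    Incident("similar-name", "High", "CriticalRDPAccessV2"),
    Incident("other-high", "High", "BruteForceSSH"),
    Incident("right-rule-low", "Low", "CriticalRDPAccess"),
]


def triggered(option, incidents=INCIDENTS):
    """Titles of the incidents for which the given option would run the playbook."""
    return [inc.title for inc in incidents if OPTIONS[option](inc)]


if __name__ == "__main__":
    for opt in "ABCD":
        print(opt, triggered(opt))
```

Option C fires only for 'wanted'. Option A also fires for the V2 rule, option B fires for every one of the four incidents, and option D behaves like C here only because no incident can ever carry the severity 'Critical'.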

109
MCQeasy

A company uses Microsoft Defender for Cloud to manage the security posture of their Azure workloads. The compliance officer needs to generate a report that shows the current compliance status against the SOC 2 standard, including the pass/fail status of each control. Which feature in Defender for Cloud should they use?

A.Regulatory compliance dashboard
B.Inventory
C.Secure Score
D.Workbooks
AnswerA

The regulatory compliance dashboard provides a comprehensive view of compliance against chosen standards, including SOC 2, showing control status and recommendations.

Why this answer

The Regulatory compliance dashboard in Microsoft Defender for Cloud provides a pre-built, continuously updated view of compliance posture against standards like SOC 2. It maps Azure Policy initiatives to specific controls and shows the pass/fail status for each control, enabling the compliance officer to generate the required report directly.

Exam trap

The trap here is that candidates often confuse the Secure Score (which measures overall security posture) with regulatory compliance reporting, not realizing that Secure Score does not map to specific standard controls like SOC 2.

How to eliminate wrong answers

Option B (Inventory) is wrong because it lists Azure resources and their configurations, but does not evaluate or report compliance against specific regulatory standards like SOC 2. Option C (Secure Score) is wrong because it aggregates security recommendations into a single score based on best practices, not a control-by-control pass/fail report for a specific compliance standard. Option D (Workbooks) is wrong because while Workbooks can create custom visualizations from Azure Monitor data, they are not a pre-built feature for regulatory compliance reporting and require manual configuration to map controls.

110
Multi-Selectmedium

A company uses Defender for Servers Plan 2. Which two capabilities are included compared with a basic posture-only configuration?

Select 2 answers
A.Azure Cost Management budget alerts
B.File integrity monitoring or equivalent advanced server protection capabilities
C.Endpoint detection and response integration through Microsoft Defender for Endpoint
D.Microsoft 365 message trace
AnswersB, C

Correct for the stated requirement.

Why this answer

Defender for Servers Plan 2 includes advanced server protection capabilities such as file integrity monitoring (FIM), which tracks changes to critical system files and registry keys, and endpoint detection and response (EDR) through the integrated Microsoft Defender for Endpoint. Both go beyond a posture-only configuration (foundational CSPM), which provides recommendations and secure score but no real-time threat detection or file-change monitoring.

Exam trap

The trap here is assuming posture-only coverage already includes threat protection. It does not: Defender for Endpoint integration arrives with Defender for Servers Plan 1, and Plan 2 adds the broader set (FIM, agentless scanning and the free data-ingestion allowance among them), so both B and C are present in Plan 2 and absent from a posture-only setup. Do not read the question as saying that only Plan 2 provides EDR.

111
MCQmedium

Security analysts in your company use Microsoft Sentinel to manage incidents. They want to automatically assign any incident with a severity of 'High' or 'Critical' to the senior analyst on duty. Which Microsoft Sentinel feature should they configure to accomplish this?

A.Automation rules
B.Playbooks
C.Workbooks
D.Analytics rules
AnswerA

Automation rules can be configured to trigger on incident creation and set the owner to a specific user or group. This is the simplest way to automate incident assignment.

Why this answer

Automation rules in Microsoft Sentinel allow you to automatically assign incidents to specific users or groups based on conditions such as severity. By creating an automation rule that triggers when an incident is created with a severity of 'High' or 'Critical', you can set the owner to the senior analyst on duty, fulfilling the requirement without manual intervention.

Exam trap

The trap here is that candidates often confuse automation rules with playbooks, assuming that any automated response requires a playbook, but Microsoft Sentinel's automation rules natively support direct incident assignment without needing a separate playbook workflow.

How to eliminate wrong answers

Option B is wrong because playbooks are automated workflows (based on Azure Logic Apps) for response actions like sending emails or blocking IPs; a playbook can change the owner through the Sentinel connector's update-incident action, but that is an indirect path, and automation rules set the owner natively without a Logic App. Option C is wrong because workbooks are visualization tools for creating dashboards and reports from Sentinel data, not for automating incident assignment. Option D is wrong because analytics rules are used to generate alerts and incidents from data sources (e.g., scheduled queries or Microsoft Security alerts), but they do not handle post-creation actions like assignment.

112
MCQ · medium

An organization has deployed Microsoft Sentinel as their SIEM. They need to ingest audit logs from their Amazon Web Services (AWS) environment, including CloudTrail logs. Which data connector should they use in Microsoft Sentinel to collect these logs?

A. Amazon Web Services connector
B. AWS S3 connector
C. Azure Sentinel to AWS connector
D. CloudTrail connector
Answer: A

The Amazon Web Services connector in Sentinel is specifically designed to ingest CloudTrail logs and other AWS audit logs.

Why this answer

The Amazon Web Services connector is the correct data connector in Microsoft Sentinel for ingesting AWS audit logs, including CloudTrail logs. It establishes a connection to AWS by requiring a role ARN and external ID, enabling Sentinel to pull CloudTrail events via the AWS API. This connector specifically supports CloudTrail management and data events, making it the appropriate choice for audit log ingestion.

Exam trap

The trap here is that candidates may confuse the generic 'AWS S3 connector' with CloudTrail log ingestion, but CloudTrail logs are ingested via the dedicated 'Amazon Web Services' connector, not through direct S3 bucket access.

How to eliminate wrong answers

Option B is wrong because the AWS S3 connector is designed to ingest logs from S3 buckets (e.g., VPC Flow Logs, ELB logs), not specifically CloudTrail audit logs, and requires additional configuration like SQS for event-driven ingestion. Option C is wrong because there is no data connector named 'Azure Sentinel to AWS connector'; the official connector is called 'Amazon Web Services' in the Sentinel data connectors gallery. Option D is wrong because there is no standalone 'CloudTrail connector' in Microsoft Sentinel; CloudTrail logs are ingested through the Amazon Web Services connector, which handles the CloudTrail integration.

113
MCQ · easy

A company needs to demonstrate compliance with the Payment Card Industry Data Security Standard (PCI DSS) for their Azure workloads. They use Microsoft Defender for Cloud for security management. Which feature should they use to view their current compliance status against PCI DSS controls and track progress over time?

A. Security policy
B. Recommendations
C. Regulatory compliance dashboard
D. Security incidents
Answer: C

Correct. The Regulatory compliance dashboard provides a detailed view of compliance with regulations like PCI DSS, showing which controls pass and fail, and offers ongoing assessments.

Why this answer

The Regulatory compliance dashboard in Microsoft Defender for Cloud provides a pre-built view of compliance posture against standards like PCI DSS. It maps Azure resource configurations to specific PCI DSS controls, shows pass/fail status per control, and tracks compliance score over time, enabling continuous monitoring and evidence collection for auditors.

Exam trap

The trap here is that candidates may confuse the Recommendations blade (which shows individual security findings) with the Regulatory compliance dashboard (which aggregates those findings into a compliance framework view), leading them to select Recommendations instead of the correct dashboard.

How to eliminate wrong answers

Option A is wrong because Security policy defines rules and initiatives for resource compliance but does not provide a dashboard to view current compliance status or track progress against PCI DSS controls. Option B is wrong because Recommendations are individual security findings that suggest actions to improve security posture, but they do not aggregate or map to PCI DSS controls in a compliance dashboard format. Option D is wrong because Security incidents are alerts about detected threats or attacks, not a compliance tracking tool for standards like PCI DSS.

114
MCQ · medium

A company uses Azure AD Identity Protection. They have detected a user with a 'High' user risk level due to suspicious activity. The security team wants to automatically block sign-ins for this user only when the sign-in comes from a location that is not in the company's list of trusted IPs. They have created a Conditional Access policy. Which configuration should they use?

A. Assign the user to the policy, set condition 'User risk level: High' and condition 'Locations: All locations except trusted', and set 'Grant' to 'Block access'
B. Assign the user to the policy, set condition 'Sign-in risk level: High' and condition 'Locations: All trusted locations', and set 'Grant' to 'Block access'
C. Assign the user to the policy, set condition 'User risk level: High' and set 'Grant' to 'Require multi-factor authentication'
D. Create a risk detection policy in Identity Protection that triggers a user risk policy, and have Conditional Access use the risk policy
Answer: A

This configuration ensures that the block applies only when both conditions are met: high user risk and an untrusted location.

Why this answer

Option A is correct because it combines the 'User risk level: High' condition (triggered by Identity Protection's user risk detection) with the 'Locations: All locations except trusted' condition, and sets 'Grant' to 'Block access'. This ensures that only sign-ins from untrusted locations are blocked when the user's risk is high, meeting the requirement to allow sign-ins from trusted IPs even for high-risk users.

Exam trap

The trap here is confusing 'User risk level' (associated with the user account's overall risk) with 'Sign-in risk level' (associated with a specific authentication attempt), leading candidates to incorrectly choose Option B which uses sign-in risk and targets trusted locations.

How to eliminate wrong answers

Option B is wrong because it uses 'Sign-in risk level: High' instead of 'User risk level: High', and it targets 'All trusted locations' which would block sign-ins from trusted IPs, the opposite of the requirement. Option C is wrong because it sets 'Grant' to 'Require multi-factor authentication' instead of 'Block access', which does not block sign-ins but only prompts for MFA, failing the requirement to block sign-ins from untrusted locations. Option D is wrong because it describes creating a separate risk detection policy in Identity Protection; Conditional Access policies directly use user risk and sign-in risk conditions without needing an additional risk policy, and this approach adds unnecessary complexity without achieving the specific location-based block.

115
MCQ · hard

A company uses Azure AD Privileged Identity Management (PIM) to manage the Global Administrator role. They want to require that when a user activates the role, they must be using a device that is compliant with Intune policies (e.g., compliant device) and must provide a justification. The company already has Conditional Access policies in place for regular access. How should they enforce the device compliance requirement specifically during PIM activation?

A. Configure a Conditional Access policy that targets the 'Azure AD Privileged Identity Management' cloud app, requiring compliant device.
B. In PIM settings for the Global Administrator role, enable 'Require Multi-Factor Authentication on activation'.
C. In PIM settings for the Global Administrator role, enable 'Require Azure AD Conditional Access authentication context' and create a Conditional Access policy that requires compliant device when that authentication context is used.
D. Use Azure AD Identity Protection's user risk policy to require device compliance when a high-risk user activates the role.
Answer: C

Correct. This is the recommended method for integrating PIM with Conditional Access. The authentication context is signaled during activation, and a separate CA policy enforces the device compliance requirement.

Why this answer

Option C is correct because Azure AD PIM can integrate with Conditional Access via authentication context. By enabling 'Require Azure AD Conditional Access authentication context' in the PIM role settings and then creating a Conditional Access policy that targets that authentication context with the 'Require compliant device' grant control, you enforce device compliance specifically during role activation. This approach ensures the device compliance check is applied only when the user activates the Global Administrator role, not during regular access.

Exam trap

The trap here is that candidates often confuse applying a Conditional Access policy to the 'Azure AD Privileged Identity Management' cloud app (which controls access to the PIM portal) with enforcing conditions during the actual role activation process, which requires authentication context integration.

How to eliminate wrong answers

Option A is wrong because targeting the 'Azure AD Privileged Identity Management' cloud app in a Conditional Access policy applies the policy to the PIM service itself (e.g., accessing the PIM portal), not to the role activation process; it would not enforce device compliance during activation. Option B is wrong because enabling 'Require Multi-Factor Authentication on activation' only adds an MFA requirement, not a device compliance check; it does not address the device compliance requirement. Option D is wrong because Azure AD Identity Protection's user risk policy evaluates user risk and can require MFA or password change, but it cannot directly enforce device compliance; it is designed for risk-based remediation, not for role activation-specific device compliance.

116
MCQ · hard

A Defender for Cloud recommendation is valid for most subscriptions but not for a legacy subscription with an approved exception. The team wants secure score to reflect the exception without disabling the recommendation everywhere. What should they do?

A. Delete the built-in initiative from the management group
B. Change the recommendation severity to Low
C. Create an exemption for the affected scope with a justification
D. Disable Defender for Cloud on the legacy subscription
Answer: C

Correct for the stated requirement.

Why this answer

Option C is correct because Azure Policy exemptions allow you to exclude a specific scope (e.g., a subscription or resource group) from a policy or initiative effect while still having the policy enforced elsewhere. By creating an exemption for the legacy subscription with a justification, the Defender for Cloud recommendation remains active for all other subscriptions, and the secure score calculation will correctly reflect the exception without disabling the recommendation globally.

Exam trap

The trap here is that candidates often confuse 'exemption' with 'disabling' or 'removing' the policy, leading them to choose options that either globally disable the recommendation (A or D) or incorrectly assume severity changes can create exceptions (B), when in fact Azure Policy exemptions are the precise mechanism to exclude a specific scope while preserving the policy for all others.

How to eliminate wrong answers

Option A is wrong because deleting the built-in initiative from the management group would remove the policy from all subscriptions under that management group, not just the legacy subscription, and would prevent the secure score from reflecting the recommendation at all. Option B is wrong because changing the recommendation severity to Low does not create an exception; it only adjusts the weight of the recommendation in the secure score, but the recommendation would still apply to the legacy subscription and could generate alerts or compliance failures. Option D is wrong because disabling Defender for Cloud on the legacy subscription would turn off all security monitoring and recommendations for that subscription, which is an overly broad action that goes beyond creating a single exception and could leave the subscription unprotected.

117
MCQ · hard

A Sentinel analytics rule creates a new incident every time the same brute-force activity is detected for the same account within an hour. The SOC wants one incident that continues to group related alerts. What should be changed?

A. Disable entity mapping for the account entity
B. Configure incident grouping in the scheduled analytics rule
C. Change the rule query to use project-away on TimeGenerated
D. Run the rule as a near-real-time rule
Answer: B

Correct for the stated requirement.

Why this answer

Option B is correct because incident grouping in a scheduled analytics rule allows multiple alerts triggered by the same entity (e.g., the same account) within a specified time window to be combined into a single incident. By configuring the 'Group related alerts into a single incident' setting and setting the grouping window to one hour, the SOC ensures that all brute-force alerts for the same account are merged into one incident, reducing alert fatigue and providing a consolidated view of the attack.

Exam trap

The trap here is that candidates often confuse incident grouping with alert suppression or think that disabling entity mapping will reduce noise, but entity mapping is actually required for grouping to work correctly.

How to eliminate wrong answers

Option A is wrong because disabling entity mapping for the account entity would prevent the rule from identifying the specific account involved, breaking the grouping logic and potentially causing alerts to not be correlated at all. Option C is wrong because using project-away on TimeGenerated would remove the timestamp column from the query results, which is essential for time-based grouping and would break the rule's ability to correctly evaluate the 1-hour window. Option D is wrong because running the rule as a near-real-time rule (NRT) does not support incident grouping; NRT rules run every few minutes and create separate incidents for each detection, which is the opposite of what the SOC wants.

118
MCQ · medium

A security operations team uses Microsoft Sentinel. They want to automatically assign incidents to different tiers of analysts based on severity when incidents are created. Which feature should they configure?

A. Fusion - Advanced Multistage Attack Detection
B. Analytics rules with scheduled queries
C. Automation rules
D. Playbooks
Answer: C

Automation rules allow you to automatically trigger actions like assigning an incident to a specific user or team, changing severity, adding tags, or running a playbook. This is the correct feature to automatically assign incidents based on severity.

Why this answer

Automation rules in Microsoft Sentinel allow you to automatically assign incidents to specific analysts or teams based on criteria such as severity. When an incident is created, the automation rule triggers and can set the owner (assignee) to a predefined user or group, enabling tiered assignment without manual intervention.

Exam trap

The trap here is that candidates often confuse automation rules with playbooks, assuming playbooks are required for any automated action, but automation rules are the correct feature for simple, rule-based incident assignment without the overhead of a full Logic App workflow.

How to eliminate wrong answers

Option A is wrong because Fusion - Advanced Multistage Attack Detection is a correlation engine that detects multistage attacks by combining alerts, not a mechanism for incident assignment. Option B is wrong because analytics rules with scheduled queries generate alerts based on log queries, but they do not include incident assignment or ownership logic. Option D is wrong because playbooks are automated workflows (often using Azure Logic Apps) that can respond to incidents, but they are triggered by automation rules or analytics rules and are not the feature used to directly assign incidents to analysts.

119
MCQ · medium

A security operations team uses Microsoft Sentinel. They create a playbook that changes the severity of an incident from 'Medium' to 'High' when a specific indicator of compromise (IOC) is detected within the incident's entities. The team wants this playbook to run automatically as soon as the incident is created, without manual intervention. Which type of automation rule trigger should they configure to invoke the playbook?

A. When incident is created
B. When incident is updated
C. When alert is created
D. On a time schedule
Answer: A

This trigger runs the automation rule immediately when a new incident is generated. The rule can check conditions and then run the playbook to change the severity.

Why this answer

Option A is correct because the 'When incident is created' trigger in Microsoft Sentinel automation rules is designed to invoke a playbook immediately upon incident generation, without requiring any manual action. This matches the requirement for automatic execution as soon as the incident is created, allowing the playbook to evaluate entities and change severity from 'Medium' to 'High' based on the IOC detection.

Exam trap

The trap here is that candidates may confuse 'When alert is created' with incident creation, not realizing that incidents are higher-level constructs that can aggregate multiple alerts, and the playbook must run at the incident scope to change severity based on entities across all alerts.

How to eliminate wrong answers

Option B is wrong because 'When incident is updated' triggers only after an incident is modified (e.g., status change or comment), not at creation time, so it would not run automatically on the initial creation. Option C is wrong because 'When alert is created' triggers on alert generation, not incident creation; incidents can aggregate multiple alerts, and the playbook needs to run at the incident level, not per alert. Option D is wrong because 'On a time schedule' is a recurring trigger (e.g., every hour) that does not respond to real-time incident creation events, making it unsuitable for immediate automated response.

120
MCQ · hard

A Sentinel playbook fails to update incidents even though the Logic App runs successfully. The playbook uses a managed identity. What is the most likely missing configuration?

A. The managed identity lacks Microsoft Sentinel Responder or Contributor permissions on the workspace
B. The analytics rule does not include MITRE ATT&CK tactics
C. The Log Analytics workspace is not linked to Azure Monitor Private Link
D. The incident title does not contain an entity mapping
Answer: A

Correct for the stated requirement.

Why this answer

The managed identity assigned to the Logic App must have at least Microsoft Sentinel Responder or Contributor permissions on the workspace to update incidents. Without these RBAC roles, the Logic App's API calls to modify incident properties (e.g., status, severity) are denied, even if the Logic App itself runs without errors.

Exam trap

The trap here is that candidates assume a successful Logic App run means permissions are correct, but the playbook can complete without errors while the incident update silently fails due to missing RBAC on the managed identity.

How to eliminate wrong answers

Option B is wrong because MITRE ATT&CK tactics are metadata for rule classification and do not affect the playbook's ability to update incidents. Option C is wrong because Azure Monitor Private Link controls network access to the workspace, not authorization for managed identity actions. Option D is wrong because entity mappings are used for alert enrichment, not for granting permissions to modify incidents.

121
Multi-Select · medium

You are configuring Azure AD Conditional Access policies for a company that uses Microsoft Intune for mobile device management. Which three of the following conditions can be used to enforce access controls in a Conditional Access policy? (Choose three.)

Select 3 answers
- Device compliance status
- User sign-in risk level
- Application sensitivity labels
- Azure AD role membership
- Network location based on public IP address
- Operating system version of the client device

Why this answer

Device compliance status is a correct condition because Conditional Access can evaluate whether a device is marked as compliant by Intune, enforcing access only from managed devices. User sign-in risk level is correct as it leverages Azure AD Identity Protection to detect compromised credentials or anomalous sign-in behavior. Application sensitivity labels are correct because Conditional Access can integrate with Microsoft Information Protection to restrict access based on the sensitivity label applied to a document or email, controlling actions like download or edit.

Exam trap

The trap here is that candidates confuse 'conditions' with 'controls' or 'assignments' — for example, Azure AD role membership is an assignment (who the policy applies to), not a condition (what triggers the policy), and operating system version is a compliance detail, not a native Conditional Access condition.

122
MCQ · hard

A SOC analyst needs a Sentinel query that detects multiple failed sign-ins followed by a successful sign-in for the same user. Which table is the best primary source?

A. SecurityAlert
B. AzureActivity
C. DeviceNetworkEvents
D. SigninLogs
Answer: D

Correct for the stated requirement.

Why this answer

SigninLogs is the correct primary source because it captures both failed and successful user sign-in events from Azure AD, including interactive and non-interactive logins. This table provides the necessary fields like ResultType (e.g., 0 for success, 50125 for failure) and UserPrincipalName to build a KQL query that detects a sequence of failed sign-ins followed by a successful one for the same user.

Exam trap

The trap here is that candidates often confuse AzureActivity (which logs administrative actions) with sign-in logs, or assume SecurityAlert contains raw event data, when in fact only SigninLogs provides the granular authentication events needed for this detection pattern.

How to eliminate wrong answers

Option A is wrong because SecurityAlert contains pre-built security alerts (e.g., from Microsoft Defender for Cloud), not raw sign-in event logs, so it cannot be used to query individual sign-in success/failure sequences. Option B is wrong because AzureActivity logs control plane operations (e.g., resource creation, RBAC changes) and does not include user authentication events like sign-ins. Option C is wrong because DeviceNetworkEvents logs network-level events (e.g., connections, DNS queries) from Microsoft Defender for Endpoint, not Azure AD authentication events.

123
Multi-Select · medium

You are a security engineer for a global enterprise that uses Microsoft Entra ID (formerly Azure Active Directory). The company requires that all administrative access to Azure resources be secured using Privileged Identity Management (PIM) and that access reviews are conducted regularly. You need to implement a solution that meets the following requirements:
- Administrators must be able to activate their roles only during approved time windows.
- All role activations must require Azure AD Multi-Factor Authentication (MFA).
- Role activations must be limited to a maximum of 4 hours.
- Access reviews must be performed every 90 days for all privileged roles.
Which four of the following actions should you take to meet the requirements? (Choose four.)

Select 4 answers
- Configure a role-assignable group in Entra ID and add it to the privileged role.
- In PIM settings for each privileged role, set the activation maximum duration to 4 hours.
- Configure an access review in Entra ID that reviews members of the privileged roles every 90 days.
- In PIM settings for each privileged role, require Azure AD MFA on activation.
- Create an Entra ID Conditional Access policy that requires MFA for all users when accessing Azure Resource Manager.
- In PIM settings for each privileged role, configure an approval workflow and define a time window for activation.

Why this answer

Configuring the activation maximum duration to 4 hours in PIM settings directly enforces the requirement that role activations are limited to a maximum of 4 hours. Requiring Azure AD MFA on activation in PIM settings ensures that all role activations are protected by MFA. Configuring an access review every 90 days for privileged roles meets the access review requirement.

Defining an approval workflow with a time window for activation in PIM settings allows administrators to activate roles only during approved time windows, fulfilling that specific requirement.

Exam trap

The trap here is that candidates may confuse a broad Conditional Access policy requiring MFA for Azure Resource Manager with the PIM-specific MFA requirement on activation, or think that a role-assignable group can enforce activation time windows and duration limits, which it cannot.

124
MCQ · medium

A security analyst is using Microsoft Sentinel to detect multi-stage attacks. They want to create an analytics rule that correlates a user sign-in from an unusual location with a subsequent data exfiltration attempt from Azure Blob Storage within one hour. Which type of analytics rule should they use?

A. Scheduled query rule with entity mapping.
B. Fusion rule.
C. Microsoft Security incident rule.
D. Anomaly rule.
Answer: A

Correct. Scheduled rules allow custom KQL to correlate events from different data sources within a time window.

Why this answer

A scheduled query rule with entity mapping is correct because it allows the security analyst to write a KQL query that correlates two distinct events—a sign-in from an unusual location and a subsequent data exfiltration from Azure Blob Storage—within a defined time window (one hour). Entity mapping enables the rule to link these events by common entities (e.g., user account or IP address), which is essential for detecting multi-stage attacks. This rule type runs on a schedule, making it ideal for time-bound correlation queries.

Exam trap

The trap here is that candidates often confuse Fusion rules (which also correlate events) with scheduled queries, but Fusion rules are limited to pre-built correlations from Microsoft security products, whereas scheduled queries allow custom KQL logic across any data source.

How to eliminate wrong answers

Option B (Fusion rule) is wrong because Fusion rules are designed to automatically correlate alerts from multiple Microsoft security products (e.g., Microsoft Defender for Cloud Apps, Azure AD Identity Protection) into a single incident, not to run custom KQL queries that correlate raw log data like sign-in logs and storage logs. Option C (Microsoft Security incident rule) is wrong because it creates incidents from alerts generated by Microsoft security services (e.g., Microsoft Defender for Endpoint), not from custom log analytics queries. Option D (Anomaly rule) is wrong because anomaly rules use machine learning to detect unusual patterns in a single data source over time, not to correlate two specific event types across different data sources within a fixed time window.

125
MCQ · hard

An organization wants to detect when a privileged Azure role assignment is created outside the approved change window. Which log source should a Sentinel rule query?

A. Heartbeat
B. AzureActivity
C. Perf
D. StorageBlobLogs
Answer: B

Correct for the stated requirement.

Why this answer

AzureActivity logs capture all control-plane operations on Azure resources, including role assignment creations (e.g., 'Microsoft.Authorization/roleAssignments/write'). By querying AzureActivity in a Sentinel rule, you can detect when a privileged role assignment is made outside an approved change window. Heartbeat, Perf, and StorageBlobLogs do not record Azure RBAC changes.

Exam trap

The trap here is that candidates may confuse data-plane logs (StorageBlobLogs) or agent health logs (Heartbeat, Perf) with control-plane activity logs, failing to recognize that only AzureActivity captures RBAC changes at the subscription scope.

How to eliminate wrong answers

Option A is wrong because Heartbeat logs are used for agent health monitoring and do not contain Azure RBAC activity. Option C is wrong because Perf logs contain performance counters (CPU, memory, disk) and have no role assignment data. Option D is wrong because StorageBlobLogs record data-plane operations on blob storage (e.g., reads, writes) and not control-plane role assignments.

126
MCQ · medium

A company uses Microsoft Defender for Cloud to monitor its security posture. The compliance team wants to receive email notifications immediately when a control in the ISO 27001 regulatory compliance standard fails. They want to be alerted only when specific controls change from 'compliant' to 'non-compliant'. Which feature should they configure?

A. Security Alerts from Microsoft Defender for Cloud
B. Regulatory Compliance dashboard with continuous export
C. Workflow automation based on regulatory compliance assessment changes
D. Custom recommendations in Microsoft Defender for Cloud
Answer: C

Workflow automation rules in Defender for Cloud can trigger actions (such as email notifications) when a regulatory compliance assessment changes, enabling proactive alerts for control failures.

Why this answer

Option C is correct because workflow automation in Microsoft Defender for Cloud can be configured to trigger based on regulatory compliance assessment changes, specifically when a control transitions from 'compliant' to 'non-compliant'. This allows the compliance team to receive immediate email notifications for ISO 27001 control failures without manual polling or dashboard monitoring.

Exam trap

The trap here is that candidates often confuse Security Alerts (which are threat-focused) with compliance state change notifications, or assume the Regulatory Compliance dashboard's continuous export can directly send real-time email alerts, but it only exports data to external sinks without built-in notification logic.

How to eliminate wrong answers

Option A is wrong because Security Alerts in Defender for Cloud are triggered by threat detection events (e.g., suspicious activities, vulnerabilities), not by regulatory compliance control state changes. Option B is wrong because the Regulatory Compliance dashboard with continuous export sends data to Log Analytics or Event Hubs for archival and analysis, but it does not natively support immediate email notifications based on specific control state transitions. Option D is wrong because custom recommendations are used to define additional security best practices or policies, not to trigger notifications on compliance control changes.

127
Matching · medium

Match each Azure security feature to its description.

Matches

Just-in-time privileged access and role activation

Unified security management and threat protection

Safeguard cryptographic keys and secrets

Classify and protect documents and emails

Managed, cloud-based network security service

Why these pairings

These are core Azure security services covered in AZ-500.

128
MCQ · medium

A company has an on-premises web application that they want to expose to external users over the internet without requiring a VPN. External users must authenticate with Modern Authentication (e.g., using Azure Multi-Factor Authentication) and access policies must be enforced via Conditional Access. The application does not support SAML or OAuth. Which Azure service should they use to publish this application securely?

A. Azure AD B2C (Business-to-Consumer).
B. Azure Application Gateway with Web Application Firewall (WAF).
C. Azure AD Application Proxy.
D. Azure Front Door.
Answer: C

Application Proxy is specifically designed for this scenario: it allows on-premises HTTP/HTTPS applications to be published through Azure AD, providing pre-authentication, MFA, and Conditional Access.

Why this answer

Azure AD Application Proxy is the correct choice because it allows publishing on-premises web applications to external users without requiring a VPN, supports Modern Authentication (including Azure MFA), and enforces Conditional Access policies. It works by installing a connector on-premises that proxies traffic through Azure AD, enabling authentication and policy enforcement even for legacy applications that do not support SAML or OAuth.

Exam trap

The trap here is that candidates often confuse Azure AD Application Proxy with Azure Application Gateway, assuming that WAF provides authentication, but Application Gateway does not integrate with Azure AD for Modern Authentication or Conditional Access enforcement.

How to eliminate wrong answers

Option A is wrong because Azure AD B2C is designed for customer-facing identity management with social logins and custom policies, not for publishing internal on-premises applications with Conditional Access enforcement. Option B is wrong because Azure Application Gateway with WAF provides layer 7 load balancing and web application firewall protection but does not handle Modern Authentication or Conditional Access policies for legacy apps. Option D is wrong because Azure Front Door is a global load balancer and CDN service that accelerates web traffic but does not provide identity-based authentication or Conditional Access integration for on-premises applications.

129
MCQ · hard

A Sentinel scheduled rule runs every 5 minutes and looks back 1 hour. Analysts see repeated alerts for the same event. Which change best prevents duplicate detections without missing late-arriving logs?

A. Reduce the query lookback to 1 minute
B. Use an ingestion-time or event-time exclusion window in the query
C. Disable alert grouping
D. Change the workspace retention period
Answer: B

Correct for the stated requirement.

Why this answer

Option B is correct because using an ingestion-time or event-time exclusion window in the query allows the rule to skip events that have already generated an alert within a specific time range, preventing duplicate detections while still accommodating late-arriving logs. This approach leverages the query logic to filter out duplicates based on a time-based deduplication key, ensuring that only new or unique events trigger alerts without altering the lookback period.

Exam trap

The trap here is that candidates often reach for reducing the lookback period (Option A) as a quick fix, not realizing it will miss late-arriving logs, while the correct solution uses a query-level exclusion window that preserves the lookback for completeness.

How to eliminate wrong answers

Option A is wrong because reducing the query lookback to 1 minute would cause the rule to miss late-arriving logs that arrive after the initial 5-minute run window, defeating the purpose of the 1-hour lookback and potentially missing critical events. Option C is wrong because disabling alert grouping would not prevent duplicate detections; it would simply stop grouping similar alerts into a single incident, potentially increasing alert noise without addressing the root cause of repeated alerts for the same event. Option D is wrong because changing the workspace retention period affects how long data is stored, not how alerts are deduplicated or how queries handle late-arriving logs, so it has no impact on duplicate alert prevention.

130
Multi-Select · medium

A team enables Microsoft Defender for Storage. Which two threats can the plan help detect?

Select 2 answers
A. Access from suspicious IP addresses to storage accounts
B. Expired Azure AD PIM role assignments
C. Public IP address creation on virtual machines
D. Malware uploaded to Blob Storage when malware scanning is enabled
Answers: A, D

Correct for the stated requirement.

Why this answer

Microsoft Defender for Storage detects anomalous activities that could indicate threats to storage accounts. Option A is correct because the service analyzes incoming requests to identify access from suspicious IP addresses, such as known malicious IPs or Tor exit nodes, using threat intelligence feeds. Option D is correct because when malware scanning is enabled, Defender for Storage can detect malware uploaded to Blob Storage by scanning files for known malicious signatures.

Exam trap

The trap here is that candidates may confuse Defender for Storage with broader Defender for Cloud capabilities, incorrectly assuming it monitors identity or networking threats outside the storage data plane.

131
MCQ · medium

A DevOps team wants Defender for Cloud to identify secrets exposed in GitHub repositories. What should be configured?

A. Azure Bastion native client
B. Defender for Cloud DevOps Security connector
C. Sentinel Syslog connector
D. Azure Storage lifecycle management
Answer: B

Correct for the stated requirement.

Why this answer

Defender for Cloud's DevOps Security connector integrates with GitHub to scan repositories for exposed secrets (e.g., API keys, tokens) using Microsoft's secret scanning engine. This connector enables Defender for Cloud to monitor commits and pull requests, alerting on secrets detected in code. It is the correct solution because it directly addresses the requirement to identify secrets in GitHub repositories within the Defender for Cloud ecosystem.

Exam trap

The trap here is that candidates may confuse the Defender for Cloud DevOps Security connector with GitHub's own secret scanning (which requires GitHub Advanced Security), but the question specifically asks for a Defender for Cloud configuration, making the connector the correct choice.

How to eliminate wrong answers

Option A is wrong because Azure Bastion native client is a secure RDP/SSH connectivity service for virtual machines, not a tool for scanning GitHub repositories for secrets. Option C is wrong because Sentinel Syslog connector ingests syslog events from on-premises or cloud devices into Azure Sentinel for security monitoring, but it does not scan GitHub repositories for secrets. Option D is wrong because Azure Storage lifecycle management automates tiering or deletion of blobs based on age or rules, and has no capability to scan GitHub code for exposed secrets.

132
MCQ · medium

A company uses Azure AD B2B collaboration to invite external vendors. They want to restrict the vendors to only be able to access a specific application, and prevent them from discovering other users or applications in the directory. Which configuration should they apply to the external users?

A. Configure a Conditional Access policy targeting guest users
B. Enable 'External Identities' cross-tenant access settings
C. Set the 'Guest user access' level to 'Guest user access is limited to properties and memberships of directory objects'
D. Assign the Application User role to the vendor users
Answer: C

This setting restricts guest users from browsing the directory, preventing them from seeing other users or applications beyond those they have access to.

Why this answer

Option C is correct because setting the 'Guest user access' level to 'Guest user access is limited to properties and memberships of directory objects' restricts external B2B users from enumerating the full directory, including other users and applications. This configuration ensures vendors can only access the specific application they are invited to, while preventing discovery of other directory objects, which aligns with the principle of least privilege for external identities.

Exam trap

The trap here is that candidates often confuse Conditional Access policies (which control authentication conditions) with directory-level authorization settings (which control what guest users can see in the tenant), leading them to select Option A instead of the correct directory restriction configuration.

How to eliminate wrong answers

Option A is wrong because a Conditional Access policy targeting guest users can enforce controls like MFA or device compliance, but it does not limit the directory visibility or prevent user/application discovery; it operates at the authentication and access level, not directory permissions. Option B is wrong because 'External Identities' cross-tenant access settings control inbound/outbound trust and collaboration policies between Azure AD tenants, but they do not directly restrict the directory scope for individual guest users within the resource tenant. Option D is wrong because assigning the Application User role grants administrative permissions to manage application registrations, which is excessive and does not restrict directory discovery; it actually increases the user's privileges rather than limiting them.

133
MCQ · hard

A company has a partner organization in another Azure AD tenant. They want to allow users from the partner tenant to access their Azure resources through Azure AD B2B collaboration. They also want the partner's Multi-Factor Authentication (MFA) claims to be trusted when partner users access their resources, so that they do not need to perform MFA again. Which configuration in cross-tenant access settings should they enable?

A. Trust multi-factor authentication from the partner tenant (inbound trust).
B. Trust device compliance from the partner tenant.
C. Enable a Conditional Access policy that grants access to the partner tenant.
D. Configure identity synchronization with the partner tenant.
Answer: A

This setting accepts MFA claims from the partner tenant, avoiding redundant MFA prompts.

Why this answer

Option A is correct because cross-tenant access settings in Azure AD allow you to configure inbound trust for MFA from an external Azure AD tenant. When enabled, Azure AD B2B collaboration will accept the partner tenant's MFA claims, so partner users who have already satisfied MFA in their home tenant will not be prompted again when accessing your resources. This is configured under 'Cross-tenant access settings' > 'Inbound trust settings' for the specific partner tenant.

Exam trap

The trap here is that candidates often confuse Conditional Access policies with cross-tenant trust settings, thinking they can use a Conditional Access policy to 'trust' external MFA, when in fact the trust must be explicitly configured in the cross-tenant access settings for inbound MFA claims.

How to eliminate wrong answers

Option B is wrong because trusting device compliance from the partner tenant is a separate inbound trust option that applies to device state (e.g., compliant or hybrid Azure AD joined), not to MFA claims; it does not address the requirement to skip MFA re-prompting. Option C is wrong because a Conditional Access policy that grants access to the partner tenant does not control trust of MFA claims; it defines conditions and access controls (like requiring MFA) but cannot make your tenant trust the partner's MFA claims—that is a cross-tenant trust setting. Option D is wrong because identity synchronization with the partner tenant is not supported for B2B collaboration; Azure AD B2B uses federation or invitation-based relationships, not synchronization, and synchronizing identities would create duplicate or conflicting objects without enabling MFA claim trust.

134
MCQ · easy

A company uses Microsoft Defender for Cloud. They want to automatically apply a security recommendation (such as enabling encryption on storage accounts) to all existing resources that are found to be non-compliant without manual intervention. Which Defender for Cloud feature should they configure?

A. Workflow automation
B. Continuous export
C. Email notifications
D. Security policies
Answer: A

Workflow automation triggers actions (e.g., Logic Apps playbooks) when a recommendation is generated, allowing automatic remediation.

Why this answer

Workflow automation in Microsoft Defender for Cloud allows you to trigger automated actions (e.g., Azure Logic Apps) based on security recommendations or regulatory compliance changes. By configuring a workflow automation rule that triggers on the 'recommendation' event for a specific recommendation (like 'Storage accounts should use customer-managed key for encryption'), you can automatically remediate non-compliant resources without manual intervention, for example by invoking a Logic App that enables encryption on the storage account.

Exam trap

The trap here is that candidates often confuse 'security policies' (which define rules) with 'workflow automation' (which executes actions), mistakenly thinking that setting a policy automatically remediates existing resources, when in fact policies only evaluate and flag non-compliance unless paired with a 'deployIfNotExists' effect or a separate automation trigger.

How to eliminate wrong answers

Option B is wrong because Continuous export is designed to stream security alerts and recommendations to Log Analytics workspaces or Event Hubs for external monitoring or SIEM integration, not to automatically remediate non-compliant resources. Option C is wrong because Email notifications only send alert or recommendation summaries to specified recipients; they do not perform any automated remediation actions. Option D is wrong because Security policies define the desired configuration state (e.g., which recommendations are enforced) but do not include any built-in mechanism to automatically apply remediation to existing non-compliant resources; they only evaluate compliance and generate recommendations.

135
MCQ · medium

A company wants Defender for Cloud to automatically open a Logic App when a high-severity alert is generated for a subscription. Which feature should be configured?

A. Regulatory compliance dashboard
B. Secure score recommendation exemption
C. Workflow automation
D. Continuous export
Answer: C

Correct for the stated requirement.

Why this answer

Workflow automation in Defender for Cloud allows you to trigger a Logic App automatically in response to specific security alerts, such as high-severity alerts. This feature uses Azure Event Grid to listen for alert creation events and invoke the Logic App via an HTTP trigger, enabling automated remediation or notification workflows without manual intervention.

Exam trap

The trap here is that candidates often confuse Continuous export with workflow automation, thinking that exporting alerts to a Log Analytics workspace can directly trigger a Logic App, but Continuous export only sends data to a destination and requires a separate Azure Monitor alert rule or Logic App connector to process the exported data.

How to eliminate wrong answers

Option A is wrong because the Regulatory compliance dashboard is a reporting tool that shows compliance posture against standards like ISO 27001 or SOC 2, not a mechanism to trigger automated actions on alerts. Option B is wrong because Secure score recommendation exemption is used to exclude specific recommendations from affecting your secure score, not to automate responses to alerts. Option D is wrong because Continuous export streams security data (e.g., alerts, recommendations) to Log Analytics or Event Hubs for external analysis, but it does not directly invoke a Logic App or any automated action upon alert generation.

136
MCQ · easy

A company uses Azure AD Privileged Identity Management (PIM) for the 'Security Administrator' role. They want to ensure that when a user activates the role, they must provide a justification, and the activation requires approval from a designated security group. Which PIM role settings should they configure?

A. Require justification on activation (Yes), Require approval (Yes), Select approver(s) (the security group).
B. Require justification on activation (No), Require approval (Yes), Select approver(s) (the security group).
C. Expiration > Maximum activation duration (4 hours).
D. On activation, require Azure MFA registration.
Answer: A

This satisfies both conditions: justification and approval.

Why this answer

Option A is correct because PIM role settings allow administrators to enforce both justification and approval workflows for role activation. Setting 'Require justification on activation' to 'Yes' ensures the user provides a reason, and setting 'Require approval' to 'Yes' with the designated security group as the approver enforces the approval requirement. This combination directly meets the company's stated requirements.

Exam trap

The trap here is that candidates may confuse activation duration settings (Option C) or MFA registration (Option D) with the justification and approval workflow, but only the combination of justification and approval settings directly addresses the stated requirements.

How to eliminate wrong answers

Option B is wrong because setting 'Require justification on activation' to 'No' would bypass the justification requirement, which the company explicitly needs. Option C is wrong because configuring 'Maximum activation duration' controls how long the role remains active, not the activation workflow of justification or approval. Option D is wrong because requiring Azure MFA registration is a separate security control for authentication, not a mechanism for justification or approval during activation.

137
MCQ · medium

A security team wants to visualize MITRE ATT&CK coverage for Microsoft Sentinel analytics rules. Which Sentinel experience should they use?

A. Hunting bookmarks
B. Watchlists
C. MITRE ATT&CK coverage in analytics/content hub views
D. Data collection endpoints
Answer: C

Correct for the stated requirement.

Why this answer

The MITRE ATT&CK coverage view in the Microsoft Sentinel analytics/content hub provides a direct mapping between configured analytics rules and specific MITRE ATT&CK techniques. This allows security teams to visually identify gaps in detection coverage by seeing which techniques are covered by active rules and which are not, enabling targeted rule deployment.

Exam trap

The trap here is that candidates confuse the MITRE ATT&CK coverage view with other Sentinel features like Hunting or Watchlists, which are unrelated to analytics rule mapping, leading them to select a plausible-sounding but incorrect option.

How to eliminate wrong answers

Option A is wrong because Hunting bookmarks are used to save and annotate specific query results for later investigation, not to visualize MITRE ATT&CK coverage of analytics rules. Option B is wrong because Watchlists are collections of data (e.g., IP addresses, hostnames) used for correlation and enrichment in queries, not for mapping analytics rules to MITRE ATT&CK techniques. Option D is wrong because Data collection endpoints are configuration objects for ingesting data from sources like Azure Monitor Agent, unrelated to analytics rule coverage mapping.

138
Multi-Select · medium

A company manages Azure AD roles with Privileged Identity Management (PIM). They want to enforce that when a user activates the Global Administrator role, they must provide a justification and also use Multi-Factor Authentication. Which PIM settings should they configure? (Choose two.)

Select 2 answers
A. Require approval on activation.
B. Require Multi-Factor Authentication on activation.
C. Require justification on activation.
D. Extend activation duration.
Answers: B, C

This setting enforces MFA when a user activates the role, meeting the security requirement.

Why this answer

Option B is correct because PIM allows you to enforce Multi-Factor Authentication (MFA) as a mandatory step during role activation, ensuring the user's identity is verified beyond just a password. Option C is correct because PIM's 'Require justification on activation' setting forces the user to provide a business reason for activating the Global Administrator role, which is a common compliance requirement. Together, these two settings satisfy the requirement for both MFA and justification during activation.

Exam trap

The trap here is that candidates often confuse 'Require approval on activation' with 'Require justification on activation'—approval involves a separate approver, while justification is simply a text input from the user, and the question specifically asks for justification, not approval.

139
MCQ · easy

A company has a subscription with Azure Active Directory (Azure AD). They want to enable a conditional access policy that requires all users to use multi-factor authentication (MFA) when accessing the Azure portal. The policy should only apply to users who are members of a group called 'AllUsers'. Which assignment should they configure in the policy?

A. Assign the 'AllUsers' group to the 'Cloud apps' section and select 'Azure portal' as the application
B. Assign the 'AllUsers' group to the 'Users' section and select 'Azure portal' as the cloud app
C. Add a condition for 'Client apps' specifying 'Browser' only
D. Create two policies: one for users and one for the Azure portal
Answer: B

Correct. The policy targets users in the group and applies when accessing the Azure portal cloud app.

Why this answer

Option B is correct because in an Azure AD Conditional Access policy, the 'Users' section is where you specify which users or groups the policy applies to, and the 'Cloud apps' section is where you select the target application (Azure portal). By assigning the 'AllUsers' group to 'Users' and selecting 'Azure portal' as the cloud app, the policy enforces MFA for all members of that group when they access the Azure portal.

Exam trap

The trap here is that candidates confuse the 'Users' assignment with the 'Cloud apps' assignment, mistakenly thinking that groups are assigned to applications rather than to the user scope of the policy.

How to eliminate wrong answers

Option A is wrong because the 'AllUsers' group should be assigned to the 'Users' section, not the 'Cloud apps' section; the 'Cloud apps' section is for selecting the target application (e.g., Azure portal), not for user assignment. Option C is wrong because restricting to 'Browser' client apps would only enforce MFA for browser-based access, but the requirement is to enforce MFA for all access to the Azure portal, including PowerShell, CLI, or mobile apps; this condition would be too narrow. Option D is wrong because a single Conditional Access policy can include both user assignment and cloud app selection; creating two separate policies is unnecessary and could lead to conflicting or overlapping rules.

140
MCQ · medium

A company uses Microsoft Defender for Cloud to manage security posture. The security team wants to receive alerts when a virtual machine has a vulnerability rated as 'Critical' by the integrated vulnerability assessment solution. Which Defender for Cloud plan must be enabled for the subscription to receive these alerts?

A. Defender for Servers Plan 1
B. Defender for Servers Plan 2
C. Defender for Storage
D. Defender for Databases
Answer: B

Plan 2 includes all capabilities of Plan 1 plus integrated vulnerability assessment, allow listing, and just-in-time (JIT) VM access. This plan generates alerts for critical vulnerabilities.

Why this answer

Defender for Servers Plan 2 is required because it includes the integrated Qualys-based vulnerability assessment solution that automatically scans VMs and generates security alerts for critical vulnerabilities. Plan 1 only provides basic threat detection and does not include the vulnerability assessment engine or the corresponding alerting capability.

Exam trap

The trap here is that candidates often assume Defender for Servers Plan 1 is sufficient because it provides basic threat alerts, but they overlook that the integrated vulnerability assessment (Qualys) and its critical vulnerability alerts are exclusive to Plan 2.

How to eliminate wrong answers

Option A is wrong because Defender for Servers Plan 1 only offers basic threat detection and does not include the integrated vulnerability assessment solution (Qualys) that generates alerts for critical vulnerabilities. Option C is wrong because Defender for Storage is designed to protect Azure Storage accounts from threats like malware and data exfiltration, not to assess VM vulnerabilities. Option D is wrong because Defender for Databases focuses on database services (e.g., Azure SQL, Azure Database for PostgreSQL) and does not provide vulnerability scanning for virtual machines.

141
MCQ · medium

A security team uses Microsoft Defender for Cloud. They want to receive a weekly email summary of the Secure Score, top recommendations, and new alerts for their subscription. Which feature should they configure?

A. Enable the 'Weekly email summary' option in the Defender for Cloud email notifications settings.
B. Configure continuous export to export all security data to a Log Analytics workspace and use a workbook to create a summary.
C. Create a workflow automation that triggers on a schedule and uses a Logic App to send an email summary.
D. Enable the 'Security Policy' default initiative to automatically send reports.
Answer: A

Defender for Cloud can email a summary report on a weekly or daily basis with Secure Score, recommendations, and alerts.

Why this answer

Option A is correct because Defender for Cloud includes a built-in 'Email notifications' settings page where you can enable a weekly email summary that automatically delivers the Secure Score, top recommendations, and new alerts. This feature is designed specifically for periodic, high-level security posture summaries without requiring custom infrastructure.

Exam trap

The trap here is that candidates confuse the built-in 'Weekly email summary' with custom automation solutions (Logic Apps, continuous export) or policy-based reporting, assuming a scheduled email requires external orchestration when Defender for Cloud already provides a native, one-click configuration.

How to eliminate wrong answers

Option B is wrong because continuous export to a Log Analytics workspace is used for real-time streaming of security data for custom analytics or retention, not for generating a pre-built weekly email summary; it requires additional manual setup (e.g., workbooks, scheduled queries) to produce an email. Option C is wrong because workflow automation in Defender for Cloud triggers on specific events (e.g., alert generation, recommendation state change), not on a schedule; using a Logic App on a schedule would be a custom workaround, not the native feature designed for this purpose. Option D is wrong because the 'Security Policy' default initiative (e.g., Azure Security Benchmark) defines compliance controls and remediation logic, but it does not include any capability to automatically send reports or email summaries.

142
MCQ · easy

A security analyst uses Microsoft Defender for Cloud to monitor the security posture of their Azure subscription. They want to receive an email notification whenever a high-severity security alert is generated for any of their Azure resources. What should they configure in Defender for Cloud?

A. Create an alert rule in Azure Monitor that triggers an email when a security alert is raised.
B. Configure email notifications in the Defender for Cloud settings under 'Notifications'.
C. Use a Logic Apps playbook to send an email when a new alert is generated.
D. Set up a workflow automation rule in Microsoft Sentinel to forward alerts to email.
Answer: B

Defender for Cloud's email notification feature is specifically designed to send alerts to designated email addresses. You can set the severity level and recipients directly in the portal.

Why this answer

Option B is correct because Microsoft Defender for Cloud has a built-in 'Email notifications' setting under its environment settings that allows you to configure email recipients for high-severity alerts directly, without needing external services. This feature sends real-time email notifications for security alerts based on severity levels you define, making it the simplest and most direct method for this requirement.

Exam trap

The trap here is that candidates often confuse Defender for Cloud's native email notification settings with Azure Monitor alert rules or Logic Apps playbooks, assuming that security alerts must be routed through external services to trigger email, when in fact Defender for Cloud provides a direct configuration option for this purpose.

How to eliminate wrong answers

Option A is wrong because Azure Monitor alert rules can trigger on metrics or logs, but they cannot directly consume Defender for Cloud security alerts as a signal source; security alerts are managed within Defender for Cloud's own alert pipeline, not Azure Monitor metric/log alerts. Option C is wrong because Logic Apps playbooks are typically used for automated response actions (e.g., remediation) triggered by Defender for Cloud alerts, but they require additional configuration and are not the native email notification mechanism for alert generation. Option D is wrong because Microsoft Sentinel workflow automation rules are designed for incident creation and orchestration within Sentinel, not for forwarding Defender for Cloud alerts to email; Sentinel can ingest Defender for Cloud alerts, but email notification for those alerts is not a direct feature of Sentinel's automation rules.

143
MCQ · medium

A security team uses Microsoft Sentinel. They want to automatically assign a severity level and an owner to every incident that is created from a specific analytics rule. The owner should be a specific security operations group. Which Microsoft Sentinel feature should they configure to achieve this automation?

A. Modify the analytics rule to include a custom script that runs upon alert generation.
B. Create an automation rule that triggers when an incident is created and sets the severity and owner fields.
C. Use a Logic Apps playbook connected to the analytics rule's alert generation trigger.
D. Configure a workbook to filter and manually assign incidents.
Answer: B

Automation rules are designed to perform actions (such as changing severity, assigning owner, or running playbooks) automatically when specific conditions are met (e.g., incident creation from a specific analytics rule).

Why this answer

Automation rules in Microsoft Sentinel allow you to centrally manage incident handling by triggering actions when incidents are created or updated. By configuring an automation rule that triggers on incident creation from the specific analytics rule, you can automatically set the severity and assign the incident to a security operations group (via an Azure AD group or user) without custom scripting or manual intervention.

Exam trap

The trap here is that candidates often confuse automation rules with playbooks, assuming that any automation requires a Logic Apps playbook, but automation rules are the correct, lightweight feature for simple field assignments like severity and owner.

How to eliminate wrong answers

Option A is wrong because analytics rules do not support embedding custom scripts directly; they generate alerts or incidents, and automation is handled separately via automation rules or playbooks. Option C is wrong because while a Logic Apps playbook can be triggered by an analytics rule, it is typically used for complex, multi-step orchestration (e.g., enrichment or response actions), not for simply setting severity and owner fields, which is more efficiently done with an automation rule. Option D is wrong because workbooks are visualization and reporting tools, not automation mechanisms; they cannot assign severity or ownership to incidents.

144
Multi-Select · hard

A security team is reviewing risky OAuth applications in Microsoft Entra ID. Which two actions reduce future consent risk?

Select 2 answers
A. Restrict user consent to verified publishers and low-risk permissions
B. Grant tenant-wide admin consent to all existing apps
C. Delete all enterprise applications including Microsoft first-party apps
D. Use admin consent workflow for permissions requiring review
Answers: A, D

Correct for the stated requirement.

Why this answer

Option A is correct because restricting user consent to verified publishers and low-risk permissions reduces the likelihood of users approving malicious or overly permissive OAuth apps. This policy, configured in Microsoft Entra ID (Azure AD), ensures that only apps from verified publishers requesting low-risk permissions can be consented to by users, thereby mitigating consent-based attacks like OAuth consent phishing.

Exam trap

The trap here is that candidates may think admin consent to all apps (Option B) is a security measure, but it actually bypasses user consent controls and increases exposure to risky apps.

145
MCQ · hard

A SOC wants a Sentinel rule to include account, host, and IP entities so analysts can pivot during investigation. What should be configured in the analytics rule?

A. Custom details only
B. Entity mapping
C. Suppression rules
D. Workbook parameters
Answer: B

Correct for the stated requirement.

Why this answer

Entity mapping is the correct configuration because it explicitly links the analytics rule's results to known entity types (account, host, IP) in Microsoft Sentinel. This enables analysts to pivot directly from an alert to related entities in the investigation graph, enriching context without manual cross-referencing. Without entity mapping, the rule would generate alerts but lack the structured entity data needed for seamless pivot actions.

Exam trap

The trap here is that candidates confuse 'custom details' with 'entity mapping' because both involve extracting data from query results, but custom details only add flat key-value pairs to the alert, whereas entity mapping creates structured, pivotable objects that the investigation graph can traverse.

How to eliminate wrong answers

Option A is wrong because custom details only allow you to extract and display specific fields from the query results in the alert, but they do not create structured entity objects (account, host, IP) that Sentinel's investigation graph can use for pivoting. Option C is wrong because suppression rules are used to temporarily stop generating alerts for a rule after a certain number of occurrences, which is unrelated to entity enrichment or pivot capabilities. Option D is wrong because workbook parameters are used to customize visualizations in Azure Workbooks, not to define entities within an analytics rule for investigation pivoting.

146
MCQ · medium

A security team uses Microsoft Defender for Cloud. They want to ensure that all Azure virtual machines have the guest configuration extension installed to apply a security baseline automatically. They need to remediate non-compliant VMs without manual intervention. Which Defender for Cloud feature should be configured?

A. Assign a security policy (built-in initiative) that includes a policy with DeployIfNotExists effect
B. Enable automatic provisioning of the Log Analytics agent
C. Create an Automation rule that triggers a runbook when a recommendation appears
D. Configure a workflow automation scheduled task
Answer: A

Such policies automatically deploy the required extension (like Guest Configuration) to VMs that are missing it, without manual intervention.

Why this answer

Option A is correct because the guest configuration extension is deployed automatically via a DeployIfNotExists policy effect within a built-in initiative (such as the Azure Security Benchmark). This effect evaluates VMs for the extension and, if missing, deploys it without manual intervention, ensuring the security baseline is applied. Defender for Cloud uses this policy-driven approach to remediate non-compliant resources at scale.

Exam trap

The trap here is that candidates confuse automatic provisioning of the Log Analytics agent (which collects logs) with the guest configuration extension (which applies baselines), or they assume that Automation rules or scheduled tasks can proactively deploy extensions, when only a DeployIfNotExists policy can enforce deployment without manual steps or external triggers.

How to eliminate wrong answers

Option B is wrong because automatic provisioning of the Log Analytics agent collects security data but does not install the guest configuration extension or apply a security baseline. Option C is wrong because an Automation rule triggers a runbook only after a recommendation appears, requiring the recommendation to exist first and introducing latency; it is not a proactive, policy-driven deployment. Option D is wrong because a workflow automation scheduled task runs on a timer, not in response to compliance state, and cannot deploy extensions dynamically based on policy evaluation.

147
MCQ · hard

A team wants Sentinel to ingest firewall logs from an appliance that emits Common Event Format over Syslog. Which connector pattern is most appropriate?

A. CEF connector using a Linux log forwarder or AMA-supported collection path
B. Azure Activity connector
C. Microsoft Entra ID Protection connector
D. Office 365 connector
Answer: A

Correct for the stated requirement.

Why this answer

The Common Event Format (CEF) over Syslog is a standard logging format used by many security appliances. Sentinel's CEF connector is specifically designed to ingest these logs, typically using a Linux log forwarder (rsyslog or syslog-ng) or the Azure Monitor Agent (AMA) with a Data Collection Rule to parse and forward the CEF messages to the Log Analytics workspace.

Exam trap

The trap here is that candidates confuse CEF with other log formats (e.g., Windows Event Log or JSON) and select a connector that ingests cloud-native logs instead of recognizing that CEF over Syslog requires a dedicated forwarder or AMA-based collection path.

How to eliminate wrong answers

Option B is wrong because the Azure Activity connector ingests Azure subscription-level operational logs (e.g., resource creation, policy changes), not third-party firewall syslog data. Option C is wrong because the Microsoft Entra ID Protection connector ingests risk detection and user risk events from Entra ID, not firewall logs. Option D is wrong because the Office 365 connector ingests audit and activity logs from Exchange, SharePoint, and Teams, not syslog-based firewall events.

148
MCQ · medium

A company uses Azure AD. They want to ensure that all users enroll in Azure Multi-Factor Authentication (MFA) within 14 days of their first sign-in. After 14 days, any user who has not enrolled must be blocked from accessing applications. Which configuration should they implement?

A. Use Azure AD Identity Protection to create a sign-in risk policy that requires MFA registration for medium and above risks.
B. Create a Conditional Access policy targeting all users and all cloud apps, with the grant control 'Require multi-factor authentication registration' and configure the grace period in the MFA registration settings.
C. Enable security defaults for the directory.
D. Configure the Azure AD audit logs to send an alert when a user has not registered for MFA after 14 days, then manually block them.
Answer: B

Correct. This policy forces users to register for MFA when they sign in. The grace period (time before blocking) is configured in the Azure AD MFA registration settings, allowing 14 days.

Why this answer

Option B is correct because it combines a Conditional Access policy requiring MFA registration with a configured grace period in the MFA registration settings. The 'Require multi-factor authentication registration' grant control forces users to register during sign-in, and the grace period (set in the MFA service settings) allows up to 14 days before blocking access. This meets the requirement to block unregistered users after 14 days.

Exam trap

The trap here is that candidates confuse the MFA registration grace period (set in MFA settings) with the Conditional Access grant control, thinking they are separate features, when in fact they work together to enforce the deadline.

How to eliminate wrong answers

Option A is wrong because Azure AD Identity Protection sign-in risk policies evaluate risk levels (e.g., medium and above) to trigger MFA, but they do not enforce a registration deadline or block users who haven't registered within a specific timeframe. Option C is wrong because security defaults enforce MFA registration for all users within 14 days, but they do not allow customization of the grace period or granular control over blocking behavior; they apply a fixed 14-day grace period and cannot be tailored to block after exactly 14 days. Option D is wrong because relying on audit logs and manual blocking is not automated, does not enforce the 14-day deadline, and contradicts the requirement for an automated configuration.

149
MCQ · hard

A security team uses Microsoft Sentinel. They create a scheduled analytics rule that queries Azure Activity Logs to detect virtual machines deployed in non-approved regions. The rule generates an incident. The team wants the incident to be automatically assigned to the 'Infrastructure' team and its severity set to 'High' when it is created. Which automation feature should they use?

A. Create an automation rule with trigger 'When incident is created' and actions to assign the incident to an owner and set severity
B. Create a playbook triggered by alert creation that performs the assignment and severity change
C. Use an automation rule with trigger 'When incident is updated' and condition on alert type
D. Configure the analytics rule directly to set severity and owner
Answer: A

Automation rules are designed for these simple incident management actions. They run immediately upon incident creation without needing a playbook.

Why this answer

Option A is correct because automation rules in Microsoft Sentinel allow you to define triggers such as 'When incident is created' and then perform actions like assigning the incident to an owner and setting its severity. This is the native, no-code way to automate incident management without requiring a playbook or modifying the analytics rule itself.

Exam trap

The trap here is that candidates often confuse playbooks (which are triggered by alerts and require Logic Apps) with automation rules (which are triggered by incident lifecycle events and are simpler to configure), leading them to select Option B instead of the correct automation rule approach.

How to eliminate wrong answers

Option B is wrong because playbooks are triggered by alerts, not by incident creation, and they require additional configuration and Logic Apps, making them more complex than necessary for simple assignment and severity changes. Option C is wrong because the trigger 'When incident is updated' would not fire at incident creation time, so the assignment and severity would not be applied automatically when the incident is first generated. Option D is wrong because analytics rules do not have native settings to directly assign an owner or set severity; those properties are managed at the incident level, not within the rule definition.

150
MCQ · medium

A security team uses Microsoft Sentinel. They have created a playbook that isolates a virtual machine by modifying a network security group rule. They want this playbook to execute automatically whenever a new incident of type 'Suspicious VM activity' is created. Which Microsoft Sentinel feature should they use to trigger the playbook?

A. Analytics rule
B. Automation rule
C. Playbook
D. Hunt
Answer: B

Automation rules can be configured to trigger on incident creation and run a specified playbook as an action.

Why this answer

Automation rules in Microsoft Sentinel allow you to define triggers that automatically run playbooks when incidents are created or updated. In this scenario, the automation rule can be configured to trigger on incident creation with the condition 'Suspicious VM activity' and then execute the playbook that modifies the NSG rule to isolate the VM. This is the correct mechanism because automation rules are designed specifically for incident-based triggers, unlike analytics rules which generate alerts or incidents.

Exam trap

The trap here is confusing the playbook (the action) with the trigger (automation rule), leading candidates to select 'Playbook' as the trigger instead of recognizing that automation rules are the mechanism to invoke playbooks automatically on incident creation.

How to eliminate wrong answers

Option A is wrong because analytics rules are used to generate alerts or incidents from data sources, not to trigger playbooks in response to existing incidents. Option C is wrong because a playbook is the set of actions (like modifying an NSG rule) that runs, not the trigger mechanism itself; playbooks must be invoked by an automation rule or manually. Option D is wrong because Hunts are manual, ad-hoc investigations to find threats, not automated triggers for incident response.
