Sample questions
Microsoft Cybersecurity Architect practice questions
Refer to the exhibit. You are reviewing a Conditional Access policy in Azure AD. The policy requires MFA and a compliant device for all users and all cloud apps. Some users report that they are able to access apps without being prompted for MFA even though their devices are compliant. What is the most likely reason?
Exhibit
{
  "policy": {
    "tenantId": "contoso.onmicrosoft.com",
    "displayName": "Require MFA for all users",
    "state": "enabled",
    "conditions": {
      "applications": {
        "includeApplications": ["All"]
      },
      "users": {
        "includeUsers": ["All"]
      }
    },
    "grantControls": {
      "builtInControls": ["mfa", "compliantDevice"]
    }
  }
}
Trap 1: The policy does not include all cloud apps
The policy includes 'All' applications.
Trap 2: The policy excludes specific locations
No location exclusion is shown in the policy.
Trap 3: The policy does not include session controls to enforce MFA…
Session controls are not required for MFA; the grant control itself triggers MFA.
- A
The policy does not include all cloud apps
Why wrong: The policy includes 'All' applications.
- B
The policy is set to 'Report-only' mode
In report-only mode, policies are not enforced, so users are not prompted for MFA.
- C
The policy excludes specific locations
Why wrong: No location exclusion is shown in the policy.
- D
The policy does not include session controls to enforce MFA re-prompt
Why wrong: Session controls are not required for MFA; the grant control itself triggers MFA.
A company, Fabrikam, has a hybrid identity environment with on-premises Active Directory synchronized to Azure AD using Azure AD Connect. They have implemented a Zero Trust strategy that includes requiring multi-factor authentication (MFA) for all users accessing cloud applications. They use Conditional Access policies to enforce MFA. Recently, they noticed that users who authenticate from the on-premises network are not being prompted for MFA when accessing cloud apps, even though the Conditional Access policy is configured to require MFA for all users. The network location is not excluded in the policy. The Conditional Access policy is enabled and in 'Enforce' mode. The users' devices are not domain-joined. What is the most likely reason for this behavior?
Trap 1: Azure AD Connect is not configured for Pass-through Authentication
Pass-through Authentication is not required for MFA; password hash sync works and MFA is still enforced.
Trap 2: The Conditional Access policy does not include session controls
Session controls are not required for MFA; grant controls are sufficient.
Trap 3: The Conditional Access policy is not targeting the correct user…
The policy targets all users, so this is not the issue.
- A
Azure AD Connect is not configured for Pass-through Authentication
Why wrong: Pass-through Authentication is not required for MFA; password hash sync works and MFA is still enforced.
- B
The Conditional Access policy does not include session controls
Why wrong: Session controls are not required for MFA; grant controls are sufficient.
- C
The Conditional Access policy is not targeting the correct user group
Why wrong: The policy targets all users, so this is not the issue.
- D
Users are using legacy authentication protocols that do not support MFA
Legacy authentication protocols like POP, IMAP, SMTP do not support MFA and can bypass Conditional Access policies if not blocked.
A company is deploying Microsoft Defender for Cloud to secure their hybrid cloud environment. They need to ensure that regulatory compliance with PCI DSS is continuously monitored and reported. Which solution should they use to automatically assess and report compliance posture?
Trap 1: Azure Policy
Azure Policy is used for policy enforcement, not for continuous compliance assessment and reporting.
Trap 2: Microsoft Purview Information Protection
Microsoft Purview Information Protection is for data classification and labeling, not for compliance reporting.
Trap 3: Microsoft Entra ID Governance
Microsoft Entra ID Governance manages identity lifecycle and access reviews, not cloud compliance.
- A
Azure Policy
Why wrong: Azure Policy is used for policy enforcement, not for continuous compliance assessment and reporting.
- B
Microsoft Purview Information Protection
Why wrong: Microsoft Purview Information Protection is for data classification and labeling, not for compliance reporting.
- C
Regulatory compliance dashboard in Microsoft Defender for Cloud
The regulatory compliance dashboard in Defender for Cloud continuously monitors compliance with standards like PCI DSS and generates reports.
- D
Microsoft Entra ID Governance
Why wrong: Microsoft Entra ID Governance manages identity lifecycle and access reviews, not cloud compliance.
A company is planning their Zero Trust data protection strategy. They want to classify and protect sensitive data stored in SharePoint Online. Which Microsoft tool should they use?
Trap 1: Microsoft Intune
Intune manages devices and mobile application management, not data classification.
Trap 2: Microsoft Defender for Cloud Apps
Defender for Cloud Apps provides cloud app security but does not perform data classification.
Trap 3: Azure Policy
Azure Policy enforces compliance rules on Azure resources, not data classification.
- A
Microsoft Intune
Why wrong: Intune manages devices and mobile application management, not data classification.
- B
Microsoft Defender for Cloud Apps
Why wrong: Defender for Cloud Apps provides cloud app security but does not perform data classification.
- C
Microsoft Purview Information Protection
Purview Information Protection provides data classification and labeling.
- D
Azure Policy
Why wrong: Azure Policy enforces compliance rules on Azure resources, not data classification.
An organization is implementing a Zero Trust identity strategy. They have a mix of on-premises Active Directory and Azure AD. They want to enforce conditional access policies that require device compliance for accessing sensitive apps. However, some users report that their devices are not being evaluated for compliance even though they are enrolled in Microsoft Intune. What should the organization check first?
Trap 1: Ensure Intune compliance policies are assigned to the correct user…
Compliance policies are needed but the device must be registered first.
Trap 2: Confirm that devices are Azure AD Joined
Azure AD Registered devices can also be evaluated for compliance; Azure AD Join is not mandatory.
Trap 3: Check if users have enabled multi-factor authentication
MFA is a separate control and does not affect device compliance evaluation.
- A
Ensure Intune compliance policies are assigned to the correct user groups
Why wrong: Compliance policies are needed but the device must be registered first.
- B
Confirm that devices are Azure AD Joined
Why wrong: Azure AD Registered devices can also be evaluated for compliance; Azure AD Join is not mandatory.
- C
Check if users have enabled multi-factor authentication
Why wrong: MFA is a separate control and does not affect device compliance evaluation.
- D
Verify that devices are registered in Azure AD
Device registration in Azure AD is required for conditional access to evaluate device compliance.
A company is implementing a Zero Trust identity strategy. They want to ensure that only compliant and managed devices can access corporate resources. Which THREE components should they include in their solution? (Choose three.)
Trap 1: Azure AD Application Proxy
Application Proxy is for publishing on-premises apps, not device compliance.
Trap 2: Azure AD B2B collaboration
B2B is for external user identities, not device management.
- A
Microsoft Intune for device management and compliance policies
Intune manages device compliance and enforces policies.
- B
Azure AD device registration
Device registration in Azure AD is needed for device identity.
- C
Azure AD Conditional Access policies
Conditional Access can require compliant devices for access.
- D
Azure AD Application Proxy
Why wrong: Application Proxy is for publishing on-premises apps, not device compliance.
- E
Azure AD B2B collaboration
Why wrong: B2B is for external user identities, not device management.
A company is implementing a Zero Trust network strategy using Azure Virtual Network Manager (AVNM). They need to ensure that all traffic between virtual networks is encrypted and inspected by a firewall. Which configuration should they use?
Trap 1: Enable VNet peering between all VNets and use network security…
VNet peering does not encrypt traffic and NSGs do not provide inspection.
Trap 2: Use a mesh topology with direct connectivity between VNets
Mesh topology does not force traffic through a firewall.
Trap 3: Configure service endpoints for each VNet
Service endpoints are for accessing Azure PaaS services, not for inter-VNet traffic inspection.
- A
Enable VNet peering between all VNets and use network security groups
Why wrong: VNet peering does not encrypt traffic and NSGs do not provide inspection.
- B
Use a mesh topology with direct connectivity between VNets
Why wrong: Mesh topology does not force traffic through a firewall.
- C
Use a hub-and-spoke topology with a firewall appliance in the hub
Hub-and-spoke with firewall ensures traffic is routed through the firewall for inspection.
- D
Configure service endpoints for each VNet
Why wrong: Service endpoints are for accessing Azure PaaS services, not for inter-VNet traffic inspection.
A company is designing a Zero Trust security posture for their Azure environment. They need to assess and improve their security posture. Which TWO actions should they take? (Choose two.)
Trap 1: Enable Azure Update Management for all VMs
Update Management is for patching, not a comprehensive posture assessment.
Trap 2: Deploy Microsoft Entra Permissions Management
Permissions Management focuses on identity permissions, not overall security posture.
Trap 3: Use Microsoft Security Copilot to generate security policies
Security Copilot assists with investigations, not posture assessment.
- A
Enable Azure Update Management for all VMs
Why wrong: Update Management is for patching, not a comprehensive posture assessment.
- B
Use Azure Policy to enforce security configurations
Azure Policy can enforce compliance and security baselines.
- C
Deploy Microsoft Entra Permissions Management
Why wrong: Permissions Management focuses on identity permissions, not overall security posture.
- D
Review and implement recommendations from Microsoft Defender for Cloud Secure Score
Secure Score provides recommendations to improve security posture.
- E
Use Microsoft Security Copilot to generate security policies
Why wrong: Security Copilot assists with investigations, not posture assessment.
A large enterprise is implementing Microsoft Defender for Cloud to improve their security posture. Which TWO actions should they take to prioritize and remediate security recommendations effectively? (Choose two.)
Trap 1: Assign each recommendation to a specific team member manually
Manual assignment is less efficient than automated prioritization.
Trap 2: Ignore recommendations with low severity to save time
Ignoring low severity can lead to risk accumulation.
Trap 3: Disable recommendations that generate security alerts
Disabling recommendations hides potential issues.
- A
Assign each recommendation to a specific team member manually
Why wrong: Manual assignment is less efficient than automated prioritization.
- B
Enable automatic remediation for high-priority recommendations
Automation ensures quick fixes for critical issues.
- C
Review Secure Score and focus on recommendations that improve it most
Secure Score directly reflects risk reduction.
- D
Ignore recommendations with low severity to save time
Why wrong: Ignoring low severity can lead to risk accumulation.
- E
Disable recommendations that generate security alerts
Why wrong: Disabling recommendations hides potential issues.
An organization is planning to use Microsoft Defender for Cloud's regulatory compliance dashboard to track adherence to PCI DSS. The security team wants to ensure that all Azure resources are covered by the compliance assessment. What is the first step?
Trap 1: Configure the compliance dashboard to show PCI DSS controls.
The dashboard can show controls only after resources are assessed.
Trap 2: Create a custom regulatory compliance standard for PCI DSS.
Custom standards are not necessary; the built-in one is available. The first step is onboarding.
Trap 3: Enable the built-in PCI DSS policy initiative in Azure Policy.
The initiative exists, but it will only assess resources that are onboarded to Defender for Cloud.
- A
Enable Microsoft Defender for Cloud on all subscriptions and ensure resources are covered.
Resources must be onboarded to Defender for Cloud to be assessed against the regulatory compliance standard.
- B
Configure the compliance dashboard to show PCI DSS controls.
Why wrong: The dashboard can show controls only after resources are assessed.
- C
Create a custom regulatory compliance standard for PCI DSS.
Why wrong: Custom standards are not necessary; the built-in one is available. The first step is onboarding.
- D
Enable the built-in PCI DSS policy initiative in Azure Policy.
Why wrong: The initiative exists, but it will only assess resources that are onboarded to Defender for Cloud.
A company has a Microsoft Sentinel workspace that ingests data from multiple sources. The SOC team wants to improve the efficiency of investigating incidents by using UEBA capabilities. Which two actions should the team take to enable and configure UEBA in Sentinel?
Trap 1: Install the UEBA data connector from the Sentinel content hub.
There is no UEBA data connector; UEBA is a feature enabled in the workspace settings.
Trap 2: Create an analytics rule that uses the UEBA template.
UEBA is not enabled through an analytics rule; it's a workspace setting.
Trap 3: Define a time range for entity behavior baselines.
Time range is configured in analytics rules, not in UEBA settings.
- A
Install the UEBA data connector from the Sentinel content hub.
Why wrong: There is no UEBA data connector; UEBA is a feature enabled in the workspace settings.
- B
Create an analytics rule that uses the UEBA template.
Why wrong: UEBA is not enabled through an analytics rule; it's a workspace setting.
- C
Define a time range for entity behavior baselines.
Why wrong: Time range is configured in analytics rules, not in UEBA settings.
- D
Set the entity behavior analytics to 'Active' in the Sentinel configuration.
Setting it to 'Active' enables UEBA for the workspace.
- E
Navigate to Sentinel Settings, select Entity behavior analytics, and enable the feature per workspace.
This is the correct procedure to enable UEBA.
A company uses Azure Policy to audit storage accounts for secure transfer (HTTPS) enforcement. The policy is set to 'AuditIfNotExists' but compliance shows 0% non-compliant storage accounts even though some accounts have secure transfer disabled. What is the most likely cause?
Trap 1: The policy is in 'audit' mode and does not evaluate
Audit mode evaluates compliance.
Trap 2: The storage accounts are in a different region
Region does not affect compliance.
Trap 3: The policy assignment scope does not include the non-compliant…
Scope would affect which accounts are evaluated.
- A
The policy is in 'audit' mode and does not evaluate
Why wrong: Audit mode evaluates compliance.
- B
The policy should use 'Audit' or 'Deny' effect instead of 'AuditIfNotExists'
AuditIfNotExists is for existence of a resource, not property.
- C
The storage accounts are in a different region
Why wrong: Region does not affect compliance.
- D
The policy assignment scope does not include the non-compliant accounts
Why wrong: Scope would affect which accounts are evaluated.
A company stores sensitive data in Azure Blob Storage. They want to prevent data exfiltration by blocking public access and restricting network access to only their on-premises data center via VPN. Which two features should they use?
Trap 1: Enable firewall and add on-premises IP range
On-premises traffic appears as VPN public IP, not internal IP range.
Trap 2: Disable public access and use RBAC
RBAC controls identity, not network.
- A
Enable firewall and add on-premises IP range
Why wrong: On-premises traffic appears as VPN public IP, not internal IP range.
- B
Disable public access and use RBAC
Why wrong: RBAC controls identity, not network.
- C
Disable public access and configure a service endpoint with a firewall rule for the VPN subnet
Service endpoint restricts to subnet, firewall blocks other traffic.
- D
Disable public access and configure a private endpoint
Private endpoint uses private IP, but VPN is needed for connectivity.
A company is designing a defense-in-depth strategy for their Azure environment. They want to ensure that if a virtual machine is compromised, the attacker cannot move laterally to other VMs in the same virtual network. Which security control should they prioritize?
Trap 1: Enable Azure DDoS Protection on the virtual network
DDoS protection only mitigates volumetric attacks, not lateral movement.
Trap 2: Enable multi-factor authentication (MFA) for all admin accounts
MFA is important for identity security but does not prevent lateral movement after a VM is compromised.
Trap 3: Deploy Azure Bastion for secure remote access
Azure Bastion secures RDP/SSH access but does not segment network traffic.
- A
Enable Azure DDoS Protection on the virtual network
Why wrong: DDoS protection only mitigates volumetric attacks, not lateral movement.
- B
Implement network segmentation using NSGs and application security groups
Network segmentation restricts east-west traffic, limiting lateral movement.
- C
Enable multi-factor authentication (MFA) for all admin accounts
Why wrong: MFA is important for identity security but does not prevent lateral movement after a VM is compromised.
- D
Deploy Azure Bastion for secure remote access
Why wrong: Azure Bastion secures RDP/SSH access but does not segment network traffic.
You are designing a security strategy for a hybrid identity infrastructure that uses Microsoft Entra ID. The company requires that all administrative access to on-premises servers be secured using least-privilege principles and just-in-time (JIT) access. You plan to implement Microsoft Entra Privileged Identity Management (PIM) for Azure resources, but on-premises servers are not Azure resources. Which solution should you use to provide JIT access to on-premises servers?
Trap 1: Install Azure Arc agents on the on-premises servers and use Azure…
Azure Arc does not natively provide JIT access via PIM.
Trap 2: Deploy Windows Admin Center and integrate with Microsoft Entra ID…
Windows Admin Center does not provide JIT or PIM integration.
Trap 3: Configure Azure Bastion to connect to on-premises servers via a…
Azure Bastion is for Azure VMs, not on-premises servers.
- A
Install Azure Arc agents on the on-premises servers and use Azure Policy to enforce JIT access.
Why wrong: Azure Arc does not natively provide JIT access via PIM.
- B
Deploy Windows Admin Center and integrate with Microsoft Entra ID for authentication.
Why wrong: Windows Admin Center does not provide JIT or PIM integration.
- C
Configure Azure Bastion to connect to on-premises servers via a site-to-site VPN.
Why wrong: Azure Bastion is for Azure VMs, not on-premises servers.
- D
Use Microsoft Entra Privileged Identity Management (PIM) for Groups to manage membership of an on-premises Active Directory group that has administrative privileges on the servers.
PIM for Groups can be used to manage on-premises AD group membership, enabling JIT access to on-premises servers.
A global organization uses Microsoft Sentinel for SIEM and Microsoft Defender for Cloud for cloud security posture management. The security team notices that critical alerts from Azure Active Directory Identity Protection are not triggering automated response playbooks in Sentinel. The team needs to ensure that all high-severity Identity Protection risk detections automatically create incidents in Sentinel and trigger a playbook to block the user. What should the team configure?
Trap 1: Enable the Azure Active Directory Identity Protection data…
Enabling the connector only ingests the alerts; you still need an analytics rule to create incidents.
Trap 2: Configure diagnostic settings on Azure AD to stream logs to…
Diagnostic settings are not needed if the connector is used; also missing the analytics rule step.
Trap 3: Configure the Identity Protection connector with the 'Create…
The 'Create incidents' toggle is not part of the connector; it is part of the analytics rule.
- A
Enable the Identity Protection data connector and create a Microsoft Security incident creation rule for Identity Protection.
This ensures alerts are ingested and incidents are created automatically.
- B
Enable the Azure Active Directory Identity Protection data connector in Sentinel.
Why wrong: Enabling the connector only ingests the alerts; you still need an analytics rule to create incidents.
- C
Configure diagnostic settings on Azure AD to stream logs to Sentinel and create a playbook automation rule.
Why wrong: Diagnostic settings are not needed if the connector is used; also missing the analytics rule step.
- D
Configure the Identity Protection connector with the 'Create incidents' toggle enabled.
Why wrong: The 'Create incidents' toggle is not part of the connector; it is part of the analytics rule.
A company is designing a security operations strategy using Microsoft Sentinel. They want to prioritize triage of incidents that involve critical assets. The SOC manager suggests using the entity behavior analytics feature. Which capability of entity behavior analytics helps achieve this goal?
Trap 1: It combines multiple alerts into a single incident using Fusion.
Fusion is a correlation engine that reduces alert fatigue, not UEBA.
Trap 2: It uses threat intelligence to correlate with known bad actors.
Threat intelligence correlation is separate; UEBA focuses on behavioral baselines.
Trap 3: It automatically groups incidents by severity and asset criticality.
This is a basic feature of incident management, not UEBA.
- A
It combines multiple alerts into a single incident using Fusion.
Why wrong: Fusion is a correlation engine that reduces alert fatigue, not UEBA.
- B
It uses threat intelligence to correlate with known bad actors.
Why wrong: Threat intelligence correlation is separate; UEBA focuses on behavioral baselines.
- C
It profiles entities and assigns an anomaly score based on deviations from baseline behaviors.
This is the core of UEBA: creating baselines and scoring anomalies to identify risky entities.
- D
It automatically groups incidents by severity and asset criticality.
Why wrong: This is a basic feature of incident management, not UEBA.
A SOC team uses Microsoft Sentinel for incident management. They need to ensure that when a high-severity incident is created, a Teams message is sent to the security team and an email is sent to the IT manager. What is the most efficient way to achieve this?
Trap 1: Configure the analytics rule to send notifications when an incident…
Analytics rules do not have direct notification capabilities.
Trap 2: Use a workbook to display incidents and have a manual process to…
Workbooks are for reporting, not automation.
Trap 3: Enable incident creation in the data connector settings.
Data connectors only ingest data; they don't trigger notifications.
- A
Configure the analytics rule to send notifications when an incident is created.
Why wrong: Analytics rules do not have direct notification capabilities.
- B
Create an automation rule in Sentinel that triggers a playbook to send the notifications.
Automation rules are designed to respond to incidents with playbooks.
- C
Use a workbook to display incidents and have a manual process to send notifications.
Why wrong: Workbooks are for reporting, not automation.
- D
Enable incident creation in the data connector settings.
Why wrong: Data connectors only ingest data; they don't trigger notifications.
A company has a hybrid identity infrastructure with on-premises Active Directory synchronized to Azure AD using Azure AD Connect. The security team wants to use Microsoft Defender for Identity (MDI) to detect on-premises attacks. They have installed the MDI sensor on all domain controllers. However, they notice that some alerts are missing. What is the most likely cause?
Trap 1: MDI is not integrated with Microsoft Sentinel.
Integration with Sentinel is optional and not required for MDI to generate alerts.
Trap 2: Azure AD Connect is not syncing frequently enough.
Sync frequency does not affect MDI's ability to detect on-premises attacks.
Trap 3: The sensor is not licensed for all detection types.
Licensing determines which features are available, but if the sensor is installed, basic detections should work.
- A
MDI is not integrated with Microsoft Sentinel.
Why wrong: Integration with Sentinel is optional and not required for MDI to generate alerts.
- B
Azure AD Connect is not syncing frequently enough.
Why wrong: Sync frequency does not affect MDI's ability to detect on-premises attacks.
- C
The sensor is not licensed for all detection types.
Why wrong: Licensing determines which features are available, but if the sensor is installed, basic detections should work.
- D
The necessary Windows event logs are not being forwarded to the MDI sensor.
MDI relies on specific event logs; without them, many detections are not possible.
A company uses Azure Front Door to load balance traffic across two origin servers in different Azure regions. They notice that failover is not working when one origin becomes unhealthy. What is the most likely cause?
Trap 1: Both origins are in the same region.
The scenario states they are in different regions, so this is not the issue.
Trap 2: Caching is enabled on the Front Door profile.
Caching affects content delivery, not failover.
Trap 3: Session affinity is enabled.
Session affinity ensures traffic is directed to the same origin; it does not prevent failover.
- A
Both origins are in the same region.
Why wrong: The scenario states they are in different regions, so this is not the issue.
- B
Caching is enabled on the Front Door profile.
Why wrong: Caching affects content delivery, not failover.
- C
Session affinity is enabled.
Why wrong: Session affinity ensures traffic is directed to the same origin; it does not prevent failover.
- D
The health probe path is set to an incorrect endpoint on the origin servers.
An incorrect health probe path can cause Front Door to consider the origin healthy when it is not, or vice versa.
A company uses Microsoft Defender for Cloud to assess compliance with Azure Security Benchmark (ASB). The security team wants to ensure that all recommendations are being followed. Which three actions should the team take to manage and remediate recommendations effectively?
Trap 1: Manually remediate all high-severity recommendations each month.
Manual remediation is not efficient; automatic remediation should be used where possible.
Trap 2: Disable recommendations that are not applicable to the environment.
Disabling recommendations is not recommended; use exemptions instead.
- A
Enable continuous export of compliance data to Log Analytics or Event Hubs.
Continuous export allows for long-term retention and analysis of compliance data.
- B
Manually remediate all high-severity recommendations each month.
Why wrong: Manual remediation is not efficient; automatic remediation should be used where possible.
- C
Create exemption rules for resources that are compliant by other means.
Exemptions help avoid false positives for resources that meet the intent of the recommendation.
- D
Enable automatic provisioning of the Log Analytics agent for all supported VMs.
This ensures that the necessary data is collected for ASB recommendations.
- E
Disable recommendations that are not applicable to the environment.
Why wrong: Disabling recommendations is not recommended; use exemptions instead.
Order the steps to configure Azure Policy to enforce tagging on resources.
A company uses Azure Firewall to inspect outbound traffic from a hub virtual network. They need to ensure that traffic from a spoke virtual network to a specific SaaS application (api.contoso.com) bypasses the firewall for performance reasons. What is the most efficient way to achieve this?
Trap 1: Configure an application rule in Azure Firewall with a 'Bypass'…
Azure Firewall does not have a bypass action; rules are either allow or deny.
Trap 2: Enable service endpoints for Microsoft.Storage in the spoke subnet.
Service endpoints are for Azure PaaS services, not for SaaS applications like api.contoso.com.
Trap 3: Create a network rule in Azure Firewall to allow traffic to…
This would still route traffic through the firewall, not bypass it.
- A
Configure an application rule in Azure Firewall with a 'Bypass' action for api.contoso.com.
Why wrong: Azure Firewall does not have a bypass action; rules are either allow or deny.
- B
Add a user-defined route (UDR) in the spoke virtual network's route table with destination api.contoso.com and next hop type 'Internet'.
This bypasses the firewall by routing traffic directly to the internet.
- C
Enable service endpoints for Microsoft.Storage in the spoke subnet.
Why wrong: Service endpoints are for Azure PaaS services, not for SaaS applications like api.contoso.com.
- D
Create a network rule in Azure Firewall to allow traffic to api.contoso.com and deny all other traffic.
Why wrong: This would still route traffic through the firewall, not bypass it.
A company deploys Azure Bastion in a VNet. They want to allow a security engineer to connect to a Windows VM in a peered VNet using Azure Bastion. The engineer can see the VM in the portal but cannot connect. Which configuration is most likely missing?
Trap 1: The Azure Bastion subnet size is /28.
The required size is /26 or larger; a /28 would prevent deployment, not connectivity.
Trap 2: The VM's subnet does not have an inbound NSG rule allowing RDP…
Azure Bastion does not require inbound RDP rules on the VM subnet; it connects via private IP using the Bastion service.
Trap 3: The VM does not have Azure AD authentication enabled.
Azure Bastion supports local username/password or SSH keys; Azure AD authentication is optional.
- A
The Azure Bastion subnet size is /28.
Why wrong: The required size is /26 or larger; a /28 would prevent deployment, not connectivity.
- B
The peered VNet does not have 'Allow Azure Bastion Communication' enabled on the peering connection.
This setting must be enabled on both sides of the peering for Bastion to connect to VMs in the peered VNet.
- C
The VM's subnet does not have an inbound NSG rule allowing RDP (3389) from the Azure Bastion subnet.
Why wrong: Azure Bastion does not require inbound RDP rules on the VM subnet; it connects via private IP using the Bastion service.
- D
The VM does not have Azure AD authentication enabled.
Why wrong: Azure Bastion supports local username/password or SSH keys; Azure AD authentication is optional.