Microsoft Cybersecurity Architect (SC-100) — Questions 175

969 questions total · 13 pages · All types, answers revealed

Page 1 of 13

1
MCQ · easy

You are a security architect for a retail company that uses Microsoft 365 and Azure. The company has a large number of remote employees who use both company-managed and personal devices. You need to design a solution to ensure that only compliant devices can access corporate email (Exchange Online) and files (SharePoint Online). The company has Microsoft Intune and Microsoft Entra ID P1 licenses. You need to implement device-based conditional access. What should you do?

A. Deploy app protection policies (MAM) in Intune to protect data in Exchange Online and SharePoint Online.
B. Enroll devices in Intune, create compliance policies, and configure Conditional Access policies in Entra ID to require compliant devices.
C. Require all devices to be enrolled in Intune using automatic enrollment via Group Policy.
D. Use Microsoft Endpoint Configuration Manager to manage device compliance and integrate with Entra ID.
Answer: B

Combines device compliance with conditional access.

Why this answer

Option B is correct because Intune compliance policies define device health requirements, and Conditional Access policies enforce access based on compliance. Option A is wrong because app protection policies are for mobile application management (MAM) without device enrollment, but the requirement is device-based. Option C is wrong because device enrollment itself does not enforce compliance.

Option D is wrong because Configuration Manager is for on-premises management, not cloud devices.

2
MCQ · medium

Refer to the exhibit. A security analyst runs this KQL query in Microsoft Sentinel to find high-risk sign-ins. The query returns no results, but they know there were high-risk sign-ins. What is the most likely reason?

A. The value 'high' should be 'High' (capitalized)
B. The query uses double equals instead of single equals
C. The field name is incorrect; it should be 'RiskLevel'
D. The time range should be 'ago(7d)'
Answer: A

Risk level values are case-sensitive and stored as 'High'.

Why this answer

The query references 'RiskLevelDuringSignIn' and 'RiskLevelAggregated' but filters on 'RiskLevelDuringSignIn', which is the correct field name in the schema. However, it filters with 'where RiskLevelDuringSignIn == "high"', while the field may store the value as 'High' (capitalized).

Option C is correct. Option A is wrong because the field exists. Option B is wrong because the query is valid syntax.

Option D is wrong because the time range is last 1 day.

3
Multi-Select · hard

Which TWO of the following are true about Azure Policy initiatives?

Select 2 answers
A. Initiatives cannot be assigned to a management group
B. Initiatives can be assigned to management groups, subscriptions, or resource groups
C. An initiative can only contain one policy definition
D. Initiatives are predefined and cannot be customized
E. Initiatives help to organize policies by grouping them under a common goal
Answers: B, E

Initiatives have the same assignment scopes as policies.

Why this answer

Azure Policy initiatives (also known as policy sets) are designed to group multiple policy definitions together to achieve a common compliance goal. They can be assigned at the management group, subscription, or resource group scope, which allows for broad or granular enforcement of compliance rules across the Azure hierarchy.

Exam trap

The trap here is that candidates often confuse initiatives with single policy definitions, assuming they cannot be customized or assigned broadly, when in fact initiatives are designed for grouping and flexible assignment across multiple scopes.

4
MCQ · hard

Refer to the exhibit. An administrator is reviewing a just-in-time (JIT) access request in Microsoft Entra Privileged Identity Management (PIM) for Azure resources. The request was approved. What does the roleDefinitionId 'b24988ac-6180-42a0-ab88-20f7382dd24c' correspond to?

A. Storage Blob Data Contributor
B. Storage Account Contributor
C. Contributor
D. Reader
Answer: B

Correct: The GUID matches the built-in Storage Account Contributor role.

Why this answer

The roleDefinitionId 'b24988ac-6180-42a0-ab88-20f7382dd24c' is the GUID for the 'Storage Account Contributor' role in Azure RBAC. This is a built-in role that allows management of storage accounts, including access to storage account keys. The request is for temporary access to a storage account, and the role provides the necessary permissions.

5
MCQ · easy

Refer to the exhibit. You are deploying an ARM template that creates a network security group (NSG) named nsg-backend. What is the effect of this NSG on inbound traffic?

A. Only inbound traffic on port 80 is denied
B. All inbound traffic is allowed because no default deny rule is present
C. Only inbound traffic from 10.0.1.0/24 on port 80 is allowed; all other inbound traffic is denied
D. All inbound traffic is allowed except from 10.0.1.0/24
Answer: C

The allow rule permits specific traffic, and the deny rule blocks everything else.

Why this answer

Option B is correct. The NSG has two rules: AllowHTTPFromFrontend with priority 100 allows TCP 80 from 10.0.1.0/24, and DenyAllInbound with priority 1000 denies all other inbound traffic. Since the allow rule has a higher priority (lower number), traffic from the frontend subnet on port 80 is allowed, and all other inbound traffic is denied.

Option A is wrong because traffic from 10.0.1.0/24 on port 80 is allowed. Option C is wrong because the explicit deny rule exists. Option D is wrong because the deny rule is not the only rule.

6
MCQ · medium

Refer to the exhibit. You run the PowerShell command in Microsoft Entra ID to find compliance roles. You need to assign the Compliance Administrator role to a user. What is the correct parameter to use in the Add-AzureADMSRoleAssignment cmdlet?

A. -ObjectId "173a97e2-97f2-4c7a-8e7c-7e2f1c1e2f1c"
B. -RoleName "Compliance Administrator"
C. -RoleId "173a97e2-97f2-4c7a-8e7c-7e2f1c1e2f1c"
D. -RoleDefinitionId "173a97e2-97f2-4c7a-8e7c-7e2f1c1e2f1c"
Answer: D

The correct parameter to specify the role ID.

Why this answer

The `Add-AzureADMSRoleAssignment` cmdlet requires the `-RoleDefinitionId` parameter to specify the role by its unique identifier (GUID). The exhibit shows that the Compliance Administrator role has the ObjectId `173a97e2-97f2-4c7a-8e7c-7e2f1c1e2f1c`, which is the role's definition ID, not a user or group object ID. Therefore, option D correctly uses `-RoleDefinitionId` with that GUID.

Exam trap

The trap here is that candidates confuse the `-ObjectId` parameter (which identifies the assignee) with the role's identifier, or assume a friendly `-RoleName` parameter exists, when in fact the cmdlet strictly requires the role's GUID via `-RoleDefinitionId`.

How to eliminate wrong answers

Option A is wrong because `-ObjectId` is used to specify the user or group receiving the role assignment, not the role itself. Option B is wrong because `-RoleName` is not a valid parameter for `Add-AzureADMSRoleAssignment`; the cmdlet does not accept a role name string. Option C is wrong because `-RoleId` is not a parameter of `Add-AzureADMSRoleAssignment`; the correct parameter for the role's GUID is `-RoleDefinitionId`.

7
MCQ · medium

Your organization is a large healthcare provider that uses Microsoft 365 and Azure. You need to design a compliance solution that meets HIPAA requirements. The solution must automatically classify and protect electronic protected health information (ePHI) in Exchange Online, SharePoint Online, and OneDrive for Business. It must also provide reports on data access and sharing activities for auditors. The following requirements must be met: (1) Detect ePHI using built-in sensitive info types, (2) Apply encryption automatically to emails containing ePHI, (3) Prevent unauthorized sharing of ePHI in SharePoint, (4) Generate activity reports for auditors, (5) Use machine learning to improve classification accuracy. Which Microsoft Purview capabilities should you use?

A. Information Protection and Insider Risk Management
B. Compliance Manager and eDiscovery
C. eDiscovery and Communication Compliance
D. Data Loss Prevention (DLP) and Audit
Answer: D

DLP detects ePHI, encrypts emails, blocks sharing; Audit provides activity reports.

Why this answer

Option C is correct because Microsoft Purview Data Loss Prevention (DLP) can detect ePHI using HIPAA sensitive info types, automatically encrypt emails, and block unauthorized sharing in SharePoint. Audit logs in Purview provide activity reports. Machine learning in Purview Information Protection improves classification.

Option A is wrong because Compliance Manager is for assessments, not protection. Option B is wrong because Information Protection alone does not prevent sharing. Option D is wrong because eDiscovery is for legal discovery, not real-time protection.

8
Multi-Select · hard

Your company is designing a secure access strategy for a SaaS application that supports SAML 2.0. You need to enforce phishing-resistant authentication. Which THREE of the following methods meet the requirement?

Select 3 answers
A. Microsoft Authenticator push notifications
B. FIDO2 security keys
C. Passkeys (FIDO2) stored on user devices
D. Certificate-based authentication (CBA)
E. SMS one-time passcode (OTP)
Answers: B, C, D

Phishing-resistant hardware-based authentication.

Why this answer

FIDO2 security keys (Option B) are phishing-resistant because they use public-key cryptography and are bound to a specific web origin, preventing credential reuse on fake sites. The WebAuthn protocol ensures the private key never leaves the device, and the hardware key provides strong multi-factor authentication that cannot be intercepted or relayed.

Exam trap

The trap here is that candidates often confuse 'multi-factor' with 'phishing-resistant,' assuming any second factor (like push notifications or SMS) is sufficient, but only FIDO2, passkeys, and certificate-based authentication meet the strict definition of phishing resistance per NIST AAL3.

9
MCQ · hard

You are designing a data security solution for a Microsoft 365 tenant that contains highly confidential files. You need to ensure that these files are encrypted and can only be accessed by authorized users, even if the files are downloaded and stored on a personal device. Which technology should you use?

A. Office 365 Message Encryption
B. Microsoft Purview Information Protection with encryption and usage rights
C. BitLocker Drive Encryption
D. Azure Information Protection
Answer: B

This protects files persistently, even when downloaded.

Why this answer

Option D is correct: Microsoft Purview Information Protection with encryption and usage rights restricts access even after download, because the protection travels with the file. Option A is wrong: BitLocker encrypts the device, not individual files. Option B is wrong: Office 365 Message Encryption is for email, not files.

Option C is wrong: Azure Information Protection (now part of Purview) is the correct technology, but the more specific answer is Purview Information Protection.

10
MCQ · hard

A large financial services company is migrating its customer-facing web application to Azure. The application handles sensitive personal data and must comply with PCI DSS. The solution will use Azure App Service (Linux) with a custom container, Azure SQL Database, and Azure Redis Cache. The security architect mandates that all data in transit be encrypted using the latest TLS version, and that the application must be protected against common web vulnerabilities. The company also wants to ensure that only authenticated users can access the Redis cache. Users will authenticate via Microsoft Entra ID. The operations team needs to be able to monitor for SQL injection attempts and anomalous access patterns. You need to design the security configuration. Which of the following is the most comprehensive approach that meets all requirements?

A. Configure App Service to enforce TLS 1.2 as minimum. Deploy Azure Application Gateway with WAF enabled in front of App Service. Enable Azure AD authentication for Azure Redis Cache. Enable Microsoft Defender for SQL for Azure SQL Database.
B. Use Azure Front Door with custom domain and enforce TLS 1.2. Configure IP firewall on Redis Cache. Use Azure SQL Database with VNet service endpoints.
C. Deploy App Service with HTTPS only enabled. Use Azure API Management with WAF. Use Redis Cache with access keys. Enable SQL audit logging.
D. Enable TLS 1.3 on App Service. Use Azure CDN with WAF. Configure Redis Cache with a firewall rule allowing only App Service outbound IPs.
Answer: A

Covers all: TLS, WAF, Redis auth, and SQL threat detection.

Why this answer

Azure App Service enforces TLS 1.2/1.3 by default. Azure WAF (Web Application Firewall) in front of App Service protects against OWASP Top 10. Azure AD authentication for Redis Cache is supported via Azure AD RBAC for Redis (currently in preview but available).

Microsoft Defender for SQL detects SQL injection and anomalous access. Option A covers all requirements. Option B uses Application Gateway without WAF.

Option C uses Redis firewall which doesn't enforce authentication. Option D uses Azure Front Door without WAF.

11
MCQ · easy

Your organization stores sensitive customer data in Azure Blob Storage. You need to implement data classification and labeling using Microsoft Purview. Which resource should you use to automatically scan and classify the data?

A. Azure Policy
B. Microsoft Purview Data Map
C. Microsoft Purview Information Protection
D. Microsoft Purview Data Loss Prevention
Answer: B

Data Map scans assets and applies classification rules automatically.

Why this answer

Option A is correct because Microsoft Purview Data Map provides automated scanning and classification of data assets across Azure and on-premises. Option B is wrong because Purview Information Protection focuses on labeling and protection policies, not scanning. Option C is wrong because Purview Data Loss Prevention (DLP) monitors and prevents data exfiltration.

Option D is wrong because Azure Policy enforces organizational standards, not data classification.

12
Multi-Select · hard

Which THREE components are required to implement a secure hybrid network with Azure using a site-to-site VPN?

Select 3 answers
A. Public IP address for the VPN device
B. ExpressRoute circuit
C. VPN gateway (route-based)
D. Virtual network gateway
E. Local network gateway
Answers: C, D, E

Required for the Azure side of the VPN connection.

Why this answer

A route-based VPN gateway (option C) is required for site-to-site VPN connections because it uses dynamic routing (BGP) and supports IKEv2, enabling automatic failover and policy-based traffic selectors. This is essential for secure hybrid networking as it allows Azure to route traffic to on-premises networks via the VPN tunnel without static route limitations.

Exam trap

The trap here is that candidates confuse the VPN gateway (the Azure resource) with the Virtual Network Gateway (the parent resource type), or mistakenly think a public IP is a separate component when it is actually a property of the VPN gateway, leading them to select option A instead of recognizing that the three required components are the VPN gateway, Virtual Network Gateway, and Local Network Gateway.

13
MCQ · medium

Your company uses Microsoft Defender for Cloud Apps and wants to prevent users from uploading sensitive files to personal cloud storage apps. What should you configure?

A. Activity policy
B. App connector
C. Session policy
D. File policy
Answer: C

Session policies control user activities in real time, including blocking uploads to unsanctioned apps.

Why this answer

Session policy in Microsoft Defender for Cloud Apps allows real-time monitoring and control of user activities based on app and content inspection. By configuring a session policy, you can block or restrict uploads of sensitive files to personal cloud storage apps like Dropbox or Google Drive during the user's session, leveraging reverse proxy capabilities to inspect and intervene in traffic.

Exam trap

The trap here is that candidates confuse 'File policy' (which governs files at rest) with 'Session policy' (which governs files in motion), leading them to select D, even though real-time upload prevention requires session-level control via reverse proxy.

How to eliminate wrong answers

Option A is wrong because Activity policies are used for auditing and generating alerts on specific activities (e.g., multiple failed logins), not for real-time blocking of file uploads. Option B is wrong because App connectors enable API-based visibility and control for connected apps (e.g., retrieving logs), but they cannot intercept and block uploads in real time during a user session. Option D is wrong because File policies are designed for scanning and governing files already stored in cloud apps (e.g., detecting DLP violations in SharePoint), not for preventing uploads at the point of action.

14
MCQ · medium

You are designing a secure hybrid network architecture for a company that uses Azure and an on-premises datacenter. The company requires that all traffic between Azure and on-premises traverses Microsoft's backbone network and never the public internet. Additionally, the solution must provide automatic failover if the primary connection fails. Which Azure service should you include in the design?

A. Azure ExpressRoute with redundant circuits
B. Azure Virtual WAN
C. Azure Front Door
D. Azure VPN Gateway
Answer: A

ExpressRoute uses Microsoft's backbone and redundant circuits provide automatic failover.

Why this answer

Azure ExpressRoute with redundant circuits meets the requirement of using Microsoft's backbone and automatic failover. VPN Gateway uses the public internet. Azure Virtual WAN can use ExpressRoute but is not a direct answer.

Azure Front Door is for global load balancing of web applications.

15
MCQ · hard

A multinational corporation is designing a secure infrastructure for their Azure Kubernetes Service (AKS) clusters. They require network policies to restrict pod-to-pod communication based on namespaces and label selectors. They also need to integrate with Azure Policy for compliance. Which network policy engine should they use?

A. kubenet
B. Cilium
C. Calico through Azure Policy add-on
D. Azure Firewall
Answer: C

Correct: Azure Policy for AKS uses Calico for network policies.

Why this answer

Azure Policy for AKS supports the Calico network policy engine for advanced network policies. Cilium is not natively integrated with Azure Policy. Azure Firewall is for cluster ingress/egress, not pod-level policies. kubenet is a basic networking plugin that does not support network policies.

16
MCQ · easy

Your company uses Microsoft Purview Data Loss Prevention (DLP). You need to ensure that credit card numbers are not shared externally via email. What should you configure?

A. Create a sensitivity label that applies encryption to emails containing credit card numbers.
B. Create a DLP policy that detects credit card numbers and blocks external sharing.
C. Configure auto-labeling for credit card numbers in Microsoft 365.
D. Create a retention policy for credit card data.
Answer: B

DLP policies can detect sensitive data and enforce actions like block.

Why this answer

Option A is correct because DLP policies can detect sensitive information like credit card numbers and block external sharing. Option B is incorrect because sensitivity labels are for classification, not blocking. Option C is incorrect because retention policies manage retention, not sharing.

Option D is incorrect because auto-labeling applies labels, but DLP enforces actions.

17
Multi-Select · medium

Your organization uses Microsoft Defender for Cloud Apps. You need to detect and prevent the use of unsanctioned cloud apps. The solution should generate alerts when users access high-risk apps and block access to very high-risk apps. Which three actions should you take? (Choose three.)

Select 3 answers
A. Configure Conditional Access policies in Microsoft Entra ID to block unsanctioned apps
B. Unsanction high-risk apps using the app catalog
C. Create a session or access policy to block unsanctioned apps
D. Enable Cloud Discovery in Defender for Cloud Apps to discover app usage
E. Create a DLP policy to prevent data upload to unsanctioned apps
Answers: B, C, D

Unsanctioning marks apps as blocked.

Why this answer

Options A, C, and D are correct because to detect and block unsanctioned apps, you need to discover them via Cloud Discovery, sanction or unsanction them, and create policies to block unsanctioned apps. Option B is wrong because Conditional Access policies are for identity, not app blocking. Option E is wrong because DLP policies are for data protection, not app control.

18
MCQ · medium

Your organization is deploying a new application on Azure that will process personal data for European Union residents. The compliance team requires that the application encrypts all data at rest and in transit, that access to the data is logged and auditable, and that the data is not stored outside the EU. You need to design a solution that meets these requirements while following security best practices. The solution must also minimize operational overhead. You have decided to use Azure SQL Database, Azure Storage, and Azure Key Vault. Which design should you recommend?

A. Use Azure SQL Database with Always Encrypted using Azure Key Vault. Use Azure Storage with encryption at rest. Enforce TLS 1.2. Use Azure Traffic Manager to route traffic to EU regions. Enable SQL Auditing and export logs to an on-premises SIEM.
B. Use Azure SQL Database with Always Encrypted using client-managed keys stored in a config file. Enforce TLS 1.2. Use Azure Storage with client-side encryption. Store keys in Azure Key Vault. Configure LRS in EU. Enable SQL Auditing.
C. Use Azure SQL Database with SQL Server encryption (cell-level). Use Azure Storage with encryption at rest. Store keys in application code. Use Azure Backup for long-term retention. Enable auditing on SQL Database.
D. Use Azure SQL Database with Transparent Data Encryption (TDE) using service-managed keys. Enforce TLS 1.2 for connections. Use Azure Storage with encryption at rest using Microsoft-managed keys. Store keys in Azure Key Vault. Configure geo-redundant storage (GRS) in an EU region. Enable diagnostic settings to send logs to a Log Analytics workspace in the EU.
Answer: D

Meets all requirements with minimal overhead: built-in encryption, key management, geo-restriction, and logging.

Why this answer

Option D is correct because it uses Transparent Data Encryption (TDE) with service-managed keys for Azure SQL Database, which encrypts data at rest with minimal operational overhead, and enforces TLS 1.2 for data in transit. Azure Storage encryption at rest with Microsoft-managed keys meets the encryption requirement without management burden. Geo-redundant storage (GRS) within an EU region ensures data residency, and diagnostic settings sending logs to a Log Analytics workspace in the EU provides auditable logging while keeping logs within the EU, all aligning with security best practices and minimizing operational overhead.

Exam trap

The trap here is that candidates often choose Always Encrypted or client-side encryption thinking they provide stronger security, but for minimizing operational overhead with data at rest encryption, TDE with service-managed keys is the correct choice because it is fully managed by Azure and meets compliance requirements without the complexity of key management or client-side encryption.

How to eliminate wrong answers

Option A is wrong because Azure Traffic Manager routes traffic based on performance or priority, not data residency, and exporting logs to an on-premises SIEM increases operational overhead and may violate data residency if the SIEM is outside the EU. Option B is wrong because storing client-managed keys in a config file is insecure and violates best practices; client-side encryption for Azure Storage adds unnecessary complexity and overhead, and Always Encrypted with client-managed keys in a config file does not meet the requirement for auditable key management. Option C is wrong because cell-level encryption is deprecated and not recommended for new deployments; storing keys in application code is a critical security flaw, and Azure Backup does not address encryption at rest or in transit requirements.

19
Multi-Select · hard

A company uses Microsoft Defender for Cloud to secure multicloud environments. They want to assess compliance with SOC 2. Which THREE steps should they take?

Select 3 answers
A. Enable just-in-time (JIT) VM access
B. Monitor the secure score for SOC 2 recommendations
C. Set up continuous export to send compliance data to a third-party GRC tool
D. Create Azure Policy definitions for SOC 2 controls
E. Enable the SOC 2 regulatory compliance standard in Defender for Cloud
Answers: B, C, E

Secure score reflects compliance posture.

Why this answer

Option A is correct because Defender for Cloud has built-in regulatory compliance standards. Option B is correct because secure score helps track compliance. Option C is correct because continuous export sends data to other tools.

Option D is incorrect because Azure Policy is for Azure resources, not multicloud. Option E is incorrect because JIT is a security control, not compliance assessment.

20
MCQ · medium

Refer to the exhibit. You are deploying an Azure Storage container for storing compliance records. The ARM template snippet above configures the container. Which statement accurately describes the configuration?

A. The container allows protected append writes.
B. Blob versioning is disabled for the container.
C. The container allows anonymous read access.
D. Blobs cannot be modified or deleted for 365 days after creation.
Answer: D

Immutability policy enforces a 365-day retention period.

Why this answer

Option D is correct. The snippet sets publicAccess to 'None', so no anonymous access is allowed. It enables immutable storage with versioning and sets an immutability period of 365 days, meaning blobs cannot be deleted or modified for 365 days after creation.

Option A is wrong because public access is set to None. Option B is wrong because allowProtectedAppendWrites is false, so append blobs cannot be written. Option C is wrong because versioning is enabled.

21
Multi-Select · medium

Your organization is deploying Microsoft Defender for Cloud Apps. Which THREE capabilities are included in Defender for Cloud Apps? (Select three.)

Select 3 answers
A. Session controls
B. App governance
C. Cloud Discovery
D. Data Loss Prevention (DLP) policies
E. Conditional Access
Answers: A, B, C

Provides real-time monitoring and control of user sessions.

Why this answer

Defender for Cloud Apps provides Cloud Discovery (discover shadow IT), app governance (control app permissions), and session controls (protect data in real time). Conditional Access is an Entra ID feature, and DLP policies are part of Microsoft Purview, though Cloud Apps can integrate with them.

22
Multi-Select · hard

Your organization uses Microsoft Sentinel and wants to improve threat hunting efficiency. Which THREE actions should you take?

Select 3 answers
A. Enable UEBA (User and Entity Behavior Analytics)
B. Integrate Microsoft Defender XDR for cross-domain hunting
C. Create custom hunting queries using KQL
D. Use watchlists to filter out known benign IPs
E. Reduce data retention period to improve query speed
Answers: A, B, C

UEBA helps identify anomalies.

Why this answer

UEBA (User and Entity Behavior Analytics) in Microsoft Sentinel uses machine learning models to establish baseline behavioral patterns for users, hosts, and other entities. It then detects anomalous activities such as unusual logon times, impossible travel, or abnormal data exfiltration, which directly enhances threat hunting by surfacing suspicious behaviors that might otherwise go unnoticed.

Exam trap

The trap here is that candidates often confuse passive data enrichment tools (like watchlists) with active hunting techniques, or mistakenly think reducing data retention improves security operations, when in fact it hinders long-term threat detection and forensic analysis.

23
Multi-Select · medium

Which TWO actions should you take to protect Azure Virtual Machines from ransomware attacks? (Choose two.)

Select 2 answers
A. Configure Azure Firewall to block all outbound traffic.
B. Enable Azure Backup for all VMs.
C. Use auto-shutdown schedules for VMs.
D. Disable RDP access from the internet.
E. Deploy Microsoft Defender Antivirus with real-time protection.
Answers: B, E

Backups allow recovery from ransomware.

Why this answer

Options A and C are correct. Option A: Backups (Azure Backup) are essential for recovery. Option C: Antimalware (Microsoft Defender Antivirus) helps prevent infection.

Option B is wrong because disabling public RDP reduces attack surface but is not specific to ransomware. Option D is wrong because Azure Firewall is for network segmentation, not direct ransomware protection. Option E is wrong because auto-shutdown does not prevent ransomware.

24
MCQ · medium

Your organization uses Microsoft Purview Information Protection to label and protect sensitive emails and documents. You need to ensure that when a user applies a 'Highly Confidential' label, the content is automatically encrypted and a watermark is added. Which configuration should you use?

A. Use Azure Information Protection scanner to apply labels automatically.
B. Create a DLP policy that blocks sharing of highly confidential content.
C. Configure a sensitivity label with encryption and watermark settings.
D. Enable Microsoft 365 Message Encryption for all emails.
Answer: C

Sensitivity labels can include protection actions like encryption and watermarks.

Why this answer

Option B is correct because a label with protection settings can enforce encryption and apply a watermark. Option A is wrong because the label itself can be configured, not requiring a separate policy. Option C is wrong because DLP policies prevent sharing but do not add watermarks.

Option D is wrong because Azure Information Protection is the underlying technology, but the configuration is done via sensitivity labels.

25
MCQ · medium

Refer to the exhibit. You are reviewing a Microsoft Purview Data Map resource pattern for scanning. What is this pattern intended to do?

A. Scan all resources in the onmicrosoft.com domain for classification.
B. Block access to resources in USGov regions.
C. Automatically apply sensitivity labels to resources matching the pattern.
D. Enforce retention policies on scanned resources.
Answer: C

The pattern specifies sensitivity labels to apply.

Why this answer

Option C is correct because the pattern targets all *.onmicrosoft.com resources in Global and USGov regions and applies sensitivity labels. Option A is wrong because it applies labels, not just scans. Option B is wrong because it does not block access.

Option D is wrong because it does not enforce retention.

26
MCQ · hard

Your organization uses Microsoft Sentinel as a SIEM. You need to design a solution to detect advanced persistent threats (APTs) by correlating data from multiple sources, including network logs, endpoint data, and threat intelligence feeds. The solution must use machine learning to identify anomalies and reduce false positives. Which analytics rule type should you configure?

A. ML Behavior Analytics
B. Fusion
C. Anomaly detection rules
D. Scheduled query rules
Answer: B

Fusion uses ML to correlate alerts from multiple sources and detect APTs.

Why this answer

Option B is correct because Fusion uses ML to correlate alerts from multiple sources and detect multi-stage attacks, reducing false positives. Option D is wrong because Scheduled query rules are rule-based and do not use ML. Option C is wrong because Anomaly detection rules flag anomalies in a single data source rather than correlating across sources.

Option A is wrong because ML Behavior Analytics rules are Microsoft-authored templates for specific behaviors (for example anomalous SSH or RDP logins), not cross-source correlation of alerts.

27
MCQmedium

Your organization uses Microsoft Defender for Identity (MDI) to protect on-premises Active Directory. You need to integrate MDI with Microsoft Sentinel to centralize detection and response. What is the required configuration?

A.Deploy the MDI sensor on an Azure VM to send data to Sentinel.
B.Integrate Microsoft Entra ID Protection with Sentinel instead.
C.Enable the Microsoft Defender for Identity data connector in Microsoft Sentinel.
D.Configure MDI to forward logs to a Syslog server, then use the Syslog connector in Sentinel.
AnswerC

This connector ingests MDI alerts into Sentinel.

Why this answer

Option C is correct because the Microsoft Defender for Identity data connector in Sentinel ingests MDI alerts. Option D is wrong because MDI does not forward its native alerts over Syslog; it uses the dedicated connector. Option B is wrong because Microsoft Entra ID Protection covers cloud identities, not on-premises AD.

Option A is wrong because the MDI sensor runs on the on-premises domain controllers (and AD FS/AD CS servers) that are already deployed; it does not need to be deployed on an Azure VM to feed Sentinel.

28
Multi-Selecthard

You are designing a secure access strategy for Azure SQL Database. The solution must use Microsoft Entra authentication and ensure that only specific client IP addresses can connect. Additionally, all connections must be encrypted in transit. Which THREE components should you configure?

Select 3 answers
A.Enable Always Encrypted for sensitive columns
B.Microsoft Entra authentication for the SQL server
C.Enforce TLS 1.2 for connections
D.A server-level firewall rule allowing specific client IP ranges
E.Configure an Azure Private Endpoint for the SQL server
AnswersB, C, D

Required for identity-based access control.

Why this answer

Microsoft Entra authentication is required for identity-based access. A server-level firewall rule allows specific IPs. Enforcing TLS 1.2 ensures encryption in transit.

A private endpoint is not required for IP-based filtering. Always Encrypted is column-level encryption of data at rest and in use, not network security.

29
MCQeasy

Your organization is using Microsoft Defender for Cloud to assess the security posture of Azure resources. You need to ensure that the highest severity recommendations are addressed first. Which dashboard or feature in Defender for Cloud should you use to view the most critical security issues?

A.Azure Security Center dashboard
B.Inventory
C.Secure Score
D.Security alerts
AnswerC

Secure Score shows recommendations grouped by severity and impact, helping prioritize critical issues.

Why this answer

The Secure Score dashboard in Microsoft Defender for Cloud provides a prioritized list of security recommendations based on their impact on your overall security posture. By sorting recommendations by score impact, you can identify and address the highest severity issues first, as they contribute most significantly to improving your secure score.

Exam trap

The trap here is that candidates confuse 'Security alerts' (which deal with active threats) with 'Secure Score' (which deals with configuration-based recommendations), leading them to choose D instead of C.

How to eliminate wrong answers

Option A is wrong because the Azure Security Center dashboard is a legacy interface that has been replaced by Defender for Cloud; it does not offer the same prioritized recommendation view as Secure Score. Option B is wrong because the Inventory feature lists all monitored resources but does not rank them by severity or provide a prioritized action plan. Option D is wrong because Security alerts focus on active threats and incidents, not on configuration-based recommendations that affect your secure score.

30
MCQhard

Refer to the exhibit. You are reviewing an Azure Policy definition that uses a 'modify' effect. The policy is intended to automatically enable transparent data encryption (TDE) on Azure SQL databases after they are created. Which condition must be met for the modify effect to work?

A.The policy must be assigned at the management group scope.
B.A managed identity must be associated with the policy assignment and have permissions to modify TDE.
C.The database must be newly created.
D.The SQL database must be using the General Purpose service tier.
AnswerB

Modify effect uses a managed identity to make changes.

Why this answer

Option B is correct because the modify effect runs under the managed identity of the policy assignment, which must hold a role (for example SQL DB Contributor) that can change the TDE setting; without it the modify effect cannot act. Option D is wrong because the modify effect does not depend on the service tier. Option A is wrong because the policy can be assigned at any scope, including subscription.

Option C is wrong because TDE can be enabled on existing databases as well as new ones; new resources are modified at create or update time, and existing ones through a remediation task.

31
MCQhard

Your organization uses Azure API Management (APIM) to expose APIs to external partners. You need to ensure that only authorized partners can access the APIs and that the API requests are rate-limited to prevent abuse. What should you implement?

A.Use a validate JWT policy to authenticate partners and a rate-limit by key policy to control request rates.
B.Configure client certificate authentication and set a global rate limit in the APIM service.
C.Require a subscription key for each partner and configure IP whitelisting.
D.Use OAuth 2.0 tokens and store partner API keys in Azure Key Vault.
AnswerA

JWT validation ensures partner identity, rate limit by subscription key restricts usage.

Why this answer

Option A is correct because APIM policies can validate JWT tokens (validate-jwt) to authenticate partners and apply rate-limit-by-key to control request rates per partner. Option C is wrong because subscription keys alone are weak partner authentication, and IP allowlisting breaks whenever a partner's egress addresses change. Option D is wrong because storing partner API keys in Key Vault does nothing to enforce rate limits at the gateway.

Option B is wrong because client certificate authentication is a valid alternative, but a single global limit is not scoped per partner; rate-limit-by-key lets each partner be limited by its own key (for example a claim from the validated JWT).

32
MCQhard

You are the security architect for Contoso Ltd., a company that runs a critical e-commerce application on Azure Kubernetes Service (AKS). The application consists of multiple microservices that communicate over HTTP. The application uses Azure SQL Database for transactional data and Azure Redis Cache for session state. Recently, a security audit revealed that several microservices are vulnerable to SQL injection attacks because they construct SQL queries by concatenating user input. Additionally, the Redis cache is exposed to the internet with no firewall rules, and the connection string is stored in plain text in the application configuration file. The development team is concerned about performance and wants to minimize changes to the codebase. You need to design a strategy to mitigate these vulnerabilities with minimal code changes. Which of the following is the best course of action?

A.Deploy Azure Web Application Firewall (WAF) on Application Gateway to protect against SQL injection, configure Azure Redis Cache with a private endpoint and disable public network access, and use Azure Key Vault with a managed identity to inject the Redis connection string into the application.
B.Enable Azure Web Application Firewall (WAF) on an Application Gateway in front of AKS to block SQL injection, move Redis to a private endpoint with a firewall rule, and use Azure Key Vault with a managed identity to inject the Redis connection string.
C.Move all SQL queries to stored procedures, enable Redis persistence with AOF, and store the connection string in a Kubernetes secret.
D.Refactor the microservices to use parameterized SQL queries, configure Azure Redis Cache firewall to allow only AKS node IPs, and store the connection string in Azure Key Vault with a managed identity.
AnswerA

WAF blocks SQL injection without code changes, private endpoint secures Redis, Key Vault with managed identity protects secrets.

Why this answer

Option A is correct because it addresses all three vulnerabilities with minimal code changes: Azure WAF on Application Gateway filters SQL injection attempts at the edge (layer 7) before they reach the microservices, without modifying application code; configuring Azure Cache for Redis with a private endpoint and disabling public network access removes the cache from the internet without code changes; and using Azure Key Vault with a managed identity injects the Redis connection string at runtime, eliminating plain-text storage without altering the application's configuration loading logic. A WAF is a compensating control: it reduces exposure immediately, but the concatenated queries remain the root cause and should still be replaced with parameterized queries on the normal release cadence.

Exam trap

The trap here is that candidates choose the technically thorough but code-heavy fix (parameterized queries) over an edge control (WAF) that meets the stated 'minimal code changes' constraint; the question asks which design satisfies that constraint, not which is the most complete remediation.

How to eliminate wrong answers

Option B is wrong because it adds a private endpoint 'with a firewall rule' but never disables public network access; Azure Cache for Redis firewall rules govern the public endpoint, so the cache can remain reachable from the internet, whereas Option A removes that exposure explicitly. Option C is wrong because moving SQL queries to stored procedures requires significant codebase refactoring, contradicting the requirement for minimal code changes, and storing the connection string in a Kubernetes secret still stores it (base64-encoded, not encrypted) in the cluster's etcd unless encryption at rest is separately configured, failing to address the plain-text vulnerability. Option D is wrong because refactoring microservices to use parameterized SQL queries requires extensive code changes, violating the minimal code changes constraint, and configuring the Redis firewall to allow only AKS node IPs keeps the cache on a public endpoint whose allowlist breaks whenever node IPs change.
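The concatenation bug the audit describes, beside the parameterized form that Option D proposes, as an added example that is not part of the original question: it uses an in-memory SQLite database with constructed rows so it runs offline, and the table and column names (orders, customer, total) are assumptions for illustration.

```python
"""Added example (not from the exam page): string-concatenated SQL beside its
parameterized replacement, run against constructed sample data."""
import sqlite3


def make_db():
    """Constructed sample data: a small orders table for two customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, total REAL)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", 19.99), (2, "alice", 5.00), (3, "bob", 120.00)],
    )
    return conn


def orders_vulnerable(conn, customer):
    """The pattern the audit flagged: user input concatenated into the SQL text."""
    sql = "SELECT id, customer, total FROM orders WHERE customer = '" + customer + "'"
    return conn.execute(sql).fetchall()


def orders_parameterized(conn, customer):
    """Hardened form: the driver binds the value, so it can never become SQL."""
    sql = "SELECT id, customer, total FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


# A classic payload: closes the string literal and widens the WHERE clause.
PAYLOAD = "alice' OR '1'='1"


def demo():
    """Return (rows leaked by the vulnerable query, rows returned by the fixed one)."""
    conn = make_db()
    leaked = orders_vulnerable(conn, PAYLOAD)        # every row in the table
    contained = orders_parameterized(conn, PAYLOAD)  # no customer has that literal name
    return len(leaked), len(contained)


if __name__ == "__main__":
    print(demo())  # (3, 0)
```

The same payload that dumps the whole table through the concatenated query is just an unusual customer name to the bound parameter; this is why a WAF in front of the application is a stop-gap and the binding change is the real fix.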

33
Multi-Selecteasy

Which TWO of the following are components of Microsoft Defender XDR (Extended Detection and Response)?

Select 2 answers
A.Microsoft Sentinel
B.Microsoft Defender for Endpoint
C.Microsoft Defender for Office 365
D.Microsoft Intune
E.Microsoft Purview
AnswersB, C

Defender for Endpoint is a core component of Defender XDR.

Why this answer

Microsoft Defender XDR (Extended Detection and Response) is a unified security operations platform that natively integrates signals from Microsoft Defender for Endpoint (endpoint detection and response) and Microsoft Defender for Office 365 (email and collaboration security). These two components provide the core telemetry for cross-domain threat correlation and automated response within the Defender XDR portal.

Exam trap

The trap here is that candidates often confuse Microsoft Sentinel (a SIEM) as part of Defender XDR, but Sentinel is a separate Azure service that can ingest Defender XDR alerts, not a component of the XDR platform itself.

34
MCQmedium

Your company uses Microsoft Intune to manage corporate devices. The security team wants to prevent users from copying sensitive data from corporate apps to personal apps on mobile devices. Which Intune policy should you configure?

A.Device configuration policies
B.App protection policies
C.Windows Information Protection
D.Device compliance policies
AnswerB

MAM policies restrict data transfer between managed and unmanaged apps.

Why this answer

App protection policies (APP) are the correct Intune policy to prevent data transfer from corporate apps to personal apps on mobile devices. These policies apply at the application layer, allowing you to configure data protection settings such as 'Restrict cut, copy, and paste' and 'Allow app to transfer data to other apps' specifically for managed apps, regardless of the device enrollment state.

Exam trap

The trap here is confusing device-level policies (compliance or configuration) with app-level data protection, leading candidates to select device compliance policies or device configuration policies instead of app protection policies.

How to eliminate wrong answers

Option A is wrong because device configuration policies manage device-level settings (e.g., Wi-Fi, VPN, certificates) and do not control data sharing between apps on mobile devices. Option C is wrong because Windows Information Protection (WIP) is a Windows-only feature for desktop devices, now deprecated, and does not apply to mobile platforms like iOS or Android. Option D is wrong because device compliance policies enforce device-level security requirements (e.g., jailbreak detection, minimum OS version) and do not restrict app-to-app data transfer.

35
MCQeasy

Your organization uses Microsoft Intune for mobile device management. You need to ensure that only devices compliant with security policies can access corporate email. What should you implement?

A.Conditional Access policy requiring compliant device
B.Microsoft Purview Data Lifecycle Management
C.Microsoft Defender for Endpoint integration
D.Microsoft Intune App Protection Policies
AnswerA

This enforces device compliance before granting access.

Why this answer

A is correct because a Conditional Access policy in Microsoft Entra ID can evaluate device compliance status reported by Intune before granting access to corporate email. By configuring a policy that requires a device to be marked as compliant, only devices that meet your security policies (e.g., encryption, OS version, threat level) will be allowed to authenticate and access email. This directly enforces the requirement that only compliant devices can access corporate email.

Exam trap

The trap here is that candidates often confuse Intune App Protection Policies (MAM) with device-based compliance, but MAM policies protect data at the app level and do not require the device itself to be compliant, so they do not meet the requirement of 'only compliant devices'.

How to eliminate wrong answers

Option B is wrong because Microsoft Purview Data Lifecycle Management governs data retention and deletion policies, not real-time access control based on device compliance. Option C is wrong because Microsoft Defender for Endpoint integration provides threat detection and response on endpoints, but does not itself block access to email based on compliance status; it can feed signals into Conditional Access but is not the primary control. Option D is wrong because Intune App Protection Policies (MAM) protect data within apps without requiring device enrollment or compliance, so they do not ensure that only compliant devices can access email—they apply to apps on any device, including non-compliant ones.

36
Multi-Selectmedium

A company is designing a data security strategy using Microsoft Purview. They need to identify sensitive data across their data estate, including on-premises SQL Server, Azure SQL Database, and Amazon S3. Which THREE components should they use? (Choose three.)

Select 3 answers
A.Microsoft Purview Data Estate Insights
B.Microsoft Purview External Identities
C.Microsoft Purview Data Catalog
D.Microsoft Purview Compliance Manager
E.Microsoft Purview Data Map
AnswersA, C, E

Data Map scans and classifies the sources; Data Catalog exposes the results; Data Estate Insights reports on them.

Why this answer

Microsoft Purview Data Map is where the sources are registered and scanned: on-premises SQL Server through a self-hosted integration runtime, Azure SQL Database and Amazon S3 through their native connectors, with classification applied during the scan. Microsoft Purview Data Catalog makes the scanned assets and their classifications searchable, and Microsoft Purview Data Estate Insights aggregates the scan results into dashboards that show where sensitive data resides, so the three together cover discovery, lookup and reporting across the hybrid estate.

Exam trap

The trap here is that candidates confuse Compliance Manager (a compliance posture tool) with data discovery capabilities, or think External Identities (an identity feature) is relevant to scanning data sources, when in fact only Data Map, Data Catalog, and Data Estate Insights form the core trio for sensitive data identification across hybrid estates.

37
MCQeasy

Your organization is planning to deploy a new web application on Azure VMs. The security team requires that all incoming traffic to the VMs be inspected by a network virtual appliance (NVA) before reaching the VMs. Which Azure networking solution should you use to route traffic through the NVA?

A.Azure Firewall
B.Azure Load Balancer
C.Network Security Groups (NSGs)
D.User Defined Routes (UDRs)
AnswerD

UDRs allow custom routing to force traffic through an NVA.

Why this answer

Option D is correct because User Defined Routes (UDRs) override Azure's default system routes so that traffic is sent to the NVA's private IP as the next hop. Option A is wrong because Azure Firewall is itself a managed firewall service, not the routing mechanism that steers traffic to a third-party NVA. Option B is wrong because Azure Load Balancer distributes traffic but does not force it through an NVA (it is often paired with UDRs to front a set of NVAs).

Option C is wrong because NSGs filter traffic but do not route it.

38
MCQmedium

Your company uses Microsoft Intune to manage devices. You need to ensure that corporate data is wiped from a device if it reports a jailbroken status. What is the best approach?

A.Create a device compliance policy that marks jailbroken devices as noncompliant, then use Conditional Access to require compliance
B.Use the remote wipe action from Intune when a jailbreak is reported
C.Deploy an app protection policy that wipes data if jailbreak is detected
D.Configure a device configuration policy to block jailbroken devices
AnswerA

Noncompliant devices are blocked from access, and the compliance policy's actions for noncompliance can retire the device to remove corporate data.

Why this answer

Option A is correct because a compliance policy can mark a jailbroken device as noncompliant, Conditional Access then blocks it from corporate resources, and the policy's actions for noncompliance can retire the device (removing corporate data) automatically. Option B is incorrect because a remote wipe from the Intune admin center is a manual action, so it does not guarantee data is removed when the device reports jailbroken status.

Option C is incorrect because app protection policies act on app data rather than the device and do not require enrollment, so they do not use the device compliance state the question depends on. Option D is incorrect because device configuration policies push settings; they neither evaluate compliance nor trigger a wipe.

39
MCQmedium

Refer to the exhibit. You are reviewing an Azure Policy definition. What is the effect of this policy?

A.Denies creation of Windows VMs that have automatic updates enabled
B.Audits Windows VMs that have automatic updates disabled
C.Audits Linux VMs that have automatic updates enabled
D.Denies creation of Windows VMs without automatic updates enabled
AnswerD

Denies if the property 'enableAutomaticUpdates' is absent on a Windows VM.

Why this answer

Option D is correct: the policy denies creation of Windows virtual machines that do not have automatic updates enabled. Option C is wrong because the policy targets Windows VMs, not Linux. Option B is wrong because the effect is deny, not audit, and the condition checks for the absence of the property, not for its value being false.

Option A is wrong because it denies VMs that have automatic updates enabled, the opposite of what the condition expresses.

40
MCQeasy

Refer to the exhibit. You are reviewing an Azure Policy definition. What does this policy do?

A.Denies creation of any virtual machine that has a network interface attached to a specific subnet.
B.Denies creation of any virtual machine that is attached to a public IP address.
C.Denies creation of any virtual machine that does not have a network interface.
D.Allows creation of virtual machines only if they have a network interface attached to a specific subnet.
AnswerB

The policy denies VMs whose network interface configuration references a public IP address.

Why this answer

Option B is correct because the policy denies creation of virtual machines whose network interface is attached to a public IP address (the exhibit checks for the presence of that reference on the NIC). Option C is wrong because the policy targets VMs that have a NIC with a public IP, not VMs without a NIC.

Options A and D are wrong because the policy does not check for a specific subnet.

41
MCQmedium

Refer to the exhibit. You are reviewing an Azure Policy definition. What does this policy do?

A.Requires all virtual machines to use encryption at host
B.Allows only virtual machines with unmanaged disks
C.Denies virtual machines with managed disks if the OS disk type is not Standard_LRS or Premium_LRS
D.Denies all virtual machines without managed disks
AnswerC

The policy denies non-compliant disk types.

Why this answer

Option C is correct. The policy rule denies virtual machines whose OS disk uses a managed disk with a storage account type other than Standard_LRS or Premium_LRS: it checks that the VM uses managed disks and, if so, allows only those two types.

Option D is wrong because the policy does not deny all VMs without managed disks, only managed-disk VMs with non-allowed disk types. Option B is wrong because it does not allow unmanaged disks specifically. Option A is wrong because it does not require encryption at host.
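The three policy questions above all come down to how Azure Policy walks an 'if' condition tree over a resource document. As an added example (not from the exam page or from Azure), this is a minimal evaluator for that grammar, applied to two definitions reconstructed from the explanations of questions 39 and 41; the exhibits are not reproduced on the page, so the definitions, the sample VM documents and the simplified alias lookup (strip the resource-type prefix, walk the rest as a dotted path under 'properties') are assumptions, not the exam's originals or Azure's resolver.

```python
"""Added example (not from the exam page or Azure): evaluate Azure Policy
'if' condition trees against constructed VM resource documents."""

VM = "Microsoft.Compute/virtualMachines"


def _lookup(resource, field):
    """Resolve a policy field/alias against a resource (simplified; assumption)."""
    if field == "type":
        return resource.get("type")
    prefix = resource.get("type", "") + "/"
    if not field.startswith(prefix):
        return None
    node = resource.get("properties", {})
    for part in field[len(prefix):].split("."):
        if not isinstance(node, dict) or part not in node:
            return None  # absent property: 'exists' evaluates to false
        node = node[part]
    return node


def _norm(value):
    # Azure Policy string comparisons are case-insensitive.
    return value.casefold() if isinstance(value, str) else value


def evaluate(cond, resource):
    """True when the condition matches, i.e. the policy's effect applies."""
    if "allOf" in cond:
        return all(evaluate(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource)
    value = _lookup(resource, cond["field"])
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return _norm(value) == _norm(cond["equals"])
    if "notEquals" in cond:
        return _norm(value) != _norm(cond["notEquals"])
    if "in" in cond:
        return _norm(value) in [_norm(v) for v in cond["in"]]
    if "notIn" in cond:
        return _norm(value) not in [_norm(v) for v in cond["notIn"]]
    raise ValueError(f"unsupported condition: {cond}")


def apply_policy(policy_rule, resource):
    """Return the effect that fires ('deny', 'audit', ...) or None."""
    if evaluate(policy_rule["if"], resource):
        return policy_rule["then"]["effect"].lower()
    return None


# Question 39 (reconstruction): deny Windows VMs that never set enableAutomaticUpdates.
DENY_NO_AUTO_UPDATES = {
    "if": {"allOf": [
        {"field": "type", "equals": VM},
        {"field": f"{VM}/osProfile.windowsConfiguration", "exists": "true"},
        {"field": f"{VM}/osProfile.windowsConfiguration.enableAutomaticUpdates", "exists": "false"},
    ]},
    "then": {"effect": "Deny"},
}

# Question 41 (reconstruction): deny managed-disk VMs whose OS disk is not LRS.
DENY_NON_LRS_OS_DISK = {
    "if": {"allOf": [
        {"field": "type", "equals": VM},
        {"field": f"{VM}/storageProfile.osDisk.managedDisk", "exists": "true"},
        {"field": f"{VM}/storageProfile.osDisk.managedDisk.storageAccountType",
         "notIn": ["Standard_LRS", "Premium_LRS"]},
    ]},
    "then": {"effect": "Deny"},
}

# Constructed sample resources shaped like ARM VM documents.
WINDOWS_VM_NO_UPDATES = {"type": VM, "properties": {
    "osProfile": {"windowsConfiguration": {"provisionVMAgent": True}},
    "storageProfile": {"osDisk": {"managedDisk": {"storageAccountType": "Premium_LRS"}}}}}
WINDOWS_VM_OK = {"type": VM, "properties": {
    "osProfile": {"windowsConfiguration": {"enableAutomaticUpdates": True}},
    "storageProfile": {"osDisk": {"managedDisk": {"storageAccountType": "standard_lrs"}}}}}
LINUX_VM_ZRS = {"type": VM, "properties": {
    "osProfile": {"linuxConfiguration": {"disablePasswordAuthentication": True}},
    "storageProfile": {"osDisk": {"managedDisk": {"storageAccountType": "Premium_ZRS"}}}}}

if __name__ == "__main__":
    for name, res in [("windows-no-updates", WINDOWS_VM_NO_UPDATES),
                      ("windows-ok", WINDOWS_VM_OK), ("linux-zrs", LINUX_VM_ZRS)]:
        print(name, apply_policy(DENY_NO_AUTO_UPDATES, res), apply_policy(DENY_NON_LRS_OS_DISK, res))
```

Two details the exam answers hinge on are visible here: an 'exists: false' condition fires on an absent property, so a Windows VM that explicitly sets enableAutomaticUpdates to false passes the question 39 policy, and string comparisons are case-insensitive, so 'standard_lrs' is accepted by the question 41 policy.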

42
MCQmedium

A company uses Microsoft Sentinel for security operations. They want to collect logs from a custom application running on Azure Virtual Machines. The application writes logs to a local file. Which data connector should they use?

A.Application Insights
B.Syslog
C.Windows Event Forwarding
D.Custom Logs via Log Analytics agent
AnswerD

The Log Analytics agent (now retired in favour of the Azure Monitor Agent with a custom text log data collection rule) can ingest custom log files from Windows or Linux VMs.

Why this answer

Option D is correct: the Log Analytics agent, or today the Azure Monitor Agent with a Custom Text Logs data collection rule, collects custom log files from VMs into a custom table. Option B is wrong because the Syslog connector collects Linux syslog messages, but the application writes to a file, not to syslog.

Option C is wrong because Windows Event Forwarding handles Windows event logs, not custom file logs. Option A is wrong because Application Insights is for application performance monitoring, not log file collection.

43
MCQhard

A security team is designing a Microsoft Sentinel deployment. They need to minimize costs while ensuring critical alerts are always processed. Which data retention and ingestion strategy should they use?

A.Use Basic Logs for all data and retain for 90 days
B.Use Analytics Logs for all data and retain for 30 days
C.Use Basic Logs for critical alerts and retain for 30 days
D.Use Basic Logs for high-volume low-value data and Analytics Logs for critical alerts
AnswerD

This balances cost and performance: cheap storage for bulk data, fast access for critical alerts.

Why this answer

Option D is correct because it aligns with cost optimization and reliability requirements by using Basic Logs for high-volume, low-value data (e.g., firewall logs) and reserving Analytics Logs for critical alerts that require full query capabilities and interactive retention. This tiered approach ensures critical alerts are always processed with full fidelity while reducing storage costs for less important data.

Exam trap

The trap here is that candidates assume all data must be in Analytics Logs for security monitoring, overlooking the cost-saving strategy of tiered ingestion where Basic Logs handle high-volume, low-value data without sacrificing critical alert processing.

How to eliminate wrong answers

Option A is wrong because using Basic Logs for all data prevents critical alerts from being processed with full Analytics Logs features (e.g., advanced KQL queries, scheduled analytics rules), and 90-day retention on Basic Logs incurs unnecessary cost for low-value data. Option B is wrong because using Analytics Logs for all data maximizes cost (Analytics Logs are more expensive per GB) and 30-day retention may not meet compliance or investigation needs for critical alerts. Option C is wrong because using Basic Logs for critical alerts means they lose access to Analytics Logs capabilities (e.g., near-real-time detection, custom detections), and 30-day retention is insufficient for forensic analysis of critical incidents.

44
Multi-Selectmedium

Which TWO actions should you take to protect Azure Virtual Machines from ransomware? (Choose two.)

Select 2 answers
A.Deploy Azure Firewall to block all inbound traffic.
B.Configure Azure Site Recovery for all VMs.
C.Enable Azure Backup with immutable vault.
D.Assign Azure Policy to require encryption at rest.
E.Enable Microsoft Defender for Servers.
AnswersC, E

Immutable backups prevent deletion and modification by ransomware.

Why this answer

Option C is correct because Azure Backup with an immutable vault produces recovery points that cannot be deleted or modified before their retention expires, so ransomware (or an attacker holding backup permissions) cannot destroy them. Option E is correct because Microsoft Defender for Servers (in Defender for Cloud) provides threat detection and alerts for ransomware behavior. Option B is wrong because Azure Site Recovery replicates VMs for disaster recovery and would replicate encrypted disks too; it is not a backup.

Option A is wrong because Azure Firewall is a network firewall, not a backup or detection solution, and blocking all inbound traffic is rarely viable. Option D is wrong because encryption at rest protects against disk theft, not against ransomware running inside the VM.

45
MCQhard

Your organization uses Microsoft Sentinel and has deployed the Analytics rule 'TI map IP entity to AzureActivity' to detect suspicious activities based on threat intelligence. The SOC team reports that the rule has a high false positive rate because it matches benign IP addresses used by legitimate services. What design change should you recommend to reduce false positives while maintaining detection coverage?

A.Increase the alert threshold to require multiple occurrences within a time window.
B.Disable the rule and rely on manual hunting queries.
C.Create a watchlist of trusted IP addresses and modify the rule to exclude those IPs.
D.Create a separate analytics rule that suppresses alerts when the source IP is in a trusted list.
AnswerC

Watchlist exclusion reduces false positives while keeping the rule active.

Why this answer

Option C is correct because creating a watchlist of trusted IP addresses and modifying the TI map IP entity to AzureActivity rule to exclude those IPs directly addresses the high false positive rate caused by benign IPs. This approach preserves detection coverage for all other threat intelligence matches while filtering out known legitimate services, leveraging Sentinel's watchlist feature for dynamic exclusion without disabling the rule.

Exam trap

The trap here is that candidates may choose Option D, thinking a separate suppression rule is needed, but Microsoft Sentinel's analytics rules support direct exclusion via watchlists in the query logic, making a separate rule redundant and less reliable.

How to eliminate wrong answers

Option A is wrong because increasing the alert threshold to require multiple occurrences within a time window does not address the root cause—benign IPs matching threat intelligence—and may delay detection of genuine threats or miss single-occurrence attacks. Option B is wrong because disabling the rule and relying on manual hunting queries eliminates automated detection entirely, increasing risk and workload, which contradicts the goal of maintaining detection coverage. Option D is wrong because creating a separate analytics rule that suppresses alerts when the source IP is in a trusted list introduces unnecessary complexity and potential race conditions; suppression logic should be integrated into the original rule via exclusion, not handled as a separate rule that may not suppress alerts in time or could conflict with other rules.
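The exclusion above is written into the rule's KQL (a join against _GetWatchlist() and a filter on the result). As an added example that is not from the exam page or from Microsoft, the same logic runs here in Python over constructed AzureActivity rows, threat-intelligence indicators and a watchlist, so it runs offline; it also covers the case the one-line fix tends to miss, a watchlist entry that is a CIDR range rather than a single address. All IPs, callers and operation names are constructed sample data.

```python
"""Added example (not from the exam page or Microsoft): TI IP matching over
constructed AzureActivity rows with a CIDR-aware trusted-IP exclusion."""
import ipaddress

# Constructed threat-intelligence indicators (IP only).
TI_INDICATORS = {"203.0.113.7", "198.51.100.23", "192.0.2.77"}

# Constructed watchlist: a trusted scanner address and a partner's CIDR block.
TRUSTED_WATCHLIST = ["198.51.100.23", "192.0.2.0/24"]

# Constructed rows: (TimeGenerated, Caller, CallerIpAddress, OperationName).
AZURE_ACTIVITY = [
    ("2024-05-01T08:00:00Z", "svc-scanner@contoso.com", "198.51.100.23",
     "MICROSOFT.COMPUTE/VIRTUALMACHINES/READ"),
    ("2024-05-01T08:05:00Z", "partner@fabrikam.com", "192.0.2.77",
     "MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION"),
    ("2024-05-01T08:09:00Z", "admin@contoso.com", "203.0.113.7",
     "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE"),
    ("2024-05-01T08:10:00Z", "admin@contoso.com", "10.0.0.4",
     "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE"),
]


def _trusted_networks(watchlist):
    """Parse watchlist entries; a bare address becomes a /32 (or /128) network."""
    return [ipaddress.ip_network(entry, strict=False) for entry in watchlist]


def is_trusted(ip, networks):
    """True when the address falls inside any watchlisted address or range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def ti_ip_matches(rows, indicators, watchlist):
    """Rows whose caller IP is a TI indicator and is not on the trusted watchlist."""
    nets = _trusted_networks(watchlist)
    return [r for r in rows if r[2] in indicators and not is_trusted(r[2], nets)]


def ti_ip_matches_exact_only(rows, indicators, watchlist):
    """The same rule with a naive exact-string exclusion, kept for comparison:
    it still alerts on the partner address because the watchlist holds a range."""
    trusted = set(watchlist)
    return [r for r in rows if r[2] in indicators and r[2] not in trusted]


if __name__ == "__main__":
    for row in ti_ip_matches(AZURE_ACTIVITY, TI_INDICATORS, TRUSTED_WATCHLIST):
        print("TI match:", row[2], row[1], row[3])
```

Only the role-assignment write from 203.0.113.7 survives the exclusion; the exact-match variant also reports the partner's 192.0.2.77, which is the residual false positive a range-aware join removes.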

46
MCQhard

Refer to the exhibit. You have deployed the automation shown in the exhibit in Microsoft Defender for Cloud. The automation triggers a Logic App when a high-severity alert is generated. Users report that the Logic App is not being triggered for some high-severity alerts. What is the most likely cause?

A.The trigger condition uses 'Equals' instead of 'Contains' for severity.
B.The Logic App resource ID is incorrect.
C.Some high-severity alerts are generated from a different event source not included in the 'sources' array.
D.The automation is configured to trigger on 'Alerts' but should be 'SecurityPolicies'.
AnswerC

Workflow automation fires only for the event sources listed in its 'sources' array; here that is 'Alerts' alone.

Why this answer

Option C is correct because Defender for Cloud workflow automation triggers only on the event sources named in its 'sources' array. The automation here lists 'Alerts', but Defender for Cloud raises events from other sources as well (for example 'RegulatoryComplianceAssessment'), so high-severity items arriving under a source that is not listed never trigger the Logic App. Option D is incorrect because 'Alerts' is the correct event source for security alerts; 'SecurityPolicies' is not.

Option A is incorrect because the severity comparison is correct. Option B is incorrect because a wrong Logic App resource ID would stop the automation firing for every alert, not just some.

47
MCQeasy

Your organization uses Microsoft Sentinel as its SIEM. The security team needs to detect brute-force attacks against Azure VMs by analyzing Windows Security Event logs. Which data connector should you enable?

A.Office 365 connector
B.Azure Activity log connector
C.Microsoft Defender for Cloud connector
D.Windows Security Events via AMA connector
AnswerD

This connector ingests Windows Event logs including security events for analysis.

Why this answer

The Windows Security Events via AMA connector (D) is correct because it ingests Windows Event Logs (specifically Security logs with Event ID 4625 for failed logons) from Azure VMs into Microsoft Sentinel, enabling detection of brute-force patterns. This connector uses the Azure Monitor Agent (AMA) to collect events, which is the recommended method for modern Windows event collection in Sentinel.

Exam trap

The trap here is that candidates may confuse the Azure Activity log connector (which shows administrative actions like 'Deallocate VM') with guest OS-level security events, or mistakenly think Defender for Cloud provides raw Windows event logs instead of aggregated security alerts.

How to eliminate wrong answers

Option A is wrong because the Office 365 connector ingests audit logs from Microsoft 365 services (Exchange, SharePoint, Teams), not Windows Security Event logs from Azure VMs. Option B is wrong because the Azure Activity log connector collects subscription-level control plane events (e.g., VM creation, resource changes), not guest OS-level security events like logon failures. Option C is wrong because the Microsoft Defender for Cloud connector ingests security alerts and posture data from Defender for Cloud, not raw Windows Security Event logs needed for brute-force detection.
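The detection the connector makes possible, as an added example that is not from the exam page or from Microsoft: in Sentinel it is a scheduled KQL rule over SecurityEvent where EventID == 4625, summarized by IpAddress per time bin; here the same logic runs in Python over constructed SecurityEvent-shaped rows so it runs offline. The threshold (5 failures), the window (10 minutes), the hostnames, accounts and IPs are all assumptions.

```python
"""Added example (not from the exam page or Microsoft): sliding-window
brute-force detection over constructed Windows Security Event rows."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed rows: (TimeGenerated, Computer, EventID, TargetAccount, IpAddress).
# 203.0.113.50 sprays several accounts and then lands a logon (4624);
# 10.0.0.5 is a user mistyping a password twice.
SECURITY_EVENTS = [
    ("2024-05-01T07:00:00Z", "web01", 4625, "admin", "203.0.113.50"),
    ("2024-05-01T08:00:00Z", "web01", 4625, "admin", "203.0.113.50"),
    ("2024-05-01T08:00:20Z", "web01", 4625, "administrator", "203.0.113.50"),
    ("2024-05-01T08:00:40Z", "web01", 4625, "admin", "203.0.113.50"),
    ("2024-05-01T08:01:00Z", "web01", 4625, "svc_backup", "203.0.113.50"),
    ("2024-05-01T08:01:20Z", "web01", 4625, "administrator", "203.0.113.50"),
    ("2024-05-01T08:01:40Z", "web01", 4625, "svc_backup", "203.0.113.50"),
    ("2024-05-01T08:02:00Z", "web01", 4625, "jsmith", "203.0.113.50"),
    ("2024-05-01T08:02:20Z", "web01", 4625, "jsmith", "203.0.113.50"),
    ("2024-05-01T08:02:30Z", "web01", 4624, "jsmith", "203.0.113.50"),
    ("2024-05-01T08:03:00Z", "web01", 4625, "alice", "10.0.0.5"),
    ("2024-05-01T08:03:30Z", "web01", 4625, "alice", "10.0.0.5"),
    ("2024-05-01T08:04:00Z", "web01", 4624, "alice", "10.0.0.5"),
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Map source IP -> (failures_in_window, distinct_accounts, success_after)
    for every IP with at least `threshold` 4625 events inside a sliding window.
    The window slides rather than using fixed bins, so a burst that straddles a
    bin boundary (a common gap in bin-based rules) is still caught."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for time_generated, _computer, event_id, account, ip in events:
        t = _ts(time_generated)
        if event_id == 4625:
            failures[ip].append((t, account))
        elif event_id == 4624:
            successes[ip].append(t)

    hits = {}
    for ip, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # advance the window start until the span is at most `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > hits.get(ip, (0,))[0]:
                accounts = {a for _, a in attempts[start:end + 1]}
                # a successful logon at or after the last failure is the
                # signal that the spray worked and needs immediate response
                success_after = any(s >= attempts[end][0] for s in successes[ip])
                hits[ip] = (count, len(accounts), success_after)
    return hits


if __name__ == "__main__":
    for ip, (count, accounts, success) in detect_bruteforce(SECURITY_EVENTS).items():
        flag = " SUCCESS AFTER FAILURES" if success else ""
        print(f"{ip}: {count} failures across {accounts} accounts{flag}")
```

The lone failure at 07:00 from the attacker's address is outside the window and does not count; the eight failures across four accounts followed by a 4624 from the same address are what a brute-force or password-spray rule should escalate, while the two failures from 10.0.0.5 stay below threshold.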

48
MCQeasy

You need to ensure that Azure SQL Database always encrypts data at rest and in transit. Which features should you enable?

A.Firewall rules and Azure Active Directory authentication
B.Transparent Data Encryption (TDE) and enforce TLS connections
C.Always Encrypted and firewall rules
D.Azure Defender for SQL and vulnerability assessment
AnswerB

TDE encrypts data at rest; enforcing TLS encrypts data in transit.

Why this answer

Option B is correct because Transparent Data Encryption (TDE) encrypts data at rest, and enforcing TLS encrypts data in transit. Option C is wrong because Always Encrypted protects specific columns, not the entire database, and firewall rules do not encrypt anything. Option D is wrong because Azure Defender for SQL provides threat detection and vulnerability assessment, not encryption.

Option A is wrong because firewall rules and Microsoft Entra authentication control access; neither encrypts data.

49
MCQeasy

A company uses Microsoft Intune to manage corporate devices. They want to ensure that only compliant devices can access corporate email in Outlook Mobile. Which type of policy should they configure?

A.App protection policy
B.Device configuration policy
C.Conditional Access policy
D.Compliance policy
AnswerC

Conditional Access can block access to apps if device is not compliant.

Why this answer

Conditional Access in Microsoft Entra ID can require device compliance before granting access. Option C is correct. Option D is wrong because compliance policies define what compliant means, but enforcement happens through Conditional Access.

Option A is wrong because app protection policies are app-level controls, not device compliance. Option B is wrong because device configuration policies push settings; they do not control access.

50
Multi-Selecthard

Which THREE components should be part of a secure DevOps pipeline using Microsoft security tools? (Select exactly three correct options.)

Select 3 answers
A.Azure Firewall
B.Microsoft Purview
C.Azure Front Door
D.Microsoft Entra ID
E.Microsoft Defender for DevOps
AnswersB, D, E

Defender for DevOps scans repositories and pipelines for exposed secrets and misconfigurations.

Why this answer

Microsoft Entra ID is correct because pipelines and the environments they deploy to need identities: service connections backed by service principals or workload identity federation, with least-privilege role assignments instead of long-lived credentials. Microsoft Defender for DevOps is correct because it connects to Azure DevOps and GitHub and surfaces exposed secrets, infrastructure-as-code misconfigurations and code and dependency findings from repositories and CI/CD pipelines in Defender for Cloud. Microsoft Purview is correct because it provides data governance capabilities, including classification, sensitivity labeling and data loss prevention, for the sensitive data that the pipeline and the application it deploys handle.

Exam trap

The trap here is that candidates often confuse network security appliances (Azure Firewall, Azure Front Door) with DevOps-specific security controls, failing to recognize that a secure pipeline requires identity, data governance, and workload protection tools that operate at the code and CI/CD layer, not just at the network perimeter.

51
MCQeasy

You need to design a solution to protect Azure VMs from malware and provide security recommendations. Which Azure service should you enable?

A.Azure Sentinel
B.Microsoft Intune
C.Azure Monitor
D.Microsoft Defender for Cloud
AnswerD

Provides antimalware and security recommendations.

Why this answer

Option D is correct because Microsoft Defender for Cloud provides antimalware and security recommendations. Option A is wrong because Azure Sentinel is a SIEM. Option C is wrong because Azure Monitor collects logs.

Option B is wrong because Microsoft Intune manages endpoints.

52
MCQmedium

Your company uses Microsoft Defender for Endpoint (MDE) and wants to integrate threat intelligence from an external source to improve detection. The security team needs to ingest custom indicators of compromise (IOCs) into MDE. Which feature should they use?

A.Advanced Hunting
B.Threat Analytics
C.Automated investigation and response
D.Custom indicators (IOCs)
AnswerD

Custom indicators allow ingestion of IOCs from external sources.

Why this answer

Option D is correct because the Custom Indicators (IOCs) feature in Microsoft Defender for Endpoint allows security teams to manually ingest and manage threat intelligence from external sources, such as IP addresses, URLs, domains, or file hashes. MDE then uses these indicators to raise alerts or block the matching activity, enabling tailored detection beyond the built-in threat intelligence feeds.

Exam trap

The trap here is that candidates often confuse 'Advanced Hunting' (a query tool) with a feature for importing threat data, or they mistakenly think 'Threat Analytics' allows custom feed integration, when in fact it only displays Microsoft's pre-built analysis.

How to eliminate wrong answers

Option A is wrong because Advanced Hunting is a query-based tool for exploring raw telemetry data over the past 30 days, not a mechanism for ingesting external IOCs. Option B is wrong because Threat Analytics provides curated reports and insights on known threats from Microsoft's research, not a way to import custom indicators. Option C is wrong because Automated investigation and response is a workflow that triggers actions on alerts, but it cannot ingest or manage external IOCs; it relies on existing detection rules.

53
MCQhard

A company is designing a security operations strategy. They want to use Microsoft Sentinel to detect and respond to threats across their hybrid environment. They need to ensure that logs from all sources are collected cost-effectively and that analysts can easily query data. Which data ingestion strategy should they recommend?

A.Send all logs to the Basic logs table to reduce costs.
B.Send only Windows Security Events to Sentinel.
C.Send all logs to the Analytics logs table for full query capabilities.
D.Use Analytics logs for high-value security logs and Basic logs for verbose logs with low security value.
AnswerD

Balances cost and functionality; Basic logs for low-value data, Analytics for actionable data.

Why this answer

Option D is correct because it balances cost and query performance by routing high-value security logs (e.g., Windows Security Events, network logs) to the Analytics logs table for full KQL query capabilities and retention, while sending verbose, low-security-value logs (e.g., DNS debug, firewall flow logs) to the Basic logs table, which offers lower ingestion cost and limited query features (e.g., no KQL summarization). This tiered approach ensures analysts can efficiently hunt on critical data without incurring unnecessary costs for voluminous, less actionable logs.

Exam trap

The trap here is that candidates assume 'cost-effective' means using only the cheapest option (Basic logs) or only the most capable option (Analytics logs), failing to recognize that Microsoft Sentinel’s tiered ingestion model is designed specifically to optimize cost versus query capability by separating high-value and low-value log sources.

How to eliminate wrong answers

Option A is wrong because sending all logs to the Basic logs table would severely limit query capabilities—Basic logs support only simple search and no KQL aggregation functions like summarize or make-series—making threat hunting and advanced analytics impractical. Option B is wrong because sending only Windows Security Events ignores other critical sources like Azure Activity logs, network logs, and third-party security appliances, creating blind spots in the hybrid environment and violating the requirement to detect threats across all sources. Option C is wrong because sending all logs to the Analytics logs table would incur high ingestion and retention costs for verbose logs (e.g., DNS queries, firewall flow logs) that have low security value, contradicting the cost-effectiveness requirement.

54
MCQmedium

Your organization uses Microsoft Defender for Cloud Apps to monitor shadow IT. You discover that employees are using a third-party file sharing app that is not sanctioned. The security team wants to block access to this app from managed devices and require authentication for unmanaged devices. You need to configure the appropriate controls in Defender for Cloud Apps. What should you do?

A.Create a session policy that monitors file uploads to the app.
B.Create an app governance policy to restrict the app's permissions.
C.Create an access policy to block the app on unmanaged devices and require authentication on managed devices.
D.Configure a DLP policy to prevent sharing of sensitive data through the app.
AnswerC

Access policies can block or allow based on device and user context.

Why this answer

Option C is correct because it uses access policies to block unmanaged devices and require authentication, which aligns with the requirement. Option A is wrong because session policies monitor but do not block. Option B is wrong because app governance policies manage app permissions.

Option D is wrong because DLP policies focus on data protection.

55
Multi-Selectmedium

Which TWO actions are part of the Microsoft Cybersecurity Reference Architecture (MCRA) for a Zero Trust implementation?

Select 2 answers
A.Use a single security vendor for all solutions
B.Block all legacy authentication protocols
C.Treat identity as the primary security perimeter
D.Implement micro-segmentation of network traffic
E.Require multifactor authentication for all users
AnswersC, D

MCRA emphasizes identity as the control plane.

Why this answer

Option C is correct because the MCRA explicitly identifies identity as the primary security perimeter in a Zero Trust model, shifting trust from the network to user and device identity. This principle underpins all other controls, as every access request must be authenticated and authorized regardless of location.

Exam trap

The trap here is that candidates often confuse 'best practices' (like blocking legacy auth or requiring MFA for all) with the core architectural principles of Zero Trust defined in the MCRA, which prioritize identity as the control plane and micro-segmentation as the network isolation mechanism.

56
MCQmedium

You are designing an API management solution using Azure API Management. The security team requires that all API calls must be authenticated using OAuth 2.0 and that only specific Azure AD applications can access the APIs. Additionally, the solution must support rate limiting and IP filtering. What should you configure?

A.Set up client certificate authentication and map certificates to Azure AD apps
B.Enable API key authentication and restrict access using subscription keys
C.Use OAuth 2.0 with Azure AD and configure inbound policies to validate JWTs
D.Configure OAuth 2.0 in Azure API Management, use validate-jwt policy to restrict to specific Azure AD apps, and add rate-limit and ip-filter policies
AnswerD

This combination meets all requirements.

Why this answer

Option D is correct because Azure API Management can validate OAuth 2.0 tokens, and you can restrict access to specific Azure AD applications using the 'validate-jwt' policy. Rate limiting and IP filtering are also built-in policies ('rate-limit' and 'ip-filter'). Option C is wrong because it is not a complete solution: it validates JWTs but does not add rate limiting or IP filtering.

Option B is wrong because API keys (subscription keys) are less secure and are not OAuth 2.0. Option A is wrong because client certificates are not OAuth.

57
Multi-Selectmedium

A company uses Microsoft Purview Data Lifecycle Management. They need to retain financial records for 7 years and then delete them. Which TWO actions should they configure?

Select 2 answers
A.Create a DLP policy that blocks deletion
B.Apply a sensitivity label to the records
C.Create a retention label with a 7-year retention period
D.Use a trainable classifier to identify records
E.Configure a disposition review to approve deletion
AnswersC, E

Retention labels enforce retention.

Why this answer

Option C is correct because Microsoft Purview Data Lifecycle Management uses retention labels to enforce a specific retention period and then automatically delete the data. By creating a retention label with a 7-year retention period, the organization ensures financial records are retained for exactly 7 years and then permanently deleted without manual intervention.

Exam trap

The trap here is confusing sensitivity labels (used for classification and protection) with retention labels (used for lifecycle management), leading candidates to incorrectly select Option B instead of understanding that retention labels are the correct mechanism for timed deletion.

58
MCQeasy

Refer to the exhibit. A security administrator created this Azure Policy definition to prevent unauthorized role assignments. However, SOC analysts are unable to assign the Security Operations Contributor role to new team members. What is the most likely cause?

A.The policy is scoped to a management group that does not include the SOC team's subscription.
B.The parameter 'principalId' is required but not provided when assigning the policy.
C.The role definition ID in the policy does not match the Security Operations Contributor role.
D.The policy uses the 'deny' effect, which blocks any role assignment for the specified role.
AnswerD

The policy denies assignments of the specified role, preventing SOC analysts from assigning it.

Why this answer

Option D is correct because the Azure Policy definition uses the 'deny' effect, which explicitly blocks any role assignment that matches the specified role definition ID. Since the policy targets the Security Operations Contributor role, any attempt to assign that role—including by SOC analysts—is denied by the policy engine, regardless of permissions.

Exam trap

The trap here is that candidates often confuse Azure Policy's 'deny' effect with RBAC 'deny assignments' or assume the issue is a missing parameter or scope misconfiguration, rather than recognizing that a policy with 'deny' explicitly blocks the action itself.

How to eliminate wrong answers

Option A is wrong because if the policy were scoped to a management group that excludes the SOC team's subscription, the policy would not apply at all, and role assignments would succeed without restriction—so this would not cause the failure. Option B is wrong because the 'principalId' parameter is not required for the policy to evaluate role assignments; it is only used in the 'roleAssignmentResource' alias to match the specific principal, and omitting it would cause the policy to deny all assignments for the role, not fail to assign. Option C is wrong because if the role definition ID did not match, the policy would not apply to Security Operations Contributor assignments, and they would succeed—so a mismatch would not cause the denial.

59
MCQeasy

Your organization uses Microsoft Intune to manage devices. You need to ensure that only compliant devices can access corporate email. What should you configure?

A.Create a Conditional Access policy that requires compliant device
B.Set up enrollment restrictions in Intune
C.Create a device configuration policy that blocks non-compliant devices
D.Configure an app protection policy for email apps
AnswerA

Conditional Access can require device compliance as a condition for accessing corporate resources.

Why this answer

Option A is correct because a Conditional Access policy in Microsoft Entra ID (formerly Azure AD) can enforce the requirement that only devices marked as compliant by Intune can access corporate email. This policy evaluates the device compliance status at authentication time and blocks or grants access based on that signal, ensuring that only managed and compliant devices can connect to services like Exchange Online.

Exam trap

The trap here is that candidates often confuse device configuration policies (which set device settings) with Conditional Access (which enforces access control based on compliance), leading them to choose option C instead of the correct policy-based access control.

How to eliminate wrong answers

Option B is wrong because enrollment restrictions in Intune control which devices can enroll into management (e.g., by platform or ownership type), but they do not enforce compliance at the point of access to corporate email. Option C is wrong because device configuration policies in Intune are used to set settings and features on devices (like password policies or restrictions), not to block non-compliant devices from accessing resources; blocking access is done via Conditional Access. Option D is wrong because an app protection policy (MAM) protects data within apps (e.g., preventing copy/paste or requiring PIN) but does not evaluate device compliance; it can be used without device enrollment but does not replace the need for a Conditional Access policy that checks device compliance.

60
Multi-Selecteasy

You are designing an API management solution using Azure API Management. Which TWO should you implement to protect the API from unauthorized access? (Choose TWO.)

Select 2 answers
A.Implement OAuth 2.0 authorization with Microsoft Entra ID.
B.Use client certificates for authentication.
C.Enable Cross-Origin Resource Sharing (CORS).
D.Restrict access by IP address only.
E.Require subscription keys for all API calls.
AnswersA, E

OAuth 2.0 is a standard authorization framework.

Why this answer

Options A and E are correct. Subscription keys are a basic mechanism to authenticate callers. OAuth 2.0 is a standard authorization framework integrated with Azure API Management.

Option B is wrong because client certificates are for mutual TLS, not a primary authentication method. Option D is wrong because IP filtering restricts IP ranges; it is not authentication. Option C is wrong because CORS is for cross-origin requests, not authentication.

61
MCQmedium

Your organization uses Azure SQL Database and needs to protect sensitive data from being exported by unauthorized users. You must implement a solution that prevents users from copying data to clipboard or taking screenshots of query results, while allowing legitimate business operations. What should you implement?

A.Apply Azure Information Protection labels to the database.
B.Use Dynamic Data Masking to obscure sensitive columns.
C.Enable Azure SQL Database Auditing and threat detection.
D.Configure a session policy in Microsoft Defender for Cloud Apps to block clipboard and screenshot actions.
AnswerD

Session policies can control data exfiltration in real-time.

Why this answer

Option D is correct because Microsoft Defender for Cloud Apps session policies can monitor and control data exfiltration via reverse proxy, including blocking clipboard and screenshot actions. Option C is incorrect because Azure SQL Database Auditing logs activities but does not prevent them. Option B is incorrect because Dynamic Data Masking obfuscates data but does not prevent export.

Option A is incorrect because Azure Information Protection labels files but does not prevent clipboard actions in a browser.

62
MCQeasy

You are designing a backup strategy for Azure virtual machines that host a mission-critical application. The solution must support daily backups with a retention of 30 days for daily backups, weekly backups retained for 12 weeks, and monthly backups retained for 3 years. What should you use?

A.Azure Files backup with a custom script.
B.Azure Disk Backup with a snapshot schedule.
C.Azure Site Recovery with a recovery plan.
D.Azure Backup with a backup policy that specifies daily, weekly, and monthly retention.
AnswerD

Azure Backup policies support multi-tier retention.

Why this answer

Option D is correct because Azure Backup allows you to define backup policies with multiple retention points (daily, weekly, monthly, yearly). Option C is incorrect because Azure Site Recovery is for disaster recovery, not long-term retention. Option B is incorrect because Azure Disk Backup is for disk-level backups and does not support complex retention.

Option A is incorrect because Azure Files backup is for file shares.

63
MCQeasy

A company uses Microsoft Sentinel to detect threats. They want to automatically send an email to the security team when a high-severity incident is created. What should they configure?

A.An analytics rule with an automated response
B.A workbook
C.A watchlist
D.A hunting query
AnswerA

Analytics rules can trigger playbooks that send email notifications when an incident is created.

Why this answer

Option A is correct because analytics rules with automated responses can trigger a playbook to send email. Option B is wrong because workbooks are for visualization. Option C is wrong because watchlists are for reference data.

Option D is wrong because hunting queries are for proactive threat hunting.

64
MCQeasy

Your organization is adopting Microsoft Purview to classify and protect sensitive data in Microsoft 365. You need to ensure that documents containing credit card numbers are automatically detected and encrypted when shared externally. What should you configure?

A.An Information Barrier policy between departments
B.A sensitivity label configured with auto-labeling for credit card numbers and encryption for external sharing
C.A retention label that deletes documents with credit card numbers after 90 days
D.A Data Loss Prevention (DLP) policy that blocks sharing of credit card numbers
AnswerB

Auto-labeling detects the data and encryption protects it when shared externally.

Why this answer

Option B is correct because sensitivity labels in Microsoft Purview can be configured with auto-labeling conditions that detect sensitive data types (e.g., credit card numbers) and automatically apply encryption to documents when shared externally. This meets the requirement of automatic detection and encryption for external sharing without manual user intervention.

Exam trap

The trap here is confusing DLP policies (which block or warn) with sensitivity labels (which can auto-apply encryption), leading candidates to choose DLP when the requirement explicitly states 'encrypt when shared externally' rather than block.

How to eliminate wrong answers

Option A is wrong because Information Barrier policies are designed to prevent communication and collaboration between specific groups or departments, not to detect or encrypt sensitive data like credit card numbers. Option C is wrong because retention labels manage data lifecycle (retention or deletion) based on time, not real-time detection or encryption of sensitive content when shared externally. Option D is wrong because a DLP policy can block sharing of credit card numbers but does not encrypt the documents; it only prevents the action, whereas the requirement is to encrypt when shared externally.

65
MCQhard

Your organization uses Microsoft Defender for Cloud to secure multi-cloud workloads. You need to ensure that Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP) resources are assessed against the same security baseline. What should you do?

A.Configure AWS Config and GCP Security Command Center to export findings to Microsoft Sentinel
B.Connect AWS and GCP accounts to Defender for Cloud and use Azure Policy to enforce the Microsoft Cloud Security Benchmark
C.Use regulatory compliance standards for each cloud separately
D.Enable the Cloud Security Posture Management (CSPM) plan and configure AWS and GCP connectors
AnswerB

Connecting multi-cloud accounts allows Defender for Cloud to assess them against Azure Policy initiatives like the Microsoft Cloud Security Benchmark.

Why this answer

Microsoft Defender for Cloud can assess resources from Azure, AWS, and GCP using security policies. By default, Azure Policy is used for Azure resources. To assess AWS and GCP, you need to connect those cloud accounts to Defender for Cloud and then use Azure Policy to enforce standards like Microsoft Cloud Security Benchmark.

Option D is wrong because the CSPM plan assesses posture but does not by itself apply a single baseline across clouds. Option C is wrong because regulatory compliance standards apply to specific regulations, not custom baselines. Option A is wrong because AWS Config and GCP Security Command Center are separate tools, not integrated into a single baseline.

66
MCQmedium

Refer to the exhibit. You are analyzing a KQL query in Microsoft Defender XDR advanced hunting. The query is intended to identify the top 10 devices by the number of executable process creations in the last 7 days. However, the results are showing only a few entries with low counts. What is the most likely issue?

A.The 'summarize' statement should include DeviceName in the aggregate
B.The 'take' operator is not appropriate for this aggregation
C.The 'bin' function on Timestamp is incorrect
D.The ActionType filter is likely missing the correct value for process creation
AnswerD

In Defender for Endpoint, the ActionType for process creation is often 'ProcessCreated' or similar, not 'ProcessCreate'. Also, a FileName filter may exclude processes launched from full paths.

Why this answer

Option D is correct because the query filters on ActionType == "ProcessCreate", but the correct enumeration value might be "ProcessCreated" or another name; also, FileName endswith ".exe" might miss processes with full paths. Option B is wrong because the take operator works; the query is simply not returning the expected rows because of the filter. Option C is wrong because bin(Timestamp, 1h) is valid.

Option A is wrong because the summarize should work on DeviceName.

67
MCQhard

Your organization is implementing a privileged access strategy using Microsoft Entra Privileged Identity Management (PIM). The compliance team requires that all privileged role activations be approved by a manager and that an audit trail is maintained for at least one year. Which configuration should you recommend?

A.Configure access reviews for privileged roles
B.Set PIM role settings to require approval and enable audit logging
C.Enable Conditional Access policies for privileged roles
D.Require Azure MFA for role activation
AnswerB

PIM supports approval workflow and logs are retained for auditing.

Why this answer

Option B is correct because it directly addresses both compliance requirements: requiring approval ensures a manager authorizes each activation, and enabling audit logging in PIM retains activation history for at least one year. PIM role settings allow you to configure approval workflows and automatically log all activations to the Microsoft Entra audit log, which can be exported and retained for compliance purposes.

Exam trap

The trap here is that candidates confuse access reviews (periodic recertification) with the real-time approval workflow required for each activation, or they assume MFA alone satisfies the audit and approval requirements.

How to eliminate wrong answers

Option A is wrong because access reviews are used for periodic recertification of role assignments, not for real-time approval of activations or audit trail retention. Option C is wrong because Conditional Access policies control access based on conditions like location or device state, but they do not provide the required manager approval workflow or dedicated audit logging for role activations. Option D is wrong because Azure MFA for role activation enhances security but does not satisfy the compliance requirement for manager approval or the one-year audit trail retention.

68
MCQmedium

Your organization uses Microsoft Purview to manage data governance. You need to create a unified data catalog that automatically classifies and labels data across Azure SQL Database, Amazon S3, and on-premises SQL Server. What should you configure?

A.Microsoft Purview account with scans for all data sources.
B.Azure Data Catalog with custom classification.
C.Azure Purview (legacy) with multi-cloud scanning.
D.Microsoft Information Protection scanner on each source.
AnswerA

Microsoft Purview can scan multi-cloud and on-premises sources.

Why this answer

Option A is correct because Microsoft Purview (the unified data governance service) supports scanning and classifying data across multi-cloud and on-premises sources. Option D is wrong because the Microsoft Information Protection scanner is for labeling, not for cataloging and scanning data sources. Option C is wrong because Azure Purview is the legacy name; the service is now part of Microsoft Purview, which is Option A.

Option B is wrong because Azure Data Catalog is legacy and limited.

69
MCQhard

Your organization is migrating on-premises workloads to Azure and wants to use Microsoft Defender for Cloud to secure the environment. The compliance team requires that all critical vulnerabilities be remediated within 30 days. What is the most efficient way to track and enforce this?

A.Configure Azure Policy to auto-remediate all Defender for Cloud recommendations
B.Create a custom Azure Dashboard and manually update it weekly
C.Enable automatic VM patching in Azure Update Manager
D.Use Microsoft Defender for Cloud regulatory compliance dashboard with a custom initiative
AnswerD

Tracks compliance against specific standards and deadlines.

Why this answer

Option D is correct because Microsoft Defender for Cloud's regulatory compliance dashboard allows you to apply a custom initiative (e.g., based on the Microsoft Cloud Security Benchmark or a custom policy set) that maps specific security recommendations to compliance controls. By setting the initiative to enforce a 30-day remediation SLA via Azure Policy's 'deployIfNotExists' or 'modify' effects, you can automatically track compliance status and trigger remediation actions, meeting the compliance team's requirement efficiently.

Exam trap

The trap here is that candidates confuse 'auto-remediation' (Option A) with 'tracking and enforcing a time-bound SLA', but auto-remediation applies fixes immediately without a 30-day grace period, while the regulatory compliance dashboard is specifically designed to map recommendations to compliance controls and track remediation against custom timeframes.

How to eliminate wrong answers

Option A is wrong because Azure Policy auto-remediation (e.g., 'deployIfNotExists' effect) can automatically fix non-compliant resources, but it does not inherently track or enforce a 30-day remediation deadline; it applies fixes immediately or on a schedule, not based on a time-bound SLA. Option B is wrong because a custom Azure Dashboard manually updated weekly is not an efficient or automated way to track remediation deadlines; it lacks real-time enforcement and relies on human effort, which is error-prone and does not meet the compliance requirement for automated tracking. Option C is wrong because automatic VM patching in Azure Update Manager only addresses OS-level patch vulnerabilities, not all critical vulnerabilities across the full cloud workload (e.g., misconfigurations, network security groups, storage), and it does not provide a compliance dashboard to track remediation against a 30-day SLA.

70
MCQmedium

A company uses Microsoft Purview to manage data governance. They need to classify sensitive data automatically in Azure SQL Database. What should they configure?

A.Microsoft Defender for Cloud regulatory compliance
B.Microsoft Purview Data Map scanning rules
C.Microsoft Sentinel data connectors
D.Microsoft Entra ID Protection
AnswerB

Purview Data Map scans and classifies data sources.

Why this answer

Microsoft Purview Data Map scanning rules are the correct choice because they enable automated classification of sensitive data in Azure SQL Database by scanning the database schema and content against built-in or custom sensitive data types. This is the native mechanism within Purview to discover and label sensitive columns, such as credit card numbers or PII, directly in Azure SQL Database.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud's regulatory compliance dashboard with actual data classification, but Defender for Cloud only checks configuration settings against compliance frameworks, not the content of the data itself.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud regulatory compliance assesses the security posture of Azure resources against compliance standards (e.g., SOC 2, PCI DSS) but does not perform data classification or scanning of sensitive data within Azure SQL Database. Option C is wrong because Microsoft Sentinel data connectors ingest security logs and alerts from various sources for threat detection and SIEM purposes, not for scanning or classifying sensitive data in databases. Option D is wrong because Microsoft Entra ID Protection focuses on identity-based risks such as compromised credentials and sign-in anomalies, not on data classification within Azure SQL Database.

71
Multi-Selectmedium

Your organization is designing a secure access solution for a partner company that needs to access specific SharePoint Online sites. You need to implement Microsoft Entra ID B2B collaboration. Which THREE configurations are essential for a secure B2B collaboration setup?

Select 3 answers
A.Configure cross-tenant access settings in Microsoft Entra ID
B.Enable multi-factor authentication (MFA) for guest users
C.Use B2B direct connect for SharePoint site access
D.Allow all external domains to invite users without restrictions
E.Set Conditional Access policies that apply to guest users
AnswersA, B, E

Cross-tenant access settings control trust and access policies with partner tenants.

Why this answer

Option A is correct because cross-tenant access settings in Microsoft Entra ID allow you to control inbound and outbound access for B2B collaboration, including trust settings for MFA and device compliance. This is essential to define which partner tenants can access your resources and under what conditions, preventing unauthorized access.

Exam trap

The trap here is confusing B2B direct connect (for Teams shared channels) with B2B collaboration (for SharePoint and other apps), leading candidates to select Option C incorrectly.

72
Multi-Selecteasy

Which TWO Microsoft Purview solutions should you use to protect sensitive data in Microsoft 365? (Choose two.)

Select 2 answers
A.Microsoft Purview Audit.
B.Insider Risk Management.
C.Sensitivity labels and policies.
D.Microsoft Purview eDiscovery.
E.Data Loss Prevention (DLP) policies.
AnswersC, E

Labels classify and protect data with encryption and markings.

Why this answer

Option E is correct because Data Loss Prevention (DLP) policies prevent sensitive data from being shared inappropriately. Option C is correct because sensitivity labels classify and protect data across Microsoft 365. Option B is wrong because Insider Risk Management detects risky user activities but does not directly protect data.

Option D is wrong because eDiscovery is for legal discovery. Option A is wrong because Audit logs track activities but do not protect data.

73
MCQ · medium

Your organization uses Microsoft Purview and needs to prevent users from copying sensitive data to USB drives. Which solution should you implement?

A. Sensitivity labels with encryption
B. Insider Risk Management
C. Endpoint data loss prevention (DLP)
D. Communication Compliance
Answer: C

Endpoint DLP can block copying of sensitive data to removable devices like USB drives.

Why this answer

Endpoint DLP is the correct solution because it extends data loss prevention policies to endpoints, enabling the detection and blocking of sensitive data being copied to removable USB drives. Unlike other controls, Endpoint DLP can monitor and restrict data exfiltration actions at the device level, such as copying files to USB media, based on the content's sensitivity classification.

Exam trap

The trap here is that candidates often confuse Insider Risk Management (a detective control) with Endpoint DLP (a preventive control), assuming that risk management can block actions, when in fact it only alerts on suspicious behavior after the fact.

How to eliminate wrong answers

Option A is wrong because sensitivity labels with encryption protect data at rest and in transit by restricting access, but they do not block the act of copying labeled data to a USB drive; encryption alone does not prevent data exfiltration via removable media. Option B is wrong because Insider Risk Management is a detection and investigation tool that identifies risky user activities (e.g., unusual file copying) but does not actively block or prevent the copy action in real time. Option D is wrong because Communication Compliance focuses on monitoring and analyzing communications (e.g., email, Teams) for policy violations, not on controlling data movement to USB drives.

74
MCQ · medium

Your company develops a web application hosted on Azure App Service. The application uses Azure SQL Database and requires managed identities to access the database. You need to ensure that the application can authenticate to Azure SQL without storing credentials in code. Which authentication method should you implement?

A. Store a client certificate in Azure Key Vault and reference it from the app.
B. Use an Azure AD service principal with a client secret.
C. Use Azure SQL database-level firewall rules with a static IP restriction.
D. Enable system-assigned managed identity on the App Service and grant it access to the SQL database.
Answer: D

Managed identity eliminates credential storage.

Why this answer

Option D is correct because a system-assigned managed identity is the simplest and most secure way for an Azure App Service to authenticate to Azure SQL without storing credentials. Option B is wrong because an Azure AD service principal with a client secret still requires secret management. Option A is wrong because certificate-based authentication still requires certificate deployment.

Option C is wrong because firewall rules with a static IP restriction limit network access but are not an authentication method; a static IP is not a credential.

75
MCQ · easy

You need to audit user activities in Microsoft 365, including who accessed a specific file in SharePoint Online. Which Microsoft Purview solution should you use?

A. Microsoft Purview Information Protection
B. Microsoft Purview Communication Compliance
C. Microsoft Purview Audit
D. Microsoft Purview Data Lifecycle Management
Answer: C

Audit logs user activities, including file access.

Why this answer

Microsoft Purview Audit (specifically Audit (Standard) or Audit (Premium)) is the correct solution because it captures and logs user activities across Microsoft 365 services, including SharePoint Online. When a user accesses a specific file, the audit log records the event with details such as the user, file name, action (e.g., FileAccessed), and timestamp, enabling you to query this data via the Microsoft 365 Defender portal or Search-UnifiedAuditLog cmdlet.

Exam trap

The trap here is that candidates often confuse 'auditing' with 'protection' or 'compliance' solutions, mistakenly choosing Information Protection (A) because they think labeling controls access, or Communication Compliance (B) because they associate 'compliance' with monitoring user actions, when in fact Audit is the dedicated logging service for user activity tracking.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview Information Protection focuses on classifying, labeling, and protecting sensitive data (e.g., via sensitivity labels and encryption), not on auditing user activities or file access events. Option B is wrong because Microsoft Purview Communication Compliance is designed to detect and remediate inappropriate communications (e.g., offensive language or insider trading) in Exchange Online, Teams, or Yammer, not to audit file access in SharePoint Online. Option D is wrong because Microsoft Purview Data Lifecycle Management manages retention and deletion policies for data (e.g., automatically archiving or deleting old files), not the logging of user access events.
