Microsoft Cybersecurity Architect (SC-100) — Questions 676750

969 questions total · 13 pages · All types, answers revealed

Page 10 of 13

676 (MCQ, medium)

Your organization uses Microsoft Entra ID and needs to ensure that external partners can access only specific applications for 30 days. What should you configure?

A. Entitlement management and create an access package with an expiration of 30 days
B. B2B direct connect
C. Self-service group management
D. Conditional Access policy with session control

Answer: A

Access packages in entitlement management allow you to grant time-limited access to applications for external users.

Why this answer

Option A is correct because entitlement management in Microsoft Entra ID allows you to create access packages that govern external partner access to specific applications. By configuring an access package with a 30-day expiration, you enforce time-limited access, ensuring partners can only access the designated applications for the required duration. This directly meets the requirement of restricting access to specific apps with a defined expiry.

Exam trap

The trap here is that candidates often confuse Conditional Access session controls (which manage sign-in frequency or app restrictions) with the ability to grant and expire access to specific applications, overlooking that entitlement management is the correct identity governance solution for time-limited external access.

How to eliminate wrong answers

Option B (B2B direct connect) is wrong because it is designed for mutual two-way access between organizations, typically for Teams Connect shared channels, and does not provide granular control over application-specific access or automatic expiration. Option C (self-service group management) is wrong because it allows users to create and manage their own groups, but it does not enforce time-bound access to specific applications or support external partner lifecycle management. Option D (Conditional Access policy with session control) is wrong because while it can enforce session restrictions like sign-in frequency, it cannot grant or expire access to specific applications for external users; it only controls access conditions for users who already have access.

677 (Multi-Select, hard)

Your company is using Microsoft Defender for Cloud to protect Azure resources. You need to implement just-in-time (JIT) VM access. Which THREE components are required? (Choose THREE.)

Select 3 answers
A. Microsoft Defender for Cloud enabled at the subscription level.
B. Azure role-based access control (RBAC) permissions for users to request access.
C. Log Analytics workspace for storing access logs.
D. Azure Bastion host for secure RDP/SSH access.
E. A virtual machine with an associated network security group (NSG).

Answers: A, B, E

JIT is a feature of Defender for Cloud.

Why this answer

Options A, B, and E are required. JIT requires a VM with an associated network security group (NSG), Defender for Cloud enabled so that JIT can be turned on, and RBAC permissions for users to request access. Option D is wrong because an Azure Bastion host is optional.

Option C is wrong because a Log Analytics workspace is not required.

678 (MCQ, easy)

You are reviewing an ARM template snippet that creates a blob container. The security team requires that the container be accessible only via authorized Azure AD identities, not via anonymous access. Based on the exhibit, is the configuration correct?

A. Yes, but you also need to disable shared key access
B. No, you need to set 'publicAccess' to 'Blob' to restrict access
C. Yes, the setting 'publicAccess': 'None' prevents anonymous access, and Azure AD authentication is available by default
D. No, you must also configure a firewall rule to restrict access to Azure AD users

Answer: C

Setting publicAccess to None blocks anonymous access. Azure AD authentication is always an option for authorized users.

Why this answer

Option C is correct because 'publicAccess': 'None' ensures no anonymous access, and Azure AD authentication is available by default for authorized identities. Option A is wrong because the configuration is already correct; disabling shared key access is not required to meet the requirement. Option B is wrong because container-level access is not a separate setting, and setting 'publicAccess' to 'Blob' does not restrict access.

Option D is wrong because RBAC is already the default for authorized identities; no firewall rule is needed.

679 (MCQ, hard)

A company uses Microsoft Sentinel and wants to prioritize incidents using user risk scores from Microsoft Entra ID Protection. Which configuration should they use to automatically assign a Sentinel severity based on the user's risk level?

A. Create a custom analytics rule that uses the RiskLevel field to set severity
B. Configure an automation rule to set severity when risk is high
C. Use a watchlist to map risk levels to severity
D. Create a playbook that assigns severity based on risk

Answer: A

Custom analytics rules can map risk level to incident severity during creation.

Why this answer

A is correct because Microsoft Sentinel's custom analytics rules can directly reference the `RiskLevel` field from Microsoft Entra ID Protection user risk data ingested via the UEBA connector. By writing a KQL query that checks the user's risk level (e.g., `RiskLevel == 'high'`) and mapping it to a Sentinel severity (e.g., High, Medium, Low) within the rule's incident creation settings, you automate severity assignment without external dependencies. This native integration ensures real-time synchronization of risk levels to incident priority.

Exam trap

The trap here is that candidates often assume automation rules or playbooks are required for any custom severity assignment, overlooking that custom analytics rules can directly map query results to severity fields without additional automation layers.

How to eliminate wrong answers

Option B is wrong because automation rules can set severity based on conditions like incident properties or entities, but they cannot directly read the `RiskLevel` field from Entra ID Protection user risk data; they operate on incident metadata after creation, not on raw risk signals. Option C is wrong because watchlists are static reference tables used for enrichment or correlation, not for dynamic, real-time mapping of continuously changing user risk levels to severity. Option D is wrong because playbooks (Azure Logic Apps) can assign severity, but they introduce latency and complexity compared to a native analytics rule, and they require additional permissions and orchestration, making them less efficient for this straightforward mapping.

680 (MCQ, easy)

Your organization is developing a Power BI dashboard that uses data from an Azure SQL Database. The data includes personally identifiable information (PII). You need to mask the PII from certain users while allowing full access to data owners. What should you use?

A. Azure SQL Database auditing and Microsoft Defender for Cloud
B. Microsoft Purview Data Map and data catalog
C. Dynamic data masking in Azure SQL Database and row-level security in Power BI
D. Microsoft Purview sensitivity labels and auto-labeling

Answer: C

Dynamic data masking obfuscates PII in query results for non-privileged users. RLS restricts rows in Power BI.

Why this answer

Option C is correct because Power BI row-level security (RLS) can filter rows based on user roles, but to mask specific PII columns you also need dynamic data masking in Azure SQL Database. Option D is wrong because sensitivity labels do not mask data. Option A is wrong because Azure SQL Database auditing logs access but does not mask data.

Option B is wrong because the Microsoft Purview Data Map scans and catalogs data but does not mask it.

681 (MCQ, easy)

Refer to the exhibit. A KQL query in Microsoft Sentinel is used to detect potential brute-force attacks. What does this query detect?

A. Local logon attempts from multiple accounts
B. Failed logon attempts from multiple IPs
C. Successful remote logon attempts from a single IP exceeding 10
D. Failed logon attempts from a single IP

Answer: C

Filters for successful remote logons grouped by IP and account with count >10.

Why this answer

Option C is correct: the query filters for successful logon events (4624) with LogonType 10 (remote interactive), summarizes by account and IP address, and keeps only groups with more than 10 logons. This detects potential brute-force activity. Option A is wrong because the query looks for remote logons (type 10), not local ones.

Option B is wrong because it looks for successful logons, not failures. Option D is wrong because it looks for successful logons, not failures.

682 (Multi-Select, medium)

Your organization uses Microsoft Defender for Cloud and Microsoft Sentinel. You need to design a solution that automates incident response for critical security alerts. Which THREE components should you include?

Select 3 answers
A. Playbooks built on Azure Logic Apps
B. Microsoft Intune compliance policies
C. Sentinel automation rules
D. Microsoft Teams connector for collaboration
E. Conditional Access policies

Answers: A, C, D

Playbooks automate response actions.

Why this answer

Options A, C, and D are correct. Automation rules in Sentinel trigger playbooks (Azure Logic Apps) for incident response, and Microsoft Teams can be used for communication during response.

Option E is wrong because Conditional Access is for identity, not incident response automation. Option B is wrong because Microsoft Intune compliance policies are for device management.

683 (MCQ, medium)

A multinational retail company, Northwind Traders, is building a new e-commerce platform on Azure. The platform includes a public-facing API built on Azure API Management (APIM) that processes orders containing personal data (PII). The company uses Microsoft Entra ID for identity management. You need to design a security solution that protects the API from common web vulnerabilities (e.g., SQL injection, XSS) and ensures that only authenticated users with the appropriate role can place orders. Additionally, you need to log and monitor all API requests for security auditing. Which combination of services should you use?

A. Use Azure Firewall to filter traffic, implement client certificate authentication in APIM, and use Azure Monitor for logging.
B. Use Azure API Management with built-in WAF, configure OAuth 2.0 authorization with Microsoft Entra ID, and enable Azure Monitor and Log Analytics for logging and alerting.
C. Use Azure Application Gateway with WAF in front of APIM, configure IP whitelisting on APIM, and enable diagnostic settings to send logs to a storage account.
D. Use Azure Front Door with WAF in front of APIM, configure IP whitelisting on APIM, and use Microsoft Sentinel for logging.

Answer: B

APIM WAF protects against OWASP threats, OAuth 2.0 provides secure authentication and authorization, and Monitor/Log Analytics provide comprehensive logging.

Why this answer

Option B is correct because Azure Web Application Firewall (WAF) on APIM protects against OWASP Top 10 threats, OAuth 2.0 with Entra ID provides authentication and authorization, and Azure Monitor and Log Analytics provide logging and monitoring. Option A is wrong because network-layer filtering (Azure Firewall, like NSGs) does not protect against application-layer attacks such as SQL injection and XSS. Option D is wrong because IP whitelisting does not handle authentication/authorization.

Option C is wrong because Application Gateway WAF is redundant if APIM WAF is used, and IP whitelisting is not suitable.

684 (MCQ, easy)

Your organization uses Microsoft Purview to classify sensitive data in Azure storage. You need to ensure that a file containing PII is automatically protected when uploaded to an Azure Blob Storage account. What should you use?

A. Microsoft Purview retention labels
B. Microsoft Purview Information Protection sensitivity labels manually applied
C. Microsoft Purview Data Policy with auto-labeling
D. Azure Information Protection unified labeling client

Answer: C

Purview Data Policy can automatically apply sensitivity labels and encryption.

Why this answer

Option C is correct because a Purview Data Policy can enforce auto-labeling and protection based on classification. Option B is incorrect because manually applied sensitivity labels do not trigger protection automatically. Option D is incorrect because Azure Information Protection is now part of Purview.

Option A is incorrect because retention labels are for retention, not protection.

685 (MCQ, easy)

Your organization needs to enforce multi-factor authentication (MFA) for all users accessing sensitive applications. You plan to use Microsoft Entra ID Conditional Access. Which grant control should you configure?

A. Require multi-factor authentication
B. Require authentication strength (e.g., phishing-resistant MFA)
C. Require device to be marked as compliant
D. Use app enforced restrictions

Answer: A

This grant control directly enforces MFA.

Why this answer

The question specifies a requirement to enforce MFA for all users accessing sensitive applications. In Microsoft Entra ID Conditional Access, the 'Require multi-factor authentication' grant control directly enforces Azure AD MFA (e.g., via Microsoft Authenticator, OATH tokens, or SMS) as the primary authentication method. This is the simplest and most direct control to meet the stated goal of requiring MFA, without adding additional constraints like device compliance or authentication strength levels.

Exam trap

The trap here is that candidates often confuse 'Require authentication strength' (which is a newer, more specific control for phishing-resistant MFA) with the general 'Require multi-factor authentication' control, leading them to select the more complex option when the question simply asks for MFA enforcement.

How to eliminate wrong answers

Option B is wrong because 'Require authentication strength' is a more granular control that enforces a specific MFA method (e.g., phishing-resistant MFA via FIDO2 or certificate-based authentication), which is overkill for a general 'enforce MFA' requirement and may not be supported by all users. Option C is wrong because 'Require device to be marked as compliant' enforces device health (e.g., Intune compliance) but does not inherently require MFA; a user could satisfy this control with a compliant device and password only. Option D is wrong because 'Use app enforced restrictions' is a control that delegates MFA enforcement to the application itself (e.g., Exchange Online or SharePoint Online), which may not support MFA natively or may have inconsistent behavior, and it does not guarantee MFA at the identity provider level.

686 (Multi-Select, easy)

Your organization uses Microsoft Sentinel for security operations. You need to design a solution to detect and respond to lateral movement attempts using pass-the-hash attacks. Which TWO data sources should you enable in Microsoft Sentinel to best detect this activity?

Select 2 answers
A. Office 365 Audit Logs
B. Windows Security Events via Azure Monitor Agent
C. DNS query logs
D. Microsoft Defender for Identity alerts
E. Azure Activity Log

Answers: B, D

Windows Security Events include Event ID 4624 (logon) and 4625 (failed logon) that can indicate pass-the-hash when combined with anomalous source workstations.

Why this answer

Option B (Windows Security Events) logs NTLM authentication events that can reveal pass-the-hash attempts. Option D (Microsoft Defender for Identity) provides advanced behavioral analytics to detect lateral movement. Option E (Azure Activity Log) covers Azure resource operations, not on-premises lateral movement.

Option A (Office 365 Audit Logs) covers cloud app activity. Option C (DNS query logs) helps with network detection but is not the best source for pass-the-hash.

687 (MCQ, medium)

Your organization uses Microsoft Entra ID and wants to implement a passwordless authentication strategy. Users have smartphones. Which method should you recommend as the primary authentication method?

A. FIDO2 security keys
B. Microsoft Authenticator app with passwordless sign-in
C. SMS-based authentication
D. Windows Hello for Business

Answer: B

Microsoft Authenticator supports passwordless sign-in using phone, making it suitable for users with smartphones.

Why this answer

The Microsoft Authenticator app with passwordless sign-in is the correct primary method because it leverages the user's smartphone to provide a seamless, phishing-resistant authentication experience using public/private key cryptography (FIDO2/WebAuthn). This method aligns with the organization's goal of eliminating passwords while utilizing existing smartphone hardware, and it supports a simple user experience by requiring only a biometric or PIN verification on the phone.

Exam trap

The trap here is that candidates often confuse 'passwordless' with 'MFA' and select SMS-based authentication, not realizing that SMS still relies on a shared secret (the code) and is not truly passwordless or phishing-resistant.

How to eliminate wrong answers

Option A is wrong because FIDO2 security keys are hardware tokens that require additional procurement and distribution, making them less practical as a primary method for all users who already have smartphones. Option C is wrong because SMS-based authentication is not passwordless (it still relies on a one-time code sent via text) and is vulnerable to SIM-swapping and phishing attacks, failing to meet the passwordless strategy's security goals. Option D is wrong because Windows Hello for Business is tied to Windows devices and does not leverage smartphones, so it cannot serve as the primary method for users who may not always have access to a Windows PC.

688 (MCQ, hard)

A company deploys a multi-tier application on Azure Kubernetes Service (AKS). The application uses Azure Key Vault to store secrets. You need to ensure that pod-level access to secrets is restricted to only the pods that require them. What should you implement?

A. Use a managed identity for each pod to access Key Vault directly
B. Configure Azure RBAC on the Key Vault to restrict access to the AKS cluster
C. Apply Azure Policy to deny access to Key Vault from unauthorized namespaces
D. Use the AKS Secret Store CSI Driver with pod-managed identities

Answer: D

CSI driver mounts secrets from Key Vault into specific pods using pod identity.

Why this answer

Option D is correct because the AKS Secret Store CSI Driver mounts secrets from Key Vault into specific pods using pod identity, ensuring only authorized pods can access them. Option B is wrong because RBAC on the Key Vault itself is too coarse: it applies to the cluster, not to individual pods. Option C is wrong because Azure Policy for AKS can enforce compliance but does not manage secret access.

Option A is wrong because a managed identity provides the pod identity but still needs the CSI driver to mount secrets.

689 (MCQ, hard)

A company uses Azure API Management to expose backend APIs. They need to implement OAuth 2.0 authorization with Microsoft Entra ID. The APIs are called by a SPA application. Which OAuth 2.0 grant type should be used?

A. Implicit grant
B. Resource owner password credentials grant
C. Authorization code flow with PKCE
D. Client credentials grant

Answer: C

Recommended for SPAs, provides secure token exchange.

Why this answer

Option C is correct because the authorization code flow with PKCE is the recommended grant for SPAs. Option A is wrong because the implicit flow is deprecated due to security concerns. Option D is wrong because the client credentials grant is for server-to-server calls, not user authentication.

Option B is wrong because resource owner password credentials (ROPC) is not recommended and requires the application to handle user credentials.

690 (Multi-Select, medium)

A company is designing a secure baseline for Azure VMs using Azure Policy and Microsoft Defender for Cloud. Which TWO recommendations should you include to ensure VMs are protected against common threats?

Select 2 answers
A. Configure Azure Backup for all VMs
B. Deploy the Log Analytics agent on all VMs
C. Enable just-in-time (JIT) VM access
D. Enable Azure Site Recovery
E. Use Azure Disk Encryption with Azure Key Vault

Answers: B, C

The agent is required for Defender for Cloud to detect threats and collect security events.

Why this answer

Enabling just-in-time (JIT) VM access reduces attack surface by blocking inbound traffic to management ports. Deploying the Log Analytics agent is required for Defender for Cloud to collect security data. The other options are either not security baselines or not VM-specific.

691 (MCQ, hard)

Refer to the exhibit. You are reviewing a Conditional Access policy in Microsoft Entra ID. Based on the JSON snippet, what is the most likely outcome when a user with high user risk attempts to sign in?

A. The sign-in is blocked because user risk is high
B. The sign-in is blocked only if sign-in risk is also high
C. The sign-in is allowed because sign-in risk is not high
D. The user is prompted for multi-factor authentication

Answer: A

High user risk triggers block grant control.

Why this answer

Option A is correct because the policy blocks sign-ins when the user risk level is high. Option B is wrong because sign-in risk is not evaluated (the sign-in risk array is empty). Option D is wrong because there is no MFA requirement in the grant controls.

Option C is wrong because the policy blocks regardless of sign-in risk.

692 (Multi-Select, easy)

Your organization needs to comply with regulatory requirements for data retention and deletion. Which TWO Microsoft Purview features should you use?

Select 2 answers
A. Retention policies
B. Data Loss Prevention (DLP) policies
C. Audit logs
D. Retention labels
E. eDiscovery

Answers: A, D

Define retention periods for locations.

Why this answer

Retention policies (A) are the correct choice because they allow you to define automated rules for retaining or deleting data at the container level (e.g., entire SharePoint sites, Exchange mailboxes, or OneDrive accounts) to meet regulatory requirements. Retention labels (D) are also correct because they provide granular, item-level control (e.g., specific documents or emails) for retention and deletion, and can be applied manually or automatically via trainable classifiers or sensitive information types. Together, they form the core of Microsoft Purview's data lifecycle management, ensuring compliance with data retention and deletion mandates.

Exam trap

The trap here is that candidates often confuse Data Loss Prevention (DLP) policies with retention policies because both involve data governance, but DLP focuses on preventing data exfiltration, not on lifecycle management of data retention and deletion.

693 (MCQ, hard)

Refer to the exhibit. A security analyst is reviewing a Windows security event log from a domain controller. The event indicates an attempted logon failure. Which type of attack is most likely being attempted?

A. Kerberos golden ticket attack
B. DCSync attack
C. Pass-the-hash attack
D. Brute-force password guessing attack

Answer: D

Multiple failed logon attempts with Logon Type 3 targeting a privileged account indicate a brute-force password guessing attack over the network.

Why this answer

Event 4625 is a failed logon attempt. Logon Type 3 (Network) and the target account 'admin' with failure reason 'Unknown user name or bad password' suggest a brute-force or password guessing attack against a privileged account. Option D is correct because the event shows attempts to guess the 'admin' account password over the network.

Option C is wrong because a pass-the-hash attack would use a different logon type and process. Option A is wrong because a Kerberos golden ticket attack would not show a logon type 3 failure. Option B is wrong because DCSync would generate different events (4662).

694 (Multi-Select, medium)

Which TWO actions should you take to secure an Azure Kubernetes Service (AKS) cluster?

Select 2 answers
A. Enable Azure AD integration for Kubernetes RBAC.
B. Disable HTTP application routing.
C. Use pod identity to access Azure resources.
D. Enable Azure Firewall to restrict outbound traffic.
E. Use a service principal for AKS cluster authentication and store the secret in a Kubernetes secret.

Answers: A, C

Provides identity-based access control.

Why this answer

Option A is correct because integrating Azure AD with AKS enables Kubernetes RBAC to use Azure AD identities for authentication and authorization. This allows you to grant granular permissions to users, groups, or service principals based on their Azure AD roles, eliminating the need for static Kubernetes secrets and providing centralized identity management.

Exam trap

The trap here is that candidates often confuse optional security features (like disabling HTTP routing or enabling Azure Firewall) with mandatory actions, or they mistakenly believe that storing service principal secrets in Kubernetes secrets is acceptable, when Azure AD integration provides a far more secure and manageable approach.

695 (MCQ, easy)

A company wants to use Microsoft Defender XDR to correlate alerts across endpoints, email, and identities. Which component enables this correlation?

A. Microsoft 365 Defender
B. Microsoft Defender XDR
C. Microsoft Sentinel
D. Microsoft Defender for Cloud

Answer: B

Microsoft Defender XDR is the correct name for the unified platform.

Why this answer

Microsoft Defender XDR (the new name for Microsoft 365 Defender) is the unified pre- and post-breach enterprise defense suite that natively correlates signals from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps. Its correlation engine uses machine learning and the Microsoft Intelligent Security Graph to fuse alerts across these domains into a single incident, enabling security teams to see the full attack chain from email to endpoint to identity.

Exam trap

The trap here is that candidates confuse the old branding (Microsoft 365 Defender) with the new branding (Microsoft Defender XDR) and pick the outdated name, or they mistake Microsoft Sentinel's broader SIEM capabilities for the native cross-domain correlation engine that Defender XDR provides.

How to eliminate wrong answers

Option A is wrong because 'Microsoft 365 Defender' is the previous name for the same product now called Microsoft Defender XDR; the question explicitly uses the current name, so selecting the old name would be technically inaccurate. Option C is wrong because Microsoft Sentinel is a cloud-native SIEM and SOAR solution that ingests logs from many sources, including Defender XDR, but it does not perform the native, real-time cross-domain alert correlation that Defender XDR's built-in engine does; Sentinel correlates at a higher level using analytics rules and is not the component that directly correlates alerts across endpoints, email, and identities. Option D is wrong because Microsoft Defender for Cloud is a cloud security posture management (CSPM) and cloud workload protection platform (CWPP) focused on securing Azure, AWS, and GCP resources, not on correlating alerts across endpoints, email, and identities.

696 (MCQ, easy)

You need to design a backup and disaster recovery solution for Azure virtual machines that meets a recovery time objective (RTO) of 15 minutes and a recovery point objective (RPO) of 1 hour. Which Azure service should you use?

A. Azure Site Recovery
B. Azure managed disk
C. Azure VM snapshot
D. Azure Backup

Answer: A

Azure Site Recovery supports low RPO and RTO for disaster recovery.

Why this answer

Option A is correct because Azure Site Recovery provides replication with an RPO as low as 30 seconds and an RTO typically within minutes. Option D is wrong because Azure Backup provides longer RPO and RTO, typically hours. Option C is wrong because Azure VM snapshots are manual.

Option B is wrong because Azure managed disks do not provide replication.

697 (Multi-Select, medium)

Your organization is designing a solution to protect sensitive data in Microsoft 365. You need to implement Microsoft Purview Data Loss Prevention (DLP) policies. Which TWO actions can a DLP policy take when a match occurs? (Choose TWO.)

Select 2 answers
A. Encrypt the file with Azure Information Protection.
B. Quarantine the file for administrator review.
C. Automatically apply a sensitivity label.
D. Block the sharing of sensitive information.
E. Show a policy tip to the user.

Answers: D, E

DLP can block sharing actions.

Why this answer

Options D and E are correct. DLP policies can block the sharing of sensitive information and show a policy tip to users. Option C is wrong because auto-labeling is a separate feature (auto-labeling policies).

Option B is wrong because DLP policies do not quarantine items. Option A is wrong because encryption is applied via sensitivity labels, not by DLP directly.

698 (Multi-Select, easy)

You are designing a backup strategy for Azure virtual machines using Azure Backup. The solution must support cross-region restore and provide 10 years of retention for compliance. Which THREE features should you enable? (Choose THREE.)

Select 3 answers
A. Cross-Region Restore
B. Azure Site Recovery replication
C. Soft Delete
D. Immutable vault
E. Archive Tier

Answers: A, D, E

Allows restoring backups in a paired Azure region.

Why this answer

Options A, D, and E are correct. Cross-Region Restore (A) enables restoring to a paired region. Archive Tier (E) allows retention up to 10 years.

Immutable vault (D) prevents deletion of backups. Option B is wrong because Azure Site Recovery is for disaster recovery, not backup retention. Option C is wrong because soft delete is for accidental deletion protection, not for long-term retention.

699 (MCQ, easy)

Your organization plans to use Microsoft Defender for Cloud to secure Azure resources. The security team wants to continuously assess compliance against the CIS Azure Foundations Benchmark. What should you do?

A. Create a custom Azure Blueprint for CIS
B. Deploy Azure Security Center (legacy)
C. Enable the CIS Azure Foundations Benchmark in the Defender for Cloud regulatory compliance dashboard
D. Assign Azure Policy for all CIS controls manually

Answer: C

Directly supports the benchmark.

Why this answer

Option C is correct because Microsoft Defender for Cloud's regulatory compliance dashboard includes built-in support for the CIS Azure Foundations Benchmark. By enabling this standard in the dashboard, Defender for Cloud continuously assesses your Azure resources against all CIS controls, providing automated compliance scores and remediation recommendations without requiring custom definitions or manual policy assignments.

Exam trap

The trap here is that candidates may think they need to create custom Azure Blueprints or manually assign Azure Policies for CIS compliance, overlooking that Defender for Cloud's regulatory compliance dashboard already includes a pre-configured, continuously updated CIS benchmark initiative that automates the entire assessment process.

How to eliminate wrong answers

Option A is wrong because Azure Blueprints are used to define a repeatable set of Azure resources and policies for deployment, not to continuously assess compliance against a specific benchmark like CIS; the CIS benchmark is already available as a built-in standard in Defender for Cloud. Option B is wrong because Azure Security Center (legacy) has been superseded by Microsoft Defender for Cloud, and the legacy version does not include the regulatory compliance dashboard with CIS Azure Foundations Benchmark support; you must use the current Defender for Cloud. Option D is wrong because manually assigning Azure Policy for all CIS controls is inefficient, error-prone, and unnecessary since Defender for Cloud provides a pre-built, automatically updated CIS benchmark initiative that maps policies to controls and continuously evaluates compliance.

700 (MCQ, medium)

Your organization uses Microsoft Sentinel for security operations. You need to ensure that all incidents related to a specific critical asset are automatically assigned to the senior SOC analyst. The assignment should occur as soon as the incident is created. What should you configure?

A. Modify the analytics rule to include a custom details field for owner.
B. Create an automation rule that sets the incident owner to the senior SOC analyst.
C. Create a playbook and trigger it from an automation rule.
D. Configure a workbook to display incidents and manually assign them.

Answer: B

Automation rules can set incident owner, status, and tags upon creation.

Why this answer

Option B is correct because automation rules in Microsoft Sentinel can assign incidents to a specific owner automatically upon creation. Option C is incorrect because playbooks can automate responses but are not the simplest method for assignment. Option A is incorrect because analytics rules create alerts; they do not assign incidents.

Option D is incorrect because workbooks are for visualization.

701
MCQmedium

A company is deploying Microsoft Defender for Cloud to secure their hybrid cloud environment. They need to ensure that regulatory compliance with PCI DSS is continuously monitored and reported. Which solution should they use to automatically assess and report compliance posture?

A.Azure Policy
B.Microsoft Purview Information Protection
C.Regulatory compliance dashboard in Microsoft Defender for Cloud
D.Microsoft Entra ID Governance
AnswerC

The regulatory compliance dashboard in Defender for Cloud continuously monitors compliance with standards like PCI DSS and generates reports.

Why this answer

The Regulatory compliance dashboard in Microsoft Defender for Cloud is the correct solution because it provides built-in, automated assessment of compliance against regulatory standards like PCI DSS. It continuously monitors your hybrid cloud environment against the PCI DSS controls, generates a compliance score, and produces detailed reports without requiring custom policy definitions. This dashboard integrates with Azure Policy to map controls to assessments, but the dashboard itself is the dedicated tool for viewing and reporting compliance posture.

Exam trap

The trap here is that candidates often confuse Azure Policy (the enforcement engine) with the Regulatory compliance dashboard (the reporting interface), leading them to select Azure Policy as the direct solution for compliance reporting, when in fact the dashboard is the correct tool for continuous monitoring and reporting of regulatory posture.

How to eliminate wrong answers

Option A is wrong because Azure Policy is a service that enforces and audits compliance rules by creating custom policies and initiatives, but it does not provide a pre-built, continuously updated regulatory compliance dashboard or reporting specifically for PCI DSS; it is the underlying mechanism that the Regulatory compliance dashboard uses, not the reporting solution itself. Option B is wrong because Microsoft Purview Information Protection focuses on classifying, labeling, and protecting sensitive data (e.g., credit card numbers) through encryption and access controls, not on assessing or reporting overall compliance posture against a framework like PCI DSS. Option D is wrong because Microsoft Entra ID Governance deals with identity lifecycle, access reviews, and entitlement management for users and groups, not with continuous monitoring or reporting of cloud infrastructure compliance against regulatory standards.

702
MCQeasy

A company wants to protect sensitive data in their Azure SQL Database from unauthorized access. Which feature should they enable?

A.Azure Information Protection
B.Transparent Data Encryption (TDE)
C.Azure Key Vault
D.Azure Firewall
AnswerB

TDE encrypts SQL Server data files.

Why this answer

Transparent Data Encryption (TDE) performs real-time I/O encryption and decryption of the data and log files at the page level, protecting data at rest in Azure SQL Database. This directly addresses the requirement to prevent unauthorized access to the underlying storage files, as TDE ensures that data cannot be read if the physical media is compromised.

Exam trap

The trap here is that candidates often confuse Azure Information Protection (a classification tool) with database encryption, or think Azure Key Vault alone provides encryption, when in fact TDE is the specific feature that encrypts the database files at rest.

How to eliminate wrong answers

Option A is wrong because Azure Information Protection is a classification and labeling solution for documents and emails, not a database-level encryption feature for Azure SQL Database. Option C is wrong because Azure Key Vault is a secure key management service that can store TDE encryption keys, but it does not itself encrypt the database; it is a supporting component, not the primary feature. Option D is wrong because Azure Firewall is a network security service that controls inbound and outbound traffic at the network layer, not a data-at-rest encryption mechanism for database files.

703
MCQhard

A company is evaluating their incident response (IR) process. They use Microsoft Sentinel as their SIEM. During a security incident, the IR team struggles to quickly find related alerts and entities. Which improvement should they implement to enhance investigation efficiency?

A.Create more analytics rules to cover additional scenarios.
B.Configure automation rules to automatically classify incidents.
C.Increase data retention for all log tables.
D.Leverage the investigation graph to explore entity relationships.
AnswerD

Provides visual mapping of connections between alerts, entities, and incidents.

Why this answer

The investigation graph in Microsoft Sentinel provides a visual, interactive map of entity relationships (e.g., users, hosts, IP addresses, alerts) connected to an incident. This directly addresses the IR team's struggle to quickly find related alerts and entities by allowing them to explore and pivot across linked data points, drastically reducing manual correlation time.

Exam trap

The trap here is that candidates often confuse 'automation' (Option B) with 'investigation efficiency,' but automation rules handle classification and assignment, not the visual exploration of entity relationships that the investigation graph provides.

How to eliminate wrong answers

Option A is wrong because creating more analytics rules increases the volume of alerts and incidents, which would exacerbate the problem of finding related alerts and entities rather than improving investigation efficiency. Option B is wrong because configuring automation rules to automatically classify incidents helps with triage and prioritization, but does not assist investigators in exploring relationships between alerts and entities during an active investigation. Option C is wrong because increasing data retention for all log tables extends the storage period but does not provide any mechanism to correlate or visualize relationships between alerts and entities; it simply keeps more raw data without improving discoverability.

704
MCQhard

A company uses Azure Policy to audit storage accounts for secure transfer (HTTPS) enforcement. The policy is set to 'AuditIfNotExists' but compliance shows 0% non-compliant storage accounts even though some accounts have secure transfer disabled. What is the most likely cause?

A.The policy is in 'audit' mode and does not evaluate
B.The policy should use 'Audit' or 'Deny' effect instead of 'AuditIfNotExists'
C.The storage accounts are in a different region
D.The policy assignment scope does not include the non-compliant accounts
AnswerB

AuditIfNotExists is for existence of a resource, not property.

Why this answer

The 'AuditIfNotExists' effect is designed to audit resources that do not have a specific extension or sub-resource (e.g., a diagnostic setting or an agent). For a policy that needs to check a property of the storage account itself (like secure transfer enabled), the correct effect is 'Audit' (or 'Deny'). 'AuditIfNotExists' will never flag a storage account as non-compliant for missing the secure transfer property because it is looking for the absence of a child resource, not a property misconfiguration.

Exam trap

The trap here is that candidates confuse 'AuditIfNotExists' with 'Audit', assuming both can check resource properties, but 'AuditIfNotExists' is specifically for auditing the absence of a sub-resource or extension, not the resource's own configuration.

How to eliminate wrong answers

Option A is wrong because 'audit' mode is not a valid Azure Policy mode; policies use 'audit' effect, not a mode, and all policies evaluate resources within their scope regardless of effect. Option C is wrong because Azure Policy evaluates all storage accounts in the assigned scope regardless of region; region does not affect policy evaluation. Option D is wrong because if the policy assignment scope did not include the non-compliant accounts, those accounts would simply not be evaluated, but the question states compliance shows 0% non-compliant, implying the accounts are in scope yet not flagged, which points to an effect mismatch.

705
MCQhard

Refer to the exhibit. An organization uses Microsoft Entra ID Governance. This access review policy is intended to review guest users created after January 1, 2025. The reviewers are users with job title 'Manager'. However, the review is not starting automatically. What is the most likely cause?

A.The reviewer query returns no users.
B.The recurrence is not configured.
C.The autoReviewEnabled setting is false.
D.The scope query syntax is incorrect.
AnswerB

Without recurrence, the review does not start.

Why this answer

Option B is correct because although the scope query filters guests by creation date, the review is not starting automatically because there is no recurrence defined. The policy snippet does not include recurrence settings, and access reviews need a recurrence to start. Option A is wrong because the reviewer query is valid.

Option C is wrong because autoReviewEnabled being false affects how decisions are applied, not whether the review starts. Option D is wrong because the scope query syntax is valid.

706
MCQeasy

Your organization is required to retain all Microsoft Teams chat messages for 7 years due to regulatory compliance. You need to design a solution that automatically retains these messages and, if needed, makes them searchable through eDiscovery. What should you configure?

A.Microsoft Purview retention policies and eDiscovery
B.Microsoft Purview Data Loss Prevention policies
C.Azure Policy
D.Sensitivity labels auto-labeling
AnswerA

Retention policies preserve Teams chat data for 7 years; eDiscovery allows searching and exporting the data for compliance purposes.

Why this answer

Option A is correct because Microsoft Purview retention policies can be applied to Teams chats to retain them for a specified period, and eDiscovery can search the retained messages. Option D is wrong because sensitivity labels classify data but do not enforce retention. Option B is wrong because DLP policies prevent data loss; they do not retain data.

Option C is wrong because Azure Policy applies to Azure resources, not Microsoft 365 data.

707
MCQhard

A company uses Microsoft Entra ID with P2 licenses. They want to implement a Zero Trust approach that requires step-up authentication for accessing high-value data in SharePoint. The solution must use risk-based policies and minimize user friction. Which combination should you recommend?

A.Microsoft Entra Conditional Access with trusted locations policy
B.Microsoft Entra Conditional Access with sign-in risk policy and authentication context for sensitive data
C.Azure AD Conditional Access with MFA for all SharePoint access
D.Microsoft Entra Identity Protection user risk policy with MFA
AnswerB

Risk-based step-up with granular context.

Why this answer

Option B is correct because it combines Conditional Access with a sign-in risk policy (from Identity Protection) and an authentication context that is applied to sensitive SharePoint data. This enforces step-up authentication only when risk is detected and the user accesses high-value data, minimizing friction for low-risk sessions while meeting Zero Trust requirements.

Exam trap

The trap here is that candidates often confuse user risk policies (which are based on historical user behavior) with sign-in risk policies (which evaluate the current session in real time), and they overlook the role of authentication context in scoping enforcement to specific data rather than all SharePoint access.

How to eliminate wrong answers

Option A is wrong because a trusted locations policy only checks the network location (e.g., corporate IP range) and does not evaluate user or sign-in risk, nor does it enforce step-up authentication based on data sensitivity. Option C is wrong because requiring MFA for all SharePoint access is not risk-based; it applies friction to every session regardless of risk level, violating the 'minimize user friction' requirement. Option D is wrong because a user risk policy with MFA triggers based on user-level risk (e.g., leaked credentials) but does not use authentication context to scope enforcement to specific high-value data in SharePoint, and it does not leverage sign-in risk for real-time step-up.

708
MCQmedium

Your organization stores sensitive data in Azure Blob Storage. You need to ensure that data is encrypted at rest and that the encryption keys are rotated every 90 days. You also need to maintain your own key material. Which solution should you use?

A.Azure Information Protection
B.Azure Storage Service Encryption with Microsoft-managed keys
C.Azure Storage Service Encryption with customer-managed keys in Azure Key Vault
D.Azure Disk Encryption
AnswerC

Customer-managed keys allow you to provide your own key material and rotate it every 90 days.

Why this answer

Azure Storage encryption with customer-managed keys in Azure Key Vault allows you to supply your own encryption keys and rotate them on your own schedule. Option D is wrong because Azure Disk Encryption is for VM disks, not Blob Storage. Option B is wrong because Azure Storage Service Encryption with Microsoft-managed keys does not allow customer control of the key material or its rotation.

Option A is wrong because Azure Information Protection is for classification and labeling, not encryption at rest.

709
MCQhard

Your organization uses Microsoft Entra ID and plans to implement a Zero Trust architecture. You need to ensure that all access requests to internal applications are verified continuously, not just at the initial sign-in. What should you configure?

A.Microsoft Defender for Cloud Apps session policy
B.Privileged Identity Management (PIM)
C.Conditional Access policies with session controls
D.Continuous Access Evaluation (CAE)
AnswerD

CAE provides real-time token validation for critical events.

Why this answer

Continuous Access Evaluation (CAE) is the correct choice because it enables real-time token validation and policy enforcement for critical events (e.g., user risk elevation, device compliance change, or IP address change) without requiring a new authentication request. This aligns with the Zero Trust principle of 'verify explicitly and continuously' by revoking access mid-session when conditions change, rather than only at initial sign-in.

Exam trap

The trap here is that candidates often confuse Conditional Access session controls (which enforce periodic reauthentication) with true continuous verification, but CAE is the only mechanism that provides event-driven, real-time session revocation without waiting for token expiry or user reauthentication.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud Apps session policies are used for app-level session monitoring and control (e.g., preventing data exfiltration) but do not provide continuous token-level verification of identity or device state across all applications. Option B is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation and approval workflows, not continuous verification of all access requests. Option C is wrong because Conditional Access policies with session controls (e.g., sign-in frequency, persistent browser session) still rely on periodic reauthentication or token refresh, not real-time, event-driven revocation of active sessions as CAE does.

710
MCQmedium

A SOC team uses Microsoft Sentinel for incident management. They need to ensure that when a high-severity incident is created, a Teams message is sent to the security team and an email is sent to the IT manager. What is the most efficient way to achieve this?

A.Configure the analytics rule to send notifications when an incident is created.
B.Create an automation rule in Sentinel that triggers a playbook to send the notifications.
C.Use a workbook to display incidents and have a manual process to send notifications.
D.Enable incident creation in the data connector settings.
AnswerB

Automation rules are designed to respond to incidents with playbooks.

Why this answer

Option B is correct because automation rules in Microsoft Sentinel can trigger a playbook (an Azure Logic Apps workflow) when an incident is created, allowing you to send a Teams message and an email simultaneously. This is the most efficient, automated approach without manual intervention or modifying the analytics rule itself.

Exam trap

The trap here is that candidates often confuse analytics rule configuration (which can only generate incidents or alerts) with automation rules (which handle post-creation actions like playbooks), leading them to incorrectly select Option A.

How to eliminate wrong answers

Option A is wrong because analytics rules in Sentinel do not have native capabilities to send Teams messages or emails directly; they only generate incidents or alerts. Option C is wrong because workbooks are for visualization and reporting, not for automated notification workflows, and relying on a manual process defeats efficiency. Option D is wrong because data connector settings only control ingestion of logs and incident creation from external sources, not post-incident notification actions.

711
MCQmedium

You are designing a secure data sharing solution for a research organization that needs to share large datasets with external universities. The data must be encrypted at rest and in transit, and access must be time-limited. The solution should minimize administrative overhead. What should you use?

A.Azure Blob Storage with SFTP protocol enabled
B.Azure Data Share with snapshot-based sharing
C.Azure Storage with shared access signatures (SAS) and Azure Key Vault
D.Azure File Sync with on-premises file servers
AnswerC

SAS tokens provide time-limited access, and Azure Storage encrypts data at rest and in transit.

Why this answer

Option C is correct because Azure Storage with SAS tokens provides time-limited access, encryption at rest (SSE), and encryption in transit (HTTPS). Option D is wrong because Azure File Sync focuses on syncing files with on-premises servers, not secure external sharing. Option B is wrong because Azure Data Share is designed for periodic snapshot-based sharing, not direct time-limited access.

Option A is wrong because SFTP requires more administrative overhead for user management.

712
MCQmedium

Your organization uses Microsoft Sentinel to monitor hybrid workloads. You need to design a solution to detect lateral movement attempts from compromised on-premises servers to Azure VMs. Which data connector should you prioritize?

A.Syslog via AMA
B.Office 365 Logs
C.Windows Security Events via AMA
D.Azure Activity Log
AnswerC

Captures security events like logons, which are critical for lateral movement detection.

Why this answer

Option C is correct because the Windows Security Events via AMA connector provides the necessary event IDs (e.g., 4624, 4625) for lateral movement detection on Azure VMs. Option D is wrong because the Azure Activity Log does not capture OS-level events. Option A is wrong because Syslog via AMA covers Linux, not Windows.

Option B is wrong because the Office 365 connector covers cloud app activity, not OS-level events.

713
MCQeasy

Your organization uses Microsoft Defender for Office 365. You need to design a solution to protect users from malicious links in email. What should you configure?

A.Anti-spam policy
B.Safe Attachments policy
C.Safe Links policy
D.Anti-phishing policy
AnswerC

Safe Links protects against malicious URLs.

Why this answer

Option C is correct because Safe Links in Defender for Office 365 scans and blocks malicious links in real time. Option B is incorrect because Safe Attachments protects against malicious attachments, not links. Option A is incorrect because anti-spam policies handle spam.

Option D is incorrect because anti-phishing policies handle phishing, not links specifically.

714
MCQhard

Your organization is a multi-national corporation that uses Microsoft 365 E5 and Azure. You need to design a security operations center (SOC) to detect and respond to threats across identities, endpoints, and cloud apps. The SOC team will use a single pane of glass for incident management. Requirements: (1) Centralize alerts from Microsoft Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps, (2) Automate incident response playbooks, (3) Use advanced hunting across all data sources, (4) Integrate with external threat intelligence feeds, (5) Provide role-based access control for SOC analysts. Which Microsoft solution should you implement?

A.Microsoft 365 Defender portal
B.Microsoft Sentinel
C.Microsoft Purview Compliance Manager
D.Microsoft Defender for Cloud
AnswerB

Sentinel provides centralized SIEM/SOAR with advanced hunting and threat intelligence.

Why this answer

Option B is correct because Microsoft Sentinel is a cloud-native SIEM/SOAR that ingests alerts from all Microsoft Defender products and supports automation playbooks, advanced hunting via KQL, threat intelligence connectors, and RBAC. Option D is wrong because Defender for Cloud is for cloud workload protection, not a unified SIEM. Option A is wrong because the Microsoft 365 Defender portal provides visibility but limited automation and external threat intelligence integration.

Option C is wrong because Microsoft Purview Compliance Manager is for data governance and compliance, not security operations.

715
MCQmedium

A company uses Azure App Service to host a web application that stores sensitive data in Azure SQL Database. The security team requires that data at rest in the database be encrypted using a customer-managed key stored in Azure Key Vault. The key must be rotated automatically every 90 days. What is the recommended approach to meet these requirements?

A.Encrypt sensitive columns using cell-level encryption with keys stored in Azure Key Vault and rotate keys manually every 90 days.
B.Enable Transparent Data Encryption (TDE) with service-managed keys in Azure SQL Database.
C.Enable TDE with customer-managed keys in Azure Key Vault and set a key rotation policy in Key Vault to rotate the key every 90 days.
D.Use Always Encrypted with column master keys stored in Azure Key Vault and configure key rotation in the application code.
AnswerC

TDE with customer-managed keys supports automatic rotation via Key Vault lifecycle policies.

Why this answer

Option C is correct because Transparent Data Encryption (TDE) with customer-managed keys (CMK) in Azure Key Vault meets the requirement for encrypting data at rest in Azure SQL Database using a key controlled by the customer. Azure Key Vault supports automatic key rotation policies that can be set to rotate the key every 90 days, satisfying the rotation requirement without manual intervention or application code changes.

Exam trap

The trap here is confusing data-at-rest encryption (TDE) with column-level encryption (Always Encrypted or cell-level encryption), leading candidates to pick options that encrypt only specific columns or require application changes, rather than the simpler, database-wide TDE approach with automatic key rotation in Key Vault.

How to eliminate wrong answers

Option A is wrong because cell-level encryption (e.g., Always Encrypted) encrypts individual columns, not the entire database at rest, and requires manual key rotation or application code changes, not automatic rotation via Key Vault policy. Option B is wrong because TDE with service-managed keys uses keys managed by Microsoft, not customer-managed keys, so it fails the requirement for customer-controlled keys. Option D is wrong because Always Encrypted encrypts data at the column level and requires application code changes for key rotation, whereas the requirement specifies data at rest in the database (TDE) and automatic rotation without application modifications.

716
MCQeasy

Your organization uses Microsoft Sentinel and has enabled User and Entity Behavior Analytics (UEBA). The security team receives an alert for a user who has failed authentication 10 times in 5 minutes. What should you configure to reduce false positives while ensuring legitimate brute-force attacks are still detected?

A.Customize the anomaly threshold in UEBA
B.Disable UEBA for that user
C.Modify the analytics rule that triggered the alert
D.Create a playbook to auto-acknowledge the alert
AnswerA

Adjusting sensitivity reduces false positives while keeping detection.

Why this answer

Customizing the anomaly threshold in UEBA allows you to adjust the sensitivity of the behavioral baseline, reducing false positives for users who legitimately fail authentication multiple times while still detecting true brute-force attacks. UEBA learns normal behavior patterns and flags deviations; by raising the threshold, you require a higher deviation from the baseline before an alert fires, preserving detection of actual attacks.

Exam trap

The trap here is that candidates assume modifying the analytics rule (Option C) is the correct tuning mechanism, but UEBA-specific thresholds are configured separately from the underlying analytics rule, and adjusting the rule itself would affect all users and all detection logic, not just the behavioral anomaly component.

How to eliminate wrong answers

Option B is wrong because disabling UEBA for that user would stop all behavioral analytics for that user, preventing detection of any future anomalous activity, including legitimate brute-force attacks. Option C is wrong because modifying the analytics rule that triggered the alert would change the detection logic for all users, potentially missing real attacks or increasing noise across the board, rather than tuning the behavioral sensitivity for this specific pattern. Option D is wrong because creating a playbook to auto-acknowledge the alert does not reduce false positives; it merely automates ignoring the alert, which could cause a real brute-force attack to be overlooked.

717
Multi-Selectmedium

You are planning a security baseline for Azure resources using Microsoft Defender for Cloud. Which THREE recommendations are part of the Azure Security Benchmark?

Select 3 answers
A.Implement role-based access control (RBAC) for resource management
B.Enable multi-factor authentication for all privileged accounts
C.Disable TLS 1.0 and enable TLS 1.2
D.Use Point-to-Site VPN for remote access
E.Enable network security groups on subnets to restrict traffic
AnswersA, B, E

Core identity and access control recommendation.

Why this answer

Option A is correct because the Azure Security Benchmark (ASB) includes identity and access control recommendations, specifically recommending role-based access control (RBAC) to manage resource access. RBAC is a foundational security control that enforces the principle of least privilege, and it is explicitly listed in the ASB under the Identity Management (IM) control family.

Exam trap

The trap here is that candidates often confuse the Azure Security Benchmark with general security best practices or the Azure Well-Architected Framework, leading them to select recommendations like disabling TLS 1.0 or using VPNs, which are not part of the benchmark's specific control set.

718
Multi-Selectmedium

Which THREE are valid sources for ingesting data into Microsoft Sentinel? (Choose three.)

Select 3 answers
A.AWS CloudTrail
B.Microsoft 365 Defender
C.Adobe Analytics
D.Azure Activity log
E.Google BigQuery
AnswersA, B, D

AWS CloudTrail connector is available.

Why this answer

Options A, B, and D are correct. Option D is correct because Azure Activity logs have a built-in connector. Option B is correct because Microsoft 365 Defender has a connector.

Option A is correct because AWS CloudTrail can be ingested via a connector. Option E is incorrect because Google BigQuery is not a direct connector. Option C is incorrect because Adobe Analytics is not supported.

719
MCQhard

Refer to the exhibit. You run the PowerShell script to protect high-confidentiality resources. After execution, you find that some resources with tag 'Confidentiality=High' are still unprotected. What is the most likely reason?

A.Some resources are in a different resource group than expected.
B.The script does not check for existing locks properly.
C.Tags are not inherited from resource groups.
D.The script overwrites existing locks.
AnswerA

The script assumes resource group from the resource object.

Why this answer

Option A is correct because the script uses Get-AzResource, which returns resources from all resource groups, but the lock creation uses the -ResourceGroupName parameter. If a resource is in a different resource group than the one resolved from the resource object, the lock might fail or apply incorrectly. Option B is wrong because, although the script does not check for existing locks correctly, the main issue is the resource group mismatch.

Option D is wrong because the script checks for locks before creating new ones rather than overwriting them. Option C is wrong because tag inheritance is not the issue.

720
MCQmedium

Refer to the exhibit. The NSG is applied to a subnet containing Azure SQL databases. You notice that traffic from the internet to the databases is not being denied. What is the most likely reason?

A.The rule should be Allow to deny traffic
B.The destinationAddressPrefix should be '*' instead of 'VirtualNetwork'
C.The priority of the Deny rule is too low (100)
D.The direction should be Outbound
AnswerB

SQL databases are not in a VNet by default; use '*' to cover all destinations.

Why this answer

Option B is correct because the destinationAddressPrefix is 'VirtualNetwork', but SQL databases are not in a virtual network by default; they are PaaS services with a public endpoint. Option C is wrong because priority 100 is a high priority (lower numbers are evaluated first). Option A is wrong because the rule already explicitly denies traffic.

Option D is wrong because the direction is already inbound.

721
MCQhard

Your organization is planning to use Microsoft Entra ID for identity management. You need to design a solution that enforces conditional access policies for sensitive applications while minimizing user friction. The solution must support offline access for mobile devices and require step-up authentication only when accessing high-risk data. What should you recommend?

A.Implement Microsoft Entra ID Protection to automatically remediate risky users
B.Use Conditional Access session controls with app-enforced restrictions and grant controls for high-risk sign-ins
C.Configure risk-based Conditional Access policies with user risk and sign-in risk
D.Require device compliance via Intune and block non-compliant devices
AnswerB

Session controls allow step-up authentication and support offline via app-based policies.

Why this answer

Option B is correct because session controls in Conditional Access allow for continuous access evaluation (CAE) and step-up authentication based on risk, while app-based conditional access provides offline access. Option D is wrong because device compliance policies do not support offline access natively. Option C is wrong because risk-based policies alone do not handle offline scenarios.

Option A is wrong because Identity Protection requires online connectivity.

722
MCQmedium

Your company is deploying Microsoft Intune for mobile device management. You need to ensure that corporate data on personally owned devices is protected without affecting the user's personal data. Which Intune feature should you use?

A.Device compliance policies
B.Conditional Access for app control
C.Windows Autopilot
D.App Protection Policies (MAM)
AnswerD

MAM policies protect corporate data in apps without device management.

Why this answer

App Protection Policies (MAM) are the correct choice because they allow you to manage and protect corporate data within applications on personally owned devices without requiring device enrollment. This ensures that corporate data is encrypted, can be selectively wiped, and is prevented from being copied to personal apps, while leaving the user's personal data untouched.

Exam trap

The trap here is that candidates often confuse Conditional Access (which controls access to resources) with App Protection Policies (which protect data within apps), leading them to select Conditional Access for app control when the question specifically asks about protecting corporate data without affecting personal data.

How to eliminate wrong answers

Option A is wrong because Device Compliance Policies evaluate the security configuration of the entire device (e.g., jailbreak detection, encryption status) and require the device to be enrolled in Intune, which would give the organization visibility and control over the entire device, affecting personal data. Option B is wrong because Conditional Access for app control (e.g., using Azure AD Conditional Access with app-based policies) can restrict access based on app-level conditions but does not provide the granular data protection and selective wipe capabilities that MAM offers for corporate data within apps. Option C is wrong because Windows Autopilot is a device provisioning and deployment tool for Windows devices, not a mobile device management feature for protecting corporate data on personally owned devices.

723
MCQhard

Your company uses Microsoft Purview to manage data governance. You need to create a data classification rule that scans Azure Data Lake Storage for personally identifiable information (PII) such as email addresses. The rule must also apply a sensitivity label automatically. Which approach should you use?

A.Create an Azure Policy to detect and label PII.
B.Create a custom scan rule in Microsoft Purview and configure auto-labeling.
C.Use a Power Automate flow to scan files and apply labels.
D.Use Microsoft Defender for Cloud to scan for PII.
AnswerB

Purview scans data and can auto-apply sensitivity labels.

Why this answer

Option B is correct because Microsoft Purview has built-in scan rules for sensitive data types and can auto-label. Option A is wrong because Azure Policy is for compliance, not scanning. Option D is wrong because Microsoft Defender for Cloud is for security posture.

Option C is wrong because custom Power Automate flows are not the primary method for classification.

724
Multi-Selecthard

Which THREE of the following are best practices for securing Azure Kubernetes Service (AKS)?

Select 3 answers
A.Enable Azure Policy for AKS
B.Integrate Azure AD for Kubernetes RBAC
C.Use network policies to control pod-to-pod communication
D.Store secrets in Kubernetes secrets
E.Allow all node pools to communicate freely
AnswersA, B, C

Azure Policy enforces security standards on AKS.

Why this answer

A is correct because Azure Policy for AKS enforces organizational standards and assesses compliance at scale by applying built-in policies that restrict privileged containers, require pod security standards, and enforce HTTPS ingress. This reduces the attack surface and ensures clusters adhere to security baselines without manual intervention.

Exam trap

The trap here is that candidates often assume Kubernetes secrets are secure by default, but the exam tests awareness that they lack encryption at rest and proper access controls, making Azure Key Vault or external secrets stores the recommended approach.

725
MCQmedium

A company is using Microsoft Intune to manage devices. They need to ensure that only devices with a specific operating system version can access corporate resources. Which Intune policy should they use?

A.App protection policy
B.Enrollment restriction
C.Compliance policy
D.Device configuration policy
AnswerC

Compliance policies enforce OS version requirements to grant access.

Why this answer

Compliance policies in Microsoft Intune define the rules that devices must meet to be considered compliant, such as requiring a specific operating system version. When a device is marked non-compliant, Conditional Access policies can block access to corporate resources. This directly enforces the requirement that only devices with the correct OS version can access company data.

Exam trap

The trap here is confusing the purpose of Compliance policies (which enforce ongoing access rules based on device health) with Enrollment restrictions (which only gate initial enrollment) or Device configuration policies (which apply settings but do not evaluate compliance).

How to eliminate wrong answers

Option A is wrong because App protection policies (MAM) manage how apps handle data (e.g., preventing copy/paste) and do not enforce device-level OS version requirements. Option B is wrong because Enrollment restrictions control which devices can enroll in Intune (e.g., by platform or manufacturer) but do not enforce ongoing compliance with OS version after enrollment. Option D is wrong because Device configuration policies push settings (e.g., Wi-Fi, VPN, certificates) to devices but do not evaluate or enforce OS version compliance; they are not used for access control decisions.

726
MCQhard

You are designing a solution to securely store and manage secrets for a cloud-native application deployed on Azure Kubernetes Service (AKS). The application needs to retrieve database connection strings and API keys at runtime without hardcoding them. The solution must minimize administrative overhead and integrate with Azure Active Directory (now Microsoft Entra ID) for access control. Which service should you use?

A.Kubernetes Secrets
B.HashiCorp Vault on AKS
C.Azure Key Vault with managed identities
D.Azure App Configuration
AnswerC

Key Vault securely stores secrets, and managed identities provide secure access without credentials.

Why this answer

Option C is correct: Azure Key Vault with managed identities for AKS allows secure secret retrieval without storing credentials in code or configuration, integrates with Entra ID, and minimizes overhead. Option A is wrong: Kubernetes Secrets are not encrypted by default and require additional configuration. Option D is wrong: Azure App Configuration can store configuration but is not optimized for secrets.

Option B is wrong: HashiCorp Vault adds complexity and is not a native Azure service.

727
MCQeasy

You are designing a compliance solution for your organization that must enforce retention policies for documents stored in SharePoint Online. Which Microsoft Purview solution should you use?

A.Microsoft Purview Data Lifecycle Management
B.Microsoft Purview eDiscovery
C.Microsoft Purview Communication Compliance
D.Microsoft Purview Insider Risk Management
AnswerA

This manages retention and deletion of content.

Why this answer

Microsoft Purview Data Lifecycle Management (formerly Microsoft 365 Retention) is the correct solution because it is specifically designed to enforce retention policies for documents in SharePoint Online. It allows you to apply retention labels and policies that automatically retain or delete content based on compliance requirements, without user intervention.

Exam trap

The trap here is that candidates often confuse 'retention' with 'eDiscovery holds' or 'compliance monitoring,' leading them to select eDiscovery or Communication Compliance, but Data Lifecycle Management is the only solution that directly enforces retention schedules for content in SharePoint Online.

How to eliminate wrong answers

Option B is wrong because Microsoft Purview eDiscovery is used for searching, holding, and exporting content for legal or investigative purposes, not for enforcing retention policies. Option C is wrong because Microsoft Purview Communication Compliance is designed to detect and manage inappropriate communications (e.g., harassment, sensitive info sharing), not to apply retention schedules. Option D is wrong because Microsoft Purview Insider Risk Management focuses on identifying and mitigating internal security risks (e.g., data theft, policy violations), not on lifecycle retention of documents.

728
Multi-Selecthard

Your organization uses Microsoft Intune for mobile device management. You need to configure a compliance policy for iOS devices that detects jailbroken devices and requires a minimum OS version. Which two settings should you configure in the compliance policy? (Choose two.)

Select 2 answers
A.Require passcode
B.Minimum OS version
C.Device encryption
D.Jailbreak detection
AnswersB, D

Ensures the device runs at least a specified version.

Why this answer

B is correct because the compliance policy must specify a minimum OS version to ensure iOS devices meet the required security baseline, preventing outdated devices with known vulnerabilities from accessing corporate resources. D is correct because jailbreak detection is a specific compliance setting that identifies compromised devices, which are a significant security risk as they bypass iOS security controls.

Exam trap

The trap here is that candidates may confuse 'jailbreak detection' with 'device encryption' or 'passcode requirements,' but the question explicitly asks for the two settings that directly address jailbreak detection and minimum OS version, not general security settings.

729
MCQeasy

Your organization is implementing a zero-trust network strategy. You need to ensure that all network traffic between Azure virtual machines is encrypted and authenticated at the IP layer, regardless of the virtual network they are in. Which Azure feature should you configure?

A.Azure Service Endpoints
B.Azure VPN Gateway
C.Azure Private Link
D.Azure Virtual Network encryption
AnswerD

This feature encrypts traffic between VMs using IPsec, meeting zero-trust requirements.

Why this answer

Azure Virtual Network encryption provides IPsec encryption for traffic between VMs within the same virtual network or peered virtual networks. Service endpoints use public IPs. Private Link is for accessing PaaS services privately.

VPN Gateway is for site-to-site.

730
MCQmedium

A company uses Microsoft Defender for Cloud to assess the security posture of their Azure subscriptions. They need to ensure that all resources are compliant with the Payment Card Industry Data Security Standard (PCI DSS). What should they do?

A.Create Azure Policy initiatives to enforce PCI DSS controls
B.Use Microsoft Purview to classify data and apply PCI DSS labels
C.Deploy Azure Blueprints that include PCI DSS policies
D.Enable the PCI DSS regulatory compliance standard in Microsoft Defender for Cloud
AnswerD

Defender for Cloud includes built-in regulatory compliance standards with continuous assessment.

Why this answer

Microsoft Defender for Cloud includes built-in regulatory compliance standards, such as PCI DSS, that can be enabled directly. Once enabled, Defender for Cloud continuously assesses your Azure subscriptions against the PCI DSS controls and provides a compliance score with detailed remediation steps. This is the simplest and most effective method to monitor compliance without creating custom policies or blueprints.

Exam trap

The trap here is that candidates often confuse Azure Policy or Blueprints as the primary tool for compliance assessment, when in fact Defender for Cloud's built-in regulatory compliance standards are the correct, out-of-the-box solution for monitoring against frameworks like PCI DSS.

How to eliminate wrong answers

Option A is wrong because Azure Policy initiatives enforce custom or built-in policies for resource configuration, but they do not natively map to PCI DSS controls; you would need to create or import a custom initiative, which is more complex and less accurate than using the built-in standard. Option B is wrong because Microsoft Purview is a data governance and classification service, not a compliance assessment tool for PCI DSS; it cannot evaluate resource configurations or provide a compliance score against PCI DSS. Option C is wrong because Azure Blueprints can include policies and resource templates, but they are used for deploying consistent environments, not for ongoing compliance assessment; the PCI DSS standard in Defender for Cloud already provides the necessary policy mappings and continuous monitoring.

731
Matchingmedium

Match each Microsoft 365 Defender workload to its protection domain.

Matches

Endpoint protection

Email and collaboration protection

On-premises identity protection

SaaS application protection

Unified XDR

Why these pairings

Each workload focuses on a specific attack surface.

732
MCQhard

Your organization is a large financial services company with a hybrid infrastructure consisting of on-premises servers and Azure IaaS. You are tasked with designing a security solution for infrastructure that meets the following requirements: - All administrative access to Azure resources must be just-in-time (JIT) and just-enough-access (JEA). - All on-premises servers must be managed centrally with consistent security policies. - All network traffic between on-premises and Azure must be encrypted and inspected for threats. - All privileged access must be monitored and audited. You have the following services available: Microsoft Entra ID, Microsoft Defender for Cloud, Azure Firewall, Azure Bastion, Microsoft Sentinel, Azure Arc, Azure Policy, Microsoft Defender for Identity, and Microsoft Entra Privileged Identity Management (PIM). Which combination of services should you use to meet all requirements?

A.Use Azure Bastion for administrative access, Azure Automation for on-prem management, Azure VPN Gateway for encrypted traffic, and Microsoft Sentinel for monitoring.
B.Use Microsoft Entra PIM for JIT access, Azure Arc to extend Azure Policy to on-prem servers, Azure Firewall with threat intelligence for traffic inspection, and Microsoft Defender for Identity for monitoring privileged access.
C.Use Microsoft Sentinel for all aspects, including JIT via playbooks, Azure Arc for management, Azure Firewall for traffic, and Azure Policy for compliance.
D.Use Microsoft Entra roles with permanent assignments, Azure Site Recovery for on-premises management, Azure ExpressRoute for encrypted traffic, and Microsoft Defender for Cloud for monitoring.
AnswerB

PIM provides JIT/JEA; Arc brings Azure Policy to on-prem; Firewall inspects traffic; Defender for Identity monitors AD.

Why this answer

Option B is correct: PIM provides JIT/JEA for Azure roles; Azure Arc enables management of on-prem servers with Azure Policy; Azure Firewall with threat intelligence can inspect encrypted traffic; Microsoft Defender for Identity monitors on-prem AD for privileged attacks. Option A is incorrect: Azure Bastion provides secure RDP/SSH but does not provide JIT/JEA, and Azure VPN Gateway does not inspect traffic.

Option C is incorrect: Microsoft Sentinel is for SIEM, not JIT.

733
MCQeasy

Your application uses Azure Key Vault to store secrets. You need to ensure that the application rotates secrets automatically without downtime. Which feature should you enable?

A.Key Vault automatic rotation with Event Grid integration
B.Key Vault manual rotation
C.Key Vault soft-delete
D.Key Vault RBAC
AnswerA

Automates rotation with notifications.

Why this answer

Option A is correct because Key Vault automatic rotation with Event Grid notifications allows the application to be notified before expiration and rotate seamlessly. Option B is wrong because manual rotation requires intervention. Option C is wrong because soft-delete only protects against accidental deletion.

Option D is wrong because RBAC controls access, not rotation.

734
MCQhard

Your organization uses Microsoft Sentinel and wants to reduce alert fatigue by grouping related alerts into incidents. Which configuration should you use?

A.Configure incident creation in the analytics rule properties
B.Use a workbook to aggregate alerts
C.Use a playbook to create incidents
D.Create an automation rule to group alerts
AnswerA

Analytics rules can be configured to create incidents from alerts and group related alerts into a single incident.

Why this answer

Option A is correct because in Microsoft Sentinel, incident creation is configured directly within the analytics rule properties. When you create or edit a scheduled or Microsoft Security analytics rule, the 'Incident settings' tab allows you to enable incident creation and define how alerts are grouped into incidents. This is the native mechanism for reducing alert fatigue by automatically grouping related alerts into a single incident based on criteria such as entity matching or time window.

Exam trap

The trap here is that candidates often confuse automation rules with incident grouping logic, assuming that automation rules can create or group incidents, when in fact automation rules only manage incidents after they are created by analytics rules.

How to eliminate wrong answers

Option B is wrong because workbooks in Microsoft Sentinel are visualization tools that display data from queries; they do not create or group incidents. Option C is wrong because playbooks are automated workflows triggered by incidents or alerts (using Azure Logic Apps) and can perform response actions, but they are not designed to initially group alerts into incidents; incident creation is a function of the analytics rule. Option D is wrong because automation rules in Sentinel are used to automate incident management tasks (e.g., assigning, tagging, or running playbooks) after an incident is created, not to group alerts into incidents at creation time.

735
MCQmedium

Your company is migrating on-premises Active Directory to Microsoft Entra ID. The security team requires that users must use passwordless authentication methods for all sign-ins. Which Microsoft Entra ID feature should you enable to support passwordless authentication?

A.Microsoft Entra ID passwordless authentication methods
B.Password hash synchronization
C.Seamless Single Sign-On (Seamless SSO)
D.Pass-through authentication
AnswerA

Passwordless methods include Windows Hello, FIDO2 keys, and Authenticator app, eliminating passwords.

Why this answer

Option A is correct because Microsoft Entra ID passwordless authentication methods (such as Windows Hello for Business, FIDO2 security keys, and Microsoft Authenticator) are the native features designed to eliminate passwords entirely. These methods satisfy the security team's requirement by enabling users to sign in without a password, using biometrics or cryptographic keys instead.

Exam trap

The trap here is that candidates often confuse 'passwordless authentication' with features that reduce password usage (like Seamless SSO or PHS) rather than understanding that only the dedicated passwordless methods in Entra ID actually remove the password requirement entirely.

How to eliminate wrong answers

Option B is wrong because Password hash synchronization (PHS) synchronizes password hashes from on-premises AD to Entra ID for authentication, but it does not enable passwordless methods; it still relies on passwords. Option C is wrong because Seamless SSO provides automatic sign-in when users are on domain-joined devices connected to the corporate network, but it does not eliminate the need for passwords—it just skips the password prompt in certain scenarios. Option D is wrong because Pass-through authentication (PTA) validates passwords directly against on-premises AD, but it still requires a password to be entered and does not support passwordless authentication.

736
Multi-Selectmedium

You are designing a solution to protect a web application hosted on Azure App Service. The application uses Azure SQL Database and stores sensitive customer data. You need to ensure that the data is encrypted at rest and in transit, and that the application is protected from common web attacks. Which TWO of the following should you implement?

Select 2 answers
A.Azure Private Link for App Service
B.Enforce TLS for Azure SQL Database connections
C.Network Security Groups (NSGs) on the subnet
D.Azure Web Application Firewall (WAF) on Azure Front Door
E.Azure DDoS Protection Standard
AnswersB, D

Enforcing TLS encrypts data in transit between App Service and SQL Database; TDE encrypts at rest.

Why this answer

Options B and D are correct. Option D: Azure WAF protects against common web attacks like SQL injection and XSS. Option B: Azure SQL Database always encrypts data at rest with TDE, and enforcing TLS ensures encryption in transit.

Option E is wrong because DDoS Protection is for network-layer attacks, not application-layer. Option C is wrong because Network Security Groups (NSGs) are for network traffic filtering, not for encrypting data in transit.

737
MCQmedium

Your organization uses Microsoft Intune and Microsoft Defender for Endpoint. You need to design a solution that ensures all Windows 10 devices are running the latest security updates and have real-time protection enabled. If a device is non-compliant, it should be blocked from accessing corporate resources. You have already created a Conditional Access policy that requires compliant devices. You need to configure the compliance requirements and automatic remediation. What should you do?

A.Create an Intune device configuration profile that enforces the minimum OS version and enables real-time protection.
B.Create an Intune app protection policy that requires the device to have the latest updates and real-time protection.
C.Create an Intune device compliance policy that requires minimum OS version and real-time protection, and create a remediation policy that automatically enables real-time protection if disabled.
D.Create an Intune device compliance policy that requires minimum OS version and real-time protection, and use the Conditional Access policy to block non-compliant devices.
AnswerC

The remediation policy can automatically fix the non-compliant setting.

Why this answer

Option C is correct because Intune compliance policies can check for minimum OS version and require Defender for Endpoint health status, and remediation policies can automatically enforce settings. Option D is incorrect because it does not address automatic remediation. Option A is incorrect because configuration profiles deploy settings but do not enforce compliance.

Option B is incorrect because app protection policies are for app-level data.

738
MCQmedium

You are designing a security solution for a critical Azure SQL Database that must be protected against data exfiltration by a compromised admin account. The solution must ensure that even a database administrator cannot copy data to an external storage account. Which Azure service should you configure?

A.Always Encrypted
B.Azure SQL Database firewall rules
C.Microsoft Purview Data Loss Prevention
D.Azure Information Protection
AnswerC

DLP policies can monitor and block sensitive data from being copied or exported.

Why this answer

Option C is correct because Microsoft Purview Data Loss Prevention (DLP) policies can be applied to Azure SQL Database to detect and block sensitive data exfiltration attempts. Option B is wrong because Azure SQL Database firewall rules control network access, not data exfiltration. Option A is wrong because Always Encrypted protects data at rest and in use but does not prevent copying.

Option D is wrong because Azure Information Protection (now integrated into Purview) is for classification and labeling, not real-time blocking.

739
MCQeasy

Your organization uses Microsoft Defender for Cloud to assess the security posture of Azure resources. The security team wants to ensure that all virtual machines are covered by Defender for Cloud's vulnerability assessment capabilities. Which plan must be enabled?

A.Microsoft Defender for Storage
B.Microsoft Defender for Servers Plan 2
C.Microsoft Defender for Cloud Apps
D.Defender Cloud Security Posture Management (CSPM)
AnswerB

Plan 2 includes vulnerability assessment, just-in-time VM access, and other advanced features.

Why this answer

Option B is correct because Defender for Servers Plan 2 includes the integrated vulnerability assessment powered by Qualys or Microsoft Defender Vulnerability Management. Option D is wrong because Defender CSPM covers cloud security posture management but not VM-specific vulnerability assessment. Option C is wrong because Defender for Cloud Apps (now part of Defender XDR) focuses on SaaS applications.

Option A is wrong because Defender for Storage protects storage accounts.

740
MCQhard

You are the security architect for a company that has a hybrid identity infrastructure with Microsoft Entra ID (formerly Azure AD) and an on-premises Active Directory Domain Services (AD DS) forest. The company is planning to migrate several line-of-business (LOB) applications to Azure Virtual Machines. The applications currently use Windows Integrated Authentication (WIA) and rely on Kerberos delegation. You need to design a solution that allows the Azure VMs to authenticate on-premises users and access on-premises resources using Kerberos constrained delegation (KCD) without exposing on-premises domain controllers to the internet. The solution must minimize latency and administrative overhead. You have configured Azure ExpressRoute for connectivity between the on-premises network and Azure. What should you do?

A.Deploy domain controllers as Azure VMs in the same virtual network as the application VMs. Configure the application VMs to use these domain controllers for authentication and KCD.
B.Implement Azure AD Application Proxy to publish the applications and use Azure AD for authentication.
C.Use Azure AD Domain Services to provide domain join and KCD capabilities for the Azure VMs.
D.Configure the application VMs to use the on-premises domain controllers over ExpressRoute for authentication and KCD.
AnswerA

This provides low-latency access to domain controllers and supports KCD without exposing on-premises DCs.

Why this answer

Option A is correct because deploying domain controllers as Azure VMs in the same virtual network as the application VMs allows them to use KCD with low latency, and ExpressRoute ensures secure connectivity without exposing on-premises DCs. Option C is wrong because Azure AD Domain Services provides managed domain services but does not support full KCD and may not meet all application requirements. Option D is wrong because using only ExpressRoute means the VMs would have to communicate with on-premises DCs over the WAN, potentially increasing latency.

Option B is wrong because Azure AD Application Proxy is for publishing on-premises apps, not for authentication delegation.

741
Multi-Selectmedium

Which TWO Microsoft Purview solutions are used to discover and protect sensitive data across Microsoft 365, Azure, and on-premises environments?

Select 2 answers
A.Microsoft Purview Audit
B.Microsoft Purview Data Map
C.Microsoft Purview eDiscovery
D.Microsoft Purview Information Protection
E.Microsoft Purview Data Loss Prevention (DLP)
AnswersB, E

Data Map discovers and classifies data across sources.

Why this answer

Microsoft Purview Data Map (B) is correct because it provides automated scanning and classification of sensitive data across Microsoft 365, Azure, and on-premises sources, creating a unified map of data assets and their sensitivity labels. Microsoft Purview Data Loss Prevention (DLP) (E) is correct because it enforces policies to detect and prevent unauthorized sharing or leakage of sensitive data across these same environments, integrating with the classification from Data Map. Together, they discover sensitive data via classification and protect it through policy enforcement.

Exam trap

The trap here is that candidates often confuse Microsoft Purview Information Protection (which handles labeling and encryption) with the discovery capability provided by Data Map, leading them to select D instead of B, even though Information Protection relies on Data Map for automated scanning and classification across hybrid environments.

742
MCQhard

Your company uses Azure Firewall to filter outbound traffic from a virtual network. You need to allow only HTTP and HTTPS traffic to specific FQDNs, while blocking all other outbound traffic. Which Azure Firewall rule type should you use?

A.NAT rule
B.Application rule
C.Threat intelligence rule
D.Network rule
AnswerB

Application rules allow filtering by FQDN for HTTP/HTTPS.

Why this answer

Option B is correct because application rules allow filtering based on FQDNs for HTTP/HTTPS. Option D is wrong because network rules filter by IP/port, not FQDN. Option A is wrong because NAT rules only translate addresses.

Option C is wrong because threat intelligence rules block known malicious IPs.

743
MCQhard

Your organization is deploying Microsoft Copilot for Security and wants to ensure that the AI model does not expose sensitive data in its responses. You need to configure data loss prevention (DLP) policies that apply to Copilot interactions. Which Microsoft Purview capability should you use?

A.eDiscovery
B.Data Loss Prevention policies
C.Information Protection and sensitivity labels
D.Communication Compliance
AnswerD

Communication Compliance can monitor AI chat interactions for policy violations.

Why this answer

Communication Compliance in Microsoft Purview is specifically designed to detect and prevent sensitive data exposure in communication channels, including Microsoft Copilot for Security interactions. It allows you to configure policies that scan AI prompts and responses for sensitive information, such as credit card numbers or confidential business data, and take automated actions like blocking or alerting. This makes it the correct capability for DLP in Copilot contexts, as it directly addresses the risk of AI models inadvertently leaking sensitive data.

Exam trap

The trap here is that candidates assume standard Data Loss Prevention policies (Option B) are the obvious choice for any DLP scenario, but Microsoft specifically designed Communication Compliance to handle the unique risks of AI interactions, including Copilot for Security, making it the correct answer for this context.

How to eliminate wrong answers

Option A is wrong because eDiscovery is used for legal and investigative searches of content across Microsoft 365, not for real-time data loss prevention in AI interactions. Option B is wrong because standard Data Loss Prevention policies apply to traditional data-at-rest and data-in-transit scenarios (e.g., email, SharePoint), but they do not natively extend to Copilot for Security interactions without Communication Compliance integration. Option C is wrong because Information Protection and sensitivity labels classify and protect data through encryption and labeling, but they do not provide the real-time scanning and policy enforcement needed to prevent sensitive data exposure in Copilot responses.

744
Multi-Selectmedium

Your organization uses Microsoft Purview to comply with regulatory requirements. Which TWO features should you use to manage data retention and deletion?

Select 2 answers
A.Data lifecycle management policies (retention policies).
B.Sensitivity labels.
C.Records management (retention labels and disposition).
D.Data Loss Prevention (DLP) policies.
E.Trainable classifiers.
AnswersA, C

Retention policies manage retention and deletion.

Why this answer

Data lifecycle management policies (retention policies) in Microsoft Purview allow you to automatically retain or delete data at the container level (e.g., SharePoint sites, Exchange mailboxes, Teams channel messages) based on regulatory requirements. They enforce retention and deletion actions without user intervention, making them essential for compliance with data governance mandates.

Exam trap

The trap here is that candidates often confuse sensitivity labels (which handle classification and protection) with retention labels (which handle retention and deletion), leading them to incorrectly select sensitivity labels as a retention feature.

745
MCQhard

You are analyzing a custom detection rule in Microsoft 365 Defender. Based on the exhibit, what is a potential operational issue with this rule?

A.The threshold is too low, leading to alert fatigue.
B.The query syntax is invalid.
C.The severity should be Medium instead of High.
D.The rule does not cover PowerShell 7 (pwsh.exe).
AnswerA

A threshold of 5 combined with High severity will fire on ordinary volumes of PowerShell activity, producing a stream of high-priority alerts that overwhelms analysts.

Why this answer

Option A is correct because a low threshold (5) combined with High severity generates a large volume of high-priority alerts, which is the classic recipe for alert fatigue: analysts stop triaging the rule and the true positives it does catch are buried. Option B is wrong because the query is syntactically valid. Option C is wrong because changing the severity to Medium does not change how many alerts fire; the volume comes from the threshold, so lowering the severity on its own would only make the same noise easier to ignore.

Option D is wrong because the query already matches both powershell.exe and pwsh.exe, so PowerShell 7 is covered.
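The following is an added example, not the exhibit from the question (which this page does not reproduce) and not Microsoft code. It models in Python a scheduled detection that looks for encoded PowerShell launched via powershell.exe or pwsh.exe and raises one alert per run in which the number of matching rows reaches the configured threshold. The threshold semantics, the query logic and the sample telemetry (24 hourly runs, a backup service account running scheduled encoded scripts, one suspicious workstation launch) are all assumptions made so that the effect of the threshold can be measured; the device, account and command-line values are constructed.

```python
"""Added example: why "threshold 5" on a PowerShell query produces alert fatigue.
Not the exhibit from the question and not Microsoft code; the rule semantics
and telemetry below are constructed for illustration."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    device: str
    account: str
    file_name: str      # image name, e.g. powershell.exe
    command_line: str


# Both Windows PowerShell and PowerShell 7 are covered, as in the question's query.
POWERSHELL_BINARIES = {"powershell.exe", "pwsh.exe"}


def matches_query(event: ProcessEvent) -> bool:
    """Assumed detection logic: a PowerShell host launched with an encoded command."""
    return (event.file_name.lower() in POWERSHELL_BINARIES
            and "-enc" in event.command_line.lower())      # -enc / -EncodedCommand


def build_runs() -> list[list[ProcessEvent]]:
    """Constructed sample telemetry: 24 hourly runs. A backup service account on
    ADMIN01 launches six encoded-command scripts every hour (benign, scheduled);
    in hour 7 a workstation shows a single suspicious hidden pwsh.exe launch."""
    runs = []
    for hour in range(24):
        batch = [ProcessEvent("ADMIN01", "svc-backup", "powershell.exe",
                              f"powershell.exe -NoProfile -EncodedCommand QgBhAGMAawB1AHAA{hour:02d}")
                 for _ in range(6)]
        batch.append(ProcessEvent("ADMIN01", "svc-backup", "powershell.exe",
                                  "powershell.exe -File C:\\scripts\\health.ps1"))   # no -enc: not a hit
        batch.append(ProcessEvent("WS-017", "asmith", "notepad.exe", "notepad.exe"))  # unrelated
        if hour == 7:
            batch.append(ProcessEvent("WS-042", "jdoe", "pwsh.exe",
                                      "pwsh.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"))
        runs.append(batch)
    return runs


def hits(batch: list[ProcessEvent], exclusions: frozenset[str] = frozenset()) -> list[ProcessEvent]:
    """Rows the query returns for one run, minus any excluded (known-benign) accounts."""
    return [e for e in batch if matches_query(e) and e.account not in exclusions]


def count_threshold_alerts(runs: list[list[ProcessEvent]], threshold: int,
                           exclusions: frozenset[str] = frozenset()) -> int:
    """Rule as configured in the question: one alert per run whose hit count reaches the threshold."""
    return sum(1 for batch in runs if len(hits(batch, exclusions)) >= threshold)


def entity_alerts(runs: list[list[ProcessEvent]],
                  exclusions: frozenset[str] = frozenset()) -> dict[tuple[str, str], int]:
    """Tuned rule: no count threshold, one alert per (device, account) per run,
    with benign automation excluded. Returns {(device, account): runs alerted}."""
    seen: dict[tuple[str, str], int] = defaultdict(int)
    for batch in runs:
        for key in {(e.device, e.account) for e in hits(batch, exclusions)}:
            seen[key] += 1
    return dict(seen)


if __name__ == "__main__":
    runs = build_runs()
    benign = frozenset({"svc-backup"})
    print("threshold 5, no exclusions:  ", count_threshold_alerts(runs, 5))          # 24 alerts, all noise
    print("threshold 5, svc-backup excluded:", count_threshold_alerts(runs, 5, benign))  # 0: real hit is below threshold
    print("per-entity, svc-backup excluded: ", entity_alerts(runs, benign))           # only WS-042 / jdoe
```

The two numbers worth noting: with the threshold at 5 and no tuning the rule alerts on every run, all of it from the backup account, and the one real workstation hit in hour 7 is indistinguishable from the noise. Raising the threshold or excluding the service account fixes the noise but also hides the genuine event, because a rare, high-fidelity indicator never reaches a count of 5. A result-count threshold is the wrong control for this kind of query; grouping by impacted entity with explicit exclusions for known automation surfaces the single real alert.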

746
MCQhard

You are designing a secure solution for an Azure Kubernetes Service (AKS) cluster that hosts a critical application. You need to ensure that pods can only communicate with specific back-end services and that traffic is encrypted. What should you implement?

A.Implement Kubernetes network policies and enable mTLS using a service mesh like Istio or Linkerd.
B.Use network security groups (NSGs) on the subnet.
C.Configure Azure Application Gateway Ingress Controller.
D.Deploy Azure Firewall and configure application rules.
AnswerA

Network policies restrict which pods may communicate; mTLS from a service mesh encrypts and mutually authenticates that traffic.

Why this answer

Option A is correct because Kubernetes network policies in AKS control which pods can talk to which back-end services, and a service mesh such as Istio or Linkerd adds mutual TLS so that pod-to-pod traffic is encrypted and both ends are authenticated. Note that network policies are only enforced when a network policy engine (Azure Network Policy Manager, Calico or Cilium) is enabled on the cluster. Option B is wrong because NSGs filter at the subnet or NIC level and cannot express pod-level rules.

Option C is wrong because the Application Gateway Ingress Controller handles north-south traffic entering the cluster, not pod-to-pod (east-west) communication. Option D is wrong because Azure Firewall controls the cluster's ingress and egress, not pod-to-pod traffic, and it does not encrypt traffic between pods.

747
MCQmedium

Refer to the exhibit. A security architect is reviewing an Azure Policy definition. What is the effect of this policy?

A.Modifies storage accounts to enable HTTPS traffic only
B.Audits storage accounts that do not require HTTPS traffic
C.Denies creation or update of storage accounts that do not require HTTPS traffic
D.Deploys a remediation task to enable HTTPS traffic only
AnswerC

The policy denies any storage account create or update request where HTTPS traffic only is not enabled.

Why this answer

The policy checks whether the resource type is a storage account and whether HTTPS traffic only (supportsHttpsTrafficOnly) is false. If both conditions are true, the request to create or update the storage account is rejected. Option C is correct because the effect is 'deny': the non-compliant resource never gets created, rather than being recorded or fixed afterwards.

Option A is wrong because the effect is not 'modify'; a modify effect would change the property during the request, whereas deny rejects the request. Option B is wrong because the effect is not 'audit'; audit would allow the resource and record it as non-compliant. Option D is wrong because the effect is not 'deployIfNotExists', so no remediation task is deployed.
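As an added example, not the exhibit from the question (which this page does not reproduce) and not Microsoft code: below is a policy rule written to match the logic the explanation describes, together with a small Python evaluator that applies it to constructed storage-account requests the way Azure Policy does at create/update time. The evaluator handles only the operators this rule uses (allOf, anyOf, field equals, field exists) and is a simplification of the real engine; the field-alias mapping and the sample requests are assumptions. The anyOf/exists branch goes beyond the explanation's "set to false" wording: it also denies a request that omits the property entirely, which is how the built-in policy for this control behaves.

```python
"""Added example: an Azure Policy 'deny' rule for storage accounts that do not
require HTTPS-only traffic, plus a simplified evaluator. Not the exhibit from
the question and not Microsoft code; the sample requests are constructed."""
from __future__ import annotations

import json

# Assumed policy rule, written to match the description in the explanation.
POLICY_RULE_JSON = """{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
      { "anyOf": [
        { "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "exists": "false" },
        { "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "equals": "false" }
      ] }
    ]
  },
  "then": { "effect": "deny" }
}"""


def resolve_field(resource: dict, field: str):
    """Map a policy field alias onto the request body: 'type' is the resource
    type, and '<resource type>/<property>' aliases read properties.<property>
    (a simplification of Azure Policy's alias system, assumed for this example)."""
    if field == "type":
        return resource.get("type")
    rtype, _, prop = field.rpartition("/")
    if rtype.lower() != str(resource.get("type")).lower():
        return None                       # alias belongs to a different resource type
    return resource.get("properties", {}).get(prop)


def condition_matches(resource: dict, cond: dict) -> bool:
    """Recursively evaluate an Azure Policy condition tree against one request."""
    if "allOf" in cond:
        return all(condition_matches(resource, c) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_matches(resource, c) for c in cond["anyOf"])
    value = resolve_field(resource, cond["field"])
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        # Definitions spell booleans as "true"/"false"; comparison is case-insensitive.
        return str(value).lower() == str(cond["equals"]).lower()
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(resource: dict, policy_rule: dict | None = None) -> str:
    """Return the effect applied to a create/update request: 'deny' or 'allow'.
    A request that does not match the 'if' block is not subject to the policy."""
    rule = policy_rule or json.loads(POLICY_RULE_JSON)
    return rule["then"]["effect"] if condition_matches(resource, rule["if"]) else "allow"


# Constructed sample requests (not real resources).
INSECURE_ACCOUNT = {"type": "Microsoft.Storage/storageAccounts", "name": "stlegacy01",
                    "properties": {"supportsHttpsTrafficOnly": False}}
SECURE_ACCOUNT = {"type": "Microsoft.Storage/storageAccounts", "name": "stprod01",
                  "properties": {"supportsHttpsTrafficOnly": True}}
ACCOUNT_WITHOUT_SETTING = {"type": "Microsoft.Storage/storageAccounts", "name": "stold01",
                           "properties": {}}          # older template that omits the property
VIRTUAL_MACHINE = {"type": "Microsoft.Compute/virtualMachines", "name": "vm01",
                   "properties": {"hardwareProfile": {"vmSize": "Standard_B2s"}}}


if __name__ == "__main__":
    for req in (INSECURE_ACCOUNT, SECURE_ACCOUNT, ACCOUNT_WITHOUT_SETTING, VIRTUAL_MACHINE):
        print(f"{req['type']:40} {req['name']:12} -> {evaluate(req)}")
```

The practical check this illustrates: deny is evaluated against the request body, so a template that simply leaves supportsHttpsTrafficOnly out is rejected just like one that sets it to false, and resources of other types are untouched because the allOf on type fails first. Existing storage accounts created before the assignment are not affected by deny; they show up as non-compliant in the compliance view until someone updates them.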

748
MCQmedium

Your organization plans to deploy Microsoft Defender for Cloud to protect hybrid workloads. You need to design the agentless scanning deployment for Azure VMs running SQL Server. What should you configure?

A.In Microsoft Defender for Cloud, enable the 'defenderForSql' plan and set the 'agentlessScanning' property to 'true'.
B.Deploy the Log Analytics agent on each SQL Server VM.
C.Enable SQL Vulnerability Assessment in Microsoft Defender for Cloud.
D.Configure Azure Policy to assign the 'Enable Defender for Cloud for SQL Servers' initiative.
AnswerA

This is the plan setting that directly enables agentless scanning for SQL Server on Azure VMs.

Why this answer

Agentless scanning for SQL Server on Azure VMs is turned on in the Defender for Cloud plan settings (the defenderForSql plan with agentless scanning enabled), not through Azure Policy or SQL Vulnerability Assessment. Option A is correct because it is the setting that directly enables agentless scanning. Option B is wrong because deploying the Log Analytics agent is agent-based collection, the opposite of what agentless scanning is meant to achieve, and that agent is deprecated.

Option C is wrong because SQL Vulnerability Assessment is a separate feature that reports on database misconfigurations; enabling it does not configure agentless scanning. Option D is wrong because Azure Policy can enforce that the plan is enabled across subscriptions, but it is not the configuration mechanism for agentless scanning itself.

749
MCQeasy

You need to design a solution to protect Azure VMs from malware and vulnerabilities. Which Microsoft service should you use?

A.Microsoft Defender for Cloud
B.Microsoft Purview
C.Microsoft Sentinel
D.Microsoft Intune
AnswerA

Defender for Cloud offers VM protection features like antimalware and vulnerability scanning.

Why this answer

Option A is correct because Microsoft Defender for Cloud provides threat detection, vulnerability assessment and antimalware for VMs. Option B is wrong because Microsoft Purview is for data governance and compliance. Option C is wrong because Microsoft Sentinel is a SIEM/SOAR platform; it correlates and responds to signals but does not itself protect the VM.

Option D is wrong because Microsoft Intune is for device management and configuration, not for protecting Azure VM workloads from malware and vulnerabilities.

750
Multi-Selecthard

Your organization is implementing Microsoft Entra ID governance. Which THREE capabilities should you include to manage the identity lifecycle and access reviews?

Select 3 answers
A.Microsoft Entra Identity Protection.
B.Microsoft Entra Access Reviews.
C.Microsoft Entra Entitlement Management.
D.Microsoft Entra Lifecycle Workflows.
E.Privileged Identity Management (PIM).
AnswersB, C, D

Entitlement Management, Access Reviews and Lifecycle Workflows together cover access packages, periodic recertification and joiner/mover/leaver automation.

Why this answer

Option C is correct because Entitlement Management automates access requests, approvals and expiration through access packages. Option B is correct because Access Reviews allow periodic review and recertification of group, application and role access. Option D is correct because Lifecycle Workflows automate joiner, mover and leaver processes.

Option A is wrong because Identity Protection is for risk detection and risk-based Conditional Access, not lifecycle management. Option E is wrong because Privileged Identity Management governs just-in-time activation of privileged roles; it is part of identity governance but does not manage the identity lifecycle or run access reviews of ordinary access.
