Microsoft Cybersecurity Architect (SC-100) — Questions 751–825

969 questions total · 13 pages · All types, answers revealed

Page 11 of 13
751
MCQ · hard

An organization uses Microsoft Defender for Cloud to secure their multi-cloud environment, including Azure and AWS. They want to ensure that all AWS EC2 instances are automatically onboarded to Defender for Cloud. What should they configure?

A.Deploy Azure Arc on each EC2 instance
B.Use AWS Systems Manager to push Defender workload
C.Set up the AWS connector in Defender for Cloud
D.Configure AWS Config rules to report to Defender
Answer: C

The connector automatically discovers and monitors EC2 instances.

Why this answer

Option C is correct because the AWS connector in Microsoft Defender for Cloud is the native integration that enables automatic discovery and onboarding of AWS resources, including EC2 instances, into Defender for Cloud. Once configured, the connector uses AWS IAM roles and APIs to continuously sync EC2 inventory and apply Defender plans (e.g., Defender for Servers) without requiring manual agent installation on each instance.

Exam trap

The trap here is that candidates confuse the AWS connector (a cloud-to-cloud integration) with Azure Arc (a hybrid management tool), assuming Arc is required for any non-Azure workload, when in fact the connector handles automatic onboarding without per-instance configuration.

How to eliminate wrong answers

Option A is wrong because Azure Arc is the hybrid management layer, not the onboarding mechanism you configure: once the AWS connector is in place and the Defender for Servers plan is enabled, the connector auto-provisions the Azure Arc agent on EC2 instances (using the AWS Systems Manager agent already present on the instance), so installing Arc manually on each instance is unnecessary. Option B is wrong because AWS Systems Manager by itself deploys nothing Defender-related; it is only the transport that the connector's auto-provisioning uses, and it is the connector that decides what gets installed (Arc, then Microsoft Defender for Endpoint or the Azure Monitor Agent). Option D is wrong because AWS Config rules evaluate and record resource configuration for compliance auditing; they cannot install security agents or enable Defender plans.

752
MCQ · hard

Your organization is migrating to Microsoft 365 and wants to implement a data classification strategy. The compliance team needs to automatically detect and label documents containing personal data (e.g., Social Security numbers) in SharePoint Online. Which Microsoft Purview solution should you use?

A.Auto-labeling policies
B.Records Management
C.eDiscovery
D.Data Loss Prevention policies
Answer: A

Auto-labeling uses sensitive info types to automatically apply labels.

Why this answer

Auto-labeling policies in Microsoft Purview are designed to automatically detect sensitive data types (e.g., Social Security numbers) using built-in or custom sensitive information types and apply sensitivity labels to documents in SharePoint Online. This meets the requirement for automatic detection and labeling without user intervention, as the compliance team needs.

Exam trap

The trap here is confusing Data Loss Prevention (DLP) policies with auto-labeling policies, as both can detect sensitive data, but DLP policies enforce protective actions (block/alert) while auto-labeling policies apply sensitivity labels for classification and downstream protection.

How to eliminate wrong answers

Option B (Records Management) is wrong because it focuses on managing retention and disposition of content, not on automatic detection and labeling of sensitive data. Option C (eDiscovery) is wrong because it is used for searching and exporting content for legal or investigative purposes, not for applying classification labels. Option D (Data Loss Prevention policies) is wrong because DLP policies are designed to prevent unauthorized sharing or leakage of sensitive data by blocking or alerting on activities, not to automatically apply sensitivity labels to documents at rest.

753
Multi-Select · medium

Your organization is implementing Microsoft Entra ID Governance. You need to design a solution that automates user access reviews for cloud applications. Which TWO capabilities should you include?

Select 2 answers
A.Identity Protection
B.Entitlement Management with access packages
C.Terms of Use
D.Access Reviews
E.Privileged Identity Management (PIM)
Answers: B, D

Entitlement Management automates access lifecycle and can require reviews.

Why this answer

Options B and D are correct: Access Reviews automate the periodic recertification of group, application and access-package assignments, and Entitlement Management access packages bundle the application access with an approval workflow, an expiry and a review policy, so assignments are reviewed and removed without an administrator doing it by hand. Option E is wrong because Privileged Identity Management governs activation of privileged roles, not general application access. Option A is wrong because Identity Protection detects and remediates user and sign-in risk.

Option C is wrong because Terms of Use only records user consent to a policy.

754
MCQ · medium

Your organization uses Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data in Microsoft 365. You need to ensure that when a user attempts to share a document containing credit card numbers externally, the action is blocked and the user is shown a policy tip. Which DLP rule configuration should you use?

A.Block the action with a policy tip and allow override
B.Block the action and send an incident report in email
C.Audit the action only
D.Block the action without allowing override
Answer: A

This blocks the action, shows a policy tip, and allows override with justification.

Why this answer

Option A is correct: a rule set to block with a policy tip stops the external share, shows the user why, and lets them proceed if they record a business justification (the override and its justification are written to the audit log for review). Option D is the distractor: as written it blocks but says nothing about the policy tip the requirement asks for. Note that in the DLP rule editor the policy tip is configured under user notifications, independently of whether override is allowed, so on the exam read the option text literally. Option C is wrong because audit only records the action and never blocks it.

Option B is wrong because an incident report is emailed to administrators; it is not a notification shown to the user.
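The two questions above (752 and 754) both turn on how a Purview sensitive information type (SIT) finds personal data and what a DLP rule then does with the match. The block below is an added example, not Microsoft code: a toy model in which a SIT is a regex plus a checksum or format validator plus supporting keywords that raise confidence, and a DLP rule maps the match to audit, block, or block-with-override. The two SITs mirror the built-in U.S. SSN and credit card number types; the sample document, the keyword lists and the rule are constructed.

```python
"""Added example (not Microsoft code): a toy model of how a Purview sensitive
information type (SIT) and a DLP rule action fit together.  A real SIT is a
regex plus a checksum or format validator, supporting keywords and a
confidence level; the DLP rule then decides what happens when a match is
shared externally.  The two SITs below mirror the built-in U.S. SSN and credit
card number types; the document text and the rule are constructed."""
import re
from dataclasses import dataclass
from typing import Optional

SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

SIT_SSN = "U.S. Social Security Number"
SIT_CARD = "Credit Card Number"

# supporting keywords near the match raise confidence from Medium to High (simplified)
KEYWORDS = {
    SIT_SSN: ("ssn", "social security"),
    SIT_CARD: ("card", "visa", "mastercard", "amex"),
}


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """SSA issuance rules: area not 000, 666 or 900-999; group not 00; serial not 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _confidence(text: str, start: int, end: int, sit: str) -> str:
    window = text[max(0, start - 300):end + 300].lower()
    return "High" if any(k in window for k in KEYWORDS[sit]) else "Medium"


def classify(text: str) -> list:
    """Return SIT matches that pass both the pattern and the validator."""
    findings = []
    for m in SSN_RE.finditer(text):
        if is_valid_ssn(*m.groups()):
            findings.append({"sit": SIT_SSN, "value": m.group(0),
                             "confidence": _confidence(text, m.start(), m.end(), SIT_SSN)})
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            findings.append({"sit": SIT_CARD, "value": m.group(0),
                             "confidence": _confidence(text, m.start(), m.end(), SIT_CARD)})
    return findings


@dataclass(frozen=True)
class DlpRule:
    action: str               # "Audit", "Block" or "BlockWithOverride"
    show_policy_tip: bool
    min_count: int = 1        # instance-count threshold in the rule condition


def evaluate_share(text: str, rule: DlpRule, external: bool = True,
                   justification: Optional[str] = None) -> dict:
    """Decide what the rule does when `text` is shared; external=False is in-tenant."""
    findings = classify(text)
    if not external or len(findings) < rule.min_count:
        return {"outcome": "Allow", "policy_tip": False, "findings": findings}
    tip = rule.show_policy_tip
    if rule.action == "Audit":
        return {"outcome": "AllowAndAudit", "policy_tip": tip, "findings": findings}
    if rule.action == "BlockWithOverride" and justification:
        # the override and its justification are written to the DLP audit log
        return {"outcome": "AllowWithOverride", "policy_tip": tip, "findings": findings}
    return {"outcome": "Block", "policy_tip": tip, "findings": findings}


# constructed sample document: one real-looking SSN and card, one of each that fails validation
SAMPLE_DOC = (
    "Employee SSN: 123-45-6789. Corporate Visa card 4111 1111 1111 1111, exp 12/27.\n"
    "Ticket ref 000-12-3456 is not an SSN and 1234567890123456 fails Luhn."
)

if __name__ == "__main__":
    rule = DlpRule(action="BlockWithOverride", show_policy_tip=True)
    print(evaluate_share(SAMPLE_DOC, rule))
    print(evaluate_share(SAMPLE_DOC, rule, justification="Customer requested a copy"))
```

The validator step is the part people forget: `000-12-3456` and `1234567890123456` match the regexes but are rejected, which is why the real SITs produce far fewer false positives than a bare regex in a DLP rule would.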

755
Drag & Drop · medium

Order the steps to troubleshoot an Azure VPN gateway connection failure.


Why this order

Troubleshooting starts with Azure side, then on-premises, and may require reset.

756
MCQ · easy

Your company plans to migrate on-premises servers to Azure. You need to ensure that the migrated servers are protected against malware and vulnerabilities. Which Microsoft Defender for Cloud plan should you enable for the Azure VMs?

A.Microsoft Defender for SQL
B.Microsoft Defender for Storage
C.Microsoft Defender for Containers
D.Microsoft Defender for Servers
Answer: D

Defender for Servers protects VMs with malware and vulnerability scanning.

Why this answer

Option D is correct because Microsoft Defender for Servers provides endpoint protection (through its Microsoft Defender for Endpoint integration), vulnerability assessment and threat detection for Azure VMs and Arc-enabled servers. Option C is wrong because Defender for Containers covers Kubernetes clusters and container images. Option B is wrong because Defender for Storage covers storage accounts.

Option A is wrong because Defender for SQL covers SQL databases and SQL servers on machines.

757
MCQ · medium

A company uses Azure Arc to manage on-premises servers. The security team wants to enforce that all servers (on-premises and Azure) have Microsoft Defender for Endpoint installed and running. Which solution should you use to ensure compliance across hybrid environments?

A.Microsoft Intune
B.Azure Policy with Guest Configuration
C.Azure Update Manager
D.Microsoft Defender for Cloud
Answer: B

Azure Policy with Guest Configuration can audit and enforce settings on hybrid servers.

Why this answer

Option B is correct because Azure Policy with the guest configuration extension evaluates settings inside the operating system (for example whether a service is installed and running) on both Azure VMs and Azure Arc-enabled servers, reports non-compliance centrally, and can remediate where a deployIfNotExists or modify effect is available. Option A is wrong because Microsoft Intune manages workstations and mobile devices; Windows Server is not an Intune-managed platform. Option D is wrong because Microsoft Defender for Cloud surfaces recommendations, and its Defender for Servers plan can auto-deploy Defender for Endpoint, but the question asks for configuration compliance enforcement across the hybrid estate, which is Azure Policy's job.

Option C is wrong because Azure Update Manager handles OS patch assessment and deployment, not endpoint protection enforcement.

758
Multi-Select · easy

Your organization needs to meet compliance requirements for GDPR. You need to design a solution that uses Microsoft Purview to classify and protect personal data. Which TWO capabilities should you include?

Select 2 answers
A.Data Subject Requests (DSR) tool
B.Data Classification and labeling
C.eDiscovery (Premium)
D.Insider Risk Management
E.Communication Compliance
Answers: A, B

DSR tool helps manage GDPR data subject requests.

Why this answer

Options A and B are correct: data classification and sensitivity labeling in Purview identify personal data with sensitive information types and trainable classifiers and apply protection to it, and the Data Subject Requests tool helps you locate and export a person's data to answer GDPR access and erasure requests. Option D is wrong because Insider Risk Management detects risky user activity, not personal-data classification.

Option E is wrong because Communication Compliance monitors messages for policy violations. Option C is wrong because eDiscovery (Premium) supports legal holds, search and export for litigation, not GDPR classification and protection.

759
MCQ · medium

You are a security architect for a software development company. The company uses GitHub for source control and Azure DevOps for CI/CD. They have a large number of repositories and want to ensure that secrets (e.g., API keys, connection strings) are never committed to code. They also want to scan pull requests for secrets before merging. The company has Microsoft Defender for Cloud and Microsoft Purview available. You need to design a solution that prevents secret leaks. What should you use?

A.Enable Microsoft Defender for Cloud's 'Secrets scanning' feature for GitHub repositories.
B.Use Azure Key Vault to store secrets and enforce policies that require developers to use Key Vault references.
C.Use Microsoft Purview Information Protection to scan repositories and classify secrets.
D.Enable GitHub secret scanning for all repositories. Configure push protection to block commits containing secrets. Use custom patterns to scan for company-specific secrets.
Answer: D

GitHub secret scanning can detect and block secrets in code.

Why this answer

Option D is correct because GitHub secret scanning is built into the platform: it matches known provider token formats, can be extended with custom patterns for company-specific secrets, and with push protection rejects a push that contains a detected secret before the commit lands in the repository (the developer removes the secret or records a bypass reason, which is audited). Pull requests are covered because the scan runs on every push to the branch. Secret scanning and push protection on private repositories require GitHub Advanced Security. Option B is wrong because Azure Key Vault stores secrets and does not detect them in code; it is where the secrets belong once they are out of the repository, but it does not prevent commits.

Option A is wrong because Defender for Cloud's DevOps security surfaces secret findings from connected repositories in its recommendations but does not itself block pushes; push protection is a GitHub feature. Option C is wrong because Microsoft Purview Information Protection classifies and labels documents and data, not source code in repositories.
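To make the push-protection behaviour concrete, here is an added example that is not GitHub's code: a model of what secret scanning does to a pushed diff. It scans only added lines, tracks file and line numbers from the hunk headers, matches provider formats and a custom pattern, masks the value in its output, and blocks the push unless a bypass reason is recorded. The AWS access key ID and GitHub PAT formats are public; the `contoso_` pattern and the connection-string pattern are constructed stand-ins for custom patterns, the bypass identifiers are ours, and the diff is constructed.

```python
"""Added example (not GitHub's code): a model of what secret scanning with
push protection does to a pushed diff.  GitHub matches provider token formats
and any custom patterns the organization defines, and push protection rejects
the push unless the developer removes the secret or records a bypass reason.
The AWS access key ID and GitHub PAT formats are public; the 'contoso_' pattern
and the connection-string pattern are constructed stand-ins for custom
patterns, and the diff is constructed."""
import re

PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # hypothetical custom pattern for a company-specific API key format
    "contoso_api_key": re.compile(r"\bcontoso_[0-9a-f]{32}\b"),
    # constructed: password embedded in a connection string
    "connection_string_password": re.compile(r"Password=[^;\s]{8,};", re.IGNORECASE),
}

# values that match a pattern but are documented placeholders, not real secrets
ALLOWLIST = {"AKIAIOSFODNN7EXAMPLE"}

# the three bypass categories push protection offers (identifiers are ours)
BYPASS_REASONS = {"false-positive", "used-in-tests", "fix-later"}

HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def mask(secret: str) -> str:
    """Never echo the whole secret into logs or alerts."""
    return secret[:6] + "..." if len(secret) > 6 else "***"


def scan_diff(diff: str) -> list:
    """Scan only added lines, tracking file and new-file line numbers from hunk headers."""
    findings, path, lineno = [], None, 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith("--- "):
            continue
        hunk = HUNK_RE.match(raw)
        if hunk:
            lineno = int(hunk.group(1))
            continue
        if raw.startswith("-"):
            continue                      # removed lines are not in the new tree
        if raw.startswith("+"):
            for name, rx in PATTERNS.items():
                for hit in rx.finditer(raw[1:]):
                    if hit.group(0) not in ALLOWLIST:
                        findings.append({"file": path, "line": lineno,
                                         "pattern": name, "secret": mask(hit.group(0))})
        lineno += 1                       # added and context lines both advance
    return findings


def evaluate_push(findings: list, bypass_reason: str = None) -> dict:
    """Push protection: block on any finding unless a recognised bypass reason is recorded."""
    if not findings:
        return {"allowed": True, "blocked_on": [], "bypass": None}
    if bypass_reason in BYPASS_REASONS:
        # the bypass is allowed but audited; security can alert on 'fix-later' overuse
        return {"allowed": True, "blocked_on": findings, "bypass": bypass_reason}
    return {"allowed": False, "blocked_on": findings, "bypass": None}


# constructed diff: one allowlisted placeholder, three real-looking secrets, one removed line
SAMPLE_DIFF = """\
diff --git a/src/config.py b/src/config.py
--- a/src/config.py
+++ b/src/config.py
@@ -1,3 +1,6 @@
 import os
-AWS_KEY = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"  # AWS documentation placeholder, allowlisted
+AWS_REAL = "AKIAABCDEFGHIJKLMNOP"
+CONTOSO_KEY = "contoso_0123456789abcdef0123456789abcdef"
+DB = "Server=tcp:db.example.net;Database=app;User ID=app;Password=Sup3rSecret!;"
 TIMEOUT = 30
"""

if __name__ == "__main__":
    hits = scan_diff(SAMPLE_DIFF)
    for h in hits:
        print(f"{h['file']}:{h['line']} {h['pattern']} {h['secret']}")
    print(evaluate_push(hits))
    print(evaluate_push(hits, bypass_reason="used-in-tests"))
```

The point for a security architect is the ordering: detection happens on the push, before the commit is in the shared history, so the secret never needs to be rotated because it was never published. Once something like `AWS_REAL` does land in history, rotation is the only fix; rewriting history does not revoke a key.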

760
MCQ · hard

A healthcare organization is designing a zero-trust application security strategy. They use Microsoft Entra ID for identity and plan to deploy a legacy on-premises web application with no modern authentication support. The solution must ensure that only authorized users can access the app and that access is logged for auditing. Which Microsoft security service should they use to secure access?

A.Azure AD B2C
B.Microsoft Entra application proxy
C.Microsoft Defender for Cloud Apps
D.Microsoft Intune
Answer: B

Provides secure remote access and conditional access for on-premises web apps without modifying the app.

Why this answer

Option B is correct because Microsoft Entra application proxy publishes the on-premises web app through an outbound connector, pre-authenticates users with Microsoft Entra ID (so Conditional Access and MFA apply before any request reaches the app), can sign the user into the legacy app with Kerberos constrained delegation or header-based authentication, and records every access in the Entra sign-in logs, all without modifying the app, deploying a VPN, or opening inbound firewall ports. Option C is wrong because Defender for Cloud Apps governs SaaS and cloud apps through API connectors and proxied sessions; it does not publish an on-premises app on its own.

Option A is wrong because Azure AD B2C is for customer-facing identity. Option D is wrong because Microsoft Intune manages devices, not application access.

761
Multi-Select · easy

Which TWO of the following are valid methods to enforce multifactor authentication (MFA) for users accessing Microsoft 365 services? (Choose two.)

Select 2 answers
A.Privileged Identity Management (PIM)
B.Security defaults
C.Identity Protection policies
D.Per-user MFA in the Microsoft 365 admin center
E.Conditional Access policies
Answers: D, E

Admins can enable MFA for individual users.

Why this answer

Option D is correct because per-user MFA can still be enabled for individual accounts in the Microsoft 365 admin center, although Microsoft recommends moving to Conditional Access. Option E is correct because Conditional Access policies require MFA based on user, role, app, device and risk conditions and are the recommended method. Option B is wrong in the exam's framing because security defaults are a single tenant-wide switch that turns on MFA registration and enforcement for everyone and cannot coexist with Conditional Access; they are not a method you apply to chosen users.

Option A is wrong because Privileged Identity Management governs role activation (it can require MFA on activation, but through Conditional Access authentication context or the activation settings, not as a general MFA control). Option C is wrong because Identity Protection detects user and sign-in risk; the MFA requirement for risky sign-ins is enforced through risk-based Conditional Access policies.

762
Multi-Select · medium

Which TWO actions should you take to implement a least-privilege identity security model using Microsoft Entra ID? (Choose two.)

Select 2 answers
A.Create conditional access policies to restrict access based on user, device, and location.
B.Enable Azure AD Identity Governance for guest user access reviews.
C.Use Privileged Identity Management (PIM) for just-in-time role activation.
D.Require multi-factor authentication for all users.
E.Assign global administrator role to all IT staff for simplicity.
Answers: A, C

Conditional access policies enforce context-based access, adhering to least-privilege.

Why this answer

Option C is correct because PIM replaces standing role assignments with eligible assignments that are activated just in time, for a bounded duration, with approval and audit. Option A is correct because Conditional Access limits access to the context (user, device state, location) in which it is needed. Option E is wrong because permanently assigning Global Administrator to all IT staff is the opposite of least privilege.

Option B is wrong because guest access reviews are a governance hygiene control rather than the primary least-privilege mechanism. Option D is wrong because MFA strengthens authentication but does not reduce what an authenticated identity is allowed to do.

763
MCQ · hard

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. You need to design a solution that collects security events from Azure virtual machines and sends them to Microsoft Sentinel. The solution must minimize cost and management overhead. Which data connector should you use?

A.Windows Security Events via AMA (Azure Monitor Agent)
B.Microsoft Defender for Cloud data connector
C.Azure Activity data connector
D.Microsoft Entra ID (Azure AD) data connector
Answer: A

This connector collects security events from VMs efficiently.

Why this answer

Option A is correct because the Windows Security Events via AMA connector collects events from Azure VMs with the Azure Monitor Agent, which is deployed and configured centrally through Azure Policy and data collection rules (DCRs). A DCR can restrict collection to the event set you need (the connector's Common or Minimal sets, or a custom XPath filter), which is what keeps ingestion cost down; the legacy Log Analytics agent (MMA) is retired and should not be used for new deployments. Option C (Azure Activity) collects subscription-level control-plane logs, not events from inside the VM. Option B (Defender for Cloud) forwards Defender alerts and recommendations, not raw security event logs.

Option D (Microsoft Entra ID) collects sign-in and audit logs from the directory, not from VMs.

764
MCQ · hard

Your company has a Microsoft Defender for Cloud environment with Azure Arc-enabled on-premises servers. The security team wants to ensure that all servers have the Log Analytics agent installed and that missing updates are automatically remediated for critical vulnerabilities. Which policy initiative should you assign to the management group containing these servers?

A.Azure Policy for Kubernetes
B.CIS Microsoft Azure Foundations Benchmark
C.NIST SP 800-53 R5
D.Azure Security Benchmark
Answer: D

This initiative includes policies for deploying the Log Analytics agent and remediating vulnerabilities.

Why this answer

Option D is correct: the Azure Security Benchmark initiative (now named Microsoft cloud security benchmark, the default initiative Defender for Cloud assigns) contains the policies that deploy the monitoring agent to Azure and Arc-enabled machines and flag machines with missing updates and vulnerability findings. Option A is wrong because Azure Policy for Kubernetes is the policy add-on for cluster admission control, not an initiative for servers. Options B and C are regulatory compliance initiatives that audit configuration against the CIS and NIST control frameworks; they report compliance but are not the initiative Defender for Cloud uses to drive agent deployment. Note for current deployments that the Log Analytics agent is retired: the Azure Monitor Agent replaces it, and Defender for Servers relies on Defender for Endpoint for vulnerability assessment.

765
Multi-Select · medium

Your organization is implementing Microsoft Defender for Office 365 to protect against phishing attacks. Which TWO features can be used to simulate phishing attacks and train users?

Select 2 answers
A.Campaign simulations
B.Safe Attachments
C.Attack simulation training
D.Safe Links
E.Anti-phish policies
Answers: A, C

Part of attack simulation training.

Why this answer

Options A and C are correct because Attack simulation training in Defender for Office 365 lets you launch simulated phishing campaigns (credential harvest, malware attachment, link-in-attachment and similar techniques) against selected users and assigns training to those who fall for them. Option D is wrong because Safe Links rewrites and checks URLs at click time. Option B is wrong because Safe Attachments detonates attachments in a sandbox.

Option E is wrong because anti-phishing policies detect impersonation and spoofing in real mail; they do not simulate attacks.

766
Multi-Select · medium

A financial institution, Contoso Bank, is deploying a new application on Azure Kubernetes Service (AKS) that processes credit card transactions (PCI DSS). The application uses Azure SQL Database and Azure Redis Cache. You need to design a security solution that meets PCI DSS requirements. Which THREE of the following should you implement?

Select 3 answers
A.Deploy AKS as a private cluster with no public endpoint.
B.Configure Always Encrypted for sensitive columns in Azure SQL Database.
C.Enable Azure RBAC for Kubernetes authorization.
D.Use private endpoints for Azure SQL Database and Azure Cache for Redis.
E.Disable TLS for Azure Cache for Redis to improve performance.
Answers: A, B, D

Private cluster ensures that the Kubernetes API server is not exposed to the internet.

Why this answer

Option A is correct because a private AKS cluster keeps the Kubernetes API server off the public internet, reachable only over a private endpoint in the virtual network. Option B is correct because Always Encrypted keeps cardholder data encrypted inside Azure SQL Database with keys held on the application side, so database administrators and the platform never see plaintext. Option D is correct because private endpoints keep traffic to Azure SQL Database and Azure Cache for Redis on the virtual network instead of the services' public endpoints.

Option C is wrong because Azure RBAC for Kubernetes authorization is good practice but is an access-control measure, not one of the three data-protection and network-isolation controls the question is after. Option E is wrong because disabling TLS would send cardholder data in cleartext; PCI DSS requires strong cryptography in transit.

767
MCQ · medium

A company deploys Microsoft Defender for Cloud Apps. They need to detect anomalous behavior in user activities across multiple cloud apps. Which feature should they enable?

A.Session policies
B.Anomaly detection policies
C.Data loss prevention policies
D.App governance
Answer: B

This is the correct feature for detecting anomalous user activities.

Why this answer

Anomaly detection policies in Microsoft Defender for Cloud Apps are specifically designed to identify unusual patterns in user activities across connected cloud apps, such as impossible travel, mass file downloads, or ransomware-like behavior. These policies leverage machine learning and behavioral analytics to establish a baseline of normal user behavior and trigger alerts when deviations occur, making them the correct choice for detecting anomalous behavior.

Exam trap

The trap here is that candidates often confuse session policies (which enforce real-time access controls) with anomaly detection policies (which analyze historical patterns), leading them to select session policies when the question specifically asks for detecting anomalous behavior rather than controlling it.

How to eliminate wrong answers

Option A is wrong because session policies are used for real-time control of user sessions based on risk level, not for detecting anomalous behavior patterns over time. Option C is wrong because data loss prevention policies focus on preventing unauthorized sharing or leakage of sensitive data, not on detecting behavioral anomalies in user activities. Option D is wrong because app governance provides visibility and control over app permissions and compliance, but it does not include the behavioral anomaly detection capabilities needed for user activity monitoring.

768
Multi-Select · medium

Your company plans to use Microsoft Defender for Cloud to protect its Azure resources. You need to enable just-in-time (JIT) VM access to reduce the attack surface. Which TWO configurations are required to implement JIT access?

Select 2 answers
A.Enable JIT VM access in Microsoft Defender for Cloud.
B.Deploy Azure Bastion for secure RDP/SSH connectivity.
C.Configure a Log Analytics workspace to collect JIT logs.
D.Assign an Azure Policy that requires JIT access on VMs.
E.Create a network security group (NSG) that allows all inbound traffic.
Answers: A, D

JIT must be enabled in Defender for Cloud for the VMs.

Why this answer

Option A is correct because JIT is enabled per VM in Defender for Cloud (it requires Defender for Servers Plan 2), where you define the management ports, the allowed source IP ranges and the maximum request duration. Option D is correct in the exam's framing because the built-in policy 'Management ports of virtual machines should be protected with just-in-time network access control' is how you audit and drive JIT adoption at scale; strictly, a single VM can be protected without any policy assignment. Option E is wrong because an NSG that allows all inbound traffic defeats the purpose; JIT itself writes a deny rule for the management ports and adds a time-bound allow rule for the requester's source address when a request is approved, so no separate NSG configuration is required.

Option B is wrong because Azure Bastion is an alternative way to reach VMs without public RDP/SSH ports and is not required for JIT. Option C is wrong because a Log Analytics workspace is for monitoring; JIT requests are recorded in the activity log.

769
Multi-Select · easy

Which THREE features of Microsoft Defender for Cloud help secure Azure Kubernetes Service (AKS) clusters? (Select three.)

Select 3 answers
A.Advanced threat protection for Azure Cosmos DB
B.Azure Defender for Kubernetes (cluster hardening)
C.Vulnerability assessment for container images
D.DDoS Protection Standard
E.Runtime threat detection for AKS clusters
Answers: B, C, E

Provides threat detection and hardening recommendations for AKS.

Why this answer

Azure Defender for Kubernetes (now part of Microsoft Defender for Containers, within Defender for Cloud's workload protection) provides cluster hardening recommendations by assessing AKS cluster configurations against benchmarks such as the CIS Kubernetes benchmark. It identifies misconfigurations such as overly permissive RBAC roles, missing network policies or privileged containers, and offers remediation steps to reduce the attack surface. Option C (vulnerability assessment of images in Azure Container Registry and of images running on the cluster) and Option E (runtime threat detection from Kubernetes audit logs and the Defender sensor on the nodes) are the other two Defender for Containers capabilities that protect AKS.

Exam trap

The trap here is that candidates may confuse general Azure security services (like DDoS Protection) or unrelated Defender plans (like Cosmos DB) with the specific Defender for Cloud features that directly protect AKS workloads, leading them to select options that are technically valid Azure services but not applicable to AKS cluster security.

770
MCQ · medium

Your organization is migrating on-premises applications to Azure and needs to secure secrets (database connection strings, API keys) used by these applications. You are required to rotate secrets automatically without downtime. Which Azure service should you use?

A.Microsoft Purview Information Protection
B.Azure App Configuration with feature flags
C.Azure Key Vault with managed identity and certificate auto-rotation
D.Azure AD Application Proxy
Answer: C

Key Vault stores secrets, managed identity provides secure access, and auto-rotation rotates certificates.

Why this answer

Azure Key Vault with managed identity and automatic rotation is the correct solution because Key Vault stores secrets securely, managed identity lets the application fetch them without any hard-coded credential, and Key Vault can renew certificates automatically (with an integrated CA) and rotate keys on a rotation policy. Note the caveat for plain secrets such as connection strings: Key Vault does not rotate those by itself. The documented pattern is an expiry-based Event Grid notification that triggers an Azure Function to generate the new value, update the target service and write a new secret version, while the application reads the current version on each use so the change needs no downtime. Option B (Azure App Configuration) is for application settings and feature flags, not secrets; it references Key Vault for anything sensitive. Option A (Microsoft Purview) is for data governance.

Option D (Azure AD Application Proxy) is for remote access to on-premises apps.

771
MCQ · medium

Refer to the exhibit. You are reviewing a conditional access policy. What is the effect of this policy?

A.The policy is disabled and has no effect
B.Blocks access for all users
C.Requires multifactor authentication for all users
D.Requires multifactor authentication for Global Administrators and Security Administrators
Answer: D

The policy includes those roles and requires MFA.

Why this answer

Option D is correct because the exhibit shows a conditional access policy that targets the 'Global Administrators' and 'Security Administrators' directory roles, and the policy is configured to 'Require multifactor authentication' for those roles. The policy is enabled (as indicated by the 'On' toggle), so it actively enforces MFA for members of those two admin roles, blocking access if they do not complete MFA. This aligns with the principle of securing high-privilege roles with stronger authentication.

Exam trap

The trap here is that candidates may overlook the specific role targeting in the policy and assume it applies to all users, leading them to choose option C, or they may mistakenly think the policy is disabled because they misread the toggle state, choosing option A.

How to eliminate wrong answers

Option A is wrong because the policy is enabled (the 'On' toggle is visible in the exhibit), so it is not disabled and does have an effect. Option B is wrong because the policy targets only specific directory roles (Global Administrators and Security Administrators), not all users, so it does not block access for everyone. Option C is wrong because the policy does not apply to all users; it is scoped to only the two specified admin roles, so it does not require MFA for all users.

772
MCQ · medium

A company is designing a hybrid network architecture using Azure ExpressRoute. They need to ensure that all traffic between on-premises and Azure is encrypted and authenticated. Which configuration should they implement?

A.Use VPN Gateway over ExpressRoute
B.Use ExpressRoute Direct with BGP
C.Use ExpressRoute with MACsec
D.Use Azure Firewall to inspect ExpressRoute traffic
Answer: C

MACsec enables encryption and authentication on ExpressRoute circuits.

Why this answer

Option C is correct because MACsec (IEEE 802.1AE) provides Layer 2 encryption and authentication for traffic traversing ExpressRoute Direct ports, ensuring that all data between on-premises and Azure is encrypted at the physical link level. This meets the requirement for both encryption and authentication without relying on higher-layer protocols like IPsec, which would add overhead and complexity.

Exam trap

The trap here is that candidates often confuse encryption at Layer 3 (IPsec) with encryption at Layer 2 (MACsec), assuming a VPN Gateway is required for encryption, when ExpressRoute Direct with MACsec provides native encryption without the performance penalty of a VPN overlay.

How to eliminate wrong answers

Option A is wrong because VPN Gateway over ExpressRoute (IPsec over Microsoft peering) does encrypt and authenticate traffic, but it is an overlay bounded by VPN gateway throughput and adds latency and operational complexity; the exam expects the native link-layer option when the circuit is ExpressRoute Direct. Option B is wrong because ExpressRoute Direct with BGP provides dedicated bandwidth and dynamic routing but does not include any encryption or authentication of the data-plane traffic. Option D is wrong because Azure Firewall inspects and filters traffic at Layers 3-7; it does not encrypt or authenticate the traffic itself. One practical caveat: MACsec protects the link between your edge routers and Microsoft's edge routers, not the path end to end into the virtual network, so if the requirement is end-to-end encryption you still need IPsec or application-layer TLS.

773
MCQ · hard

Your company is implementing a zero-trust network architecture in Azure. You need to ensure that all network traffic between virtual machines is encrypted and authenticated, regardless of the virtual network they reside in. What should you implement?

A.Azure VPN Gateway
B.Azure Virtual Network encryption
C.Network Security Groups (NSGs)
D.Azure Firewall
Answer: B

Virtual Network encryption encrypts all intra-VNet traffic.

Why this answer

Option B is correct because Azure Virtual Network encryption encrypts traffic between VMs in the virtual network, and between peered virtual networks that also have it enabled, on the Azure host, so the encryption is transparent to the guest OS and adds no tunnel overlay. It needs a supported VM size, and the enforcement setting decides whether unencrypted traffic from unsupported VMs is allowed or dropped; check both before treating it as a zero-trust control. Option A is wrong because VPN gateways provide site-to-site or VNet-to-VNet IPsec tunnels, not encryption of traffic between VMs inside a network. Option D is wrong because Azure Firewall filters and inspects traffic; it does not encrypt it.

Option C is wrong because NSGs filter traffic but do not encrypt it.

774
MCQ · medium

Refer to the exhibit. You are reviewing a Conditional Access policy in Microsoft Entra ID. The policy appears to block all legacy authentication. However, some users report that they can still access Exchange Online using Outlook 2010 (which uses basic authentication). What is the most likely reason the policy is not blocking these connections?

A.The policy is configured in 'report-only' mode
B.The policy excludes all users in the 'Global Administrators' group
C.The clientAppTypes condition does not include 'mobileAppsAndDesktopClients'
D.The policy state is 'disabled'
Answer: A

Report-only mode logs but does not enforce block actions.

Why this answer

Option A is correct because a policy in report-only mode (state enabledForReportingButNotEnforced in the Graph representation) is evaluated against every sign-in and records the result in the sign-in log's report-only view, but never applies its grant control, so legacy authentication keeps working. That is the intended state while you use the Conditional Access insights workbook to find who still depends on basic authentication before switching the policy on.

Option C is wrong because Outlook 2010 with basic authentication is matched by the 'Other clients' app type (other in Graph), which a legacy-auth block policy includes; mobileAppsAndDesktopClients covers modern-authentication clients. Option D is wrong because a disabled policy is never evaluated at all, whereas the question says the policy appears to be in place and evaluating. Option B is wrong because an exclusion for Global Administrators would not explain ordinary users getting through.
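Questions 771 and 774 both depend on reading a Conditional Access policy correctly: who it targets, which client app types it matches, and whether its state actually enforces anything. The block below is an added example, not Microsoft code: a small evaluator for policies written in the Microsoft Graph JSON shape. It shows that a report-only policy is evaluated and recorded but never enforced, that a basic-auth client is matched by the 'other' client app type and not by mobileAppsAndDesktopClients, and that a role-scoped MFA policy leaves ordinary users alone. The role template IDs are the documented built-in values for Global Administrator and Security Administrator; the policies and the sign-in records are constructed.

```python
"""Added example (not Microsoft code): a small evaluator for Conditional Access
policies written in the Microsoft Graph JSON shape.  It decides whether each
policy applies to a sign-in and what the combined result is, and exercises two
points: a report-only policy (state enabledForReportingButNotEnforced) is
evaluated and logged but never enforced, and a basic-auth client such as
Outlook 2010 is matched by the 'other' client app type, not by
mobileAppsAndDesktopClients.  The role template IDs are the documented built-in
values; the policies and sign-ins are constructed."""
import copy

GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
SECURITY_ADMIN = "194ae4cb-b126-40b2-bd5b-6091b380977d"

LEGACY_AUTH_BLOCK = {
    "displayName": "Block legacy authentication",
    "state": "enabledForReportingButNotEnforced",   # report-only
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": [], "includeRoles": []},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["exchangeActiveSync", "other"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

ADMIN_MFA = {
    "displayName": "Require MFA for admins",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": [], "excludeUsers": [],
                  "includeRoles": [GLOBAL_ADMIN, SECURITY_ADMIN]},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["all"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}


def with_state(policy: dict, state: str) -> dict:
    """Copy of a policy with a different state (enabled, disabled, report-only)."""
    p = copy.deepcopy(policy)
    p["state"] = state
    return p


def policy_applies(policy: dict, signin: dict) -> bool:
    """Match the policy's user, application and client-app conditions to one sign-in."""
    c = policy["conditions"]
    users = c["users"]
    if signin["user"] in users.get("excludeUsers", []):
        return False                                   # exclusions win
    in_scope = ("All" in users.get("includeUsers", [])
                or signin["user"] in users.get("includeUsers", [])
                or any(r in users.get("includeRoles", []) for r in signin["roles"]))
    if not in_scope:
        return False
    apps = c["applications"]["includeApplications"]
    if "All" not in apps and signin["app"] not in apps:
        return False
    client_types = c["clientAppTypes"]
    return "all" in client_types or signin["client_app_type"] in client_types


def evaluate(policies: list, signin: dict) -> dict:
    """Combine all matching policies: block beats mfa; report-only is recorded only."""
    result = {"enforced": [], "report_only": [], "decision": "allow"}
    for p in policies:
        if p["state"] == "disabled" or not policy_applies(p, signin):
            continue
        bucket = "enforced" if p["state"] == "enabled" else "report_only"
        result[bucket].append((p["displayName"], p["grantControls"]["builtInControls"]))
    controls = [ctl for _, ctls in result["enforced"] for ctl in ctls]
    if "block" in controls:
        result["decision"] = "block"
    elif "mfa" in controls:
        result["decision"] = "require_mfa"
    return result


# constructed sign-ins
OUTLOOK_2010 = {"user": "bob@contoso.example", "roles": [], "app": "Office365",
                "client_app_type": "other"}                 # basic authentication
ADMIN_BROWSER = {"user": "alice@contoso.example", "roles": [GLOBAL_ADMIN],
                 "app": "Office365", "client_app_type": "browser"}
USER_BROWSER = {"user": "bob@contoso.example", "roles": [], "app": "Office365",
                "client_app_type": "browser"}

if __name__ == "__main__":
    for name, s in [("Outlook 2010", OUTLOOK_2010), ("admin", ADMIN_BROWSER), ("user", USER_BROWSER)]:
        print(name, evaluate([LEGACY_AUTH_BLOCK, ADMIN_MFA], s))
    print("legacy block enabled:",
          evaluate([with_state(LEGACY_AUTH_BLOCK, "enabled"), ADMIN_MFA], OUTLOOK_2010))
```

Run against the Outlook 2010 sign-in, the legacy-auth policy lands in `report_only` and the decision stays `allow`; flip its state to `enabled` and the same sign-in is blocked. That is exactly what the report-only sign-in log view tells you before you enforce, and it is the check to make before assuming a policy is broken.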

775
Multi-Select · easy

Which THREE are valid methods to secure privileged access in Microsoft Entra ID? (Choose three.)

Select 3 answers
A.Use privileged access groups to manage elevated access to resources.
B.Require device enrollment via Microsoft Intune.
C.Use Privileged Identity Management (PIM) for just-in-time access.
D.Configure conditional access policies to require MFA for admins.
E.Enable self-service password reset for all users.
Answers: A, C, D

Privileged access groups allow time-based group membership.

Why this answer

Option C is correct because PIM replaces standing role assignments with just-in-time activation. Option D is correct because Conditional Access can require MFA (or a phishing-resistant authentication strength) whenever a directory role holder signs in. Option A is correct because privileged access groups (now PIM for Groups) make membership of a role-assignable group eligible and time-bound, so role assignments inherited through the group are also just in time.

Option E is wrong because self-service password reset is an end-user convenience control. Option B is wrong because Intune device enrollment is device management; it can feed a device-compliance condition into Conditional Access but is not itself a privileged-access control.

776
MCQ · easy

A company is designing an application architecture using Azure Kubernetes Service (AKS) and Azure Cosmos DB. The application requires that secrets (database connection strings) be injected into pods securely without storing them in the container image. The solution must minimize management overhead. What is the recommended approach?

A.Store secrets in a Kubernetes ConfigMap and reference them in the deployment YAML.
B.Use Azure Key Vault Provider for Secrets Store CSI Driver to mount secrets as volumes in pods.
C.Define secrets in a Kubernetes Secret object and reference them in the pod spec.
D.Hardcode the connection string in an environment variable in the deployment manifest.
Answer: B

This provides secure, managed secret injection with automatic rotation.

Why this answer

Option B is correct because the Azure Key Vault provider for the Secrets Store CSI Driver, available as an AKS add-on, mounts secrets, keys and certificates from Azure Key Vault into pods as files on a volume and can optionally sync them to a Kubernetes Secret when they must be exposed as environment variables. The pod authenticates to Key Vault with a workload identity, so no credential sits in the image or the manifest. This approach minimizes management overhead by leveraging Azure-managed Key Vault for secret lifecycle management, including periodic re-fetch of rotated values, and avoids the operational burden of manually managing Kubernetes Secrets.

Exam trap

The trap here is that candidates often assume Kubernetes Secrets are inherently secure because they are base64-encoded, but the exam tests the understanding that Secrets are only obfuscated, not encrypted by default, and that a managed external secrets store like Azure Key Vault is the recommended pattern for production-grade secret management with minimal overhead.

How to eliminate wrong answers

Option A is wrong because ConfigMaps are designed for non-sensitive configuration data (e.g., plain text), not secrets; storing database connection strings in a ConfigMap would expose them in plain text and violate security best practices. Option C is wrong because Kubernetes Secret objects are base64-encoded, not encrypted by default, and require additional encryption configuration (e.g., encryption at rest with KMS) and manual management, increasing overhead and risk compared to a dedicated secrets store. Option D is wrong because hardcoding connection strings in environment variables in the deployment manifest exposes secrets in plain text within the YAML file, version control, and cluster logs, completely violating security principles.

777
MCQ · medium

You are designing security for a multi-region Azure application. You need to ensure that traffic between virtual networks in different regions is encrypted and uses Microsoft backbone. What should you implement?

A.Configure VNet peering with 'Allow gateway transit' and 'Use remote gateways'.
B.Use Azure Firewall in each VNet and route traffic through it.
C.Deploy ExpressRoute circuits and connect each VNet to them.
D.Deploy a site-to-site VPN between the virtual networks.
AnswerA

VNet peering uses Microsoft backbone and can use VPN gateway for encryption if needed.

Why this answer

Option A is correct because VNet peering with 'Use remote gateways' enables encrypted transit over the Microsoft backbone. Option D is wrong because VPN Gateway is for on-premises or inter-region VPN over the internet, not over the backbone. Option C is wrong because ExpressRoute is for on-premises to Azure connectivity, not VNet-to-VNet.

Option B is wrong because Azure Firewall can inspect traffic but does not provide encrypted peering.

778
MCQhard

You are designing a security operations solution for a multinational organization using Microsoft Sentinel. The organization has multiple Azure subscriptions, each with its own Log Analytics workspace. You need to centralize incident management while minimizing data egress costs. What should you recommend?

A.Deploy a Sentinel workspace in each region and use cross-workspace views.
B.Export all logs to a third-party SIEM using Azure Event Hubs.
C.Configure Azure Monitor cross-workspace queries to correlate incidents.
D.Use a single Log Analytics workspace for all subscriptions and configure Sentinel in that workspace.
AnswerD

Centralizes incidents and avoids egress costs within the same region.

Why this answer

Option D is correct because using a single workspace for all subscriptions centralizes data and incidents, and Microsoft Sentinel does not charge for cross-workspace querying within the same region. Option A is wrong because separate workspaces per region would not centralize incidents. Option B is wrong because a third-party SIEM adds complexity and cost.

Option C is wrong because Azure Monitor cross-workspace queries are for analysis, not incident centralization.

779
MCQmedium

A company uses Microsoft Entra ID Governance. They need to automate the process of granting access to a SaaS application based on the user's department attribute. Which feature should they use?

A.Lifecycle workflows
B.Entitlement management
C.Access reviews
D.Privileged identity management
AnswerB

Entitlement management can automate access assignment based on attributes like department.

Why this answer

Entitlement management in Microsoft Entra ID Governance allows you to create access packages that define collections of resources (like SaaS apps) and policies for who can request access. By configuring a dynamic membership rule based on the user's department attribute, you can automate granting access to the SaaS application without manual intervention. This directly meets the requirement to automate access based on a user attribute.

Exam trap

The trap here is that candidates confuse Lifecycle workflows (which automate HR-driven provisioning events) with Entitlement management (which automates attribute-based access requests), leading them to choose Option A incorrectly.

How to eliminate wrong answers

Option A is wrong because Lifecycle workflows automate joiner, mover, and leaver processes (e.g., account provisioning, email forwarding) but do not handle attribute-based access requests to SaaS applications. Option C is wrong because Access reviews are periodic attestation processes to review existing access, not an automated mechanism to grant access based on a user attribute. Option D is wrong because Privileged identity management (PIM) provides just-in-time privileged access to Azure AD roles and Azure resources, not automated entitlement to a SaaS application based on a department attribute.

780
MCQeasy

Your organization uses Microsoft Defender for Office 365. You need to protect users from malicious links in emails. What should you configure?

A.Anti-malware policy
B.Safe Links policy
C.Anti-phishing policy
D.Safe Attachments policy
AnswerB

Safe Links protects users by scanning and blocking malicious links at the time of click.

Why this answer

Safe Links policy is the correct answer because it specifically protects users from malicious links in emails by scanning URLs at the time of click, checking against Microsoft's threat intelligence, and optionally rewriting links to route clicks through the Safe Links service. This is the dedicated Defender for Office 365 feature designed to mitigate link-based attacks in email messages.

Exam trap

The trap here is that candidates often confuse Safe Links with Safe Attachments, but Safe Attachments handles file payloads (attachments) while Safe Links handles URL payloads (links) — a common misconception that leads to selecting the wrong policy for link protection.

How to eliminate wrong answers

Option A is wrong because Anti-malware policy focuses on scanning email attachments and messages for malware signatures, not on protecting against malicious links. Option C is wrong because Anti-phishing policy primarily protects against impersonation attacks (e.g., spoofed domains, user impersonation) and does not directly scan or rewrite URLs in emails. Option D is wrong because Safe Attachments policy is designed to detonate and analyze email attachments in a sandbox environment, not to handle hyperlinks within the message body.

781
MCQmedium

Refer to the exhibit. You are troubleshooting a KQL query in Microsoft Sentinel that is supposed to return alerts for ransomware detections in the last day. The query returns no results, but you know there were ransomware alerts. What is the most likely cause?

A.The ThreatFamily field is an integer, not a string.
B.The AlertName filter is too specific and does not match the actual alert name.
C.The TimeGenerated filter uses the wrong time range.
D.The parse_json function is failing due to malformed JSON.
AnswerB

Alert names may have prefixes or variations.

Why this answer

Option B is correct because the query's `AlertName` filter is likely too specific (e.g., using a hardcoded string like 'RansomwareAlert') and does not match the actual alert name generated by Microsoft Sentinel's analytics rules. Ransomware alerts often have dynamic naming conventions that include variant names or suffixes, so an exact match filter fails to return results even though alerts exist. The query otherwise appears syntactically correct, and the `TimeGenerated` filter is set to the last day, which aligns with the known presence of alerts.

Exam trap

The trap here is that candidates assume a simple string comparison will match all alerts of a given category, overlooking that Microsoft Sentinel alert names often include variant-specific suffixes or prefixes, making exact-match filters too restrictive.

How to eliminate wrong answers

Option A is wrong because the `ThreatFamily` field in Microsoft Sentinel's alert schema is a string type, not an integer, and comparing it to a string literal would work correctly; an integer mismatch would cause a type error or implicit conversion, not a silent empty result. Option C is wrong because the `TimeGenerated` filter using `ago(1d)` is a standard and correct way to query the last 24 hours, and if alerts existed within that window, this filter would not suppress them. Option D is wrong because the `parse_json` function failing due to malformed JSON would typically produce an error or null value in the output, not an empty result set, and the query would still return rows with null fields rather than zero rows.
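An added example, not from the question bank, of the fix the explanation describes: a Sentinel query against the standard SecurityAlert table that first checks which alert names actually exist in the window and then filters with a term match instead of an exact string. The ExtendedProperties key "Category" is an assumption, since those keys vary by alert provider.

```kql
// Added example for the alert-name pitfall above; not part of the question bank.
// Assumes the standard Microsoft Sentinel SecurityAlert table columns
// (TimeGenerated, AlertName, Description, ProviderName, AlertSeverity,
// ExtendedProperties, CompromisedEntity); the ExtendedProperties key
// "Category" is an assumption, because its keys differ by provider.

// Step 1 (run on its own): list the alert names that exist in the window
// before writing a filter. This is the check that exposes an over-specific filter.
SecurityAlert
| where TimeGenerated > ago(1d)
| summarize Alerts = count() by AlertName, ProviderName
| sort by Alerts desc

// Step 2: the over-specific filter. It returns zero rows when the alert is
// named, say, "Ransomware activity detected (variant X)" rather than the literal.
// SecurityAlert
// | where TimeGenerated > ago(1d)
// | where AlertName == "RansomwareAlert"

// Step 3: the robust rule query. 'has' and 'has_any' do case-insensitive
// whole-term matching, so prefixes, suffixes and variant names still match.
SecurityAlert
| where TimeGenerated > ago(1d)
| where AlertName has_any ("ransomware", "ransom") or Description has "ransomware"
| extend Props = parse_json(ExtendedProperties)     // does not fail the query on bad input
| extend Category = tostring(Props["Category"])     // assumed key
| project TimeGenerated, AlertName, ProviderName, AlertSeverity, Category, CompromisedEntity
| sort by TimeGenerated desc
```

Run Step 1 and Step 3 as separate queries in the Logs blade; Step 2 is left commented out because it is the form that silently returns nothing.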

782
MCQmedium

Your organization uses Microsoft Defender XDR. You need to configure automatic attack disruption for ransomware attacks. Which action should you take?

A.Enable the 'Automatically investigate and respond to alerts' feature in Defender for Cloud Apps
B.Configure an automation rule in Microsoft Sentinel
C.Enable 'Automatic attack disruption' in the Microsoft 365 Defender portal
D.Disable 'Automated investigation and response' in Defender for Endpoint
AnswerC

This feature automatically contains assets during active attacks.

Why this answer

Automatic attack disruption is a feature of Microsoft Defender XDR that can be enabled to automatically contain attacks. It is configured in the Microsoft 365 Defender portal under Settings > Endpoints > Advanced features. The other options are not correct: disabling automated investigation reduces response, and the other portals are not for this setting.

783
MCQmedium

Refer to the exhibit. You are reviewing a Conditional Access policy JSON in Microsoft Entra ID. The policy is not blocking any sign-ins even though there are high-risk users. What is the most likely reason?

A.The signInRiskLevels condition is empty, so no sign-ins match.
B.The policy does not include any users or groups in the conditions.
C.The policy only applies to specific applications, but the exhibit shows 'All'.
D.The grant controls operator should be 'AND' instead of 'OR'.
AnswerB

The JSON lacks a user assignment, so the policy applies to no one.

Why this answer

Option B is correct because the policy's conditions specify user risk levels but no users or groups, so the policy applies to no one. The empty signInRiskLevels condition is not the problem; an empty condition simply means no sign-in-risk filter is applied. Other causes, such as the policy being in 'Report-only' mode, are possible but are not shown in the exhibit, so the missing user assignment is the most likely reason.

Option A is wrong because an empty signInRiskLevels condition means no filter is applied, which does not prevent blocking. Option C is wrong because the policy applies to all apps, not just specific ones. Option D is wrong because the grant controls operator only determines how multiple required controls are combined; it does not decide whether the policy applies to a sign-in at all.

784
MCQhard

A company uses Azure Key Vault to store secrets for their applications. They want to ensure that secrets can be automatically rotated when they are close to expiration. Which solution should they implement?

A.Use Azure DevOps release pipeline to rotate secrets
B.Use Azure Automation with a schedule to check expiration and rotate
C.Use Key Vault event grid subscription to trigger an Azure Function for rotation
D.Use Azure Logic Apps with a recurrence trigger to rotate secrets
AnswerC

Event-driven rotation on secret expiration.

Why this answer

Option C is correct because Azure Key Vault can emit events via Event Grid when a secret is near expiration, and an Azure Function subscribed to that event can perform the rotation logic immediately. This event-driven approach ensures near-real-time rotation without polling, aligning with the requirement for automatic rotation close to expiration.

Exam trap

The trap here is that candidates often choose polling-based solutions (Azure Automation or Logic Apps with recurrence) because they seem simpler, but the exam expects event-driven architecture using Event Grid for real-time, efficient rotation without polling overhead.

How to eliminate wrong answers

Option A is wrong because Azure DevOps release pipelines are designed for CI/CD deployment, not for automated secret rotation; they lack native integration with Key Vault expiration events and would require manual or scheduled triggers. Option B is wrong because Azure Automation with a schedule uses polling, which introduces latency and inefficiency compared to event-driven rotation; it also requires custom runbook logic to check expiration dates. Option D is wrong because Azure Logic Apps with a recurrence trigger also relies on polling, which is less efficient and may miss exact expiration timing; while Logic Apps can integrate with Key Vault, the event-driven Event Grid subscription is the recommended pattern for automatic rotation.

785
MCQmedium

Your company uses Microsoft Sentinel for security operations. You need to design a solution to automatically respond to a confirmed ransomware incident by isolating affected devices and blocking malicious IPs. What should you use?

A.Azure Policy
B.Sentinel automation rules with playbooks
C.Microsoft Defender for Cloud Apps
D.Microsoft Intune
AnswerB

Automation rules trigger playbooks built on Azure Logic Apps, which can execute actions such as isolating devices via Microsoft Defender for Endpoint or blocking IPs via firewalls.

Why this answer

Option B is correct because Microsoft Sentinel automation rules can trigger playbooks (based on Azure Logic Apps) to perform actions like device isolation and IP blocking. Option C is wrong because Microsoft Defender for Cloud Apps is more focused on SaaS app security. Option A is wrong because Azure Policy is for compliance, not automated response.

Option D is wrong because Microsoft Intune supports device management but would require additional orchestration.

786
MCQmedium

Your company uses Microsoft Sentinel as its SIEM. You need to design a solution to detect lateral movement attempts within the corporate network using Windows Event Logs collected from domain controllers and workstations. Which data source and analytic rule type should you use?

A.Windows Security Events with a Fusion rule
B.Azure Activity logs with an anomaly rule
C.Windows Security Events with a scheduled query rule
D.Sysmon logs with a scheduled query rule
AnswerA

Fusion rules correlate multiple events across different sources to detect lateral movement.

Why this answer

Windows Security Events from domain controllers and workstations, with a Fusion or multi-event analytic rule, can detect lateral movement patterns like pass-the-hash. Sysmon is useful but not the only source. Scheduled query rules are for single events.

Anomaly rules use machine learning but may not be as precise.

787
MCQhard

Your organization uses Microsoft Sentinel as its SIEM. You receive a large number of low-severity alerts from various sources, overwhelming the security operations team. You need to design a solution to reduce alert fatigue while ensuring that critical incidents are not missed. The solution should also automatically collect feedback from analysts when they close an incident. What should you implement?

A.Tune analytics rules to generate incidents only for high-fidelity alerts and use automation rules to collect feedback on incident closure
B.Create a separate analytics rule for each severity level
C.Implement a playbook that automatically closes low-severity alerts and collects feedback
D.Increase the severity threshold for all analytics rules
AnswerA

Tuning reduces noise; automation rules can trigger a playbook to collect analyst feedback when an incident is closed.

Why this answer

Option A is correct because Sentinel's analytics rules can be configured to create incidents only for high-fidelity alerts, and automation rules can be used to prompt analysts for feedback when closing incidents. Option D is wrong because simply increasing severity thresholds may miss critical events. Option B is wrong because a separate rule per severity level still creates incidents for all alerts and would increase fatigue.

Option C is wrong because a playbook for feedback is useful but does not reduce alert volume.

788
MCQeasy

Your security team needs to receive alerts when a user is assigned a privileged role in Microsoft Entra ID. Which service should you use to create an alert for privileged role assignments?

A.Microsoft Entra ID Privileged Identity Management (PIM)
B.Microsoft Defender for Identity
C.Microsoft Sentinel
D.Microsoft Defender for Cloud Apps
AnswerA

PIM provides alerts for privileged role assignments and activations.

Why this answer

Microsoft Entra ID Privileged Identity Management (PIM) is the correct service because it provides built-in alerting capabilities specifically for privileged role assignments in Microsoft Entra ID. PIM can generate alerts when a user is assigned a privileged role, such as Global Administrator, without requiring additional configuration or external data sources. This aligns directly with the requirement to receive alerts for privileged role assignments within the identity platform.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Identity or Microsoft Sentinel as the primary alerting tool for Entra ID role assignments, but PIM is the native, purpose-built service for this specific identity governance task.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Identity is a security solution that monitors on-premises Active Directory signals and hybrid identities for threats like lateral movement and compromised accounts, not for generating alerts on Entra ID role assignments. Option C is wrong because Microsoft Sentinel is a SIEM/SOAR platform that ingests logs from multiple sources, including Entra ID, but it requires custom analytics rules and log ingestion to create alerts for role assignments, making it an indirect and more complex solution compared to PIM's native alert. Option D is wrong because Microsoft Defender for Cloud Apps focuses on cloud application discovery, session controls, and anomaly detection for SaaS apps, not on monitoring Entra ID privileged role assignments.

789
Multi-Selecthard

Which THREE conditions can trigger a Microsoft Entra ID Protection user risk policy to require a password change?

Select 3 answers
A.Leaked credentials detected on the dark web.
B.User has not registered for multi-factor authentication.
C.Device is marked as non-compliant by Intune.
D.Impossible travel to atypical locations.
E.Sign-ins from anonymous IP addresses.
AnswersA, D, E

Leaked credentials indicate user compromise.

Why this answer

Option A is correct because Microsoft Entra ID Protection's user risk policy can be triggered by leaked credentials detected on the dark web. When Microsoft's threat intelligence services find a user's credentials exposed in a known data breach, the user's risk level is elevated, and the policy can be configured to require a password change as a remediation action to mitigate the compromised account.

Exam trap

The trap here is that candidates confuse user risk policy triggers (leaked credentials, impossible travel, anonymous IPs) with sign-in risk policy triggers (e.g., atypical travel, unfamiliar sign-in properties) or with unrelated Conditional Access conditions like device compliance or MFA registration.

790
MCQmedium

Your organization is deploying a customer-facing web application in Azure. The application must authenticate users via Microsoft Entra ID and access Microsoft Graph to read user profiles. The security team requires that the application never has access to user passwords. Which authentication flow should you recommend?

A.OAuth 2.0 implicit grant flow
B.OAuth 2.0 device authorization flow
C.OAuth 2.0 client credentials grant flow
D.OAuth 2.0 authorization code flow with PKCE
AnswerD

This flow obtains an authorization code after user consent, then exchanges it for tokens. PKCE ensures the code cannot be intercepted. No password is exposed.

Why this answer

Option D is correct because the OAuth 2.0 authorization code flow with PKCE is the recommended flow for native and web apps that need to access APIs without exposing user credentials. Option C is wrong because the client credentials flow is for server-to-server scenarios without a user context. Option B is wrong because the device authorization flow is for devices with limited input capabilities.

Option A is wrong because the implicit grant flow is deprecated due to security concerns.

791
Multi-Selectmedium

Which TWO of the following are best practices for securing Azure Kubernetes Service (AKS)?

Select 2 answers
A.Use Azure AD integration for authentication
B.Deploy all applications in the default namespace
C.Use service principals instead of managed identities for pod identity
D.Enable Azure Policy for AKS to enforce pod security policies
E.Enable SSH access to all worker nodes for troubleshooting
AnswersA, D

Azure AD integration provides identity-based access control.

Why this answer

Azure AD integration for AKS enables role-based access control (RBAC) using Azure AD identities, allowing fine-grained permissions for cluster operations. This eliminates the need for shared static credentials and supports conditional access policies, multi-factor authentication, and audit logging via Azure AD sign-in logs. It is a foundational security best practice for identity management in Kubernetes clusters.

Exam trap

The trap here is that candidates may think service principals are more secure than managed identities because they are explicit credentials, but managed identities eliminate credential management and are the recommended approach for pod identity in Azure.

792
Multi-Selectmedium

Your organization is planning to deploy Microsoft Defender for Cloud Apps (formerly Cloud App Security). You need to discover shadow IT usage and control access to cloud apps. Which TWO capabilities should you enable? (Choose TWO.)

Select 2 answers
A.Conditional Access App Control
B.Microsoft Intune device compliance policies
C.Data Loss Prevention (DLP) policies
D.On-premises app discovery via Microsoft Defender for Identity
E.Cloud Discovery
AnswersA, E

Conditional Access App Control provides session-level controls to protect access.

Why this answer

Options A and E are correct. Cloud Discovery (E) identifies shadow IT by analyzing traffic logs. Conditional Access App Control (A) enables real-time session controls.

Option C is wrong because DLP policies are for data protection, not discovery or access control. Option B is wrong because device compliance is managed by Intune. Option D is wrong because Defender for Cloud Apps (formerly MCAS) does not scan on-premises apps.

793
MCQmedium

Your company is developing a microservices application that will run on Azure Kubernetes Service (AKS). The application must authenticate to Azure SQL Database using managed identities. Which type of managed identity should you assign to the AKS cluster?

A.Certificate-based authentication using Azure Key Vault
B.System-assigned managed identity on the cluster
C.Service principal with client secret
D.User-assigned managed identity and Azure AD Pod Identity
AnswerD

Pod Identity assigns a user-assigned identity to pods to access Azure resources.

Why this answer

Option D is correct because AKS uses a system-assigned managed identity for the cluster itself to integrate with Azure resources like load balancers, but for pods to access Azure SQL you need a pod identity (like Azure AD Pod Identity), which uses a user-assigned managed identity. Option B is wrong because the system-assigned identity is for the cluster, not the pods.

Option C is wrong because a service principal is the legacy approach. Option A is wrong because certificate-based authentication is not a managed identity.

794
MCQhard

Refer to the exhibit. A security administrator is reviewing a Conditional Access policy JSON. They want to ensure that users with medium risk level are prompted for multi-factor authentication (MFA), while high-risk users are blocked. The policy is not working as expected. Which issue is present in the policy?

A.The policy mode should be 'report-only'
B.The policy requires both user and sign-in risk to be high to block, but a user with high user risk and low sign-in risk would not be blocked
C.The JSON syntax is invalid
D.The conditions are combined with 'Or' instead of 'And'
AnswerB

Yes, the rule requires both risk levels to be high; a single high risk would not trigger the block.

Why this answer

The policy uses 'and' logic for user risk and sign-in risk within the same rule, meaning both must be high to block and both must be medium to require MFA. Because the conditions are combined with an implicit 'and', a user with high user risk and low sign-in risk is not blocked. For the intended effect, separate policies or a different condition structure are needed.

Option B is correct. Option C is wrong because the syntax is valid JSON. Option D is wrong because there is no 'Or' condition issue; the conditions are already combined with 'and'.

Option A is wrong because the policy mode is 'default', so report-only mode is not the cause.

795
MCQmedium

A company is designing a data protection strategy for Azure SQL Database. They need to ensure that backups are retained for 7 years to meet regulatory compliance. Which Azure feature should they use?

A.Geo-redundant backup storage
B.Long-Term Retention (LTR)
C.Point-in-Time Restore
D.Active Geo-Replication
AnswerB

LTR retains backups for up to 10 years.

Why this answer

Long-Term Retention (LTR) for Azure SQL Database allows you to retain full database backups for up to 10 years, which meets the 7-year regulatory compliance requirement. LTR is specifically designed for archival and compliance scenarios, storing backups in separate containers with configurable retention policies based on weekly, monthly, or yearly intervals.

Exam trap

The trap here is that candidates confuse Point-in-Time Restore (PITR) with Long-Term Retention (LTR), mistakenly thinking PITR can be configured for years-long retention, when in fact PITR is limited to a maximum of 35 days and LTR is the only feature that supports multi-year archival retention.

How to eliminate wrong answers

Option A is wrong because Geo-redundant backup storage (RA-GRS) provides geographic redundancy for automated backups but does not extend the retention period beyond the default 7-35 days for point-in-time restore backups. Option C is wrong because Point-in-Time Restore (PITR) enables recovery to any point within the retention window (default 7 days, configurable up to 35 days), but it cannot retain backups for years. Option D is wrong because Active Geo-Replication is a continuous replication feature for disaster recovery and read-scale, not a backup retention mechanism; it does not provide long-term archival storage.

796
Multi-Selectmedium

Your organization uses Azure Data Lake Storage Gen2 for big data analytics. You need to secure access to the data using Azure RBAC and ACLs. Which two methods can you use to authorize access? (Choose two.)

Select 2 answers
A.Configure IP firewall rules to restrict access.
B.Assign Azure RBAC roles such as Storage Blob Data Contributor to security principals.
C.Set POSIX-like access control lists (ACLs) on directories and files.
D.Use managed identities for Azure resources.
E.Generate shared access signatures (SAS) for delegated access.
AnswersB, C

RBAC roles grant permissions to storage account.

Why this answer

Options B and C are correct. Azure RBAC roles (e.g., Storage Blob Data Contributor) provide coarse-grained access. POSIX-like ACLs provide fine-grained access at the directory/file level.

Option E is wrong because SAS tokens provide delegated access but are not RBAC or ACLs. Option D is wrong because a managed identity is an identity, not an authorization method. Option A is wrong because firewall rules control network access, not authorization.

797
MCQhard

A company uses Microsoft Sentinel and wants to implement a security orchestration, automation, and response (SOAR) solution. They need a playbook that automatically blocks a user in Microsoft Entra ID when a high-severity incident is created. What should they use?

A.Microsoft Defender XDR automated investigation and response
B.Power Automate cloud flows
C.Azure Logic Apps integrated with Microsoft Sentinel
D.Microsoft Purview Compliance Manager
AnswerC

Sentinel playbooks are built on Azure Logic Apps.

Why this answer

Option C is correct because Azure Logic Apps provides the native integration with Microsoft Sentinel to create automated playbooks that trigger on incident creation. Logic Apps connectors allow direct interaction with Microsoft Entra ID to block a user via the Microsoft Graph API, enabling a seamless SOAR workflow without additional licensing or services.

Exam trap

The trap here is that candidates often confuse Power Automate with Logic Apps for Sentinel playbooks, but Power Automate lacks the native Sentinel incident trigger and security-specific connectors required for SOAR workflows in this context.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender XDR automated investigation and response is designed for endpoint and workload-level remediation (e.g., isolating devices, blocking files), not for user account management in Microsoft Entra ID. Option B is wrong because Power Automate cloud flows are intended for business process automation and lack the deep security-specific triggers and connectors (e.g., Sentinel incident trigger, Entra ID user block action) required for a SOAR playbook in Sentinel. Option D is wrong because Microsoft Purview Compliance Manager focuses on compliance posture management and risk assessments, not on real-time security incident response or user blocking.

798
Multi-Selectmedium

Which THREE components are part of the Microsoft Zero Trust architecture? (Choose three.)

Select 3 answers
A.Networks
B.Devices
C.Data
D.Applications
E.Identities
AnswersA, B, E

Network segmentation and micro-perimeters are part of zero trust.

Why this answer

Networks are a core component of the Microsoft Zero Trust architecture because the model assumes that the network is always hostile and should not be implicitly trusted. Instead of relying on a traditional perimeter, Zero Trust enforces micro-segmentation, real-time threat protection, and end-to-end encryption to control traffic between resources. Microsoft implements this through Azure Firewall, Azure Virtual Network security groups, and Microsoft Defender for Cloud to monitor and filter network traffic based on identity and device posture.

Exam trap

The trap here is that candidates may confuse the six pillars of Microsoft Zero Trust (Identities, Devices, Applications, Networks, Infrastructure, Data) with the three components asked in the question, leading them to select Applications or Data instead of recognizing that the question specifically requires Networks, Devices, and Identities as the correct trio.

799
MCQhard

Your organization has Microsoft Sentinel. You need to create an analytics rule that detects when a user account is created outside of business hours (9 AM to 5 PM, Monday-Friday). Which KQL query should you use as the rule query?

A.... | where dayofweek(TimeGenerated) between (1 .. 5) and datetime_part("hour", TimeGenerated) !between (9 .. 17)
B.... | where dayofweek(TimeGenerated) between (2 .. 6) and datetime_part("hour", TimeGenerated) !between (9 .. 17)
C.... | where dayofweek(TimeGenerated) between (2 .. 6) and datetime_part("hour", TimeGenerated) between (9 .. 17)
D.... | where dayofweek(TimeGenerated) !between (2 .. 6) or datetime_part("hour", TimeGenerated) between (9 .. 17)
AnswerB

Correctly identifies weekdays and outside business hours.

Why this answer

The query filters for events where the time is not between 9 AM and 5 PM on weekdays. The correct condition uses the dayofweek() and datetime_part() functions to check the weekday and the hour. Option B uses the correct logic: dayofweek between 2 and 6 (Monday-Friday) and hour not between 9 and 17.

Option A is incorrect for weekdays, C and D have wrong hour ranges.
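An added example, not from the question bank, of the rule query in full. It keeps Option B's hour test but is written for the way live KQL behaves (dayofweek() returns a timespan counted from Sunday = 0d) and generalizes the condition to also flag weekend creations; the AuditLogs columns, the time zone and the 9-to-17 bounds are assumptions.

```kql
// Added example, not part of the question bank. An analytics rule query for
// user-account creation outside business hours, written for live KQL semantics:
// dayofweek() returns a timespan with Sunday = 0d, so Monday..Friday is 1d..5d,
// and datetime_part("hour", ...) returns the 0..23 hour.
// Assumptions: the AuditLogs table from the Microsoft Entra ID data connector,
// TimeGenerated in UTC, and "US/Eastern" as the business time zone.
let BusinessStartHour = 9;    // 09:00 inclusive
let BusinessEndHour   = 17;   // 17:00 exclusive
let BusinessTimeZone  = "US/Eastern";
AuditLogs
| where TimeGenerated > ago(1d)
| where OperationName == "Add user" and Result == "success"
// Evaluate the schedule in local time; raw TimeGenerated is UTC.
| extend LocalTime = datetime_utc_to_local(TimeGenerated, BusinessTimeZone)
| extend Weekday = dayofweek(LocalTime), Hour = datetime_part("hour", LocalTime)
// Outside business hours = weekend OR weekday outside 09:00-16:59.
// Option B's condition covers only the weekday part; this also flags weekends.
| where Weekday !between (1d .. 5d) or Hour < BusinessStartHour or Hour >= BusinessEndHour
| extend Actor   = tostring(InitiatedBy.user.userPrincipalName)
| extend NewUser = tostring(TargetResources[0].userPrincipalName)
| project TimeGenerated, LocalTime, Weekday, Hour, Actor, NewUser, CorrelationId
| sort by TimeGenerated desc
```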

800
MCQeasy

A company uses Microsoft Defender for Endpoint (MDE) and needs to ensure that all devices report their security configuration to Microsoft Defender XDR. Which setting should they verify?

A.Devices are enrolled in Microsoft Intune
B.Microsoft Sentinel is connected to Defender for Endpoint
C.Microsoft Purview Information Protection is enabled
D.Devices are onboarded to Microsoft Defender XDR
AnswerD

Onboarding ensures devices report to the unified XDR experience.

Why this answer

Devices must be onboarded to Microsoft Defender XDR to report their security configuration. Onboarding registers the device with the Defender for Endpoint service, enabling the collection and forwarding of security telemetry to the Microsoft 365 Defender portal. Without onboarding, the device cannot communicate its security state, regardless of other integrations.

Exam trap

The trap here is that candidates confuse Intune enrollment with Defender for Endpoint onboarding, but Intune only manages policies and compliance, while onboarding is the specific process that enables security telemetry reporting to Defender XDR.

How to eliminate wrong answers

Option A is wrong because Intune enrollment manages device compliance and configuration policies but does not automatically onboard devices to Defender for Endpoint; a separate onboarding step is required. Option B is wrong because connecting Microsoft Sentinel to Defender for Endpoint ingests alerts and incidents into Sentinel for SIEM purposes, but it does not cause devices to report their security configuration to Defender XDR. Option C is wrong because Microsoft Purview Information Protection focuses on data classification and labeling, not device-level security configuration reporting.

801
MCQeasy

A company is implementing a Zero Trust security model. Which principle requires verifying every access request as if it originates from an uncontrolled network?

A.Least privilege
B.Micro-segmentation
C.Assume breach
D.Verify explicitly
AnswerD

This is the correct Zero Trust principle: always authenticate and authorize based on all available data points.

Why this answer

The 'Assume breach' principle is not about verifying requests. 'Verify explicitly' is the Zero Trust principle that mandates authenticating and authorizing every access request. 'Least privilege' limits access rights. 'Micro-segmentation' is a network isolation technique.

802
Multi-Selecteasy

Which TWO Microsoft services can be used to implement a cloud security posture management (CSPM) solution? (Select exactly two correct options.)

Select 2 answers
A.Microsoft Purview
B.Microsoft Defender for Cloud
C.Microsoft Intune
D.Microsoft Entra Permissions Management
E.Microsoft Sentinel
AnswersB, D

Provides CSPM across multi-cloud environments.

Why this answer

Options B and D are correct. Microsoft Defender for Cloud provides CSPM across Azure, AWS, and GCP. Microsoft Entra Permissions Management is a Cloud Infrastructure Entitlement Management (CIEM) tool that helps manage permissions.

Option C is wrong because Microsoft Intune is for device management. Option E is wrong because Microsoft Sentinel is a SIEM. Option A is wrong because Microsoft Purview is for data governance.

803
MCQhard

Your organization has a hybrid identity environment with Microsoft Entra ID and on-premises Active Directory. You need to design a solution that ensures all user authentication requests are evaluated by Conditional Access policies before granting access to cloud apps. However, some legacy apps still require basic authentication. What should you recommend?

A.Enable authentication policies in Microsoft Entra ID to block legacy authentication
B.Configure Active Directory Federation Services (AD FS) as the identity provider
C.Deploy Microsoft Entra Application Proxy for all legacy apps
D.Enable pass-through authentication (PTA) to forward authentication requests
AnswerA

Blocking legacy authentication ensures all requests use modern auth, which is required for Conditional Access evaluation.

Why this answer

Option A is correct because enabling authentication policies in Microsoft Entra ID to block legacy authentication ensures that all user authentication requests are evaluated by Conditional Access policies before granting access to cloud apps. Legacy authentication protocols (e.g., POP3, IMAP, SMTP, basic auth) bypass modern authentication and Conditional Access, so blocking them forces clients to use modern protocols (OAuth 2.0, OpenID Connect) that are subject to Conditional Access evaluation. This directly addresses the requirement while allowing legacy apps to be updated or replaced over time.

Exam trap

The trap here is that candidates often confuse 'blocking legacy authentication' with 'disabling basic authentication' in Exchange Online or other services, but the correct approach is to use the tenant-wide Conditional Access policy to block all legacy authentication protocols, which is a distinct setting in Microsoft Entra ID.

How to eliminate wrong answers

Option B is wrong because configuring AD FS as the identity provider does not inherently block legacy authentication; AD FS can still accept legacy authentication requests unless explicitly configured to block them, and it does not enforce Conditional Access policies for cloud apps as effectively as Entra ID. Option C is wrong because deploying Microsoft Entra Application Proxy for all legacy apps provides secure remote access but does not block legacy authentication protocols; the apps themselves may still use basic authentication, which bypasses Conditional Access. Option D is wrong because enabling pass-through authentication (PTA) forwards authentication requests to on-premises AD but does not block legacy authentication; PTA works with modern authentication but legacy protocols still bypass Conditional Access unless explicitly blocked.

804
MCQmedium

A company deploys a three-tier application with web servers, application servers, and database servers in a VNet. They need to ensure that web servers can only communicate with application servers on port 443, and application servers can only communicate with database servers on port 1433. Web servers should not be able to communicate with database servers. What is the most secure and efficient way to implement this?

A.Place each tier in a separate subnet, and create NSGs on each subnet with appropriate inbound and outbound rules.
B.Use Azure Firewall to inspect all traffic between tiers.
C.Use Application Security Groups (ASGs) to group VMs, but do not create NSGs.
D.Place all tiers in the same subnet, and use a single NSG with rules to allow and deny traffic.
AnswerA

This provides network segmentation and granular control.

Why this answer

Option A is correct because placing each tier in a separate subnet and applying Network Security Groups (NSGs) with specific inbound and outbound rules provides network segmentation and granular traffic control. NSGs are stateful, so you can define rules that allow web servers to initiate outbound traffic to application servers on port 443 and application servers to initiate outbound traffic to database servers on port 1433, while implicitly denying all other cross-tier communication (including web-to-database). This approach is both secure and efficient as it uses native Azure constructs without additional cost or complexity.

Exam trap

The trap here is that candidates often overlook that NSGs do not filter traffic between resources within the same subnet, leading them to choose Option D, which would fail to isolate the tiers.

How to eliminate wrong answers

Option B is wrong because Azure Firewall is a managed, stateful firewall as a service that introduces additional cost and latency; while it can inspect traffic, it is overkill for this simple east-west traffic control and less efficient than NSGs for subnet-level segmentation. Option C is wrong because Application Security Groups (ASGs) alone cannot enforce network rules; they are logical groupings that must be referenced in NSG rules to actually allow or deny traffic, so without NSGs, no traffic filtering occurs. Option D is wrong because placing all tiers in the same subnet with a single NSG would allow intra-subnet traffic to bypass NSG rules (NSGs do not filter traffic within the same subnet), making it impossible to prevent web servers from communicating directly with database servers.
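
To make the per-subnet rule set concrete, here is an added example (not from the question bank, and not Azure's own NSG engine) that models the three NSGs for this design and evaluates candidate flows against them. The subnet ranges, rule names and priorities are constructed; the model reflects that NSGs are stateful (only the initiating direction needs an allow rule) and that an explicit deny-all rule at the lowest custom precedence is what blocks the unlisted cross-tier paths.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed subnet layout: one subnet per tier (addresses are illustrative).
SUBNETS = {
    "web": ip_network("10.0.1.0/24"),
    "app": ip_network("10.0.2.0/24"),
    "db": ip_network("10.0.3.0/24"),
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int             # lower number is evaluated first, as in Azure NSGs (100-4096)
    direction: str            # "Inbound" or "Outbound"
    access: str               # "Allow" or "Deny"
    source: str               # tier name or "*"
    destination: str          # tier name or "*"
    dest_port: Optional[int]  # None matches any port


def _in_scope(label: str, ip) -> bool:
    return label == "*" or ip in SUBNETS[label]


def _matches(rule: Rule, src_ip, dst_ip, port: int) -> bool:
    return (_in_scope(rule.source, src_ip)
            and _in_scope(rule.destination, dst_ip)
            and (rule.dest_port is None or rule.dest_port == port))


def evaluate(rules, direction: str, src_ip, dst_ip, port: int) -> bool:
    """First matching rule in ascending priority order decides.
    Azure's default rules would allow any VNet traffic, so each rule set here
    ends with an explicit deny-all at the lowest custom precedence (4096)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction == direction and _matches(rule, src_ip, dst_ip, port):
            return rule.access == "Allow"
    return False  # no custom rule matched: treated as denied in this model


# Per-subnet NSGs. NSGs are stateful, so only the initiating direction needs an
# allow rule; reply packets of an allowed connection are admitted automatically.
NSGS = {
    "web": [
        Rule("AllowWebToApp443", 100, "Outbound", "Allow", "web", "app", 443),
        Rule("DenyAllOutbound", 4096, "Outbound", "Deny", "*", "*", None),
    ],
    "app": [
        Rule("AllowWebInbound443", 100, "Inbound", "Allow", "web", "app", 443),
        Rule("AllowAppToDb1433", 100, "Outbound", "Allow", "app", "db", 1433),
        Rule("DenyAllInbound", 4096, "Inbound", "Deny", "*", "*", None),
        Rule("DenyAllOutbound", 4096, "Outbound", "Deny", "*", "*", None),
    ],
    "db": [
        Rule("AllowAppInbound1433", 100, "Inbound", "Allow", "app", "db", 1433),
        Rule("DenyAllInbound", 4096, "Inbound", "Deny", "*", "*", None),
    ],
}


def tier_of(ip) -> str:
    return next(name for name, net in SUBNETS.items() if ip in net)


def flow_allowed(src: str, dst: str, port: int) -> bool:
    """A new cross-subnet connection must pass the source subnet's outbound
    rules and the destination subnet's inbound rules."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    outbound_ok = evaluate(NSGS[tier_of(src_ip)], "Outbound", src_ip, dst_ip, port)
    inbound_ok = evaluate(NSGS[tier_of(dst_ip)], "Inbound", src_ip, dst_ip, port)
    return outbound_ok and inbound_ok


if __name__ == "__main__":
    for src, dst, port in [("10.0.1.10", "10.0.2.10", 443),
                           ("10.0.2.10", "10.0.3.10", 1433),
                           ("10.0.1.10", "10.0.3.10", 1433)]:
        verdict = "allowed" if flow_allowed(src, dst, port) else "denied"
        print(f"{tier_of(ip_address(src))} -> {tier_of(ip_address(dst))}:{port} {verdict}")
```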

805
Multi-Selecthard

Your organization is implementing a secure DevOps pipeline for Azure. You need to ensure that secrets (e.g., API keys) are not stored in source code and that access to production resources is controlled. Which THREE practices should you implement?

Select 3 answers
A.Store secrets in Azure DevOps pipeline variables with encryption enabled
B.Use Azure Key Vault to store secrets and retrieve them at deployment time
C.Use Azure DevOps variable groups linked to Azure Key Vault
D.Store secrets in a configuration file in a private Git repository
E.Use managed identities for Azure resources to authenticate to Key Vault
AnswersB, C, E

Key Vault securely stores secrets and can be accessed by pipelines.

Why this answer

Options B, C, and E are correct. Using Azure Key Vault for secrets, managed identities for Azure resources, and Azure DevOps variable groups linked to Key Vault are all secure practices. Option A is wrong because storing secrets in pipeline variables with encryption is not as secure as Key Vault.

Option D is wrong because hardcoding secrets in configuration files is insecure.

806
MCQeasy

Your company uses Microsoft Defender for Cloud Apps to discover shadow IT. You need to ensure that data exfiltration from sanctioned cloud apps is blocked in real-time. Which control should you configure?

A.Conditional Access App Control
B.IP address ranges
C.Cloud discovery
D.App connector
AnswerA

Session-based control uses reverse proxy to monitor and block data exfiltration in real time.

Why this answer

Option A is correct because session-based Conditional Access App Control enforces real-time monitoring and control of app sessions. Option D is wrong because app connectors provide read-only monitoring. Option C is wrong because cloud discovery only identifies apps; it does not control them.

Option B is wrong because IP address ranges are used for location policies, not session control.

807
MCQhard

You are designing a security solution for a financial services company that uses Microsoft 365 E5 and Azure. They have 10,000 users and 500 servers. They need to implement a Zero Trust network strategy that includes microsegmentation, identity-based access, and continuous monitoring. The solution must work across on-premises and cloud workloads. They also require that all access to critical servers is logged and audited. What should you include in your design?

A.Deploy Azure Firewall Premium to segment the network. Use Microsoft Entra ID for identity. Use Azure Monitor for logging.
B.Use site-to-site VPN to connect all on-premises servers to Azure. Place all servers in a single VNet. Use NSGs for segmentation and Azure AD for identity.
C.Use Azure Virtual Network Manager (AVNM) for network groups and security admin rules. Implement Microsoft Entra ID Conditional Access with device compliance. Use Microsoft Defender for Cloud for continuous monitoring and Azure Policy for audit.
D.Deploy a third-party SDN solution in AWS for microsegmentation. Use Microsoft Entra ID for identity. Use CloudWatch for logging.
AnswerC

AVNM provides microsegmentation; Conditional Access enforces identity-based access; Defender for Cloud monitors; Azure Policy audits.

Why this answer

Option C uses Azure Virtual Network Manager for microsegmentation, Microsoft Entra ID for identity, and Defender for Cloud for monitoring. Option A uses Azure Firewall for the perimeter only; Option D uses AWS; Option B uses a VPN (not Zero Trust).

808
MCQhard

A company uses Azure Policy to enforce compliance. They have a custom policy that denies creation of storage accounts without encryption enabled. A developer reports that they cannot create a storage account even though they specified encryption. What is the most likely cause?

A.The developer does not have 'Microsoft.Authorization/policyAssignments/write' permission
B.The policy effect is set to 'audit' instead of 'deny'
C.The policy's 'then' block uses 'deny' but the condition logic evaluates the 'encryption' property incorrectly
D.The policy is scoped to a management group that includes the developer's subscription
AnswerC

If the condition does not match the actual property path, the deny may fire incorrectly.

Why this answer

Option C is correct because the most likely cause is that the policy's condition logic incorrectly evaluates the 'encryption' property. Azure Policy uses JSON-based condition expressions to check resource properties; if the condition does not match the actual property path (e.g., 'properties.encryption.enabled' vs. 'properties.encryption') or uses an incorrect operator, the deny effect will trigger even when encryption is specified. This is a common misconfiguration in custom policies.

Exam trap

The trap here is that candidates often assume permission issues (Option A) or scope problems (Option D) are the cause, but the real issue is a misconfigured condition in the policy definition that fails to correctly match the encryption property.

How to eliminate wrong answers

Option A is wrong because 'Microsoft.Authorization/policyAssignments/write' permission is required to assign policies, not to create resources; the developer only needs contributor or owner permissions on the resource scope to create storage accounts. Option B is wrong because if the policy effect were set to 'audit', it would only log non-compliance without blocking creation, so the developer would succeed in creating the account. Option D is wrong because scoping a policy to a management group that includes the developer's subscription would apply the policy correctly; it does not inherently cause a false deny—the issue is with the policy logic, not the scope.
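
To see why the deny fires, here is an added example (not from the question bank, and not Azure's own policy engine) that evaluates a simplified 'if ... then deny' definition against a constructed create request. The field paths follow the dotted style used in the explanation rather than real Azure Policy aliases, and the two policy definitions are constructed to show the buggy condition beside the corrected one.

```python
from typing import Any, Dict, Optional

# Constructed create request: the developer did specify encryption.
STORAGE_REQUEST = {
    "type": "Microsoft.Storage/storageAccounts",
    "properties": {"encryption": {"enabled": True}},
}
# Constructed non-compliant request: no encryption block at all.
UNENCRYPTED_REQUEST = {
    "type": "Microsoft.Storage/storageAccounts",
    "properties": {},
}


def _policy(field: str) -> Dict[str, Any]:
    """Build a deny policy that targets storage accounts and checks one field."""
    return {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"field": field, "notEquals": True},
        ]},
        "then": {"effect": "deny"},
    }


# The buggy definition compares the whole 'encryption' object with true, so the
# condition is always satisfied and the deny fires even for compliant requests.
BUGGY_POLICY = _policy("properties.encryption")
# The fixed definition points at the boolean that actually carries the setting.
FIXED_POLICY = _policy("properties.encryption.enabled")


def get_field(resource: Dict[str, Any], path: str) -> Optional[Any]:
    """Walk a dotted field path; None means the field is absent from the request."""
    node: Any = resource
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def condition_holds(cond: Dict[str, Any], resource: Dict[str, Any]) -> bool:
    """Evaluate the subset of Azure Policy condition operators used here."""
    if "allOf" in cond:
        return all(condition_holds(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_holds(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not condition_holds(cond["not"], resource)
    value = get_field(resource, cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "notEquals" in cond:
        # An absent field is 'not equal' to anything, so a wrong path and a
        # genuinely missing property both make this condition true.
        return value != cond["notEquals"]
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy: Dict[str, Any], resource: Dict[str, Any]) -> str:
    """Return the effect applied to a create request: 'deny' or 'allow'."""
    if condition_holds(policy["if"], resource):
        return policy["then"]["effect"]
    return "allow"


if __name__ == "__main__":
    print("buggy policy, encrypted request:", evaluate(BUGGY_POLICY, STORAGE_REQUEST))
    print("fixed policy, encrypted request:", evaluate(FIXED_POLICY, STORAGE_REQUEST))
    print("fixed policy, unencrypted request:", evaluate(FIXED_POLICY, UNENCRYPTED_REQUEST))
```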

809
MCQmedium

A security architect is designing a data protection strategy for a Microsoft 365 tenant. The company must prevent users from sharing sensitive documents with external users via SharePoint Online. They want to apply a policy that automatically detects sensitive content and blocks external sharing. Which Microsoft Purview solution should they use?

A.Sensitivity labels
B.Retention policies
C.Data Loss Prevention (DLP) policy
D.Microsoft Purview Information Protection
AnswerC

DLP policies can automatically detect sensitive data and block actions like external sharing.

Why this answer

Microsoft Purview Data Loss Prevention (DLP) policies can detect sensitive data and block external sharing. Option C is correct. Option A is wrong because sensitivity labels require manual application or automatic classification, but blocking external sharing is typically done by DLP.

Option B is wrong because retention policies are for data retention, not blocking sharing. Option D is wrong because Microsoft Purview Information Protection is the umbrella, but the specific policy is DLP.

810
Multi-Selecteasy

You are designing a secure infrastructure for an Azure Kubernetes Service (AKS) cluster that will host sensitive workloads. Which TWO configurations should you implement to secure the cluster?

Select 2 answers
A.Enable Azure AD integration for role-based access control (RBAC).
B.Enable Azure Monitor for containers.
C.Enable the HTTP application routing add-on.
D.Use Azure AD pod identity to provide identities for pods.
E.Enable the cluster autoscaler.
AnswersA, D

Azure AD integration provides authentication for cluster access.

Why this answer

Option A is correct because enabling Azure AD integration allows you to use Azure AD identities for cluster authentication. Option D is correct because pod identity allows pods to authenticate to Azure resources securely. Option E is wrong because the cluster autoscaler scales nodes; it is not a security control.

Option B is wrong because Azure Monitor provides monitoring, not security. Option C is wrong because the HTTP application routing add-on is for ingress, not security.

811
MCQhard

A company has a hybrid identity infrastructure with on-premises Active Directory synchronized to Azure AD using Azure AD Connect. The security team wants to use Microsoft Defender for Identity (MDI) to detect on-premises attacks. They have installed the MDI sensor on all domain controllers. However, they notice that some alerts are missing. What is the most likely cause?

A.MDI is not integrated with Microsoft Sentinel.
B.Azure AD Connect is not syncing frequently enough.
C.The sensor is not licensed for all detection types.
D.The necessary Windows event logs are not being forwarded to the MDI sensor.
AnswerD

MDI relies on specific event logs; without them, many detections are not possible.

Why this answer

Microsoft Defender for Identity relies on Windows Event Logs (specifically Event ID 4776, 4624, 4648, and others) to detect on-premises attacks such as Pass-the-Hash, Golden Ticket, and DCSync. If these logs are not being forwarded to the MDI sensor (e.g., due to disabled audit policies or log size limits), the sensor cannot analyze the events, resulting in missing alerts. The sensor itself is installed on domain controllers, but it must have access to the relevant security logs to function correctly.

Exam trap

The trap here is that candidates often assume missing alerts are due to licensing or integration gaps, but the root cause is typically a missing prerequisite—specifically, the Windows event logs that MDI relies on for attack detection.

How to eliminate wrong answers

Option A is wrong because MDI does not require integration with Microsoft Sentinel to generate alerts; Sentinel is a SIEM that can consume MDI alerts but is not a prerequisite for detection. Option B is wrong because Azure AD Connect sync frequency affects identity synchronization, not the real-time event log analysis that MDI performs on domain controllers. Option C is wrong because MDI sensors are licensed per instance and include all detection capabilities; there is no tiered licensing that restricts specific detection types on a properly licensed sensor.

812
MCQeasy

Your organization has a Microsoft 365 E5 subscription and wants to detect insider data exfiltration attempts. You need to design a solution that can identify users copying sensitive data to personal cloud storage services. Which Microsoft Purview capability should you use?

A.Data Loss Prevention (DLP) policies
B.eDiscovery (Premium)
C.Communication Compliance
D.Insider Risk Management
AnswerD

Insider Risk Management identifies risks like data exfiltration to personal cloud storage.

Why this answer

Option D is correct because Insider Risk Management in Microsoft Purview is designed to detect insider data exfiltration scenarios, including copying data to personal cloud storage. Option A is wrong because Data Loss Prevention (DLP) prevents data from being shared but does not detect exfiltration attempts from user activities. Option C is wrong because Communication Compliance focuses on inappropriate communications.

Option B is wrong because eDiscovery is for legal discovery.

813
MCQmedium

A company is implementing a zero-trust security model. They need to enforce conditional access policies that require device compliance from Microsoft Intune. However, some users report being blocked when using personal devices that are not enrolled. What is the best approach to allow access while maintaining security?

A.Allow all devices but monitor with Defender for Cloud Apps
B.Require app protection policies via Microsoft Intune
C.Block all non-compliant devices
D.Require device enrollment for all devices
AnswerB

App protection policies protect data without full enrollment.

Why this answer

Option B is correct because Microsoft Intune app protection policies (APP) can enforce data protection and access controls on personal devices without requiring full enrollment. This allows the company to maintain a zero-trust posture by applying conditional access policies that check for app-level compliance, such as requiring a managed browser or blocking copy/paste, while still permitting access from unenrolled personal devices. This approach aligns with the zero-trust principle of 'never trust, always verify' by verifying device health at the application layer rather than the device layer.

Exam trap

The trap here is that candidates often assume device compliance (via Intune enrollment) is the only way to enforce zero-trust access, overlooking that app protection policies can achieve similar security controls on unmanaged devices without requiring full device enrollment.

How to eliminate wrong answers

Option A is wrong because merely monitoring with Defender for Cloud Apps does not enforce any access control; it only provides visibility, leaving the organization vulnerable to non-compliant devices accessing sensitive data. Option C is wrong because blocking all non-compliant devices would deny access to all personal devices, which contradicts the requirement to allow access while maintaining security. Option D is wrong because requiring device enrollment for all devices would force users to enroll personal devices, which is often impractical and violates privacy, and does not address the scenario where users need to use unenrolled personal devices.

814
Multi-Selectmedium

Your company uses Microsoft Intune to manage mobile devices. You need to protect corporate data on mobile devices by ensuring that work files are encrypted and not accessible by personal apps. What three configurations should you implement? (Choose three.)

Select 3 answers
A.Require device encryption on all devices.
B.Enable mobile threat defense (MTD) integration to block risky devices.
C.Deploy a device compliance policy that requires a PIN.
D.Create an app protection policy (MAM) that encrypts work data and prevents save-as to personal locations.
E.Configure Conditional Access to require app protection policy for access to corporate data.
AnswersB, D, E

MTD adds security by detecting threats.

Why this answer

Options B, D, and E are correct. App protection policies (MAM) prevent data from being copied to personal apps. Conditional Access with 'Require app protection policy' ensures managed apps are used.

Mobile threat defense integration adds security by blocking risky devices. Option A is wrong because device encryption is device-level, not app-level. Option C is wrong because compliance policies are for device compliance, not data protection on unmanaged devices.

815
MCQeasy

Your organization uses Microsoft Defender for Cloud to secure a hybrid environment. You need to ensure that virtual machines running on-premises are assessed for security misconfigurations. What should you deploy?

A.Log Analytics agent on the on-premises servers
B.Microsoft Defender for Cloud's Vulnerability Assessment solution
C.Azure Arc on the on-premises servers
D.Azure Policy guest configuration
AnswerC

Azure Arc connects on-premises servers to Azure, enabling Defender for Cloud assessments.

Why this answer

Azure Arc enables Azure management services, including Defender for Cloud, to be extended to on-premises servers. Option C is correct because Arc-connected machines can be onboarded to Defender for Cloud for assessment. Option D is incorrect because Azure Policy guest configuration alone does not perform these assessments.

Option A is incorrect because the Log Analytics agent without Arc does not integrate with Defender for Cloud assessments. Option B is incorrect because enabling Defender for Cloud's Vulnerability Assessment solution alone does not cover on-premises VMs without Arc.

816
MCQeasy

Your company is deploying Azure Kubernetes Service (AKS) and needs to secure container workloads. You must ensure that only approved container images from a trusted Azure Container Registry (ACR) can be deployed. What should you implement?

A.Enable Azure AD integration for AKS.
B.Apply an Azure Policy initiative to only allow images from a specific ACR.
C.Use Azure Key Vault to store container image credentials.
D.Configure network policies in AKS to restrict egress traffic.
AnswerB

Azure Policy can enforce image source restrictions.

Why this answer

Option B is correct because Azure Policy with the 'Only allow approved container images' built-in initiative enforces that containers in AKS must originate from a specified ACR. Option D is incorrect because network policies control traffic, not image source. Option A is incorrect because Azure AD integration controls authentication, not image source.

Option C is incorrect because Azure Key Vault stores secrets, not image approval.

817
MCQeasy

Your organization uses Microsoft Sentinel as its SIEM. You need to collect logs from a custom line-of-business application that does not support standard syslog or Windows Event Log. The application writes logs to a text file on a Windows server. What is the most efficient way to ingest these logs into Microsoft Sentinel?

A.Configure the application to send logs to a syslog server and use a syslog connector.
B.Set up Azure Event Hubs and have the application write logs to Event Hubs.
C.Use the Azure Monitor Agent to collect the text file via a custom data source.
D.Install the Log Analytics Agent (deprecated, but still available) on the server and configure custom log collection.
AnswerD

The Log Analytics Agent can collect custom text files and parse them.

Why this answer

The Log Analytics Agent can collect custom text logs by specifying the log file path and parsing rules. This is the most direct method. Syslog is for Linux.

Azure Monitor Agent does not support custom text logs natively. Event Hubs would require additional configuration. Option D is correct.

818
MCQhard

A company uses Microsoft Defender for Endpoint to protect endpoints. They want to configure attack surface reduction rules to block executable files from running unless they meet a specific prevalence, age, or trust level. Which ASR rule should they enable?

A.Block Office communication application from creating child processes
B.Block credential stealing from the Windows local security authority subsystem
C.Block untrusted and unsigned processes that run from USB
D.Block executable files from running unless they meet a prevalence, age, or trusted list criteria
AnswerD

This ASR rule uses cloud-delivered reputation to block risky executables.

Why this answer

Option D is correct because the ASR rule 'Block executable files from running unless they meet a prevalence, age, or trusted list criteria' (GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25) is specifically designed to block executables that do not meet Microsoft's cloud-based prevalence, age, or trustworthiness criteria. This rule uses the Microsoft Intelligent Security Graph to evaluate files against global telemetry, blocking those that are new, rare, or unsigned, which directly matches the requirement to block executables based on prevalence, age, or trust level.

Exam trap

The trap here is that candidates confuse the USB-specific rule (Option C) with the global executable prevalence rule (Option D), because both mention 'untrusted' or 'unsigned', but only Option D explicitly includes prevalence, age, and trusted list criteria as stated in the question.

How to eliminate wrong answers

Option A is wrong because 'Block Office communication application from creating child processes' (GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869) targets child processes spawned by Office communication apps (e.g., Outlook, Skype) to prevent lateral movement via macro-based attacks, not executable file prevalence or trust. Option B is wrong because 'Block credential stealing from the Windows local security authority subsystem' (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2) protects LSASS memory from credential theft tools like Mimikatz, not executable file execution policies. Option C is wrong because 'Block untrusted and unsigned processes that run from USB' (GUID: b2b3f03d-6a4c-4b7e-8c97-3f0e5c7b8a9d) only applies to USB-removable media, not all executable files, and does not consider prevalence or age criteria.

819
Multi-Selectmedium

You need to design a secure solution for a web application that authenticates users via Microsoft Entra ID and calls a downstream API. Which TWO should you implement to secure the application? (Choose TWO.)

Select 2 answers
A.Use the OAuth 2.0 authorization code flow with PKCE.
B.Store application secrets in Azure Key Vault.
C.Store application secrets in app configuration files.
D.Use the OAuth 2.0 client credentials flow.
E.Use shared access signatures (SAS) for API authentication.
AnswersA, B

Recommended for web apps with user interaction.

Why this answer

Options A and B are correct. Using the OAuth 2.0 authorization code flow with PKCE is the recommended authentication flow for web apps. Storing secrets in Azure Key Vault ensures they are securely managed.

Option D is wrong because the client credentials flow is for server-to-server calls, not calls made on behalf of users. Option C is wrong because storing secrets in configuration files is insecure. Option E is wrong because shared access signatures (SAS) are for storage, not API authentication.

820
MCQmedium

You are designing a secure hybrid network for a multinational company. They require encrypted communication between on-premises data centers and Azure, with high availability and no single point of failure. Which solution should you recommend?

A.Deploy ExpressRoute with a site-to-site VPN as a failover.
B.Deploy a site-to-site VPN over the internet with two active VPN devices.
C.Deploy Azure Virtual WAN with point-to-site VPN for each data center.
D.Deploy ExpressRoute without encryption and rely on Microsoft backbone security.
AnswerA

ExpressRoute provides a private, dedicated connection; VPN failover ensures high availability and encryption.

Why this answer

Option A is correct because ExpressRoute with a VPN gateway failover provides a private dedicated connection with an encrypted site-to-site VPN as backup, meeting the high availability and encryption requirements. Option B is wrong because site-to-site VPN alone lacks the private dedicated connection. Option C is wrong because Azure Virtual WAN is a networking service, not a specific connectivity solution, and point-to-site VPN is for remote users.

Option D is wrong because ExpressRoute does not encrypt traffic by default; encryption must be added separately.

821
MCQhard

Your organization has a Microsoft Defender for Cloud Apps policy that detects suspicious OAuth app permissions. You need to ensure that when a high-risk app is detected, the app is automatically disabled and the user is notified. What is the most efficient design?

A.Use the 'Disable app' governance action in the policy, and configure email notification
B.Configure the policy to notify the user via email
C.Send the alert to Microsoft Sentinel and create an incident with a playbook
D.Create a Power Automate flow that triggers on the alert to disable the app
AnswerA

Defender for Cloud Apps can automatically disable the app and notify the user.

Why this answer

Option A is correct because it uses the built-in governance action in Defender for Cloud Apps to disable the app and send email. Option B is incomplete because notification alone doesn't disable the app. Option C is less efficient because it requires additional automation.

Option D is incorrect because an incident does not automatically disable the app.

822
Multi-Selecteasy

A company stores sensitive data in Azure Blob Storage. They want to prevent data exfiltration by blocking public access and restricting network access to only their on-premises data center via VPN. Which two features should they use?

Select 2 answers
A.Enable firewall and add on-premises IP range
B.Disable public access and use RBAC
C.Disable public access and configure a service endpoint with a firewall rule for the VPN subnet
D.Disable public access and configure a private endpoint
AnswersC, D

Service endpoint restricts to subnet, firewall blocks other traffic.

Why this answer

Option C is correct because disabling public access ensures the storage account is not reachable from the internet, and configuring a service endpoint with a firewall rule for the VPN subnet restricts traffic to only the on-premises data center traffic arriving via the VPN. Service endpoints provide an optimized route over the Azure backbone, and the firewall rule explicitly allows the VPN subnet's IP range, preventing data exfiltration from unauthorized networks.

Exam trap

The trap here is that candidates often confuse service endpoints with private endpoints, assuming private endpoints are required for VPN access, but service endpoints are simpler and sufficient when the goal is to restrict access to a specific subnet (the VPN gateway subnet) rather than assigning a private IP.

823
MCQmedium

A global retail company, Northwind Traders, is adopting a cloud-first strategy using Azure and Microsoft 365. They have a large number of temporary seasonal workers who need access to specific applications and data for limited periods. The security team wants to minimize the risk of standing privileges and ensure that access is granted only when needed and for a limited duration. They also need to audit all privileged access actions. The environment includes Microsoft Entra ID, Azure resources, and Microsoft 365 services. You need to design a privileged access strategy that follows the principle of least privilege and aligns with Microsoft's best practices for privileged identity management. What should you recommend?

A.Use Microsoft Entra Privileged Identity Management (PIM) to grant just-in-time access to Azure AD roles and Azure resources. Configure approval workflows for high-privilege roles. Set maximum activation durations. For non-Azure resources, use Privileged Access Groups (PAG) to manage access. Enable audit logging to a Log Analytics workspace for monitoring.
B.Create a custom role in Azure AD with limited permissions. Assign the role to a security group. Have users request access via a manual email process. The IT team approves and assigns the group membership temporarily.
C.Assign permanent roles to seasonal workers for the duration of their contract. Use Azure AD access reviews to periodically confirm access. Enable Azure AD audit logs. Use Conditional Access to require MFA for privileged roles.
D.Create separate Azure AD roles for each seasonal worker with granular permissions. Use Azure AD Identity Governance to automate access requests. Do not enable PIM to reduce complexity.
AnswerA

Provides JIT, approval workflows, and auditing for privileged access.

Why this answer

Option A is correct because it leverages Microsoft Entra Privileged Identity Management (PIM) to enforce just-in-time (JIT) access for Azure AD roles and Azure resources, aligning with the principle of least privilege and minimizing standing privileges. It includes approval workflows for high-privilege roles, maximum activation durations to limit exposure, and Privileged Access Groups (PAG) to manage access to non-Azure resources like Microsoft 365 workloads. Audit logging to a Log Analytics workspace provides comprehensive monitoring of all privileged actions, meeting the auditing requirement.

Exam trap

The trap here is that candidates may assume permanent role assignments with periodic access reviews are sufficient, but this fails to eliminate standing privileges between reviews, which is the core risk the question targets.

How to eliminate wrong answers

Option B is wrong because a manual email process for access requests is insecure, lacks automation, and does not enforce just-in-time activation or time-bound access, violating the requirement to minimize standing privileges. Option C is wrong because assigning permanent roles to seasonal workers for the duration of their contract creates standing privileges, which contradicts the goal of granting access only when needed and for a limited duration; access reviews alone do not prevent persistent access between reviews. Option D is wrong because creating separate Azure AD roles for each seasonal worker is administratively unsustainable and violates least privilege by not using PIM, which is essential for JIT activation and approval workflows; disabling PIM increases complexity and risk.

824
Matchingmedium

Match each Azure security benchmark control to its category.


Control category for authentication and authorization

Control category for network segmentation and filtering

Control category for encryption and data classification

Control category for audit logs and alerts

Control category for detection and response processes

Why these pairings

These are key categories in the Microsoft cloud security benchmark.

825
MCQeasy

Your company uses Microsoft Intune to manage devices. You need to ensure that only compliant devices can access corporate Exchange Online mailboxes. Which conditional access policy setting should you configure?

A.Grant: Require device to be marked as compliant.
B.Grant: Require approved client app.
C.Grant: Require multifactor authentication.
D.Grant: Require Intune enrollment.
AnswerA

This enforces device compliance from Intune.

Why this answer

Option A is correct because the 'Require device to be marked as compliant' grant control enforces the Intune compliance state at sign-in. Option C is wrong because requiring multifactor authentication does not check device compliance. Option D is wrong because requiring Intune enrollment is a prerequisite for compliance but is not the compliance state itself. Option B is wrong because 'Require approved client app' is for app protection policies, not device compliance.
