Microsoft Cybersecurity Architect (SC-100) — Questions 826–900

969 questions total · 13 pages · All types, answers revealed

Page 12 of 13
826
MCQ · easy

Your company uses Microsoft Purview to classify and protect sensitive data. You need to ensure that when a user sends an email containing a credit card number, the email is automatically encrypted and a notification is sent to the user. Which Microsoft Purview feature should you configure?

A. Sensitivity labels
B. Audit log policies
C. Insider risk management policies
D. Data Loss Prevention (DLP) policies
Answer: D

DLP can encrypt and notify on sensitive data.

Why this answer

Option D is correct because Data Loss Prevention (DLP) policies in Microsoft Purview can automatically apply encryption and send notifications when sensitive data is detected in emails. Option A is wrong because sensitivity labels require user action or auto-labeling, but not automatic encryption on send. Option B is wrong because audit logs only record events, not enforce controls.

Option C is wrong because insider risk management focuses on user behavior, not content protection.

827
Multi-Select · hard

Your organization uses Microsoft 365 and wants to implement a data loss prevention (DLP) strategy. You need to ensure that sensitive data is protected both at rest and in transit, and that incidents are automatically reported to the security team. Which THREE actions should you take?

Select 3 answers
A. Deploy Microsoft Intune to control app permissions on mobile devices
B. Implement Conditional Access policies to block external sharing of sensitive data
C. Enable Endpoint DLP for Windows 10/11 devices
D. Configure Microsoft Purview DLP policies for Exchange, SharePoint, and OneDrive
E. Configure DLP incident reports to be sent to the security team via email or Teams
Answers: C, D, E

Endpoint DLP protects data in use on devices and can generate alerts.

Why this answer

Options C, D, and E are correct. DLP policies in Microsoft Purview can scan data in Exchange, SharePoint, and OneDrive (at rest) and in emails (in transit). Endpoint DLP covers data in use on devices.

Incident reports can be sent to the security team. Option A is wrong because Microsoft Intune is for device management, not DLP. Option B is wrong because Conditional Access controls access but does not report DLP incidents.

828
MCQ · easy

A company stores sensitive customer data in Azure SQL Database. They need to encrypt the data at rest and control access to encryption keys. Which solution should they use?

A. Azure Information Protection
B. Always Encrypted
C. Transparent Data Encryption (TDE) with customer-managed keys in Azure Key Vault
D. Dynamic Data Masking
Answer: C

TDE encrypts the database at rest, and using customer-managed keys in Key Vault gives the customer control over the encryption keys.

Why this answer

Transparent Data Encryption (TDE) with customer-managed keys in Azure Key Vault provides at-rest encryption and allows the customer to control the encryption keys. Option D is wrong because Dynamic Data Masking hides data from non-privileged users but does not encrypt at rest. Option B is wrong because Always Encrypted encrypts data in use and at rest, but TDE is the standard for at-rest encryption.

Option A is wrong because Azure Information Protection is for classification and labeling, not database encryption.

829
MCQ · easy

Refer to the exhibit. You are reviewing an Azure Policy definition that will be assigned to a subscription containing production virtual machines. The policy is intended to enforce security best practices for disk encryption. What is the effect of this policy?

A. The policy denies deployment of virtual machines using Standard_LRS or StandardSSD_LRS managed disks.
B. The policy modifies existing virtual machines to change their disk type to Premium_LRS.
C. The policy allows deployment of virtual machines only if they use Standard_LRS or StandardSSD_LRS disks.
D. The policy audits virtual machines to ensure they have Azure Disk Encryption enabled.
Answer: A

The policy uses the 'deny' effect to block VMs with those disk types.

Why this answer

The policy uses the 'deny' effect with a condition that checks if the 'Microsoft.Compute/disks/sku.name' property is not equal to 'Premium_LRS'. This means any virtual machine deployment that uses Standard_LRS or StandardSSD_LRS managed disks will be denied, enforcing the use of Premium_LRS disks for production VMs to meet security best practices for disk encryption.

Exam trap

Microsoft often tests the distinction between 'deny', 'audit', and 'modify' effects, and the trap here is assuming that a policy that checks disk SKU is related to encryption (ADE) rather than disk performance or redundancy, leading candidates to select the audit option D.

How to eliminate wrong answers

Option B is wrong because the policy uses the 'deny' effect, not 'modify' or 'deployIfNotExists', so it cannot change existing disks; it only blocks new deployments that don't meet the condition. Option C is wrong because the condition denies disks that are not Premium_LRS, so it does not allow Standard_LRS or StandardSSD_LRS disks; it explicitly blocks them. Option D is wrong because the policy checks the disk SKU type, not Azure Disk Encryption (ADE) enablement; auditing for ADE would require a different policy definition with a condition on encryption settings.

830
MCQ · medium

Your organization uses Microsoft Defender for Cloud Apps. You need to identify users who are downloading large amounts of data from a sanctioned cloud app in a short period. What should you configure?

A. Create an anomaly detection policy for impossible travel or unusual activity.
B. Create an app permission policy to block downloads.
C. Create an activity policy to monitor downloads.
D. Create a file policy to detect mass download.
Answer: A

Anomaly detection can detect unusual download patterns.

Why this answer

Option A is correct because anomaly detection policies in Defender for Cloud Apps can detect unusual download activity. Option D is incorrect because file policies are for specific file attributes, not volume. Option B is incorrect because app permission policies are about OAuth apps.

Option C is incorrect because activity policies can be used, but anomaly detection is more specific for this scenario.

831
MCQ · medium

Your organization is deploying a new line-of-business application on Azure App Service. The app must authenticate users from Microsoft Entra ID and also access a downstream API that requires a client secret. You need to recommend the most secure method for managing the client secret. What should you use?

A. Store the secret in the Azure AD app registration manifest.
B. Store the secret in an App Service application setting.
C. Store the secret in Azure Key Vault and use a Key Vault reference in App Service.
D. Store the secret in the application code as a constant.
Answer: C

Key Vault provides centralized secret management with access policies and auditing.

Why this answer

Option C is correct because Azure Key Vault provides secure storage for secrets and certificates, and App Service can reference them via managed identity or Key Vault references. Option D is wrong because storing the secret in code exposes it to source control and accidental disclosure. Option B is wrong because App Service application settings are less secure and can be accessed through the portal.

Option A is wrong because the Azure AD app registration is the identity object, not storage for secrets.

832
MCQ · hard

Refer to the exhibit. A security architect reviews the Azure AD Conditional Access policy JSON. The policy is intended to require MFA for all users accessing Azure management (Microsoft Azure Management app ID 797f4846-ba77-4853-9e6f-4433c3e1d1c5), except for the BreakGlassAdmin account and from trusted locations. However, some users report being prompted for MFA even when connecting from the corporate office (which is marked as a trusted location). What is the most likely cause?

A. The corporate office location is not correctly defined as a trusted location in Azure AD
B. The grant controls operator is set to 'OR' instead of 'AND'
C. The policy is in 'Report-only' mode
D. The policy applies to all cloud apps, not just Azure management
Answer: A

If the corporate office IP range is not added to trusted locations, 'AllTrusted' won't exclude it.

Why this answer

Option A is correct because the policy is designed to require MFA for all users accessing Azure management, except for the BreakGlassAdmin account and from trusted locations. If the corporate office location is not correctly defined as a trusted location in Azure AD, the Conditional Access policy will not recognize it as an exception, and users connecting from that location will still be prompted for MFA. This mismatch between the intended trusted location definition and the actual location configuration is the most likely cause of the unexpected MFA prompts.

Exam trap

The trap here is that candidates often assume the policy logic is flawed (e.g., grant operator or app scope) when the real issue is a misconfiguration in the location definition, which is a common oversight in Conditional Access troubleshooting.

How to eliminate wrong answers

Option B is wrong because the grant controls operator being set to 'OR' would actually make the policy less restrictive (allowing MFA or other controls), not more restrictive, and would not cause unexpected MFA prompts; the issue is about location exclusion, not grant logic. Option C is wrong because if the policy were in 'Report-only' mode, it would not enforce MFA at all—users would not be prompted—so this cannot explain why MFA is being enforced. Option D is wrong because the policy explicitly targets the Microsoft Azure Management app (ID 797f4846-ba77-4853-9e6f-4433c3e1d1c5), not all cloud apps; if it applied to all cloud apps, the behavior would be broader, but the specific complaint is about Azure management access, and the policy scope is correctly set.

833
Multi-Select · hard

You are designing a secure access solution for an Azure App Service web application that authenticates users via Microsoft Entra ID. The requirements include: only allowing users from a specific Entra ID tenant, and blocking access from certain countries. Which two features should you combine? (Choose two.)

Select 2 answers
A. App Service authentication with Microsoft Entra ID
B. Network Security Groups (NSGs)
C. Microsoft Entra Conditional Access
D. Managed Identity
E. Azure Front Door with geo-filtering
Answers: A, E

Restricts access to users from a specific tenant.

Why this answer

Options A and E are correct: App Service authentication restricts access to a specific tenant, and geo-filtering on Azure Front Door blocks countries. Option B is wrong because NSGs filter network traffic, not user authentication. Option C is wrong because Conditional Access can apply policies but not geo-blocking at the network edge.

Option D is wrong because Managed Identity is for app-to-Azure authentication, not user access.

834
MCQ · hard

Your organization uses Microsoft Entra ID with Privileged Identity Management (PIM). You need to design a role activation policy that requires approval from a security group for global administrator roles, but allows self-activation for other roles. What is the correct configuration?

A. Create a single PIM policy for all roles with approver group
B. Configure separate PIM settings per role: Global Administrator requires approval, others self-activate
C. Enable just-in-time access in Azure AD Identity Protection
D. Use Azure AD entitlement management with access packages
Answer: B

PIM supports per-role activation settings.

Why this answer

Privileged Identity Management (PIM) in Microsoft Entra ID allows you to configure role-specific activation settings. By creating separate PIM policies per role, you can require approval for the Global Administrator role while allowing self-activation for other roles. This granular control ensures that high-privilege roles have additional oversight, while lower-privilege roles remain agile.

Exam trap

The trap here is that candidates confuse PIM role-specific policies with broader identity governance tools like entitlement management or Identity Protection, failing to recognize that PIM's granular per-role settings are the correct mechanism for mixed approval requirements.

How to eliminate wrong answers

Option A is wrong because a single PIM policy applies uniformly to all roles, making it impossible to require approval for only Global Administrators while allowing self-activation for others. Option C is wrong because Azure AD Identity Protection focuses on risk-based policies for user sign-ins and sessions, not role activation approval workflows. Option D is wrong because Azure AD entitlement management manages access packages and resource access, not the activation approval process for built-in directory roles like Global Administrator.

835
MCQ · easy

Your company plans to deploy Microsoft Defender for Cloud to secure a multi-cloud environment that includes Azure, AWS, and GCP. You need to ensure that security recommendations from all three cloud providers are centrally visible. What should you configure?

A. Onboard AWS and GCP accounts to Microsoft Defender for Cloud using the multicloud connectors feature.
B. Deploy Azure Policy on AWS and GCP using Azure Arc to enforce security policies.
C. Ingest security logs from AWS and GCP into Microsoft Sentinel and use workbooks to view recommendations.
D. Connect AWS accounts to AWS Security Hub and GCP accounts to Google Cloud Security Command Center, then view via a single pane of glass.
Answer: A

Defender for Cloud supports AWS and GCP via connectors, providing unified recommendations.

Why this answer

Option A is correct because Microsoft Defender for Cloud can connect AWS and GCP accounts via the multicloud connectors, allowing centralized visibility of security recommendations. Option D is wrong because AWS Security Hub only shows AWS recommendations. Option B is wrong because Azure Policy does not natively assess AWS/GCP resources.

Option C is wrong because Microsoft Sentinel is for SIEM/SOAR, not for CSPM recommendations.

836
MCQ · hard

Your company uses Microsoft Intune to manage devices. You need to design a solution that prevents users from installing unauthorized applications on corporate Windows 10 devices. Which Intune policy should you configure?

A. Compliance policy
B. App protection policy (MAM)
C. Device restriction policy (Windows 10)
D. Configuration policy (OMA-URI)
Answer: C

Device restrictions include settings to block app installation from untrusted sources.

Why this answer

Option C is correct because Intune device restriction policies can block installation of apps from untrusted sources. Option B is wrong because app protection policies apply to managed apps, not device-wide installation. Option A is wrong because compliance policies assess device state but do not block installation.

Option D is wrong because configuration policies set settings but not app installation control.

837
MCQ · medium

Your organization uses Microsoft Sentinel to centralize security monitoring. You need to detect anomalous access to a critical Azure SQL Database from unusual geographic locations. Which data connector and analytic rule should you use?

A. Azure SQL Database connector and a custom scheduled query rule with geo-location
B. Azure Active Directory connector and an anomaly rule for sign-ins
C. Windows Security Events connector and a rule for failed logins
D. Azure Activity connector and a rule for resource deletion
Answer: A

The Azure SQL Database connector ingests diagnostic logs (SQLInsights, QueryStoreRuntimeStatistics) that include client IP. A rule can detect connections from unusual locations.

Why this answer

Option A is correct because the Azure SQL Database connector ingests diagnostic logs containing connection events, and an analytics rule can detect anomalies by location. Option B is wrong because Azure AD sign-in logs do not include database-level connections. Option D is wrong because Azure Activity logs track control-plane operations, not data-plane access.

Option C is wrong because Windows Security Events are for on-premises servers, not Azure SQL.

838
MCQ · easy

A company wants to enforce that all administrators use just-in-time (JIT) access to privileged roles in Microsoft Entra ID. Which feature should they enable?

A. Microsoft Entra ID Conditional Access
B. Microsoft Entra ID Privileged Identity Management (PIM)
C. Microsoft Entra ID Access Reviews
D. Microsoft Entra ID Protection
Answer: B

PIM enables just-in-time, time-bound access to privileged roles.

Why this answer

Microsoft Entra ID Privileged Identity Management (PIM) provides just-in-time (JIT) privileged access by enabling time-bound and approval-based role activation. This directly meets the requirement to enforce JIT access for administrators, as PIM allows roles to be activated only when needed and for a limited duration, reducing standing access.

Exam trap

The trap here is that candidates often confuse Conditional Access (which controls access to apps) with PIM (which controls privileged role activation), leading them to select Option A because they think JIT access is a policy-based access control feature.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Conditional Access enforces access policies based on signals like location or device state, but it does not provide time-bound role activation or JIT privileged access. Option C is wrong because Microsoft Entra ID Access Reviews are used to periodically audit and recertify group memberships or role assignments, not to grant or activate privileged roles on demand. Option D is wrong because Microsoft Entra ID Protection detects and responds to identity-based risks (e.g., leaked credentials) but does not manage privileged role activation or JIT access.

839
Multi-Select · hard

Your organization uses Microsoft Defender for Cloud to protect a multi-cloud environment (Azure, AWS, GCP). You need to ensure that security configurations are assessed against industry benchmarks like CIS and PCI DSS. Which THREE actions should you take?

Select 3 answers
A. Enable the regulatory compliance dashboard in Defender for Cloud and select the desired standards (CIS, PCI DSS).
B. Deploy Azure Firewall in each cloud environment to filter traffic.
C. Use Azure Policy to enforce security configurations based on the benchmark recommendations.
D. Configure continuous export of assessment data to a Log Analytics workspace for custom reporting.
E. Deploy the Log Analytics agent to all VMs in the multi-cloud environment.
Answers: A, C, D

The regulatory compliance dashboard assesses against selected standards.

Why this answer

Option A is correct because the regulatory compliance dashboard in Microsoft Defender for Cloud allows you to add built-in standards such as CIS and PCI DSS. Once enabled, Defender for Cloud automatically assesses your multi-cloud resources against the selected benchmarks and provides a compliance score with detailed recommendations for remediation.

Exam trap

The trap here is that candidates often confuse network security controls (like Azure Firewall) or agent-based monitoring (Log Analytics agent) with the configuration assessment and compliance reporting capabilities that are native to Defender for Cloud's regulatory compliance dashboard and Azure Policy.

840
MCQ · hard

You are designing a solution for an Azure SQL Database that stores sensitive financial data. The compliance team requires that all queries are audited and that access to sensitive columns is restricted for certain users. What should you implement?

A. Enable Transparent Data Encryption (TDE) and SQL Server Audit.
B. Use Dynamic Data Masking and SQL Server Audit.
C. Implement Row-Level Security (RLS) and enable audit.
D. Use Always Encrypted for sensitive columns and enable Azure SQL Auditing.
Answer: D

Always Encrypted protects columns and auditing logs queries.

Why this answer

Option D is correct because using Always Encrypted protects sensitive columns at rest and in transit, and auditing via Azure SQL Auditing meets compliance. Option A is wrong because TDE encrypts the entire database, not columns. Option B is wrong because Dynamic Data Masking masks data but does not restrict access.

Option C is wrong because Row-Level Security restricts rows, not columns.

841
MCQ · medium

A company uses Microsoft Defender for Cloud to assess the security posture of their Azure subscriptions. They want to ensure that all virtual machines have the Log Analytics agent installed and that missing system updates are remediated automatically. Which two recommendations should be enabled in a single policy initiative?

A. Assign two separate Azure Policy initiatives, one for each requirement.
B. Create a custom Azure Policy initiative that combines the two requirements.
C. Use Azure Blueprints to assign the policies to all subscriptions.
D. Enable the Microsoft Defender for Cloud 'System Updates' and 'Log Analytics agent' recommendations via a built-in initiative.
Answer: D

Defender for Cloud provides built-in initiatives that cover both.

Why this answer

Option D is correct because Microsoft Defender for Cloud includes a built-in policy initiative (the 'ASC Default' initiative) that contains both the 'System Updates' and 'Log Analytics agent' recommendations. Enabling this single initiative automatically assigns both requirements to the selected scope, ensuring that missing system updates are remediated and the Log Analytics agent is installed on all virtual machines without needing custom policies or separate assignments.

Exam trap

The trap here is that candidates often think they need to create custom initiatives or use separate assignments (Option A or B) because they assume the two requirements are unrelated, but Microsoft Defender for Cloud's built-in initiative already bundles them together, making Option D the simplest and most correct approach.

How to eliminate wrong answers

Option A is wrong because it suggests assigning two separate Azure Policy initiatives, which would require managing two distinct assignments and could lead to inconsistent enforcement; the built-in initiative already combines both requirements into a single assignment. Option B is wrong because creating a custom Azure Policy initiative is unnecessary and adds complexity when a built-in initiative that exactly meets the requirements already exists in Defender for Cloud. Option C is wrong because Azure Blueprints are used for deploying and governing entire environments with multiple artifacts (including policies, role assignments, and resource groups), not for simply enabling two specific recommendations within Defender for Cloud; using Blueprints here would be over-engineering and not the intended use case.

842
MCQ · medium

Your organization uses Microsoft Defender for Cloud to assess security posture. You need to ensure that your Azure App Service web applications are protected against common web vulnerabilities like SQL injection. What should you enable?

A. Web Application Firewall (WAF) on Azure Front Door
B. Just-in-time (JIT) VM access
C. Adaptive Application Controls
D. Azure DDoS Protection
Answer: A

WAF protects web applications from common exploits like SQL injection.

Why this answer

Option A is correct because Web Application Firewall (WAF) on Azure Front Door or Application Gateway protects against OWASP Top 10 vulnerabilities, including SQL injection. Option D is wrong because DDoS Protection protects against volumetric attacks, not web application attacks. Option B is wrong because JIT VM access reduces the attack surface of VMs, not web apps.

Option C is wrong because Adaptive Application Controls allow-list applications on servers; they do not protect against web attacks.

843
MCQ · medium

Your company uses Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data. You need to prevent users from sharing credit card numbers via email in Outlook on the web. The policy should notify users when they try to send such data and allow them to override with a business justification. What should you configure?

A. Create a DLP policy with the action 'Audit only' for credit card numbers
B. Create a DLP policy with the action 'Block with override' and enable 'Business justification'
C. Create a DLP policy that encrypts emails containing credit card numbers
D. Create a DLP policy with the action 'Block' for credit card numbers
Answer: B

This blocks by default but allows override with justification.

Why this answer

Option B is correct because DLP policies can have rules that detect sensitive info types like credit card numbers, and the action 'Block with override' allows users to override with a justification. Option D is wrong because 'Block' without override is too restrictive. Option A is wrong because 'Audit only' does not block.

Option C is wrong because encryption alone does not block.

844
Multi-Select · hard

Your organization uses Azure Kubernetes Service (AKS) for containerized workloads. You need to design a security solution that includes network segmentation, threat detection, and secret management. Which THREE Azure services should you include?

Select 3 answers
A. Azure Key Vault with CSI driver for secrets store
B. Azure Service Bus
C. Azure Policy for Kubernetes (Azure Policy add-on)
D. Microsoft Defender for Cloud (with Kubernetes threat detection)
E. Azure Firewall Premium
Answers: A, C, D

Key Vault securely stores secrets, and the CSI driver mounts them into pods.

Why this answer

Option C (Azure Policy for Kubernetes) enforces network policies and compliance. Option D (Microsoft Defender for Cloud, which now includes what was Azure Security Center for Kubernetes) provides threat detection. Option A (Azure Key Vault with the CSI driver) stores secrets.

Option E (Azure Firewall Premium) is for the perimeter, not AKS-specific; Option B (Azure Service Bus) is messaging.

845
MCQ · medium

Refer to the exhibit. A company applies this Azure Policy to their subscription. An administrator tries to create a VM with a public IP address. What will happen?

A. The public IP will be automatically removed
B. The VM creation will be denied
C. The VM will be created, but an alert will be generated
D. The policy will only apply to VMs in a specific resource group
Answer: B

The policy denies creation of NICs with public IP.

Why this answer

Option B is correct because the policy denies creation of network interfaces with a public IP. Option C is wrong because the policy does not audit; it denies. Option D is wrong because the policy applies to all resources in the subscription, not only a specific resource group.

Option A is wrong because the policy does not modify the deployment; it neither creates nor removes a public IP.

846
Multi-Select · medium

Your organization uses Microsoft Sentinel for security operations. You need to design a solution to detect and respond to lateral movement using pass-the-hash attacks. Which TWO data sources should you enable for ingestion into Microsoft Sentinel to detect such attacks?

Select 2 answers
A. Microsoft Defender for Identity alerts.
B. DNS events from DNS servers.
C. Azure AD sign-in logs.
D. Windows Security Events (Event ID 4624) from domain controllers.
E. Sysmon logs for process creation.
Answers: A, D

Defender for Identity provides detection of pass-the-hash.

Why this answer

Correct answers: A and D. Windows Security Events (Event ID 4624) can show anomalous logons, and Microsoft Defender for Identity provides detection of pass-the-hash. Option C is incorrect: Azure AD sign-in logs do not capture on-premises NTLM events.

Option E is incorrect: Sysmon is helpful but not specific to pass-the-hash. Option B is incorrect: DNS logs are for network anomalies.

847
MCQ · medium

A multinational corporation, Contoso Ltd., is implementing Microsoft Purview to manage data governance across their Azure and Microsoft 365 environments. They need to discover sensitive data (e.g., credit card numbers, passport numbers) in Azure Blob Storage, Azure SQL Database, and SharePoint Online. The data must be classified and labeled automatically. Additionally, they want to prevent sensitive data from being shared externally via email and Teams. The solution should align with Microsoft's data security best practices. What should you recommend?

A. Use Azure Policy to enforce tagging on resources. Use Microsoft Defender for Cloud to identify sensitive data. Configure retention labels in Microsoft 365. Use Azure AD Conditional Access to block external sharing.
B. Use Microsoft Defender for Cloud Apps to discover sensitive data in cloud apps. Use Microsoft Purview Information Protection to label. Use Azure AD Identity Governance to manage access.
C. Use Azure Information Protection (AIP) to classify documents. Use Azure SQL Data Discovery & Classification for databases. Configure manual labeling rules. Use Microsoft 365 DLP policies.
D. Deploy Microsoft Purview Data Map to scan Azure Blob Storage and Azure SQL Database. Create custom sensitivity labels to identify sensitive data types. Configure auto-labeling policies in Microsoft Purview to apply labels. Create Data Loss Prevention (DLP) policies in Microsoft Purview Compliance Portal to block external sharing of labeled content in email and Teams.
Answer: D

Comprehensive data discovery, classification, and DLP coverage.

Why this answer

Option D is correct because Microsoft Purview Data Map can scan and classify data in Azure sources, and sensitivity labels can be applied automatically. DLP policies in Microsoft 365 (via Purview) can block external sharing. Option A is wrong because Azure Policy does not classify data.

Option C is wrong because Azure Information Protection is deprecated. Option B is wrong because Defender for Cloud Apps is for cloud app security, not classification.

848
MCQ · medium

Your team develops a web application hosted on Azure App Service. You need to secure the application against common web vulnerabilities like SQL injection and cross-site scripting. What should you implement?

A. Enable Azure Web Application Firewall (WAF) on Azure Front Door or Application Gateway.
B. Store application secrets in Azure Key Vault and enable managed identity.
C. Configure Network Security Groups (NSGs) on the App Service subnet to restrict inbound traffic.
D. Enable Azure DDoS Protection on the virtual network.
Answer: A

WAF protects against SQL injection, XSS, and other web threats.

Why this answer

Option A is correct because Azure Web Application Firewall (WAF) on Azure Front Door or Application Gateway protects against OWASP Top 10 threats, including SQL injection and XSS. Option C is wrong because NSGs protect network traffic, not the application layer. Option B is wrong because Key Vault is for secrets.

Option D is wrong because DDoS protection is for network layer attacks.

849
MCQ · medium

Your organization is deploying a new web application in Azure and needs to secure it against common web attacks like SQL injection and cross-site scripting. You need to configure a solution that provides centralized protection at the network edge. Which Azure service should you use?

A. Azure Web Application Firewall (WAF) on Azure Application Gateway
B. Network Security Groups (NSGs)
C. Azure DDoS Protection
D. Azure Firewall
Answer: A

WAF provides centralized protection against web attacks at the edge.

Why this answer

Option A is correct because Azure Web Application Firewall (WAF) with Application Gateway provides centralized protection against common web exploits at the network edge. Option D is wrong because Azure Firewall is a network firewall but does not have web-specific filtering. Option C is wrong because Azure DDoS Protection only mitigates DDoS attacks.

Option B is wrong because Network Security Groups provide basic network filtering but not web application layer protection.

850
MCQ · medium

Refer to the exhibit. You are reviewing a KQL query in Microsoft Sentinel. What is the primary purpose of this query?

A. To identify accounts with multiple failed logon attempts from a single IP.
B. To list all successful logon events in the last 7 days.
C. To calculate the total number of failed logons per hour.
D. To detect account lockout events.
Answer: A

The query aggregates failed logons by account and IP, filtering for >10 attempts.

Why this answer

The query uses the `SigninLogs` table and filters for `ResultType == 50057`, which specifically indicates a failed user sign-in due to an incorrect password. By then summarizing `count()` by `IPAddress` and `UserPrincipalName` and filtering for `FailedAttempts > 5`, the query identifies accounts that have experienced multiple failed logon attempts from a single IP address. This aligns with detecting brute-force or password-spray attacks, making option A correct.

Exam trap

The trap here is that candidates may confuse the `ResultType` code 50057 with a successful logon or lockout event, or overlook that the query groups by both IP and user, not by time, leading them to select options B, C, or D.

How to eliminate wrong answers

Option B is wrong because the query filters for `ResultType == 50057`, which is a failed logon event, not a successful one; successful logons would use `ResultType == 0`. Option C is wrong because the query summarizes by `IPAddress` and `UserPrincipalName`, not by time bins (e.g., `bin(TimeGenerated, 1h)`), so it cannot calculate failed logons per hour. Option D is wrong because account lockout events are represented by a different `ResultType` value (e.g., 50053 or 50074 in Azure AD), and the query does not filter for those codes.

851
MCQ (medium)

You are reviewing the ARM template snippet for an Azure Storage container. What does the 'denyEncryptionScopeOverride' property set to 'true' ensure?

A. Double encryption is enabled for the container.
B. Encryption at rest is required for all blobs in the container.
C. The container automatically uses a customer-managed key for encryption.
D. Users cannot override the default encryption scope for blobs in this container.
Answer: D

This property prevents using a different encryption scope than the default.

Why this answer

Option D is correct because when 'denyEncryptionScopeOverride' is true, all blobs in the container must use the default encryption scope and cannot specify a different one. Option C is wrong because the property enforces the default scope; it does not require customer-managed keys. Option B is wrong because encryption at rest is always enabled; this setting only controls scope override.

Option A is wrong because the property does not affect double encryption.

852
Multi-Select (medium)

Which TWO actions should you take to secure Azure SQL Database against SQL injection attacks?

Select 2 answers
A. Implement Always Encrypted
B. Enable Azure Web Application Firewall (WAF) on Application Gateway
C. Enable Row-Level Security (RLS)
D. Apply Dynamic Data Masking
E. Use parameterized queries in stored procedures
Answers: B, E

Correct: WAF filters SQL injection payloads.

Why this answer

Using parameterized queries in stored procedures prevents SQL injection by separating SQL code from data. Enabling Azure WAF on Application Gateway filters malicious requests at the network edge. Row-Level Security is for access control, not injection.

Always Encrypted protects data at rest. Dynamic Data Masking obfuscates data.

853
MCQ (easy)

A company uses Microsoft Purview to enforce Data Loss Prevention (DLP) policies. They want to prevent users from sharing credit card numbers via email. Which action should they configure in the DLP policy?

A. Audit only.
B. Block with override.
C. Notify only.
D. Block.
Answer: B

Prevents sharing but allows override with justification.

Why this answer

Option B is correct because configuring 'Block with override' allows the DLP policy to block the email containing credit card numbers while permitting users to override the block with a business justification. This balances security with operational flexibility, ensuring sensitive data is not shared without authorization while avoiding unnecessary disruption.

Exam trap

The trap here is that candidates often confuse 'Block' with 'Block with override', assuming that simply blocking is sufficient, but Microsoft Purview DLP policies are designed to support user overrides with justification to avoid business disruption, making 'Block with override' the recommended action for scenarios requiring both security and flexibility.

How to eliminate wrong answers

Option A is wrong because 'Audit only' merely logs the activity without taking any enforcement action, failing to prevent the sharing of credit card numbers. Option C is wrong because 'Notify only' sends an alert to the user but does not block the email, allowing the data to be shared. Option D is wrong because 'Block' completely prevents the email from being sent without any option for override, which can hinder legitimate business needs and is less flexible than 'Block with override'.

854
MCQ (hard)

A global company with branches worldwide wants to secure access to Azure resources using a zero-trust approach. They require that all access requests be authenticated, authorized, and encrypted, and that the user's device must be compliant with corporate policies. Which combination of services should they use?

A. Azure VPN Gateway and Azure AD Multi-Factor Authentication
B. Azure AD Conditional Access and Azure AD Application Proxy
C. Azure Firewall and Azure AD Password Protection
D. Azure AD B2C and Azure AD Identity Protection
Answer: B

Conditional Access enforces authentication and device compliance; Application Proxy provides secure remote access.

Why this answer

Option B is correct because Azure AD Conditional Access can enforce authentication and device compliance, while Azure AD Application Proxy provides secure remote access to on-premises apps without a VPN. Option A is wrong because Azure VPN Gateway does not enforce device compliance. Option C is wrong because Azure Firewall does not enforce authentication.

Option D is wrong because Azure AD B2C is for external identities, not internal access.

855
Multi-Select (medium)

Which TWO of the following are benefits of using Microsoft Defender XDR (Extended Detection and Response)? (Choose two.)

Select 2 answers
A. Scans for vulnerabilities in VMs
B. Provides compliance assessments
C. Cross-domain correlation of alerts
D. Replaces the need for a firewall
E. Automated investigation and response
Answers: C, E

Defender XDR correlates alerts from multiple sources into incidents.

Why this answer

Option C is correct because Microsoft Defender XDR correlates alerts across endpoints, email, identities, and cloud apps to provide a unified incident view. This cross-domain correlation enables security teams to detect multi-stage attacks that span different attack surfaces, which is a core benefit of an XDR solution.

Exam trap

The trap here is that candidates confuse the broad capabilities of the Microsoft security portfolio (e.g., Defender for Cloud, Purview) with the specific scope of Defender XDR, leading them to select features that belong to other services.

856
MCQ (hard)

Your organization uses Microsoft Defender for Endpoint (MDE) for endpoint detection and response. You need to protect sensitive data on Windows 10 devices from being exfiltrated via USB drives. The solution must be able to audit file copy operations to USB and block them for high-risk users. What should you configure?

A. Set up a Conditional Access policy in Microsoft Entra ID to block sign-ins from devices with USB activity
B. Use Microsoft Intune to create a device configuration profile that disables USB ports
C. Configure a Microsoft Purview DLP policy for endpoint devices
D. Deploy a device control policy in Microsoft Defender for Endpoint to audit USB usage and block for high-risk users
Answer: D

MDE device control can audit and block removable storage based on user groups.

Why this answer

Option D is correct because Microsoft Defender for Endpoint includes device control features that can audit and block removable storage. You can configure custom device control policies to audit all users and block high-risk users. Option B is wrong because Intune can manage USB restrictions but not with MDE-specific auditing.

Option C is wrong because DLP policies in Microsoft Purview are for cloud and network. Option A is wrong because Conditional Access does not control USB.

857
MCQ (medium)

Litware, a software development company, has adopted a DevOps culture and uses Azure DevOps for CI/CD pipelines. They deploy applications to Azure Kubernetes Service (AKS) and Azure App Services. The security team wants to ensure that secrets (API keys, connection strings) are not exposed in source code or pipeline logs. They also need to scan container images for vulnerabilities before deployment and ensure that only approved images are used in production. The solution must integrate with Microsoft Defender for Cloud and follow security best practices. What should you include in the design?

A. Use Azure App Configuration to store secrets with encryption. Run vulnerability scans using a third-party tool integrated into the pipeline. Create a custom script to check image registry location.
B. Store secrets in Azure Key Vault and use Azure DevOps Variable Groups linked to Key Vault for retrieval during pipelines. Enable Microsoft Defender for Containers on AKS to scan container images for vulnerabilities. Use Azure Policy (specifically Azure Policy for AKS with Gatekeeper) to enforce that only images from approved registries are deployed.
C. Store secrets as encrypted pipeline variables in Azure DevOps. Use Azure Container Registry (ACR) tasks to scan images. Implement manual approval gates in release pipelines to verify image source.
D. Store secrets in Azure Key Vault but use a custom task to retrieve them. Scan images using Microsoft Defender for Cloud after deployment. Use role-based access control to restrict registry access.
Answer: B

Secret security via Key Vault, automated vulnerability scanning, and policy enforcement.

Why this answer

Option B is correct because it aligns with security best practices by using Azure Key Vault to securely store secrets and linking them to Azure DevOps Variable Groups for secure retrieval during pipelines, preventing exposure in source code or logs. It enables Microsoft Defender for Containers on AKS to scan container images for vulnerabilities before deployment, and uses Azure Policy with Gatekeeper to enforce that only images from approved registries are deployed, ensuring compliance and integration with Microsoft Defender for Cloud.

Exam trap

The trap here is that candidates often confuse Azure App Configuration with Azure Key Vault for secret storage, or assume that post-deployment scanning is acceptable, but the requirement explicitly demands scanning before deployment and integration with Microsoft Defender for Cloud.

How to eliminate wrong answers

Option A is wrong because Azure App Configuration is not designed for secret storage (it lacks native key rotation and access policies compared to Key Vault), and using a third-party tool for vulnerability scanning and a custom script for registry checks does not integrate with Microsoft Defender for Cloud as required. Option C is wrong because storing secrets as encrypted pipeline variables in Azure DevOps still exposes them in pipeline logs and does not provide centralized secret management or rotation, and ACR tasks scan images only after push, not before deployment, while manual approval gates do not enforce policy-based image source control. Option D is wrong because using a custom task to retrieve secrets from Key Vault bypasses the secure, native integration of Variable Groups linked to Key Vault, and scanning images after deployment (post-deployment) violates the requirement to scan before deployment, while RBAC alone does not enforce that only approved images are used.

858
MCQ (hard)

An organization is using Microsoft Defender for Cloud to secure their Azure workloads. They have several Azure SQL databases that store sensitive financial data. The security team wants to receive alerts when a user attempts to access the database from a suspicious IP address or at an unusual time. Which Defender for Cloud plan provides this capability?

A. Defender for SQL
B. Defender for Databases
C. Defender for Cloud SQL
D. Microsoft Sentinel
Answer: A

Provides advanced threat protection for Azure SQL databases, including anomalous access patterns.

Why this answer

Defender for Cloud includes Defender for SQL, which provides anomalous activity detection for Azure SQL databases, so Option A is correct. Option B is wrong because Defender for Databases is a broader plan that includes SQL detection, but the specific capability asked about is the anomalous activity detection in Defender for SQL.

Option C is wrong because Defender for Cloud SQL is not a plan name. Option D is wrong because Microsoft Sentinel is a SIEM, not built-in database protection.

859
MCQ (hard)

Your organization uses Microsoft Sentinel for security operations. You need to design a solution to automatically respond to a DDoS attack detected by Azure DDoS Protection. The response should include blocking the attacker's IP address in Azure Firewall and sending an alert to the security team. Which approach should you use?

A. Configure an alert rule in Azure Monitor to send an email to the security team
B. Use Azure Policy to deny network traffic from the attacker's IP range
C. Configure a resource lock on the Azure Firewall to prevent changes
D. Create an automation rule in Microsoft Sentinel that triggers a playbook to block the IP in Azure Firewall
Answer: D

Sentinel automation rules with playbooks can orchestrate automated response actions.

Why this answer

Option D is correct because Microsoft Sentinel automation rules can trigger a playbook (an Azure Logic App) when a DDoS attack detection alert fires. The playbook can execute an action to block the attacker's IP address in Azure Firewall via its REST API or PowerShell cmdlets, and simultaneously send an alert to the security team (e.g., via email or Teams). This provides an automated, orchestrated response directly from the SIEM, aligning with security operations best practices.

Exam trap

The trap here is that candidates may confuse Azure Monitor alert rules (which only notify) with Sentinel automation rules (which can trigger remediation playbooks), or think Azure Policy can dynamically block IPs when it is actually a static compliance enforcement tool.

How to eliminate wrong answers

Option A is wrong because an Azure Monitor alert rule can only send notifications (e.g., email) and cannot perform remediation actions like blocking an IP in Azure Firewall; it lacks the orchestration capability needed for automated response. Option B is wrong because Azure Policy is a governance tool for enforcing compliance rules on resource configurations (e.g., denying creation of certain resources), not for dynamically blocking network traffic from a specific attacker IP in real time. Option C is wrong because a resource lock on Azure Firewall prevents accidental deletion or modification of the firewall itself, but does not block attacker IPs or send alerts; it actually hinders the automated response by locking the resource.

860
Multi-Select (hard)

Your organization is migrating from on-premises Active Directory to Microsoft Entra ID. You need to design a solution for hybrid identity that supports seamless SSO for legacy applications that require Kerberos authentication. Which THREE components should you include in your design?

Select 3 answers
A. Deploy Azure AD Application Proxy to publish legacy apps
B. Register legacy applications as Enterprise Applications in Microsoft Entra ID
C. Active Directory Federation Services (AD FS) deployed on-premises
D. Microsoft Entra Connect with Seamless SSO enabled
E. Password Hash Sync (PHS) with Self-Service Password Reset (SSPR) integration
Answers: B, D, E

Registering apps allows them to use Microsoft Entra ID for authentication, enabling SSO.

Why this answer

Option D (Microsoft Entra Connect with Seamless SSO) enables synchronization and seamless SSO. Option E (Password Hash Sync) is required for seamless SSO. Option B (Enterprise App registration) allows legacy apps to use Microsoft Entra ID for authentication.

Option C (AD FS) is optional and not required; Option A (Azure AD Application Proxy) is for remote access, not Kerberos SSO.

861
MCQ (medium)

Your company is migrating a legacy on-premises web application to Azure App Service. The application uses Windows Integrated Authentication and connects to a SQL Server database. You need to design a security solution that minimizes changes to the application code while ensuring secure authentication and data protection. What should you use to authenticate users?

A. Microsoft Entra Application Proxy
B. Microsoft Entra Domain Services
C. App Service Authentication (EasyAuth) with Entra ID
D. Site-to-Site VPN with on-premises Active Directory
Answer: A

Application Proxy enables legacy apps to use Entra ID authentication with minimal code changes.

Why this answer

Option A is correct because Microsoft Entra Application Proxy allows legacy apps to use Entra ID authentication without modifying code, by publishing the app through the proxy. Option B is wrong because Azure AD (now Entra ID) Domain Services provides domain join but requires code changes or a separate auth flow. Option C is wrong because App Service Authentication (EasyAuth) can be configured but may require code changes for Windows Integrated Authentication.

Option D is wrong because a VPN doesn't solve authentication; it only secures network access.

862
MCQ (medium)

You are a security architect at a global manufacturing company. The company uses a hybrid infrastructure with on-premises Active Directory and Azure. They have recently deployed Microsoft Sentinel as their SIEM. The security team wants to detect and investigate ransomware attacks that spread via SMB. The CISO has requested a solution that can automatically block malicious IPs at the network level and provide forensic evidence. You need to design a solution that meets these requirements with minimal manual intervention. What should you include in your design?

A. Deploy Azure Firewall with threat intelligence-based filtering enabled. Use Sentinel to generate alerts when SMB traffic is detected, and manually block IPs.
B. Use Microsoft Defender for Cloud to detect ransomware and deploy a third-party firewall in VPC. Configure Sentinel to send alerts to the firewall API.
C. Integrate Microsoft Defender for Identity with Sentinel. Create a playbook that automatically adds malicious IPs to a custom Azure Firewall policy, and use Sentinel incidents for investigation.
D. Enable network security groups (NSGs) on all subnets. Use Sentinel to detect SMB anomalies and apply NSG rules via Azure Policy.
Answer: C

Defender for Identity detects lateral movement via SMB; playbook automates blocking via Azure Firewall; incidents provide forensic data.

Why this answer

Option C uses Microsoft Defender for Identity to detect SMB-based attacks and Azure Firewall to block IPs via playbooks. Option A uses Azure Firewall alone without detection; Option D uses NSGs, which cannot block based on real-time threat intelligence; Option B relies on a VPC (AWS), which is not applicable.

863
MCQ (easy)

Your organization is implementing Microsoft Defender for Cloud Apps to protect against malicious OAuth app permissions. Users have been granting permissions to third-party apps that request excessive scopes. What should you configure to automatically revoke such permissions?

A. OAuth app policies in Defender for Cloud Apps
B. Microsoft Intune app protection policies
C. Conditional Access policies
D. Azure AD app permissions management
Answer: A

OAuth app policies can automatically revoke permissions for risky apps.

Why this answer

Option A is correct: OAuth app policies in Defender for Cloud Apps let you set policies that automatically revoke permissions for apps that meet certain criteria. Option C is wrong: Conditional Access policies can block access but do not revoke app permissions. Option D is wrong: Azure AD app permissions management is part of Entra ID, but automatic revocation is done via Defender for Cloud Apps.

Option B is wrong: Intune is for device management, not app permissions.

864
MCQ (medium)

Refer to the exhibit. You are reviewing an ARM template for an Azure storage account. Which security best practice is implemented?

A. Enforce HTTPS traffic only
B. Restrict network access by IP address
C. Deny all network traffic by default
D. Enable soft delete for blobs
Answer: C

defaultAction: Deny blocks all traffic unless explicitly allowed.

Why this answer

The template sets `supportsHttpsTrafficOnly` to true (enforces HTTPS) and `minimumTlsVersion` to TLS1_2 (requires TLS 1.2). It also sets the `networkAcls` `defaultAction` to Deny (denies all traffic by default). All of these are security best practices.

The question asks which practice is implemented, and the most notable one is the network ACL default deny. Enforcing HTTPS is also implemented, but the exam typically focuses on network access restriction.

865
MCQ (easy)

Your organization is a small business with 50 employees that uses Microsoft 365 Business Premium. You need to design a security baseline that protects against common threats like phishing, ransomware, and data leakage. The solution must be easy to manage and require minimal ongoing effort. You have the following requirements: 1. Block malicious emails and links. 2. Protect sensitive data from being shared externally. 3. Require multi-factor authentication for all users. 4. Keep devices healthy. Which combination of policies should you implement?

A. Enable Microsoft Defender for Office 365 for phishing protection. Use Microsoft Purview Information Protection to automatically label sensitive emails. Create a Conditional Access policy to require MFA for admins only. Use Azure Information Protection scanner.
B. Enable Exchange Online Protection (EOP) for spam and malware filtering. Create a Conditional Access policy to require MFA for all users. Enable device compliance policies in Microsoft Intune.
C. Enable Microsoft Defender for Office 365 Safe Links and Safe Attachments. Create a Microsoft Purview DLP policy to prevent external sharing of sensitive data. Create a Conditional Access policy to require MFA and device compliance.
D. Enable Microsoft Defender for Office 365 Safe Links and Safe Attachments. Create a Microsoft Purview DLP policy to block sharing of credit card numbers. Enable security defaults in Microsoft Entra ID to enforce MFA.
Answer: C

Covers all requirements: email protection, DLP, MFA, and device health via Conditional Access with device compliance.

Why this answer

Option C is correct because it directly addresses all four requirements: Microsoft Defender for Office 365 Safe Links and Safe Attachments blocks malicious emails and links; a Microsoft Purview DLP policy prevents external sharing of sensitive data, protecting against data leakage; a Conditional Access policy requiring MFA and device compliance enforces multi-factor authentication for all users and ensures devices are healthy. This combination is easy to manage with minimal ongoing effort, as it leverages built-in Microsoft 365 Business Premium capabilities without complex custom configurations.

Exam trap

The trap here is that candidates often confuse Exchange Online Protection (EOP) with Defender for Office 365, not realizing that EOP lacks advanced link and attachment protection, and they may overlook the need for device compliance policies when only security defaults are used for MFA.

How to eliminate wrong answers

Option A is wrong because it requires MFA for admins only, not all users, and uses Azure Information Protection scanner (which is not included in Business Premium and requires additional licensing) instead of a DLP policy for data leakage protection. Option B is wrong because Exchange Online Protection (EOP) alone does not block malicious links in emails or attachments at the same level as Defender for Office 365 Safe Links and Safe Attachments, and it lacks a DLP policy to prevent external sharing of sensitive data. Option D is wrong because it blocks only credit card numbers via DLP, not all sensitive data types, and security defaults in Microsoft Entra ID enforce MFA but do not include device compliance checks, failing the 'keep devices healthy' requirement.

866
MCQ (hard)

Refer to the exhibit. A security administrator needs to ensure that the storage account 'securestore' is compliant with the company policy that requires encryption at rest using customer-managed keys and network access restricted to a specific virtual network. Which of the following statements is correct?

A. The storage account is compliant only if encryption is enabled for blob and file services.
B. The storage account is non-compliant because it uses Microsoft-managed keys for encryption.
C. The storage account is compliant because it uses customer-managed keys from Key Vault and network access is restricted to a specific virtual network.
D. The storage account is non-compliant because network access is allowed from any virtual network.
Answer: C

The output confirms customer-managed keys (keySource: Microsoft.Keyvault) and network ACLs with default deny and VNet rule.

Why this answer

Option C is correct. The output shows 'keySource' is 'Microsoft.Keyvault', indicating customer-managed keys. Network ACLs have 'defaultAction': 'Deny' and a virtual network rule allowing traffic from vnet1/subnet1.

Option B is wrong because the encryption is customer-managed, not Microsoft-managed. Option D is wrong because, although there is a VNet rule, the default action is Deny, which restricts access. Option A is wrong because the output shows encryption is enabled for both blob and file services.

867
MCQ (medium)

Your organization uses Microsoft Defender for Cloud to protect Azure resources. You need to ensure that only authorized applications can access Azure Key Vault secrets. The solution must use managed identities and least privilege. What should you configure?

A. Use a shared access signature (SAS) token stored in an environment variable
B. Assign a system-assigned managed identity to the application and grant it Key Vault Secrets User role
C. Enable public network access on Key Vault and restrict inbound IP addresses
D. Install a client certificate on the application server and use it to authenticate to Key Vault
Answer: B

This provides secure, identity-based access with least privilege.

Why this answer

Option B is correct because using a system-assigned managed identity and assigning Key Vault access policies with Get and List permissions provides secure, identity-based access with least privilege. Option C is wrong because enabling public network access increases the attack surface. Option A is wrong because shared access signature tokens are less secure and harder to manage.

Option D is wrong because certificate-based authentication adds complexity without the benefits of managed identity.

868
MCQ (medium)

Refer to the exhibit. You are designing an API Management instance for a production environment. The exhibit shows a snippet of an ARM template. Which security concern is most critical to address before deploying to production?

A. Weak TLS cipher suites are enabled.
B. Publisher email and name are hardcoded.
C. The API version constraint is outdated.
D. The SKU is set to Developer, which is not suitable for production.
Answer: D

Developer SKU lacks SLA and scale.

Why this answer

Option D is correct because the Developer SKU is not suitable for production due to lack of SLA and limited scale. Option A is wrong because disabling TLS 1.0/1.1 and weak ciphers is actually a security best practice. Option B is wrong because the publisher email and name are informational.

Option C is wrong because the API version constraint affects feature set, not security.

869
MCQ (medium)

A company plans to implement a Zero Trust security model. Which of the following is the primary principle that should guide their strategy?

A. Assume breach and verify explicitly
B. Use a strong perimeter firewall as the primary defense
C. Grant trusted users full access to all resources
D. Trust but verify all internal traffic
Answer: A

This is a foundational Zero Trust principle.

Why this answer

The primary principle of Zero Trust is 'never trust, always verify,' which is operationalized as 'assume breach and verify explicitly.' This means every access request—regardless of source (internal or external)—must be authenticated, authorized, and encrypted before granting access. It eliminates implicit trust based on network location and enforces least-privilege access, which is foundational to the Zero Trust architecture.

Exam trap

The trap here is that candidates often confuse 'trust but verify' (Option D) with Zero Trust, but Zero Trust explicitly rejects any pre-established trust and requires verification at every access attempt, making 'assume breach and verify explicitly' the correct guiding principle.

How to eliminate wrong answers

Option B is wrong because relying on a strong perimeter firewall as the primary defense violates Zero Trust's core tenet of eliminating implicit trust based on network location; Zero Trust assumes the network is already compromised and requires micro-segmentation and per-request verification instead. Option C is wrong because granting trusted users full access to all resources contradicts the least-privilege principle of Zero Trust, which mandates that access be limited to only what is necessary for a specific task, regardless of user trust level. Option D is wrong because 'trust but verify' is the opposite of Zero Trust; Zero Trust requires 'never trust, always verify'—verification must occur before access is granted, not after trust is assumed.

870
MCQ (medium)

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to ensure that only approved applications can run on corporate devices. Which Intune feature should you configure?

A. Windows Defender Firewall
B. BitLocker
C. Windows Information Protection
D. AppLocker
Answer: D

AppLocker enables application control policies.

Why this answer

Option D is correct because AppLocker allows you to create policies to control which apps can run. Option A is wrong because Windows Defender Firewall controls network traffic. Option B is wrong because BitLocker encrypts drives.

Option C is wrong because Windows Information Protection prevents data leaks.

871
MCQ (easy)

You are designing security for a web application that will be developed by an external vendor. The vendor will have access to the source code repository and the development environment. You need to ensure that no secrets (e.g., API keys, connection strings) are stored in the source code. What is the best approach to manage secrets for this application?

A. Use Azure Key Vault to store secrets and configure the application to use managed identity to retrieve them.
B. Store secrets in environment variables on the application server.
C. Store secrets in Azure App Service application settings encrypted at rest.
D. Embed secrets in the compiled code using obfuscation.
Answer: A

Key Vault provides centralized secret management; managed identity avoids storing credentials.

Why this answer

Using Azure Key Vault to store secrets and referencing them from the application is the standard best practice. The application can use managed identity to authenticate to Key Vault securely. Storing secrets in app settings is not secure if the repository is accessible.

Using environment variables is better but still not as secure as Key Vault. Hardcoding is unacceptable.

872
Multi-Select (easy)

A company is implementing Microsoft Defender for Cloud to protect their Azure environment. Which TWO of the following are security best practices that should be enabled? (Choose two.)

Select 2 answers
A.Cloud Security Posture Management (CSPM)
B.Microsoft Defender for Cloud workload protection
C.Microsoft Defender for Office 365
D.Microsoft Defender for Endpoint onboarding
E.Microsoft Sentinel integration
AnswersA, B

CSPM provides continuous assessment of security controls.

Why this answer

Cloud Security Posture Management (CSPM) is a core feature of Microsoft Defender for Cloud that continuously assesses your Azure environment against security benchmarks (e.g., Azure Security Benchmark) and provides actionable recommendations to harden configurations. Enabling CSPM is a foundational best practice because it proactively identifies misconfigurations (like open management ports or unencrypted storage) before they can be exploited, directly aligning with the 'prevent' phase of the shared responsibility model.

Exam trap

The trap here is that candidates often confuse 'security best practices that should be enabled' with 'all available security products,' leading them to select options like Defender for Office 365 or Sentinel, which are valuable but not mandatory foundational practices for Azure environment protection in the context of Defender for Cloud.

873
MCQeasy

Your company uses Microsoft Purview to protect sensitive data. You need to automatically apply a retention label to documents containing credit card numbers detected in SharePoint Online. What should you configure?

A.Configure a Data Loss Prevention (DLP) policy to apply the label.
B.Create a sensitivity label with auto-labeling for SharePoint.
C.Use a trainable classifier to detect credit card numbers and apply the label.
D.Create an auto-labeling policy for retention labels targeting sensitive info types.
AnswerD

Auto-labeling policies can automatically apply retention labels based on sensitive info types.

Why this answer

Option D is correct because auto-labeling policies in Microsoft Purview can automatically apply retention labels to documents based on sensitive info types, such as credit card numbers. This allows you to enforce retention rules without manual intervention, directly targeting the detected sensitive data in SharePoint Online.

Exam trap

The trap here is that candidates confuse retention labels with sensitivity labels, or assume DLP policies can apply retention labels directly, when in fact DLP applies sensitivity labels and auto-labeling policies are the correct mechanism for retention labels.

How to eliminate wrong answers

Option A is wrong because DLP policies are designed to prevent data loss by blocking or alerting on sensitive data, not to apply retention labels; they can apply sensitivity labels but not retention labels. Option B is wrong because sensitivity labels with auto-labeling are for classification and protection (e.g., encryption), not for retention; retention labels are a separate concept in Purview. Option C is wrong because trainable classifiers are used to identify content based on patterns or machine learning, but they do not directly apply retention labels; they can be used in auto-labeling policies, but the policy itself must be configured for retention labels targeting sensitive info types.

874
MCQhard

Wide World Importers is deploying a critical line-of-business application on Azure Kubernetes Service (AKS). The application processes financial transactions and must meet SOX compliance. You need to design a security solution that includes: encryption of secrets (e.g., database connection strings) using Azure Key Vault, automatic certificate rotation for TLS termination, network isolation of the AKS cluster, and audit logging of all access to secrets. The solution should use a managed identity for the AKS cluster to access Key Vault. Which of the following designs meets the requirements?

A.Enable managed identity for the AKS cluster, integrate Key Vault with AKS using the Secrets Store CSI driver, deploy the cluster as a private cluster, and enable diagnostic settings on Key Vault to send logs to a Log Analytics workspace.
B.Use a service principal for AKS to access Key Vault, store secrets as Kubernetes secrets, configure a private cluster, and enable audit logging on Key Vault.
C.Enable managed identity for the AKS cluster, store secrets in the cluster's native Kubernetes secrets, use a private endpoint for the AKS API server, and enable Azure Monitor for containers.
D.Use a service principal to access Key Vault, store secrets as encrypted Kubernetes secrets with a customer-managed key, deploy a public cluster with network policies, and enable Key Vault logging.
AnswerA

Managed identity provides secure access, CSI driver mounts secrets securely, private cluster provides network isolation, and diagnostic settings provide audit logs.

Why this answer

Option A is correct because it uses managed identity for secure secret access, the Secrets Store CSI driver for Key Vault integration, a private cluster for network isolation, and diagnostic settings for audit logging. Option C is wrong because a private cluster is needed for network isolation, not just a private endpoint for the API server. Option B is wrong because secrets should be stored in Key Vault, not as Kubernetes secrets.

Option D is wrong because a service principal is less secure than a managed identity, and Kubernetes secrets are not encrypted at rest by default.

875
MCQhard

Your organization plans to use Microsoft Sentinel and Microsoft Defender XDR to manage security incidents. You need to design a solution that ensures all Defender for Cloud Apps alerts are automatically synchronized to Microsoft Sentinel as incidents with the least administrative effort. What should you configure?

A.Enable the Microsoft Defender for Cloud Apps data connector in Microsoft Sentinel.
B.Create a custom Azure Function that polls the Defender for Cloud Apps API and sends alerts to Sentinel via a custom Log Analytics table.
C.Enable the Microsoft Entra ID (Azure AD) data connector in Microsoft Sentinel.
D.Enable the Microsoft Defender XDR data connector in Microsoft Sentinel and set incident creation to 'All alerts'.
AnswerD

This is the simplest and most efficient method; it automatically synchronizes all Defender alerts as incidents.

Why this answer

Option D is correct because enabling the Microsoft Defender XDR connector in Sentinel automatically ingests alerts from all Defender workloads, including Defender for Cloud Apps, and creates incidents. Option B (a custom Azure Function polling the API) is not minimal effort. Option A (the Defender for Cloud Apps connector) is legacy and duplicates effort.

Option C (the Microsoft Entra ID connector) does not include Defender for Cloud Apps alerts.

876
MCQhard

Your organization is adopting Microsoft Copilot for Security. You need to ensure that the AI model does not expose sensitive data during interactions. What is the primary security control you should implement?

A.Microsoft Entra Conditional Access policies
B.Microsoft Entra Privileged Identity Management
C.Microsoft Purview Information Protection sensitivity labels
D.Microsoft Purview Data Loss Prevention policies for Copilot
AnswerD

DLP policies can detect and block sensitive data in Copilot interactions.

Why this answer

Microsoft Purview Data Loss Prevention (DLP) policies for Copilot for Security are the primary control to prevent sensitive data exposure because they can inspect and block sensitive information (e.g., credit card numbers, health records) in real-time during Copilot interactions. DLP policies integrate directly with Copilot to enforce data protection rules on both prompts and responses, ensuring that sensitive data is not leaked through the AI model. This is the most direct and effective control for preventing data exposure in AI interactions.

Exam trap

The trap here is that candidates often confuse data classification (sensitivity labels) with data loss prevention (DLP), assuming that labeling data is sufficient to prevent exposure, but DLP is the active enforcement mechanism required for real-time AI interactions.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Conditional Access policies control access to resources based on conditions like location or device compliance, but they do not inspect or block sensitive data within Copilot interactions. Option B is wrong because Microsoft Entra Privileged Identity Management (PIM) manages just-in-time privileged role assignments and does not have any capability to scan or prevent data leakage in AI conversations. Option C is wrong because Microsoft Purview Information Protection sensitivity labels classify and protect data at rest (e.g., documents, emails) but do not enforce real-time data loss prevention rules during active Copilot sessions.

877
MCQmedium

Your organization uses Microsoft Sentinel to monitor hybrid workloads. You need to design a solution to detect lateral movement attempts using pass-the-hash attacks. Which data source should you prioritize for ingestion?

A.Sysmon Event ID 1 (Process creation)
B.DNS Query Logs
C.Azure Activity Logs
D.Windows Security Events (Event ID 4624)
AnswerD

Event ID 4624 captures successful logons with logon type and credential details, critical for detecting pass-the-hash.

Why this answer

Option D is correct because Windows Security Event ID 4624 (successful logon) with LogonType 3 (network) and its credential details is key for detecting pass-the-hash. Option C is wrong because Azure Activity Logs record control plane events, not authentication details. Option A is wrong because Sysmon Event ID 1 is process creation, not authentication.

Option B is wrong because DNS logs may show network connections but not credential theft.

878
MCQeasy

You are designing a secure remote access solution for employees using Windows 10/11 devices that are managed by Microsoft Intune. The solution must enforce device compliance before allowing access to corporate resources and must support single sign-on (SSO). Which technology should you use?

A.Deploy a traditional VPN with certificate-based authentication.
B.Set up Azure AD Application Proxy for remote access.
C.Implement Microsoft Defender for Endpoint to block non-compliant devices.
D.Use Microsoft Entra ID with Conditional Access policies that require compliant devices.
AnswerD

Conditional Access integrates with Intune compliance and provides SSO.

Why this answer

Option D is correct because Microsoft Entra ID with Conditional Access can evaluate device compliance from Intune and provide SSO. Option A is incorrect because a VPN alone does not enforce device compliance. Option C is incorrect because Microsoft Defender for Endpoint is an endpoint protection solution, not an access control mechanism.

Option B is incorrect because Azure AD Application Proxy publishes on-premises apps but does not natively enforce device compliance without Conditional Access.

879
MCQmedium

A company plans to implement Microsoft Purview to enforce data loss prevention (DLP) policies. They need to prevent users from sharing credit card numbers via email. What should they configure?

A.Create a sensitivity label and apply it to emails
B.Enable communication compliance policies
C.Create a DLP policy that detects and blocks credit card numbers in Exchange Online
D.Configure a retention policy for email
AnswerC

DLP policies in Microsoft Purview can detect sensitive info types like credit card numbers and block sharing via email.

Why this answer

Option C is correct because Microsoft Purview Data Loss Prevention (DLP) policies can be configured to detect sensitive data types, such as credit card numbers, in Exchange Online emails. When a DLP policy is created with a rule that identifies credit card numbers and blocks the email from being sent, it directly prevents users from sharing that data via email. This is the native mechanism for enforcing DLP on email traffic in Microsoft 365.

Exam trap

The trap here is that candidates often confuse sensitivity labels (which classify data) with DLP policies (which enforce actions on data in motion), leading them to select Option A instead of the correct DLP policy.

How to eliminate wrong answers

Option A is wrong because sensitivity labels are used to classify and protect data based on sensitivity, but they do not inherently detect or block specific sensitive information like credit card numbers in transit; they require manual or automatic labeling and rely on other controls (like DLP) for enforcement. Option B is wrong because communication compliance policies are designed to detect and remediate inappropriate or policy-violating communications (e.g., harassment, insider trading), not to block the sharing of specific sensitive data patterns like credit card numbers. Option D is wrong because retention policies control how long data is kept or deleted, not how data is shared or blocked in real-time; they have no effect on preventing the transmission of credit card numbers via email.

880
MCQmedium

You are designing a backup strategy for a Microsoft 365 tenant. You need to ensure that Exchange Online mailbox items deleted by users can be recovered up to 30 days after deletion, without using third-party tools. What should you configure?

A.Place the mailbox on litigation hold.
B.Create a Microsoft 365 retention policy for Exchange mailboxes.
C.Enable single item recovery for the mailbox.
D.Configure Azure Backup for Microsoft 365.
AnswerC

This allows recovery of deleted items within the retention period.

Why this answer

Option C is correct because single item recovery in Exchange Online allows recovery of deleted items for up to 30 days. Option A is wrong because litigation hold preserves items indefinitely; it is not a recovery mechanism for deleted items. Option B is wrong because retention policies are for retention, not recovery.

Option D is wrong because Azure Backup for Microsoft 365, although a Microsoft offering rather than a third-party tool, is not the simplest built-in option.

881
Multi-Selectmedium

Your company uses Microsoft Intune to manage corporate devices. You need to protect company data on devices by preventing data leakage to personal apps. Which TWO policies should you configure? (Choose TWO.)

Select 2 answers
A.Device compliance policies
B.App protection policies (MAM)
C.Device configuration profiles
D.Windows Information Protection (WIP)
E.Conditional access policies requiring approved client apps
AnswersB, E

Prevent data transfer to unmanaged apps.

Why this answer

Option B and Option E are correct. App protection policies (MAM) can prevent data transfer to unmanaged apps, and Conditional Access requiring approved client apps can restrict access to managed apps. Option A is incorrect because device compliance policies focus on device health, not data leakage.

Option D is incorrect because Windows Information Protection (WIP) is for Windows devices only, not cross-platform. Option C is incorrect because configuration profiles set device settings, not data protection.

882
MCQmedium

You are designing a security solution for a hybrid identity environment that uses Microsoft Entra ID and on-premises Active Directory. The company wants to enforce Zero Trust principles by continuously verifying user access. Which feature should you implement?

A.Implement Microsoft Entra Hybrid Join for all devices
B.Implement Conditional Access policies that evaluate session risk in real time using continuous access evaluation
C.Implement Microsoft Entra Seamless Single Sign-On
D.Implement Microsoft Entra ID Protection to require multi-factor authentication for all users
AnswerB

CAE revokes tokens based on risk events, enforcing continuous verification.

Why this answer

Option B is correct because session risk-based Conditional Access with continuous access evaluation (CAE) enables real-time risk assessment and enforcement. Option A is wrong because Microsoft Entra Hybrid Join is for devices, not continuous verification. Option C is wrong because Seamless SSO simplifies sign-on but does not enforce continuous verification.

Option D is wrong because requiring MFA for all users does not provide continuous verification during sessions.

883
MCQmedium

A security administrator applies the Azure Policy definition shown in the exhibit to a management group containing multiple subscriptions. After the policy is assigned, a development team reports they cannot create a new storage account in their subscription. What is the most likely cause?

A.The storage account was created using an older API version that does not support Azure Policy enforcement.
B.The storage account was created in a region that does not support the premium tier.
C.The storage account was assigned a network security group (NSG) that blocks inbound HTTPS traffic.
D.The storage account was created with the 'Secure transfer required' setting disabled.
AnswerD

The policy denies storage accounts where 'supportsHttpsTrafficOnly' is false, meaning secure transfer is not enabled.

Why this answer

The Azure Policy definition in the exhibit likely includes an effect (e.g., 'Deny') that requires the 'Secure transfer required' setting to be enabled on storage accounts. When the development team attempts to create a storage account with this setting disabled, the policy denies the request, preventing the creation. This is the most direct cause because Azure Policy enforces compliance rules at resource creation time, and disabling secure transfer violates the policy's condition.

Exam trap

The trap here is that candidates may confuse post-creation network controls (like NSGs) with pre-creation policy enforcement, or assume API version or regional limitations are the cause, when the actual denial stems from a specific property mismatch in the policy rule.

How to eliminate wrong answers

Option A is wrong because Azure Policy enforcement is independent of the API version used; older API versions still trigger policy evaluation, and the policy would deny the request regardless. Option B is wrong because the premium tier support per region is a service availability constraint, not a policy-driven denial; the policy would not block creation based on region unless explicitly configured, and the exhibit shows no such condition. Option C is wrong because network security groups (NSGs) are applied to network interfaces or subnets, not to storage accounts directly; blocking HTTPS traffic would affect connectivity after creation, not prevent the creation itself.

884
MCQeasy

A company is designing a Zero Trust architecture for their hybrid identity environment. They plan to require multifactor authentication (MFA) for all users accessing sensitive applications. Which Microsoft Entra ID capability should they use to enforce MFA based on risk level?

A.Self-service password reset
B.Microsoft Entra Privileged Identity Management
C.Conditional Access
D.Microsoft Entra ID Protection
AnswerC

Conditional Access policies enforce MFA based on risk signals.

Why this answer

Option C is correct because Conditional Access policies can enforce MFA based on sign-in risk and user risk. Option D is wrong because Identity Protection detects risks but doesn't enforce access controls by itself. Option B is wrong because PIM manages roles, not access conditions.

Option A is wrong because SSPR is unrelated to MFA enforcement.

885
Multi-Selectmedium

A company uses Microsoft Purview to classify and label sensitive data. They want to automatically apply a sensitivity label to documents containing a specific custom sensitive information type. Which TWO components are required for this?

Select 2 answers
A.Data loss prevention (DLP) policy
B.Retention label
C.Custom sensitive information type
D.Auto-labeling policy
E.Trainable classifier
AnswersC, D

Custom types define the pattern to match.

Why this answer

Option C is correct because a custom sensitive information type defines the specific data pattern (e.g., a proprietary employee ID format) that Microsoft Purview can detect in documents. Option D is correct because an auto-labeling policy uses that custom sensitive information type as a condition to automatically apply a sensitivity label to matching content, without requiring user intervention.

Exam trap

The trap here is that candidates often confuse the role of a DLP policy (which enforces actions like blocking) with an auto-labeling policy (which applies labels), or they mistakenly think a trainable classifier is needed when a custom sensitive information type already provides deterministic pattern matching.

886
MCQeasy

Refer to the exhibit. What is the purpose of this KQL query?

A.To count the number of SQL injection alerts by severity.
B.To retrieve SQL injection alerts from the past 7 days with specific fields.
C.To join security alerts with other data sources to find compromised entities.
D.To list all security alerts generated in the last 7 days.
AnswerB

The query selects alerts where AlertName contains 'SQL injection' and projects selected columns.

Why this answer

Option B is correct. The query filters for SQL injection alerts in the last 7 days and projects relevant columns. Option D is wrong because the query does not show all alerts, only SQL injection ones.

Option C is wrong because the query does not join with other tables. Option A is wrong because the query does not aggregate or count alerts.

887
MCQeasy

Your organization uses Microsoft Defender XDR to detect and respond to threats. The SOC team wants to automatically isolate a device when a high-severity incident is confirmed. Which automation feature should you configure?

A.Microsoft Defender for Office 365 Safe Attachments policy
B.Automated investigation and response (AIR)
C.Manual device isolation from Microsoft 365 Defender portal
D.Microsoft Defender for Endpoint's endpoint detection and response (EDR)
AnswerB

AIR can automatically isolate devices based on incident severity.

Why this answer

Automated investigation and response (AIR) in Microsoft Defender XDR is designed to automatically respond to confirmed high-severity incidents, including isolating devices, without manual intervention. This feature leverages playbooks and machine learning to contain threats rapidly, aligning with the SOC's requirement for automatic isolation upon incident confirmation.

Exam trap

The trap here is that candidates confuse EDR's detection capabilities with automated response, forgetting that AIR is the specific feature that orchestrates and executes automatic containment actions like device isolation.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Office 365 Safe Attachments policy is an email security feature that scans attachments for malware, not a device isolation mechanism. Option C is wrong because manual device isolation from the Microsoft 365 Defender portal requires human action, contradicting the requirement for automatic isolation. Option D is wrong because Microsoft Defender for Endpoint's endpoint detection and response (EDR) provides detection and investigation capabilities but does not include automated response actions like device isolation; that is handled by AIR.

888
Multi-Selecteasy

Your organization wants to enable Microsoft Defender for Cloud Apps to monitor and control the use of Box and Dropbox. Which TWO steps must you perform?

Select 2 answers
A.Connect the app using an app connector
B.Add Box and Dropbox to the unsanctioned list
C.Deploy a forward proxy
D.Configure Conditional Access App Control
E.Run a cloud discovery report
AnswersA, D

App connectors allow Defender for Cloud Apps to monitor and control the app.

Why this answer

Option A is correct because you need to connect the app via an app connector to allow monitoring. Option D is correct because Conditional Access App Control enables session-level control. Option E is wrong because cloud discovery automatically detects apps, but for sanctioned apps you use app connectors.

Option C is wrong because Conditional Access App Control uses a reverse proxy, not a forward proxy. Option B is wrong because you add the app to the sanctioned list after connecting, not the unsanctioned list.

889
Drag & Dropmedium

Order the steps to configure Azure Policy to enforce tagging on resources.


Why this order

Policy requires definition, assignment with parameters, and compliance monitoring.

890
Multi-Selecthard

Which THREE components are included in Microsoft Defender XDR?

Select 3 answers
A.Microsoft Defender for Office 365
B.Microsoft Defender for IoT
C.Microsoft Defender for Identity
D.Microsoft Defender for Endpoint
E.Microsoft Defender for Cloud
AnswersA, C, D

Defender for Office 365 is part of Defender XDR.

Why this answer

Microsoft Defender XDR (Extended Detection and Response) is a unified security suite that natively integrates Microsoft Defender for Office 365, Microsoft Defender for Identity, and Microsoft Defender for Endpoint. These three components work together to correlate signals across email, identity, and endpoint layers, providing a single-pane-of-glass view for threat detection and automated response. Microsoft Defender for Office 365 protects against email-based threats like phishing and malware, Defender for Identity monitors on-premises Active Directory and cloud identities for lateral movement and privilege escalation, and Defender for Endpoint provides endpoint detection and response (EDR) for Windows, macOS, Linux, Android, and iOS devices.

Exam trap

The trap here is that candidates often assume all 'Defender' branded products are automatically part of Microsoft Defender XDR, but Microsoft Defender for IoT and Microsoft Defender for Cloud are separate services that integrate via connectors rather than being core components of the unified XDR suite.

891
MCQhard

Refer to the exhibit. You are reviewing a Conditional Access policy JSON. The policy is intended to block legacy authentication. However, users are still able to access email using Outlook (modern auth). What is the most likely reason?

A.The policy does not include 'Microsoft Office 365' in applications
B.The clientAppTypes list does not include 'modernAuth'
C.The grant control should be 'require MFA' instead of 'block'
D.The policy state is set to 'enabled' incorrectly
AnswerB

Modern Outlook uses modernAuth client app type, which is not blocked.

Why this answer

Option B is correct because the 'clientAppTypes' list in the Conditional Access policy must include 'modernAuth' to explicitly target and block modern authentication clients. Without this entry, the policy only applies to legacy authentication protocols (e.g., POP, IMAP, SMTP), leaving modern auth flows (like Outlook using OAuth 2.0) unaffected. The JSON snippet shows 'clientAppTypes': ['exchangeActiveSync', 'other'], which omits 'modernAuth', so Outlook (modern auth) bypasses the block.

Exam trap

The trap here is that candidates assume a 'block' policy on legacy authentication implicitly blocks modern auth, but Conditional Access requires explicit inclusion of 'modernAuth' in clientAppTypes to affect modern authentication clients.

How to eliminate wrong answers

Option A is wrong because 'Microsoft Office 365' is a cloud app that includes Exchange Online, and the policy's 'applications' field likely already includes it (or the policy is scoped to 'All cloud apps'), so missing it is not the issue. Option C is wrong because the grant control 'block' is correct for blocking access; 'require MFA' would allow access after MFA, not block legacy auth. Option D is wrong because the policy state being 'enabled' is correct for an active policy; setting it to 'disabled' would make the policy ineffective, but the issue is misconfiguration, not the enabled state.

892
MCQeasy

A software company, SouthRidge, is deploying a multi-tier application on Azure Virtual Machines. The web tier runs IIS, the application tier runs a .NET application, and the data tier runs SQL Server. You need to ensure that all traffic between tiers is encrypted, and that the application tier can access the database using a managed identity. The solution should also include a web application firewall (WAF) to protect the web tier from common attacks. Which of the following designs should you use?

A.Use application-level encryption between tiers, deploy Azure Application Gateway with WAF in front of the web tier, and use a service principal to access SQL Server.
B.Use SSL/TLS termination at the Azure Load Balancer, deploy Azure Front Door with WAF, and use a managed identity for the web tier to access SQL Server.
C.Use IPsec encryption between tiers, deploy Azure Application Gateway with WAF, and use a managed identity for the web tier to access SQL Server.
D.Use IPsec encryption between tiers, deploy Azure Application Gateway with WAF in front of the web tier, and use a managed identity for the application tier to access SQL Server.
AnswerD

IPsec encrypts traffic between VMs, WAF protects web tier, and managed identity provides secure database access from the application tier.

Why this answer

Option D is correct because it provides encryption between tiers via IPsec, WAF for web protection, and managed identity for database access. Option A is wrong because application-level encryption is complex and not standard. Option B is wrong because SSL/TLS termination at the load balancer means traffic inside the VNet is unencrypted.

Option C is wrong because the web tier should not have direct database access; application tier should.

893
Multi-Selecthard

A company is designing a solution to protect Azure Functions that process sensitive data. They need to ensure that only authenticated and authorized callers can invoke the function, and that secrets are not hard-coded. Which THREE actions should they take?

Select 3 answers
A.Store connection strings in application settings
B.Require client certificates
C.Use managed identity to access Azure Key Vault for secrets
D.Enable Azure AD authentication for the function app
E.Set authorization level to 'Function' or 'Admin'
AnswersC, D, E

Managed identity allows the function to securely retrieve secrets without storing credentials.

Why this answer

Option C is correct because using managed identity eliminates secrets in code. Option D is correct because Azure AD authentication validates tokens from callers. Option E is correct because function-level authorization keys ('Function' or 'Admin') provide an additional layer.

Option A is wrong because connection strings are not for authentication of callers. Option B is wrong because client certificates are not the primary method for caller authentication in Azure Functions; managed identity and Azure AD are preferred.

894
MCQeasy

Refer to the exhibit. The ContosoPlatform management group has an Azure Policy assignment that denies all deployments without encryption. The App1 subscription contains a storage account that was created without encryption. Why is the storage account still non-compliant?

A.The storage account is in App1 subscription, which is under ContosoApplication, not ContosoPlatform
B.The policy is assigned at ContosoPlatform, but App1 is not a direct child
C.The policy is assigned at ContosoRoot, but ContosoPlatform overrides it
D.Azure Policy does not inherit from parent management groups
AnswerA

Policy assignments only affect subscriptions within the assigned management group hierarchy.

Why this answer

Option A is correct because Azure Policy inheritance only applies to direct child management groups and subscriptions. The App1 subscription is a direct child of the ContosoApplication management group, not ContosoPlatform. Since the policy denying deployments without encryption is assigned at ContosoPlatform, it does not inherit to App1 because App1 is not a direct descendant of ContosoPlatform.

The storage account was created without encryption and is not subject to the policy, so it remains non-compliant.

Exam trap

The trap here is that candidates assume Azure Policy inheritance applies across all management groups under the same root, but it only applies to direct descendants, not siblings or indirect children.

How to eliminate wrong answers

Option B is wrong because Azure Policy does inherit from a parent management group to its direct children; the issue here is that App1 sits under ContosoApplication rather than ContosoPlatform, not merely that it is not a direct child. Option C is wrong because the exhibit shows the policy is assigned at ContosoPlatform, not ContosoRoot, and there is no indication of an override; the policy simply does not apply to App1. Option D is wrong because Azure Policy does inherit from parent management groups to direct child management groups and subscriptions; the statement is factually incorrect.

895
MCQ hard

You are designing a secure CI/CD pipeline for a web application deployed to Azure Kubernetes Service (AKS). The security team requires that container images are scanned for vulnerabilities before deployment. Which two services should you integrate?

A.Azure DevOps and Azure Key Vault
B.Azure Policy and Azure DevOps
C.Microsoft Defender for Containers and Azure Container Registry
D.Azure Key Vault and Azure Container Registry
AnswerC

Defender for Containers can scan images in ACR for vulnerabilities before deployment.

Why this answer

Option C is correct because Microsoft Defender for Containers integrates with ACR to scan images. Option B is wrong because Azure Policy can enforce rules but does not scan images. Option A is wrong because Azure DevOps does not scan images natively.

Option D is wrong because Azure Key Vault stores secrets; it does not scan images.

896
MCQ easy

Your organization uses Microsoft Defender for Cloud Apps. You need to detect anomalous behavior such as impossible travel. What should you configure?

A.Anomaly detection policies in Microsoft Defender for Cloud Apps
B.Data loss prevention (DLP) policies in Microsoft Purview
C.Session policies in Microsoft Defender for Cloud Apps
D.App permission policies in Microsoft Entra ID
AnswerA

These policies detect behavioral anomalies like impossible travel.

Why this answer

Option A is correct because Microsoft Defender for Cloud Apps uses anomaly detection policies to detect impossible travel and other suspicious activities. Option B is wrong because DLP policies focus on data protection, not activity anomalies. Option D is wrong because app permission policies are for OAuth apps.

Option C is wrong because session policies control real-time access, not anomaly detection.

897
MCQ hard

A company is migrating a legacy on-premises application to Azure. The application currently uses Windows Integrated Authentication (Kerberos) and requires access to a SQL Server database on the same network. In Azure, the application will run on Azure Virtual Machines and the database will be migrated to Azure SQL Managed Instance. You need to ensure the application can authenticate to the database without storing credentials. What should you implement?

A.Store the database credentials in Azure Key Vault and retrieve them at runtime.
B.Use SQL authentication with a contained database user.
C.Join the virtual machine to an Azure AD Domain Services domain and configure the application to use Azure AD Kerberos authentication.
D.Create a service principal in Azure AD and grant it access to the database.
AnswerC

This enables Windows Integrated Authentication to Azure SQL Managed Instance without credentials.

Why this answer

Azure SQL Managed Instance supports Azure AD authentication. By joining the VM to an Azure AD Domain Services domain and using Azure AD Kerberos authentication, the application can use Windows Integrated Authentication to connect to the managed instance without storing credentials. Option C is correct.

Option A is wrong because Key Vault is unnecessary. Option B is wrong because SQL authentication requires credentials. Option D is wrong because a service principal is not compatible with Kerberos.

898
Multi-Select easy

Your company is planning to use Microsoft Intune for mobile device management (MDM). You need to ensure that devices are compliant before accessing corporate resources. Which TWO components should you configure?

Select 2 answers
A.Device configuration policies.
B.Enrollment restrictions.
C.Conditional Access policies in Microsoft Entra ID.
D.Compliance policies.
E.App protection policies.
AnswersC, D

Enforce access based on compliance.

Why this answer

Option D is correct because compliance policies define the conditions for device compliance. Option C is correct because Conditional Access policies enforce access based on compliance. Option A is wrong because configuration policies are for settings, not compliance.

Option E is wrong because app protection policies are for app-level, not device-level, compliance. Option B is wrong because enrollment restrictions are for device enrollment, not compliance.

899
Multi-Select hard

Your organization is designing a Zero Trust architecture using Microsoft 365 security features. You need to ensure that all access requests are verified and least-privilege principles are applied. Which TWO capabilities should you implement?

Select 2 answers
A.Privileged Identity Management (PIM)
B.Microsoft Defender for Cloud Apps
C.Microsoft Entra ID
D.Microsoft Purview
E.Conditional Access
AnswersA, E

PIM enforces least-privilege with just-in-time access.

Why this answer

Option A and Option E are correct. Conditional Access verifies access requests based on conditions, and Privileged Identity Management (PIM) provides just-in-time access for least privilege. Option C is wrong because Microsoft Entra ID is the identity provider, not a specific verification mechanism.

Option B is wrong because Microsoft Defender for Cloud Apps is a CASB, not primarily for identity verification. Option D is wrong because Microsoft Purview is for data governance.

900
MCQ medium

A company is implementing Microsoft Purview Compliance Manager to manage compliance activities. They need to assign a specific control action to a compliance officer. Which role should be assigned to the user in Purview Compliance Manager?

A.Security Operator
B.Compliance Manager
C.Global Administrator
D.Compliance Administrator
AnswerB

This role specifically allows users to manage compliance assessments and control actions.

Why this answer

The Compliance Manager role provides permissions to manage compliance assessments and actions. The other roles do not have the necessary permissions to assign control actions within Compliance Manager.
