Microsoft Cybersecurity Architect (SC-100) — Questions 901-969

969 questions total · 13 pages · All types, answers revealed

Page 13 of 13

901
MCQ · easy

Refer to the exhibit. You are reviewing a Bicep template for deploying an Azure SQL Database server. Which security best practice is violated?

A. Minimal TLS version is set to 1.2, which is acceptable.
B. Administrator password is hardcoded in plain text.
C. Public network access is disabled, which may affect connectivity.
D. Azure AD authentication is not configured.
Answer: B

Passwords should not be in code; use Azure Key Vault.

Why this answer

Option B is correct because hardcoding passwords in code is a security risk. Option C is wrong because publicNetworkAccess is disabled. Option A is wrong because the TLS version is set to 1.2.

Option D is wrong because Azure SQL does not require Azure AD authentication by default.

902
MCQ · easy

You need to secure Azure Kubernetes Service (AKS) clusters by ensuring that only approved container images from a private Azure Container Registry (ACR) can be deployed. The solution should enforce this at admission time. Which Azure Policy effect should you use?

A. modify
B. enforceRegoPolicy
C. audit
D. deny
Answer: B

This effect uses OPA Gatekeeper to enforce custom admission policies, such as restricting container image sources.

Why this answer

The 'enforceRegoPolicy' effect for Azure Policy on AKS uses Open Policy Agent (OPA) Gatekeeper to enforce that only images from specific registries are allowed. 'audit' only logs, 'deny' is not directly applicable for AKS admission, 'modify' changes resources but does not block.

903
MCQ · medium

A company uses Microsoft Entra ID to authenticate users for a web application. They want to enable self-service password reset (SSPR) for users. What is the minimum licensing requirement?

A. Microsoft 365 E3
B. Microsoft Entra ID P2
C. Microsoft Entra ID Free
D. Microsoft Entra ID P1
Answer: D

P1 includes SSPR with password writeback.

Why this answer

Option D is correct because Microsoft Entra ID P1 includes SSPR with writeback to on-premises Active Directory. Option C is wrong because the free tier does not include SSPR. Option B is wrong because P2 adds Identity Protection, which is not required for basic SSPR.

Option A is wrong because Microsoft 365 E3 includes Entra ID P1, but the question asks for the minimum licensing.

904
MCQ · medium

Your organization is planning to deploy Microsoft Defender for Cloud to protect a hybrid environment that includes on-premises servers and Azure virtual machines. You need to ensure that the security recommendations and threat detections are consistently applied across all resources. What should you configure?

A. Connect on-premises servers using Azure Arc and assign a built-in policy initiative.
B. Enable auto-provisioning for the Log Analytics agent on all subscriptions.
C. Configure an Azure Policy to require the deployment of the Log Analytics agent.
D. Use Azure Policy to assign the 'Deploy Log Analytics agent' initiative to the management group.
Answer: B

Auto-provisioning ensures all VMs are monitored and security recommendations are consistently applied.

Why this answer

Option B is correct because enabling auto-provisioning for the Log Analytics agent ensures that all existing and future VMs (both on-premises and Azure) are automatically monitored and security recommendations are applied consistently. Option A is wrong because Azure Arc is for managing on-premises machines, but it does not by itself provide consistent security policy application. Option C is wrong because just assigning a policy does not enforce monitoring.

Option D is wrong because Azure Policy is used to enforce compliance, but it does not replace the need for auto-provisioning.

905
MCQ · easy

Your organization is using Microsoft Defender for Cloud to assess the security posture of your Azure resources. You need to ensure that all storage accounts have secure transfer required enabled. Which Defender for Cloud feature should you use?

A. Security policies and initiatives
B. File integrity monitoring
C. Adaptive network hardening
D. Just-In-Time VM access
Answer: A

Policies can enforce that secure transfer is enabled on storage accounts.

Why this answer

Option A is correct: Security policies and initiatives allow you to define and enforce compliance requirements. Option D is wrong: Just-In-Time VM access is for network access. Option C is wrong: Adaptive network hardening is for NSGs.

Option B is wrong: File integrity monitoring is for critical files.

906
Multi-Select · hard

Which TWO of the following are requirements for implementing Azure Disk Encryption on Windows VMs? (Choose two.)

Select 2 answers
A. The BitLocker Drive Encryption feature must be available (Windows)
B. The VM must be a supported VM size
C. The VM must have a public IP address
D. An Azure Key Vault with the EnabledForDiskEncryption property set to true
E. An Azure Backup vault in the same region
Answers: A, D

BitLocker is required; it's available in supported Windows versions.

Why this answer

Option D (Key Vault with EnabledForDiskEncryption) and Option A (BitLocker feature available) are requirements. Option C is not required because the VM does not need a public IP. Option E is incorrect because Azure Backup is not required.

Option B is incorrect as worded: the VM must be a supported size, but not just any size qualifies.

907
MCQ · easy

Your organization wants to enforce that all users authenticate using Microsoft Authenticator app for Microsoft Entra ID. Which authentication method should you configure as the primary?

A. FIDO2 security keys
B. Email one-time passcode
C. Microsoft Authenticator passwordless phone sign-in
D. SMS-based verification
Answer: C

Authenticator app provides passwordless sign-in.

Why this answer

The question requires that all users authenticate using the Microsoft Authenticator app. The Microsoft Authenticator passwordless phone sign-in (option C) is the only method that both uses the Microsoft Authenticator app and provides a passwordless primary authentication experience. This method leverages FIDO2-based key attestation within the app, allowing users to sign in with a biometric or PIN gesture without entering a password.

Exam trap

The trap here is that candidates often confuse the Microsoft Authenticator app's TOTP mode (which requires a password) with its passwordless phone sign-in mode, leading them to incorrectly select SMS or email OTP as primary methods when the question explicitly mandates the Authenticator app as the sole authentication method.

How to eliminate wrong answers

Option A is wrong because FIDO2 security keys are hardware-based external devices, not the Microsoft Authenticator app, and while they support passwordless authentication, they do not meet the requirement of using the Authenticator app. Option B is wrong because Email one-time passcode is a passwordless method for users without a strong authentication method, but it does not use the Microsoft Authenticator app and is typically used as a fallback for unregistered users. Option D is wrong because SMS-based verification is a legacy multi-factor authentication method that requires a password first and does not use the Microsoft Authenticator app; it also does not support passwordless primary authentication.

908
Matching · medium

Match each compliance framework to its focus area.

Concepts
Matches

Information security management system

Controls for service organizations

Payment card data security

Protected health information privacy and security

Cloud security for US federal agencies

Why these pairings

These are common compliance standards relevant to Azure.

909
Multi-Select · hard

Your organization uses Azure DevOps for CI/CD. You need to ensure that secrets (e.g., API keys) used in pipeline tasks are securely stored and accessed. The security requirements are: secrets must be encrypted at rest, access must be audited, and secrets must be automatically rotated. Which THREE services or features should you use? (Choose three.)

Select 3 answers
A. Azure Key Vault access policy to grant permissions.
B. Azure DevOps Variable Groups to store secrets.
C. Azure Key Vault to store secrets.
D. Azure Active Directory service principal to access secrets.
E. Azure Key Vault key rotation policy.
Answers: A, C, E

Access policies control who can read secrets, with auditing.

Why this answer

Azure Key Vault provides encrypted storage for secrets with access auditing. Managed identities allow secure access without storing credentials. Key Vault supports automatic rotation for some secret types.

Azure DevOps Variable Groups can link to Key Vault but do not provide rotation. Azure AD is not a secret store. Pipeline secrets are not centrally managed.

Options A, C, and E together meet all requirements.

910
MCQ · hard

A financial services company is deploying a new application on Azure Kubernetes Service (AKS). The application must meet PCI DSS compliance requirements, which mandate encryption of data at rest and in transit, as well as network segmentation. The application will use Azure SQL Database. What is the MOST secure approach to meet these requirements?

A. Deploy the application in an Azure App Service Environment (ASE) with a private endpoint and enable SQL Server encryption.
B. Use Azure Service Endpoints for the AKS cluster and enable Transparent Data Encryption (TDE) on Azure SQL Database.
C. Deploy Azure Firewall in front of the AKS cluster and enable SSL/TLS termination at the firewall for all incoming traffic.
D. Use Azure Policy to enforce encryption and network policies in AKS, and enable TDE and Always Encrypted for Azure SQL Database.
Answer: D

Azure Policy can enforce encryption at rest and in transit; network policies provide segmentation; TDE and Always Encrypted protect data at rest and in use.

Why this answer

Option D is correct because it combines Azure Policy to enforce encryption, network policies for segmentation, and Azure SQL Database with TDE and Always Encrypted for data protection. Option B is wrong because service endpoints do not encrypt in-transit traffic and do not provide segmentation. Option C is wrong because Azure Firewall is a perimeter firewall, not granular network policy within AKS.

Option A is wrong because App Service Environment is not used for AKS.

911
Multi-Select · easy

Which THREE are components of Microsoft's Zero Trust model?

Select 3 answers
A. Data
B. Assume breach
C. Microsoft Defender for Cloud
D. Identities
E. Endpoints
Answers: A, D, E

Protect data at rest, in transit, and in use.

Why this answer

Option A is correct because data is one of the six foundational pillars of Microsoft's Zero Trust model (identities, endpoints, data, apps, infrastructure, and network). The Zero Trust model explicitly treats data as a critical asset that must be protected regardless of location, using encryption, labeling, and Data Loss Prevention (DLP) policies to enforce least-privilege access and continuous validation.

Exam trap

The trap here is that candidates confuse the Zero Trust guiding principles (like 'Assume breach') with the architectural components (identities, endpoints, data, apps, infrastructure, network), leading them to select 'Assume breach' as a component rather than a principle.

912
Multi-Select · easy

Your organization uses Microsoft Purview. You need to design a solution that discovers and classifies sensitive data across Microsoft 365 services. Which two services should you include in your data map? (Choose TWO.)

Select 2 answers
A. Power BI
B. SharePoint Online
C. Azure SQL Database
D. OneDrive for Business
E. Azure Blob Storage
Answers: B, D

SharePoint is a key source for sensitive documents.

Why this answer

Options B and D are correct because Microsoft Purview Data Map can scan SharePoint Online and OneDrive for sensitive data. Option C (Azure SQL Database) is not a Microsoft 365 service. Option E (Azure Blob Storage) is not Microsoft 365.

Option A (Power BI) is a Microsoft 365 service, but it is not typically scanned for sensitive data classification in the same way. It can be included, but the question asks about data across Microsoft 365 services, and SharePoint and OneDrive are the primary sources.

913
MCQ · easy

Your organization is adopting Microsoft Copilot for Microsoft 365. You need to ensure that Copilot respects the existing sensitivity labels when processing data. What should you configure?

A. Create Data Loss Prevention (DLP) policies.
B. Configure sensitivity labels in Microsoft Purview Information Protection.
C. Use Azure Information Protection.
D. Apply retention labels to documents.
Answer: B

Copilot respects sensitivity labels.

Why this answer

Option B is correct because Microsoft Purview Information Protection sensitivity labels are respected by Microsoft Copilot. Option A is wrong because DLP policies are for data loss prevention, not labeling. Option D is wrong because retention labels are for retention, not sensitivity.

Option C is wrong because Microsoft Purview Information Protection sensitivity labels are the correct solution.

914
MCQ · medium

You are designing a solution to protect an Azure App Service web app that authenticates users via Microsoft Entra ID. The app needs to ensure that only users from specific external partner organizations can access it. You do not want to create user objects for each partner user in your tenant. What should you configure?

A. Configure a Conditional Access policy that restricts access to partners' IP ranges.
B. Enable Microsoft Entra B2B collaboration and configure the application to accept tokens from partner tenants.
C. Create guest user accounts for each external user and assign them to a group.
D. Use Azure AD B2C custom policies to allow partner authentication.
Answer: B

B2B allows external users to authenticate using their own tenants without creating user objects.

Why this answer

B2B collaboration allows external users to use their own identities without creating separate user objects. B2C is for customer-facing apps. Conditional Access policies can restrict access but require user objects.

Application permissions are for app-to-app scenarios. Option B is correct.

915
MCQ · medium

A company is implementing Microsoft Priva to manage subject rights requests. Users submit requests to access their personal data stored in Exchange Online, SharePoint, and Teams. The privacy team needs to automate the retrieval of data from these sources. Which Priva capability should they use?

A. Subject Rights Requests
B. Consent Management
C. Data Inventory
D. Data Breach Notifications
Answer: A

Subject Rights Requests automates the search and retrieval of personal data from Microsoft 365 services.

Why this answer

Option A is correct because Priva Subject Rights Requests includes built-in data retrieval from Microsoft 365 sources. Option C is wrong because Data Inventory scans but does not retrieve data for requests. Option B is wrong because Consent Management handles consent, not data retrieval.

Option D is wrong because Data Breach Notifications are for incident response.

916
Multi-Select · easy

Your company, Fabrikam, is designing a solution to securely store and manage secrets (e.g., API keys, database passwords) for cloud applications. The solution must use Azure Key Vault and support automatic rotation of secrets. The applications will run on Azure VMs and Azure App Service. Which TWO of the following should you include in your design?

Select 2 answers
A. Use service principals with client secrets to authenticate to Key Vault.
B. Rotate secrets manually using Azure Automation runbooks on a schedule.
C. Store secrets in application configuration files encrypted with Azure Key Vault.
D. Implement automatic secret rotation using Key Vault with Event Grid and Azure Functions.
E. Use managed identities for Azure resources to authenticate to Key Vault.
Answers: D, E

Key Vault integration with Event Grid and Functions enables automated rotation.

Why this answer

Option E is correct because managed identities allow VMs and App Service to authenticate to Key Vault without storing credentials. Option D is correct because Key Vault can rotate secrets automatically using Event Grid and Azure Functions. Option C is wrong because storing secrets in application configuration is insecure.

Option A is wrong because service principals require credential management. Option B is wrong because Azure Automation is not designed for secret rotation.

917
MCQ · medium

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You need to design a solution that automatically creates an incident in Microsoft Sentinel when a Defender for Endpoint alert of severity 'High' is triggered for any device. The solution should minimize latency and administrative overhead. What should you configure?

A. Enable the Azure AD Identity Protection connector in Microsoft Sentinel to ingest sign-in and user risk alerts.
B. Enable the Microsoft Defender XDR data connector in Microsoft Sentinel and ensure the 'Create incidents' toggle is enabled.
C. Configure a scheduled analytics rule in Microsoft Sentinel that runs every hour and queries the Defender for Endpoint logs via API.
D. Create a custom Azure Logic App that queries the Microsoft Defender for Endpoint APIs and pushes alerts to a custom log table in Log Analytics.
Answer: B

This connector automatically ingests alerts and creates incidents with low latency and minimal effort.

Why this answer

Option B is correct because Microsoft Sentinel has a built-in data connector for Microsoft Defender XDR that enables automatic incident creation with low latency and minimal configuration. Option D (custom Logic App) would add latency and complexity. Option C (hourly scheduled analytics rule) would not be automatic.

Option A (Azure AD Identity Protection) is for identity-based alerts, not device alerts.

918
MCQ · easy

A company's security team wants to automate response to common incidents like malware detected on endpoints. They have Microsoft 365 Defender and Microsoft Sentinel. Which feature should they use to create automated playbooks?

A. Microsoft Purview's data loss prevention policies
B. Microsoft Sentinel automation rules and playbooks
C. Azure Policy
D. Microsoft Defender for Cloud's workflow automation
Answer: B

Integrates with Logic Apps for automated response to incidents.

Why this answer

Microsoft Sentinel's automation rules and playbooks are the correct choice because they are specifically designed to automate incident response by triggering predefined actions (e.g., running a Logic App) when a detection event, such as malware on an endpoint, is ingested from Microsoft 365 Defender. This integration allows security teams to create custom, automated workflows that respond to common incidents without manual intervention.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud's workflow automation (which can send notifications or trigger a Logic App for Defender for Cloud alerts) with Sentinel's full playbook engine, but Sentinel is the correct choice because it is the centralized SIEM/SOAR platform that ingests alerts from Microsoft 365 Defender and orchestrates complex, multi-step automated responses across the entire security ecosystem.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview's data loss prevention policies focus on classifying and protecting sensitive data (e.g., preventing unauthorized sharing), not on automating incident response to security alerts like malware. Option C is wrong because Azure Policy is used to enforce compliance rules on Azure resources (e.g., ensuring VMs have specific tags), not to orchestrate response actions to security incidents. Option D is wrong because Microsoft Defender for Cloud's workflow automation is limited to triggering actions (e.g., sending email) for security recommendations and alerts within Defender for Cloud, but it lacks the deep integration and flexible Logic Apps-based playbook engine that Sentinel provides for multi-source incident response.

919
MCQ · hard

You are designing a network security architecture for an Azure application that uses Azure Front Door and Azure Application Gateway. The application must be protected from DDoS attacks and common web exploits. Application traffic should be inspected by a web application firewall (WAF) before reaching the backend. What is the recommended deployment order?

A. Azure Front Door with WAF only, no Application Gateway.
B. Azure Front Door without WAF in front of Azure Application Gateway without WAF.
C. Azure Application Gateway with WAF in front of Azure Front Door.
D. Azure Front Door with WAF in front of Azure Application Gateway with WAF.
Answer: D

Front Door with WAF is the outermost global layer; Application Gateway with WAF adds regional inspection before the backend.

Why this answer

Option D is correct because Azure Front Door should be the outermost layer for global DDoS protection and TLS termination, then Azure Application Gateway with WAF provides regional web application firewall inspection. Option C is wrong because that would inspect traffic at the gateway first, missing Front Door's global DDoS protection. Option A is wrong because placing WAF only at Front Door leaves backend traffic uninspected.

Option B is wrong because Application Gateway should have WAF enabled for web exploit protection.

920
MCQ · hard

You are a security architect for a large multinational organization that uses Microsoft 365, Azure, and third-party SaaS applications. The organization has recently experienced a breach where an attacker compromised a user account via a phishing email and then used that account to access sensitive data in SharePoint Online and exfiltrate it via email. The security team wants to implement a comprehensive solution that aligns with the Zero Trust principles of 'verify explicitly', 'use least privilege', and 'assume breach'. You need to design a solution that includes identity protection, conditional access, data protection, and continuous monitoring. You have the following requirements: 1. Block phishing attacks in real time. 2. Enforce least privilege access to sensitive data. 3. Detect and respond to anomalous user behavior. 4. Protect data at rest and in transit. 5. Enable automated response to incidents. Which combination of Microsoft security services and configurations should you recommend?

A. Implement Microsoft Defender for Cloud Apps to discover and control SaaS apps. Use Conditional Access with app control. Deploy Microsoft Purview Data Lifecycle Management. Use Azure Sentinel for monitoring.
B. Implement Microsoft Entra ID Protection to detect and block risky sign-ins. Use Conditional Access policies to require MFA and block legacy authentication. Use Microsoft Purview sensitivity labels to classify data and Azure Monitor to collect logs.
C. Implement Microsoft Defender for Office 365 to block phishing emails. Use Conditional Access policies with session risk to enforce access controls. Deploy Microsoft Purview DLP and sensitivity labels to protect data. Use Microsoft Sentinel with automation rules and playbooks to detect and respond to incidents.
D. Implement Microsoft Defender for Identity to detect on-premises threats. Use Conditional Access with device compliance policies. Deploy Microsoft Purview Information Protection. Use Azure Security Center for monitoring.
Answer: C

Covers all requirements: phishing block, least privilege, data protection, and automated response.

Why this answer

Option C is correct because it combines Microsoft Defender for Office 365 to block phishing, Conditional Access with risk policies to enforce least privilege, Microsoft Purview DLP and sensitivity labels to protect data, and Microsoft Sentinel with automation to detect and respond. Option B is wrong because it uses Azure AD (now Entra ID) Identity Protection but lacks DLP and monitoring. Option D is wrong because it does not include phishing prevention.

Option A is wrong because it uses Microsoft Defender for Cloud Apps alone, which is insufficient for email and identity protection.

921
MCQ · easy

Your company is migrating to Azure and needs to secure virtual networks with network segmentation. You need to design a solution that filters traffic between subnets based on application requirements. Which Azure service should you use?

A. Azure DDoS Protection
B. Azure Firewall
C. Azure Bastion
D. Network Security Groups (NSGs)
Answer: D

NSGs provide stateful filtering between subnets and VMs within a VNet.

Why this answer

Option D is correct because Network Security Groups (NSGs) filter traffic between subnets and VMs. Option B is wrong because Azure Firewall is a managed firewall for inbound/outbound traffic at a higher level. Option A is wrong because Azure DDoS Protection mitigates DDoS attacks, not segmentation.

Option C is wrong because Azure Bastion is for secure RDP/SSH access.

922
MCQ · hard

Refer to the exhibit. A security architect is reviewing an ARM template for an Azure Key Vault. The vault must be accessible from a backend subnet via private endpoint. What is the missing configuration component?

A. Enable RBAC authorization on the vault
B. Add a Microsoft.Network/privateEndpoints resource and a private DNS zone
C. Assign a system-assigned managed identity to the vault
D. Set the defaultAction to Allow for the network ACLs
Answer: B

Private endpoints are separate resources that provide private connectivity; a private DNS zone enables name resolution.

Why this answer

The exhibit shows network ACLs with virtual network rules, but to use private endpoints, the template must include a private endpoint resource and a private DNS zone. Option B is correct because private endpoints are required for private connectivity, and they are not part of the vault resource itself. Option A is wrong because enabling RBAC authorization is not required for private endpoint access.

Option D is wrong because public network access is controlled via the network ACLs, but private endpoints still need a separate resource. Option C is wrong because a system-assigned managed identity is not needed for private endpoint connectivity.

923
MCQ · hard

A company uses Microsoft Sentinel with a workspace in the East US region. They want to ingest logs from Azure resources in West Europe. To minimize data transfer costs, what should they do?

A. Use Azure ExpressRoute to connect West Europe to East US
B. Configure data collection rules to filter logs at source
C. Create a new Sentinel workspace in West Europe and ingest logs there
D. Use the existing workspace; inter-region costs are negligible
Answer: C

This minimizes data transfer costs by keeping logs in the same region.

Why this answer

To minimize costs, the best practice is to create a Sentinel workspace in the same region as the data sources. Since the resources are in West Europe, a workspace there is optimal, even though the existing workspace is in East US.

Creating a new workspace in West Europe and ingesting logs there, then using cross-workspace queries, adds some complexity. The alternative is to keep using the East US workspace and accept the inter-region transfer costs.

The best answer is to create a new workspace in West Europe.

924
MCQ · easy

Your organization uses Microsoft Sentinel to centralize security events. You need to ensure that alerts from Microsoft Defender for Cloud are automatically ingested into Sentinel. Which data connector should you enable?

A. DNS connector
B. Office 365 connector
C. Microsoft Defender for Cloud connector
D. Azure Activity connector
Answer: C

Directly ingests alerts and recommendations from Defender for Cloud.

Why this answer

The Microsoft Defender for Cloud connector (formerly Azure Security Center) is specifically designed to ingest alerts and recommendations from Defender for Cloud into Sentinel. The other options are unrelated: Office 365 connector ingests Office logs, Azure Activity logs track Azure resource operations, and DNS connector ingests DNS queries.

925
MCQ · hard

A company is migrating its on-premises Active Directory to Microsoft Entra ID. They have line-of-business applications that use Windows Integrated Authentication. You need to design a solution that allows users to access these applications from domain-joined devices without prompting for credentials, while also supporting hybrid identity. What should you implement?

A. Deploy Pass-through Authentication (PTA) with Seamless SSO.
B. Configure Microsoft Entra hybrid join and enable Seamless SSO.
C. Use Azure AD Application Proxy with pre-authentication.
D. Implement Active Directory Federation Services (AD FS).
Answer: B

Hybrid join provides SSO for on-prem apps from domain-joined devices.

Why this answer

Option B is correct because Microsoft Entra hybrid join allows domain-joined devices to authenticate to both on-prem and cloud resources, enabling SSO. Option C is incorrect because Azure AD Application Proxy requires separate authentication. Option A is incorrect because Pass-through Authentication is for cloud apps, not on-prem.

Option D is incorrect because federation does not provide device-based SSO for on-prem apps.

926
MCQ · easy

A security architect is designing a solution to detect and respond to advanced threats across email, endpoints, and identities. Which Microsoft security solution should they use?

A. Microsoft Purview
B. Microsoft Sentinel
C. Microsoft Defender XDR
D. Microsoft Intune
Answer: C

Defender XDR provides integrated protection across email, endpoints, identities, and apps.

Why this answer

Microsoft Defender XDR (Extended Detection and Response) is the correct solution because it provides unified pre- and post-breach detection, investigation, and response across email, endpoints, and identities. It correlates signals from Microsoft Defender for Endpoint, Defender for Office 365, and Defender for Identity into a single incident queue, enabling automated remediation of advanced multi-vector attacks.

Exam trap

The trap here is that candidates confuse Microsoft Sentinel (a SIEM) with Microsoft Defender XDR (an XDR), but Sentinel is a log aggregation and analysis tool requiring manual correlation, while Defender XDR provides native, automated cross-domain detection and response across email, endpoints, and identities.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview is a data governance, compliance, and risk management solution (e.g., data loss prevention, eDiscovery, insider risk), not a threat detection and response platform. Option B is wrong because Microsoft Sentinel is a cloud-native SIEM/SOAR that ingests logs from multiple sources for broad security analytics, but it is not purpose-built for unified cross-domain detection and automated response across email, endpoints, and identities; it requires custom correlation rules and playbooks. Option D is wrong because Microsoft Intune is a mobile device management (MDM) and mobile application management (MAM) service for endpoint configuration and compliance, not a threat detection or response tool.

927
Multi-Select · hard

Your organization uses Microsoft Sentinel. You need to design a solution to detect and respond to threats across on-premises and cloud workloads. Which TWO components are essential for this? (Select two.)

Select 2 answers
A. UEBA
B. Workbooks
C. Analytics rules
D. Data connectors
E. Playbooks
Answers: C, D

Define detection logic for threats.

Why this answer

Data connectors ingest logs from various sources, and analytics rules detect threats. Playbooks automate response, but are not essential for detection. Workbooks visualize data, and UEBA enriches analytics but is not a separate essential component.

928
MCQ · medium

Your organization uses Microsoft Intune to manage devices. You need to ensure that only devices with a specific minimum OS version can access corporate resources. Which configuration should you use?

A. Device compliance policy with minimum OS version rule
B. Device configuration profile
C. Enrollment restrictions
D. App protection policy
Answer: A

Directly enforces OS version compliance.

Why this answer

A device compliance policy with a minimum OS version rule is the correct choice because Intune compliance policies evaluate device attributes—including OS version—against defined rules before granting access to corporate resources. When a device fails the minimum OS version check, Conditional Access blocks access until the device is updated or remediated, ensuring only compliant devices can connect.

Exam trap

The trap here is confusing enrollment restrictions (which only check OS version at the point of enrollment) with compliance policies (which enforce OS version continuously after enrollment), leading candidates to pick enrollment restrictions as a one-time gate rather than an ongoing control.

How to eliminate wrong answers

Option B is wrong because a device configuration profile manages settings and features on the device (e.g., Wi-Fi, VPN, restrictions) but does not enforce access control based on OS version; it lacks the conditional access integration needed to block non-compliant devices. Option C is wrong because enrollment restrictions control which devices can enroll in Intune (e.g., by platform, manufacturer, or OS version at enrollment time), but they do not enforce ongoing compliance after enrollment—a device could be enrolled with a compliant OS and later be downgraded or fail to update. Option D is wrong because an app protection policy (APP) manages data protection within applications (e.g., preventing copy/paste or requiring PIN) and does not evaluate device-level OS version; APP applies to apps on both managed and unmanaged devices, not to device compliance for resource access.

929
Multi-Selectmedium

An organization uses Microsoft Defender XDR to detect and respond to threats. Which THREE data sources does Defender XDR ingest? (Choose three.)

Select 3 answers
A.Microsoft Defender for Identity
B.Microsoft Defender for Endpoint
C.Microsoft Sentinel
D.Microsoft Defender for Office 365
E.Microsoft Intune
AnswersA, B, D

Identity-based threat signals.

Why this answer

Microsoft Defender XDR ingests signals from Microsoft Defender for Identity to correlate on-premises Active Directory activities with cloud-based threats. This integration allows Defender XDR to detect identity-based attacks like Kerberoasting or pass-the-hash by analyzing domain controller logs and authentication events.

Exam trap

The trap here is that candidates often confuse Microsoft Sentinel as a data source for Defender XDR, when in reality Sentinel is a SIEM that consumes data from Defender XDR, not the reverse.

930
Multi-Selecthard

Your company is designing a secure baseline for Azure Linux virtual machines using Azure Policy. You need to ensure that all Linux VMs have SSH access restricted, disk encryption enabled, and vulnerability assessments installed. Which THREE built-in policies should you assign? (Choose THREE.)

Select 3 answers
A.Microsoft Antimalware for Azure must be configured with automatic update
B.[Preview]: Configure Linux VMs to install the Azure Security Agent for vulnerability assessment
C.Windows Defender Credential Guard should be enabled on Windows VMs
D.Disk encryption should be applied on virtual machines
E.[Preview]: Linux machines should meet requirements for the Azure compute security baseline
AnswersB, D, E

This policy deploys the vulnerability assessment agent on Linux.

Why this answer

Options B, D, and E are correct. Option B deploys the vulnerability assessment agent to Linux VMs, Option D enforces disk encryption, and Option E applies the Azure compute security baseline for Linux, which covers SSH daemon hardening settings among its other OS-level controls. Option A is wrong because Microsoft Antimalware for Azure is a Windows-only extension.

Option C is wrong because it enforces Windows Defender Credential Guard, which is Windows-specific.

931
MCQeasy

Your organization needs to enforce multi-factor authentication (MFA) for all users accessing Microsoft Entra ID integrated applications. However, users in the finance department should be exempted from MFA when accessing a specific legacy financial app that does not support modern authentication. What should you design?

A.Enable security defaults for all users
B.Enable per-user MFA and exclude the finance department
C.Use Microsoft Entra Identity Protection to require MFA based on risk
D.Create a Conditional Access policy that requires MFA for all cloud apps except the legacy app
AnswerD

Conditional Access policy can be scoped to exclude specific applications, allowing the finance department to access the legacy app without MFA.

Why this answer

Option D is correct because a Conditional Access policy can target all cloud apps and exclude specific applications, so MFA is enforced everywhere except the legacy app. Option A is wrong because security defaults apply MFA to every user and app with no exemptions and cannot be combined with Conditional Access. Option B is wrong because per-user MFA is the legacy model and offers no per-application exemption.

Option C is wrong because Identity Protection drives risk-based policies, not application exemptions. In practice, scope the exclusion to the finance group rather than to all users, since an app excluded from MFA is reachable with a password alone by everyone the policy covers.

932
MCQmedium

Your organization deploys Microsoft Sentinel and wants to automatically respond to phishing emails reported by users. You need to recommend a solution that creates an incident in Sentinel and blocks the email sender in Exchange Online. What should you configure?

A.Use a watchlist to store known phishing senders.
B.Create an automation rule that runs a playbook when an incident is created.
C.Enable UEBA to detect anomalous email behavior.
D.Create an analytics rule that queries user-reported phishing data.
AnswerB

Automation rules trigger playbooks on incident creation, which can then block the sender via Exchange Online actions.

Why this answer

Option B is correct because automation rules in Microsoft Sentinel run a playbook (a Logic App) when an incident is created, and that playbook can call Exchange Online to block the sender; the playbook's identity needs the corresponding Exchange Online permissions. Option D is wrong because analytics rules create incidents from data; they do not act on incidents that already exist. Option A is wrong because watchlists hold reference data for enrichment, not automation.

Option C is wrong because UEBA provides user and entity behavior analytics, not response actions.

933
MCQhard

Your organization uses Azure SQL Database with Azure AD authentication. You need to ensure that database administrators (DBAs) can only perform management tasks from a specific Azure region and only during business hours. Which solution should you use?

A.Azure AD Conditional Access policies
B.Azure RBAC with custom roles
C.Azure Policy with custom policy
D.Azure SQL Database firewall rules
AnswerA

Can enforce location and time conditions for Azure AD authenticated access.

Why this answer

Option A is correct because Conditional Access can enforce location and time restrictions for Azure AD authenticated users; location is evaluated against named locations (IP ranges or countries), so the permitted region must be expressed as such a named location. Option D is wrong because Azure SQL Database firewall rules filter by IP address, not by user identity. Option C is wrong because Azure Policy governs resource configuration and cannot enforce time-based access.

Option B is wrong because Azure RBAC scopes permissions but cannot enforce location or time conditions.

934
Multi-Selecteasy

Your company uses Microsoft 365 and wants to prevent sensitive data from being copied to personal cloud storage services like Dropbox. Which TWO Microsoft Purview capabilities should you use?

Select 2 answers
A.Data Loss Prevention (DLP) policies in Microsoft Purview
B.Endpoint Data Loss Prevention (Endpoint DLP)
C.Azure Information Protection (AIP) unified labeling client
D.Sensitivity labels
E.Microsoft Defender for Cloud Apps (formerly Cloud App Security)
AnswersA, B

DLP policies can detect and block sharing of sensitive data to unauthorized cloud services.

Why this answer

Options A and B are correct. Endpoint DLP can block copying sensitive files to personal cloud storage from managed devices, and Purview DLP policies detect and block sharing of sensitive content across Microsoft 365 services. Option D is wrong because sensitivity labels classify and protect content but do not block the copy action by themselves.

Option C is wrong because the AIP unified labeling client has been retired in favor of the labeling built into Microsoft 365 apps and Purview. Option E is wrong because Defender for Cloud Apps is not a Purview capability; it governs cloud app sessions and unsanctioned apps rather than copy actions on the endpoint.

935
MCQeasy

A company is implementing Microsoft Purview to protect sensitive data in SharePoint Online. They need to automatically apply a 'Highly Confidential' label to documents that contain credit card numbers. What should they create?

A.A communication compliance policy
B.A data loss prevention (DLP) rule
C.A manual labeling policy
D.An auto-labeling policy for sensitivity labels
AnswerD

Auto-labeling policies scan documents and apply labels automatically.

Why this answer

Option D is correct because Microsoft Purview auto-labeling policies for sensitivity labels can automatically detect sensitive data types (e.g., credit card numbers) in SharePoint Online documents and apply a 'Highly Confidential' label without user intervention. This meets the requirement for automatic, policy-driven labeling based on content inspection.

Exam trap

The trap here is that candidates confuse DLP rules (which detect and protect data) with auto-labeling policies (which apply sensitivity labels), but the question specifically asks for automatic label application, not just detection or blocking.

How to eliminate wrong answers

Option A is wrong because communication compliance policies are designed to detect and remediate inappropriate communications (e.g., harassment, insider trading) in Exchange Online and Teams, not to automatically label documents based on sensitive data patterns. Option B is wrong because a data loss prevention (DLP) rule can detect credit card numbers and block or alert, but it does not apply sensitivity labels; DLP rules and sensitivity labels are separate controls. Option C is wrong because manual labeling requires users to apply the label themselves, which contradicts the requirement for automatic application.

936
MCQhard

A company uses Microsoft Defender for Cloud Apps to monitor SaaS apps. They discover that a user is downloading large volumes of data from SharePoint Online from an atypical IP address. The security team wants to automatically suspend the user's access to all cloud apps. What is the most efficient way to achieve this?

A.Tag the user as suspicious using an app tag.
B.Create a file policy that triggers when a user downloads many files.
C.Create a session policy that blocks the user's session based on the anomaly.
D.Create an OAuth app policy to revoke permissions.
AnswerC

Session policies provide real-time access control and can block sessions.

Why this answer

Option C is correct because session policies enforce real-time, in-session controls and can block the user's session. Option B is wrong because file policies act on data at rest, not on access. Option A is wrong because app tags categorize apps (for example, sanctioned or unsanctioned), not users.

Option D is wrong because OAuth app policies govern third-party app permissions.

937
MCQhard

A company plans to use Microsoft Purview to manage data governance across their on-premises SQL Server databases and Azure SQL databases. They need to classify sensitive data and create a unified data map. Which resource should they deploy?

A.Microsoft Purview
B.Azure Synapse Analytics
C.Azure Data Factory
D.Azure SQL Database
AnswerA

Microsoft Purview provides unified data governance and classification.

Why this answer

Microsoft Purview is the correct choice because it provides a unified data governance service that can scan both on-premises SQL Server and Azure SQL databases, automatically classify sensitive data using built-in classifiers (e.g., PII, financial info), and build a centralized data map. This aligns with the requirement to manage data governance across hybrid environments with a single pane of glass.

Exam trap

The trap here is that candidates often confuse Azure Data Factory's data movement capabilities with Purview's governance role, or mistakenly think Azure Synapse Analytics can perform classification because it includes data warehousing and some security features.

How to eliminate wrong answers

Option B (Azure Synapse Analytics) is wrong because it is an analytics service for large-scale data warehousing and big data processing, not a data governance or classification tool. Option C (Azure Data Factory) is wrong because it is a data integration and orchestration service for ETL/ELT pipelines, lacking native data classification and data map capabilities. Option D (Azure SQL Database) is wrong because it is a specific database platform, not a governance service; it cannot unify metadata or classify data across multiple sources like on-premises SQL Server.

938
MCQmedium

Refer to the exhibit. A KQL query is used in Microsoft Sentinel to detect brute-force attacks. The query returns no results despite known brute-force attempts. What is the most likely issue?

A.The EventID 4625 may not cover all authentication failures
B.The query lacks a time filter
C.The 'IPAddress' field does not exist in SecurityEvent
D.The 'count()' aggregation is incorrect
AnswerA

Some authentication failures use other EventIDs.

Why this answer

EventID 4625 records a failed logon on the host where the logon was attempted, so a query that filters on 4625 alone only sees failures that reach that host's local logon path. Brute-force and password-spray activity against a domain is frequently recorded elsewhere: Kerberos pre-authentication failures are logged on the domain controller as EventID 4771, and NTLM credential validation failures are logged on the domain controller as EventID 4776 with a non-zero status code. Attempts blocked at the network layer, or made against non-Windows services, never produce a Windows security event at all. Relying solely on EventID 4625 therefore misses these failure scenarios, which is why the query returns no results for known brute-force attempts.

Exam trap

Microsoft often tests the misconception that a single EventID (like 4625) covers all authentication failures, when in reality different protocols and authentication methods generate distinct EventIDs, and candidates must consider the broader log source landscape.

How to eliminate wrong answers

Option B is wrong because omitting a time filter widens the query to all retained data; it can hurt performance or flood the results, but it cannot suppress matches for attempts that are known to exist. Option C is wrong because the SecurityEvent table does carry the source address (its IpAddress column), and a reference to a column that truly did not exist would fail with a name-resolution error rather than silently return an empty result set. Option D is wrong because count() is the standard KQL aggregation for counting rows; a malformed aggregation would produce a syntax error or wrong totals, not zero rows for events that are present.
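Worked example (added here; not part of the original question bank or its exhibit): a Python model of the detection logic, run over constructed SecurityEvent-style rows. It shows why a 4625-only filter stays silent during an NTLM password spray and a Kerberos pre-authentication attack, and how widening the EventID set, while treating 4776 as a failure only when its status is non-zero, makes the same threshold fire. The row shape is an assumption: a single Source field stands in for the IpAddress column (4625/4771) and the Workstation column (4776) that the Sentinel table exposes, and every event below is fabricated.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)
NTLM_SUCCESS = "0x0"

# Event IDs that carry failed-authentication evidence on Windows hosts:
#   4625  failed logon on the target host (the only ID the exhibit query uses)
#   4771  Kerberos pre-authentication failed (logged on the domain controller)
#   4776  NTLM credential validation on the DC; a failure only when Status != 0x0
ALL_FAILURE_IDS = frozenset({4625, 4771, 4776})


def is_auth_failure(event):
    """True if the event records a failed authentication attempt."""
    eid = event["EventID"]
    if eid in (4625, 4771):
        return True
    if eid == 4776:
        # 4776 is logged for successes too; only a non-zero status is a failure.
        return event.get("Status", NTLM_SUCCESS).lower() != NTLM_SUCCESS
    return False


def detect_bruteforce(events, event_ids, window=timedelta(minutes=5), threshold=20):
    """Python equivalent of: where EventID in (...) | summarize count(), dcount(Account)
    by Source, bin(TimeGenerated, window) | where count_ >= threshold."""
    counts = defaultdict(int)
    accounts = defaultdict(set)
    for ev in events:
        if ev["EventID"] not in event_ids or not is_auth_failure(ev):
            continue
        bucket = (ev["TimeGenerated"] - EPOCH) // window   # fixed-width time bin
        key = (ev["Source"], bucket)
        counts[key] += 1
        accounts[key].add(ev["Account"])
    hits = []
    for (source, bucket), n in counts.items():
        if n >= threshold:
            hits.append({
                "Source": source,
                "BinStart": EPOCH + bucket * window,
                "Failures": n,
                "Accounts": len(accounts[(source, bucket)]),
            })
    return sorted(hits, key=lambda h: h["Failures"], reverse=True)


def build_sample_events():
    """Constructed SecurityEvent-like rows (assumed schema, fabricated data)."""
    t0 = datetime(2024, 3, 1, 10, 0, 0)
    events = []
    # NTLM password spray against the DC: 30 accounts, one bad password each.
    for i in range(30):
        events.append({"TimeGenerated": t0 + timedelta(seconds=i), "EventID": 4776,
                       "Source": "WKS-42", "Account": f"user{i:02d}", "Status": "0xc000006a"})
    # Legitimate NTLM validations from the same workstation; these must not count.
    for i in range(3):
        events.append({"TimeGenerated": t0 + timedelta(seconds=30 + i), "EventID": 4776,
                       "Source": "WKS-42", "Account": "svc-backup", "Status": "0x0"})
    # Kerberos pre-auth failures: a single account hammered from one address.
    for i in range(25):
        events.append({"TimeGenerated": t0 + timedelta(seconds=i), "EventID": 4771,
                       "Source": "10.0.0.9", "Account": "jdoe"})
    # A handful of 4625s from that address, well under the threshold on their own.
    for i in range(5):
        events.append({"TimeGenerated": t0 + timedelta(seconds=40 + i), "EventID": 4625,
                       "Source": "10.0.0.9", "Account": "jdoe"})
    return events


def exhibit_query(events):
    """The exhibit's logic: EventID == 4625 only."""
    return detect_bruteforce(events, {4625})


def broadened_query(events):
    """The fix: also include DC-side Kerberos and NTLM failure events."""
    return detect_bruteforce(events, ALL_FAILURE_IDS)


if __name__ == "__main__":
    sample = build_sample_events()
    print("4625 only:", exhibit_query(sample))   # empty: the spray never hits 4625
    for hit in broadened_query(sample):
        print(hit)
```

The window and threshold mirror a summarize by bin(TimeGenerated, 5m) followed by a where on the count; tune both to the environment, and key on the distinct account count as well so a spray (many accounts, one source) is distinguished from a single-account brute force.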

939
MCQeasy

Your organization is planning to use Microsoft Sentinel for security information and event management (SIEM). You need to ingest security logs from on-premises Active Directory. What should you deploy?

A.Microsoft Monitoring Agent (MMA)
B.Log Analytics agent
C.Microsoft Defender for Cloud agent
D.Azure Monitor Agent
AnswerD

Azure Monitor Agent is the modern unified agent for collecting logs.

Why this answer

Option D is correct because Azure Monitor Agent (AMA) is the current agent for collecting Windows security events from on-premises servers into the Log Analytics workspace that Microsoft Sentinel uses; the Windows Security Events via AMA data connector creates the required data collection rule. On-premises machines must first be connected through Azure Arc-enabled servers so that AMA can be deployed and managed. Option B is wrong because the Log Analytics agent is legacy and retired. Option A is wrong because Microsoft Monitoring Agent is the same legacy agent under its older name.

Option C is wrong because the Defender for Cloud agent addresses security posture and workload protection, not general event collection.

940
Multi-Selectmedium

Which TWO actions should you take to implement a defense-in-depth strategy for an Azure application? (Choose two.)

Select 2 answers
A.Enable encryption at rest for all storage accounts
B.Enable Azure DDoS Protection on the virtual network
C.Enable Azure Firewall on all subnets
D.Use managed identities for Azure resources
E.Enable network security groups (NSGs) on all subnets
AnswersB, E

DDoS Protection mitigates large-scale attacks, adding a network layer.

Why this answer

Option B is correct because Azure DDoS Protection provides defense against volumetric network-layer attacks, which is a critical component of a defense-in-depth strategy. By enabling it on the virtual network, you add a layer of protection at the network perimeter, complementing other security controls. Option E is correct because NSGs filter traffic at the subnet and NIC level, giving a second, independent network control inside that perimeter. Option C is wrong because Azure Firewall is deployed into its own dedicated subnet and traffic is routed to it, rather than being enabled on every subnet. This aligns with the principle of layered security, where multiple controls address different attack vectors.

Exam trap

The trap here is that candidates often confuse defense-in-depth with a single security control, such as encryption or identity management, and fail to recognize that network-layer protections like DDoS Protection and NSGs are essential for a layered security posture.

941
MCQhard

Refer to the exhibit. A security analyst runs this KQL query in Microsoft Sentinel. What is the purpose of this query?

A.Identify the top 10 users who have been targeted by Mimikatz attacks
B.Show the severity of Mimikatz alerts for each user
C.List all Mimikatz alerts with detailed entity information
D.Count the total number of Mimikatz alerts in the last 7 days
AnswerA

The query counts alerts per user and shows the top 10.

Why this answer

The KQL query uses the `summarize` operator with `count()` to aggregate Mimikatz alerts by `UserPrincipalName`, then sorts the results by count in descending order and limits the output to 10 rows. This directly identifies the top 10 users who have been targeted by Mimikatz attacks, as each alert represents a detection event associated with a specific user.

Exam trap

Microsoft often tests the distinction between aggregation (count, sum) and attribute display (severity, details), so candidates may mistakenly think a `count()` query shows severity or detailed entity information when it only provides numerical summaries.

How to eliminate wrong answers

Option B is wrong because the query does not include any field or aggregation related to severity (e.g., `Severity` column or `max(Severity)`), so it cannot show severity levels. Option C is wrong because the query only returns `UserPrincipalName` and a count, not detailed entity information such as IP addresses, process names, or device IDs. Option D is wrong because while the query counts alerts, it does not filter by a specific time range (e.g., `where TimeGenerated > ago(7d)`), so it does not count alerts only in the last 7 days.

942
MCQeasy

Your organization uses Microsoft Purview to classify data assets. You need to design a solution that automatically scans data sources in Azure SQL Database for sensitive information. Which Purview scanner should you configure?

A.Azure SQL Scanner (Purview)
B.Purview scanning rule set for Azure SQL Database
C.Purview Insights
D.Microsoft Defender for SQL
AnswerB

Purview can scan Azure SQL Database using built-in scanning rule sets.

Why this answer

Option B is correct because Purview scans Azure SQL Database natively: you register the database as a source and run a scan with a scan rule set that selects the classification rules to apply. Option A is wrong because Purview has no separate product named 'Azure SQL Scanner'; scanning is built into the data map. Option D is wrong because Microsoft Defender for SQL is a threat protection and vulnerability assessment product, not a classification scanner.

Option C is wrong because Purview Insights is a reporting feature over assets that have already been scanned.

943
Multi-Selecthard

Your organization is implementing a defense-in-depth strategy for a multi-tier application hosted on Azure. You need to secure the network layers. Which THREE measures should you implement?

Select 3 answers
A.Enable Azure DDoS Protection on the virtual network.
B.Configure Azure Front Door to protect the application layer.
C.Implement Azure Firewall for traffic inspection and filtering.
D.Deploy a site-to-site VPN gateway.
E.Use network security groups (NSGs) to control traffic between subnets.
AnswersA, C, E

DDoS Protection is a key network security layer.

Why this answer

Option C is correct because Azure Firewall provides centralized inbound and outbound traffic inspection and filtering. Option E is correct because network security groups (NSGs) provide micro-segmentation at the subnet or NIC level. Option A is correct because Azure DDoS Protection mitigates volumetric attacks against the virtual network's public endpoints.

Option D is wrong because a VPN gateway provides connectivity, not a network security layer. Option B is wrong because Azure Front Door is an application delivery and web security service for HTTP(S) workloads; it is not a general network security layer for all tiers.

944
MCQeasy

A company wants to protect their Azure App Service web application from common web vulnerabilities like SQL injection and XSS. Which Azure service should they enable?

A.Azure DDoS Protection
B.Azure Firewall
C.Azure Front Door with WAF
D.Azure Web Application Firewall (WAF) on Application Gateway
AnswerD

Protects against SQL injection, XSS, etc.

Why this answer

Azure Web Application Firewall (WAF) on Application Gateway is the correct choice because it provides centralized, inbound protection for web applications against common exploits such as SQL injection and cross-site scripting (XSS). WAF inspects HTTP/HTTPS traffic at the application layer (Layer 7) using OWASP Core Rule Sets (CRS) to block malicious payloads before they reach the App Service. This service is specifically designed to defend web workloads, unlike network-layer or generic firewall solutions.

Exam trap

The trap here is that candidates often confuse Azure Front Door with WAF (a global, CDN-based WAF) with Azure Application Gateway WAF (a regional, load-balancer-based WAF), but for protecting a single Azure App Service within a region, the Application Gateway WAF is the direct and intended service, while Front Door is typically used for multi-region or global scenarios.

How to eliminate wrong answers

Option A is wrong because Azure DDoS Protection operates at the network and transport layers (Layers 3 and 4) to mitigate volumetric attacks, not application-layer threats like SQL injection or XSS. Option B is wrong because Azure Firewall is a network-layer firewall (Layer 3/4 with FQDN filtering) that does not apply OWASP web rule sets to HTTP request content. Option C is wrong because, although Azure Front Door with WAF offers the same OWASP rule sets, it is a global edge service intended for multi-region or globally distributed front ends; for a single App Service in one region, WAF on Application Gateway is the direct, regional pattern the question expects.

945
MCQhard

Your company, Lucerne Publishing, is migrating its on-premises SQL Server databases to Azure SQL Managed Instance. The databases contain sensitive customer data subject to GDPR. You need to design a security solution that includes: (1) Always Encrypted for sensitive columns, (2) dynamic data masking for non-privileged users, (3) auditing of all data access, and (4) encryption at rest using customer-managed keys stored in Azure Key Vault. Which of the following configurations should you implement?

A.Enable Always Encrypted for sensitive columns, configure dynamic data masking, enable auditing via Azure Policy, and enable TDE with a customer-managed key stored in Azure Key Vault.
B.Enable Always Encrypted for sensitive columns, configure dynamic data masking, disable TDE to improve performance, and use row-level security to restrict access.
C.Enable Always Encrypted for sensitive columns, configure dynamic data masking, enable SQL Server auditing to Azure Blob Storage, and enable Transparent Data Encryption (TDE) with a service-managed key.
D.Enable Always Encrypted for sensitive columns, configure dynamic data masking, enable Azure SQL auditing to a Log Analytics workspace, and enable TDE with a customer-managed key stored in Azure Key Vault.
AnswerD

All requirements are met: column encryption, masking, auditing, and CMK encryption.

Why this answer

Option D is correct because it satisfies all four requirements: Always Encrypted for column-level encryption, dynamic data masking for non-privileged users, Azure SQL auditing to a Log Analytics workspace for all data access, and TDE with a customer-managed key in Azure Key Vault. Option C is wrong because TDE with a service-managed key does not meet the customer-managed key requirement. Option A is wrong because auditing is configured on the managed instance itself; Azure Policy can check or deploy that setting, but it is not the audit mechanism.

Option B is wrong because disabling TDE removes encryption at rest and leaves requirement (4) unmet.

946
Multi-Selectmedium

You are designing a security solution for Azure SQL Database. The requirements include: encrypting data at rest and in transit, and masking sensitive data from non-privileged users. Which two features should you implement? (Choose two.)

Select 2 answers
A.Dynamic Data Masking
B.Azure Firewall
C.Transparent Data Encryption (TDE)
D.Column-level encryption
E.Always Encrypted
AnswersA, C

Masks sensitive data from non-privileged users.

Why this answer

Options A and C are correct: TDE encrypts data at rest, and Dynamic Data Masking hides sensitive values from non-privileged users; encryption in transit is provided by the TLS connection that Azure SQL Database enforces. Option E is wrong because Always Encrypted is client-side column encryption that keeps plaintext away from the server entirely; it does not mask data and is not what the question asks for. Option B is wrong because Azure Firewall is a network security service, not a database feature.

Option D is wrong because column-level encryption protects individual columns but does not address masking, and encryption at rest is already covered by TDE.

947
MCQmedium

South Ridge School District uses Microsoft 365 Education and Azure for administrative systems. They have a large number of students and staff. The district wants to implement a security solution that protects against phishing attacks, ransomware, and inappropriate content. They also need to comply with the Children's Online Privacy Protection Act (COPPA) and other educational regulations. The solution should be cost-effective and easy to manage. What should you recommend?

A.Use Microsoft Sentinel to analyze security logs. Deploy Microsoft Defender for Endpoint on all devices. Use Azure Policy to enforce compliance. Implement third-party web filtering.
B.Upgrade to Microsoft 365 E5 for all users. Implement Azure AD Identity Protection and PIM. Use Microsoft Defender for Identity. Use Microsoft Sentinel for SIEM.
C.Use Microsoft 365 Business Premium for staff only. Use free Microsoft 365 Education for students. Implement Conditional Access policies. Use Microsoft Cloud App Security to block risky apps.
D.Use Microsoft Defender for Office 365 to protect against phishing and malware. Deploy Microsoft Intune for Education to manage student devices and enforce security policies. Enable Microsoft Purview Communication Compliance to monitor for inappropriate content. Use Microsoft Entra ID (free tier) with Security Defaults for identity protection.
AnswerD

Education-appropriate, cost-effective, covers key threats.

Why this answer

Option D is correct because it provides a cost-effective, education-focused security solution that directly addresses the district's requirements. Microsoft Defender for Office 365 protects against phishing and malware in email and collaboration tools, Microsoft Intune for Education enables policy enforcement and device management for students, Microsoft Purview Communication Compliance monitors for inappropriate content to meet COPPA and other regulations, and Microsoft Entra ID (free tier) with Security Defaults provides baseline identity protection without additional licensing costs.

Exam trap

The trap here is that candidates often assume a full E5 or SIEM solution is necessary for compliance and security, but the SC-100 exam emphasizes cost-effective, education-specific solutions that leverage free tiers and built-in capabilities like Security Defaults and Intune for Education.

How to eliminate wrong answers

Option A is wrong because it recommends Microsoft Sentinel, which is a SIEM solution that requires significant cost and expertise, and Azure Policy is for Azure resource compliance, not student device or content monitoring; third-party web filtering adds unnecessary complexity and cost. Option B is wrong because upgrading all users to Microsoft 365 E5 is prohibitively expensive for a school district and includes features like Microsoft Defender for Identity and Sentinel that are overkill for the stated requirements, while not specifically addressing student content monitoring or device management. Option C is wrong because using Microsoft 365 Business Premium for staff only leaves students unprotected against phishing and malware, and Microsoft Cloud App Security (now part of Microsoft Defender for Cloud Apps) requires additional licensing and does not directly address inappropriate content monitoring or device management for students.

948
Multi-Selectmedium

A company is deploying a new API management solution using Azure API Management. The APIs will be consumed by external partners. Security requirements include: protecting against OWASP Top 10 attacks, throttling requests per subscription, and validating JSON schemas. Which TWO policies should you configure? (Choose two.)

Select 2 answers
A.Validate content policy to check JSON schema.
B.Rate limit policy to throttle requests per subscription.
C.Validate JWT policy to ensure tokens are valid.
D.IP filter policy to restrict access to partner IPs.
E.Cross domain policy to allow CORS.
AnswersA, B

Validates request body against a defined schema.

Why this answer

Options A and B meet the requirements. The 'Validate content' policy (validate-content) checks a request body against a JSON schema and rejects malformed or oversized payloads, which also blunts the injection-style attacks in the OWASP Top 10. The 'Rate limit' policy (rate-limit) throttles calls per subscription key.

The 'Validate JWT' policy (validate-jwt) verifies bearer tokens and is an authentication control, not schema validation or throttling. The 'Cross domain' policy handles CORS, and the 'IP filter' policy (ip-filter) restricts callers by address; neither addresses the stated requirements.

949
Multi-Selecthard

You are designing a Microsoft Purview data security solution for a multinational organization subject to GDPR and CCPA. Which THREE Purview capabilities should you include to meet regulatory requirements?

Select 3 answers
A.Data Loss Prevention (DLP) policies
B.Advanced eDiscovery
C.Microsoft Purview Audit (Premium) and Activity Explorer
D.Data classification and sensitivity labels
E.Data Lifecycle Management (retention policies)
AnswersA, C, D

Prevents unauthorized sharing of personal data.

Why this answer

Data Loss Prevention (DLP) policies are correct because they allow the organization to detect and prevent the accidental or intentional sharing of sensitive data, such as personally identifiable information (PII) covered under GDPR and CCPA, across email, SharePoint, OneDrive, and endpoints. By scanning content for sensitive information types (e.g., credit card numbers, EU passport numbers) and applying protective actions (e.g., blocking transmission, showing policy tips), DLP directly enforces the data protection mandates of these regulations. Option D is correct because classification and sensitivity labels identify where personal data lives and attach persistent protection to it, which is the foundation the DLP policies act on. Option C is correct because Purview Audit (Premium) and Activity Explorer provide the retained, searchable record of who accessed or shared personal data, supporting breach investigation and access reporting.

Exam trap

The trap here is that candidates often confuse 'detective' controls (like eDiscovery) with 'preventive' controls (like DLP and sensitivity labels), or they mistakenly think retention policies alone satisfy data security requirements, when in fact GDPR and CCPA demand active protection against data breaches and unauthorized disclosure.

950
MCQeasy

Your organization wants to implement a security information and event management (SIEM) solution that can ingest logs from multiple sources, including on-premises servers, Azure resources, and third-party SaaS applications. Which Microsoft service should you choose?

A.Microsoft Purview
B.Microsoft Defender for Cloud
C.Microsoft Sentinel
D.Azure Monitor
AnswerC

Sentinel is a scalable SIEM for log ingestion from diverse sources.

Why this answer

Microsoft Sentinel is the correct choice because it is a cloud-native SIEM solution specifically designed to ingest logs from diverse sources, including on-premises servers, Azure resources, and third-party SaaS applications, using built-in connectors for over 100 data sources. It provides centralized security analytics, threat detection, and incident response, making it the appropriate service for this multi-source log ingestion requirement.

Exam trap

The trap here is that candidates often confuse Azure Monitor with a SIEM because it collects logs and metrics, but it lacks the security-specific correlation, threat intelligence integration, and incident management features that define a true SIEM like Microsoft Sentinel.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview is a data governance and compliance solution focused on data classification, labeling, and risk management, not a SIEM for ingesting and analyzing security logs. Option B is wrong because Microsoft Defender for Cloud is a cloud security posture management (CSPM) and workload protection platform that provides security recommendations and alerts for Azure and hybrid resources, but it lacks the comprehensive log ingestion and SIEM capabilities needed for multi-source log aggregation. Option D is wrong because Azure Monitor is a monitoring and diagnostics service for Azure resources and applications, primarily collecting metrics and logs for performance and operational health, not a SIEM solution designed for security event correlation and threat hunting across diverse sources.

951
MCQmedium

You are a security architect for a healthcare organization that is adopting Microsoft 365 and Azure. The organization must comply with HIPAA and has the following requirements: - All users must use multi-factor authentication (MFA) when accessing Microsoft 365 from outside the corporate network. - Mobile devices must be managed and must be compliant before accessing email. - Access to Azure virtual machines must be limited to specific admin users and must be audited. - All sensitive data stored in Azure SQL Database must be encrypted at rest and in transit. You have the following technologies: Microsoft Entra ID, Microsoft Intune, Azure SQL Database, Azure Policy, Azure Key Vault, Microsoft Defender for Cloud, and Azure Bastion. Which combination of services and configurations should you implement?

A.Configure Conditional Access to require MFA only for external access, use Intune for mobile device management, deploy Always Encrypted for Azure SQL Database, and use Azure AD Application Proxy for VM access.
B.Configure Microsoft Entra PIM for MFA, use Intune for mobile devices, deploy Azure VPN Gateway for VM access, and enable Double Encryption for Azure SQL Database.
C.Configure Conditional Access policies for MFA, use Intune compliance policies for mobile devices, deploy Azure Bastion for VM access with audit logging, and enable TDE and enforce TLS for Azure SQL Database.
D.Use Azure AD Identity Protection for MFA, use Microsoft Endpoint Manager for device compliance, deploy Azure Firewall for VM access, and use Azure Key Vault for SQL encryption keys.
AnswerC

Meets all requirements: MFA, device compliance, secure VM access, encryption.

Why this answer

Option C is correct: Conditional Access policies enforce MFA, scoped to sign-ins from outside the corporate network through a named-location condition; Intune compliance policies, paired with a Conditional Access grant control that requires a compliant device, gate access to email; Azure Bastion provides RDP/SSH to the VMs without public IPs, with access restricted by RBAC and every session recorded in its diagnostic logs; Transparent Data Encryption (TDE) covers Azure SQL Database at rest and a minimum TLS version on the server enforces encryption in transit. Option A is incorrect: Azure AD Application Proxy publishes web applications, not RDP/SSH access to VMs, and Always Encrypted protects selected columns rather than the whole database. Option B is incorrect: PIM governs just-in-time role activation and does not by itself require MFA for every external sign-in, and a VPN gateway provides network reachability rather than per-admin, audited VM access.

Option D is incorrect: Identity Protection detects risky sign-ins but does not enforce MFA on its own, and Azure Firewall filters traffic without producing per-admin access audit records.

952
MCQmedium

A company is designing a Zero Trust network strategy. They want to ensure that all network traffic between on-premises and Azure is inspected and logged, regardless of source or destination. Which Azure service should they use to achieve this?

A.Azure Front Door
B.Azure Bastion
C.Azure Firewall
D.Azure DDoS Protection
AnswerC

Azure Firewall can inspect and log all traffic between on-premises and Azure.

Why this answer

Azure Firewall is a managed, cloud-based network security service that provides inbound and outbound traffic inspection and logging for all traffic between on-premises networks and Azure, regardless of source or destination. It supports application and network-level filtering, threat intelligence-based filtering, and integrates with Azure Monitor for comprehensive logging, making it the correct choice for a Zero Trust network strategy that requires full traffic inspection and logging.

Exam trap

The trap here is that candidates may confuse Azure Firewall with Azure Front Door or Azure Bastion, thinking that any security or access service can inspect all traffic, but only Azure Firewall provides the necessary stateful inspection and logging for all network traffic between on-premises and Azure.

How to eliminate wrong answers

Option A is wrong because Azure Front Door is a global, scalable entry point for web applications, focusing on HTTP/HTTPS load balancing and acceleration, not on inspecting and logging all network traffic between on-premises and Azure (it does not handle non-web protocols or provide stateful packet inspection). Option B is wrong because Azure Bastion is a fully managed PaaS service that provides secure RDP/SSH connectivity to virtual machines directly from the Azure portal, without exposing public IPs; it does not inspect or log general network traffic between on-premises and Azure. Option D is wrong because Azure DDoS Protection is a service that protects against distributed denial-of-service attacks by monitoring and mitigating volumetric attacks at the network layer, but it does not provide general traffic inspection or logging for all network flows.

953
MCQhard

Your organization uses Microsoft Defender for Endpoint (MDE) and Microsoft Sentinel. You need to create an analytics rule in Sentinel that triggers an incident when a device is reported as 'high risk' by MDE. Which data source and rule type should you use?

A.Microsoft Sentinel's Anomalous Activity rule
B.Microsoft 365 Defender connector with an NRT query rule
C.Microsoft Defender XDR connector with a Scheduled query rule
D.Microsoft Defender for Cloud connector with a Fusion rule
AnswerC

The XDR connector ingests MDE alerts and device info; scheduled query can detect high risk.

Why this answer

The Microsoft Defender XDR connector streams Microsoft Defender for Endpoint (MDE) alerts into Sentinel and, when its advanced hunting tables are enabled, device data such as DeviceInfo as well. A Scheduled query rule runs a KQL query at a defined interval (for example every 5 minutes) over that data, so a rule that filters for devices MDE reports as high risk opens an incident each time a match appears.

Exam trap

The trap here is the naming: Microsoft 365 Defender was renamed Microsoft Defender XDR, so options B and C name the same connector under its old and new names. What separates them is the rule type the question expects: a Scheduled query rule over the ingested data rather than an NRT rule, and the current connector name rather than the legacy one.

How to eliminate wrong answers

Option A is wrong because Anomaly rules use machine-learning models to surface unusual patterns in the data, not to trigger on a fixed condition such as a device risk level. Option B is wrong because the exam expects the connector's current name, and NRT rules run a narrow query once a minute over the preceding minute with query restrictions that Scheduled rules do not have, which makes the Scheduled rule the expected answer for this detection. Option D is wrong because the Microsoft Defender for Cloud connector ingests alerts about Azure and hybrid workloads, not MDE device risk data, and Fusion is a built-in multi-stage correlation engine rather than a rule you author for a single condition.

954
Multi-Selecthard

A company uses Microsoft Intune to manage devices. They need to ensure that only compliant devices can access corporate email. They plan to use Conditional Access in Microsoft Entra ID. Which THREE components must be configured?

Select 3 answers
A.Device registration in Entra ID
B.Conditional Access policy in Entra ID
C.Windows Autopilot deployment profile
D.Compliance policy in Intune
E.Configuration profile in Intune
AnswersA, B, D

Devices must be registered to be evaluated.

Why this answer

Device registration in Entra ID (A) is required because Conditional Access evaluates device compliance against the device object in Entra ID; an unregistered device has no identity to attach a compliance state to. The compliance policy in Intune (D) defines what compliant means (for example an enforced PIN, disk encryption, a minimum OS version) and reports each device's state to Entra ID. The Conditional Access policy (B) targets Exchange Online and applies the 'Require device to be marked as compliant' grant control, so only devices Intune reports as compliant receive a token for email.

Exam trap

The trap here is that candidates often confuse Configuration profiles (which apply settings) with Compliance policies (which define security requirements), leading them to incorrectly select Configuration profile instead of Compliance policy for enforcing device-based access control.

955
MCQhard

Your organization is deploying Azure SQL Managed Instance (SQL MI) with sensitive financial data. You need to design a security solution that includes data encryption at rest and in transit, threat detection, and fine-grained access control. The solution must also ensure that database administrators (DBAs) cannot access the data. What should you include?

A.Enable TDE and use server-level firewall rules. Use SQL authentication. Enable auditing.
B.Enable TDE and Always Encrypted for sensitive columns. Use Azure AD authentication. Enable Microsoft Defender for Cloud (SQL) for threat detection. Use Azure Policy to deny DBA access.
C.Use client-side encryption with Always Encrypted. Use SQL authentication. Enable Advanced Threat Protection.
D.Enable TDE and use row-level security (RLS). Use Azure AD authentication. Enable Defender for SQL.
AnswerB

TDE encrypts at rest; Always Encrypted prevents DBAs from seeing column data; Azure AD auth eliminates shared passwords; Defender for Cloud detects threats.

Why this answer

Option B is correct: TDE encrypts the database files at rest (it is enabled by default on SQL Managed Instance); Always Encrypted keeps selected columns encrypted with keys the client holds, so plaintext is never visible to the database engine or to a DBA who can read the table; Azure AD (Microsoft Entra) authentication replaces shared SQL passwords; Defender for SQL supplies threat detection. One caveat on the option's wording: Azure Policy governs resource configuration, not data access. The guarantee that DBAs cannot read the data comes from holding the Always Encrypted column master key in Azure Key Vault where DBAs have no access. Option A lacks Always Encrypted and uses SQL authentication. Option C lacks Azure AD authentication and fine-grained access control. Option D relies on row-level security, which filters rows for ordinary logins but is a database-side control that a privileged DBA can alter or bypass, so it does not hide data from them.

956
MCQmedium

Your organization is designing a new application that will store sensitive customer data in Azure Cosmos DB. You need to ensure that data at rest is encrypted using a customer-managed key (CMK) stored in Azure Key Vault. What should you configure?

A.Enable Transparent Data Encryption (TDE) on the Cosmos DB account.
B.Enable Azure Storage Service Encryption (SSE) on the Cosmos DB account.
C.Use Always Encrypted with Azure SQL Database.
D.Configure a customer-managed key in Azure Key Vault and assign it to the Cosmos DB account.
AnswerD

Azure Cosmos DB supports CMK via Azure Key Vault.

Why this answer

Option D is correct because Azure Cosmos DB encrypts data at rest with service-managed keys by default, and a customer-managed key is added by creating a key in Azure Key Vault (the vault needs soft-delete and purge protection enabled) and associating it with the Cosmos DB account. Option A is wrong because Transparent Data Encryption (TDE) is a SQL feature, not a Cosmos DB setting. Option C is wrong because it configures Azure SQL Database rather than the Cosmos DB account that holds the data.

Option B is wrong because Azure Storage Service Encryption is for storage accounts, not Cosmos DB.

957
MCQhard

A company is planning a migration to Azure and wants to ensure that their security operations center (SOC) has visibility into all Azure resources. They need to collect security logs from multiple subscriptions into a central workspace. Which Azure service should they use?

A.Azure Security Center
B.Azure Policy
C.Azure Monitor
D.Azure Sentinel
AnswerD

Sentinel is a SIEM that can centralize logs from multiple subscriptions.

Why this answer

Azure Sentinel (now Microsoft Sentinel) is the correct choice because it is a cloud-native SIEM (Security Information and Event Management) solution designed to ingest security logs from multiple Azure subscriptions, on-premises sources, and third-party clouds into a single central Log Analytics workspace. It provides the SOC with unified visibility, threat detection, and incident response across all Azure resources, meeting the requirement for centralized security log collection.

Exam trap

The trap here is that candidates often confuse Azure Monitor (a general monitoring service) with Azure Sentinel (a SIEM), but Azure Monitor lacks the security-specific log correlation, threat intelligence, and incident response features required for a SOC's centralized security operations.

How to eliminate wrong answers

Option A is wrong because Azure Security Center (now part of Microsoft Defender for Cloud) is a cloud security posture management (CSPM) tool that provides security recommendations and threat protection, but it does not serve as a central log collection and SIEM platform for multiple subscriptions. Option B is wrong because Azure Policy is a governance service that enforces compliance rules and resource configurations, not a log aggregation or SIEM service. Option C is wrong because Azure Monitor is a monitoring service for collecting metrics, logs, and alerts from Azure resources, but it lacks the advanced SIEM capabilities (e.g., correlation rules, threat intelligence, incident management) required for a SOC's centralized security operations.

958
MCQmedium

You are analyzing sign-in logs in Microsoft Sentinel. The query returns users with ResultType 50074. What does this result type indicate?

A.The user was blocked by a conditional access policy.
B.The user did not pass strong authentication.
C.The user successfully signed in with MFA.
D.The user failed to sign in due to incorrect password.
AnswerB

50074 indicates strong auth failure.

Why this answer

Option B is correct because ResultType 50074 means strong authentication was required for the sign-in and the user did not satisfy it (the MFA challenge failed or was not completed). Option A is wrong because a Conditional Access block is recorded as 53003. Option C is wrong because a successful sign-in, MFA included, has ResultType 0.

Option D is wrong because an incorrect password is recorded as 50126.
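As an added example (not part of the question bank), the same classification in code: constructed sign-in rows in the shape of Sentinel's SigninLogs table, the documented meanings of a few ResultType values, and a grouping that flags user/IP pairs with repeated unmet MFA challenges and no success from that IP, which is the shape of query a scheduled analytics rule over this data would take. The threshold of three, the user names, IPs and timestamps are assumptions of the example.

```python
"""Triage Entra ID sign-in records by ResultType.

Added example; not part of the question bank. Rows are constructed to look
like SigninLogs (only the columns used here); the threshold is an assumption.
"""
from collections import Counter, defaultdict

# Documented Entra ID sign-in codes as they appear in SigninLogs.ResultType.
RESULT_CODES = {
    "0": "success",
    "50074": "strong authentication required and not satisfied (MFA challenge failed or not completed)",
    "50076": "strong authentication required: MFA interrupt after a policy or location change",
    "50126": "invalid username or password",
    "53003": "blocked by Conditional Access policy",
}

# Constructed sample rows (made-up users, IPs and timestamps).
SAMPLE_SIGNINS = [
    {"TimeGenerated": "2024-05-01T08:00:00Z", "UserPrincipalName": "alice@contoso.example", "ResultType": "50074", "IPAddress": "203.0.113.10"},
    {"TimeGenerated": "2024-05-01T08:01:00Z", "UserPrincipalName": "alice@contoso.example", "ResultType": "50074", "IPAddress": "203.0.113.10"},
    {"TimeGenerated": "2024-05-01T08:02:00Z", "UserPrincipalName": "alice@contoso.example", "ResultType": "50074", "IPAddress": "203.0.113.10"},
    {"TimeGenerated": "2024-05-01T08:05:00Z", "UserPrincipalName": "bob@contoso.example", "ResultType": "50074", "IPAddress": "198.51.100.7"},
    {"TimeGenerated": "2024-05-01T08:06:00Z", "UserPrincipalName": "bob@contoso.example", "ResultType": "0", "IPAddress": "198.51.100.7"},
    {"TimeGenerated": "2024-05-01T08:07:00Z", "UserPrincipalName": "carol@contoso.example", "ResultType": "50126", "IPAddress": "192.0.2.5"},
    {"TimeGenerated": "2024-05-01T08:08:00Z", "UserPrincipalName": "dave@contoso.example", "ResultType": "53003", "IPAddress": "192.0.2.9"},
]


def describe(result_type) -> str:
    """Map a ResultType to its documented meaning; unknown codes are reported, not guessed."""
    return RESULT_CODES.get(str(result_type), f"unmapped ResultType {result_type}")


def count_by_code(records) -> Counter:
    """How many sign-ins ended with each ResultType."""
    return Counter(str(r["ResultType"]) for r in records)


def unmet_mfa_challenges(records, threshold: int = 3) -> list:
    """User/IP pairs with `threshold` or more unmet MFA challenges (50074/50076)
    and no successful sign-in (ResultType 0) from that same IP.

    Equivalent KQL for a scheduled analytics rule:
        SigninLogs
        | where ResultType in ("50074", "50076")
        | summarize Failures = count() by UserPrincipalName, IPAddress
        | join kind=leftanti (SigninLogs | where ResultType == "0"
                              | project UserPrincipalName, IPAddress)
            on UserPrincipalName, IPAddress
        | where Failures >= 3
    """
    failures = defaultdict(int)
    succeeded = set()
    for r in records:
        key = (r["UserPrincipalName"], r["IPAddress"])
        code = str(r["ResultType"])
        if code in ("50074", "50076"):
            failures[key] += 1
        elif code == "0":
            succeeded.add(key)  # a later success from the same IP clears the pair
    return sorted(
        (user, ip, n) for (user, ip), n in failures.items()
        if n >= threshold and (user, ip) not in succeeded
    )


if __name__ == "__main__":
    for code, n in count_by_code(SAMPLE_SIGNINS).items():
        print(f"{code:>6} x{n}: {describe(code)}")
    print("repeated unmet MFA challenges:", unmet_mfa_challenges(SAMPLE_SIGNINS))
```

Bob's single 50074 followed by a ResultType 0 from the same address is the normal "challenge, then pass" sequence and is not flagged; Alice's three unmet challenges with no success are. Running the same query in Sentinel against real SigninLogs is the point at which the threshold and the lookback window need tuning for the tenant.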

959
Multi-Selecteasy

Which TWO of the following are best practices for securing Microsoft 365 tenants? (Choose two.)

Select 2 answers
A.Enable security defaults in Microsoft Entra ID
B.Use Conditional Access policies to enforce MFA
C.Enable basic authentication for all apps
D.Disable modern authentication for legacy protocols
E.Allow all external sharing in SharePoint
AnswersA, B

Security defaults enforce common security policies like MFA.

Why this answer

Enabling security defaults gives every tenant a free baseline (MFA registration for all users, MFA for administrators, legacy authentication blocked). Conditional Access policies provide the same controls with granular conditions (user, app, location, device state). Both are best practices, but in a given tenant they are alternatives rather than a combination: Conditional Access requires Microsoft Entra ID P1, and security defaults must be turned off before Conditional Access policies can be used.

Using basic authentication is insecure, disabling modern authentication is counterproductive, and allowing all external sharing is risky.

So the correct two are A and B.

960
MCQeasy

Refer to the exhibit. You configure this mail flow rule in Exchange Online. What happens to emails with 'FREE' in the subject?

A.Emails are deleted
B.Emails have a custom header added
C.Emails are moved to the Junk Email folder
D.Emails are blocked and not delivered
AnswerC

Marking as spam in Exchange Online typically moves the email to the Junk Email folder.

Why this answer

The mail flow rule has two actions: it adds the header 'X-CustomHeader' with the value 'Free' to messages that have 'FREE' in the subject, and it sets the spam confidence level (SCL) to 9. An SCL of 7 or higher marks the message as high confidence spam, and the anti-spam policy that applies to the recipient then decides what happens to it. In the default anti-spam policy that action is 'Move message to Junk Email folder'; the Standard and Strict preset security policies quarantine high confidence spam instead, which is why the question's answer assumes the default policy.

Both actions apply: the header is still added, but the delivery outcome the question asks about is that the message lands in the recipient's Junk Email folder rather than being deleted or rejected.

Exam trap

The trap here is that candidates see the 'add a custom header' action and assume that is the only effect, overlooking that 'set SCL to 9' is applied as well and that it is the SCL, through the anti-spam policy, that determines where the message is delivered; the header addition is secondary.

How to eliminate wrong answers

Option A is wrong because the rule does not include a 'Delete the message without notifying anyone' action; it only adds a header and raises the SCL, which does not result in deletion. Option B is wrong because while the rule does add a custom header ('X-CustomHeader: Free'), that is not the delivery outcome: the SCL of 9 causes the message to be filtered as high confidence spam and moved to Junk Email, so the primary effect is the junking, not just the header. Option D is wrong because the rule does not use a 'Reject the message' action (such as a non-delivery report with a 550 status code); raising the SCL to 9 does not block delivery but routes the message to the Junk Email folder.

961
MCQmedium

Your organization is using Microsoft Defender for Cloud to manage security across multiple Azure subscriptions. You need to ensure that all virtual machines in the subscriptions are monitored by Defender for Cloud and that security alerts are sent to the security operations team. You also need to enforce that any new VMs are automatically onboarded to Defender for Cloud. You have a Log Analytics workspace in the central subscription. What should you do?

A.Enable Defender for Cloud on each subscription and configure email notifications for alerts.
B.Assign an Azure Policy that deploys the Log Analytics agent to all VMs.
C.In Defender for Cloud, enable auto-provisioning for the Log Analytics agent at the management group level and specify the central workspace.
D.Create a Log Analytics workspace in each subscription and configure Defender for Cloud to use that workspace.
AnswerC

Auto-provisioning at management group level ensures all subscriptions are covered and new VMs are automatically onboarded.

Why this answer

Option C is correct because enabling auto-provisioning at the management group scope, pointed at the central workspace, covers every subscription under that management group and installs the agent on new VMs as they appear. Option A is wrong because enabling the plans and email notifications per subscription does not install the agent or onboard new VMs. Option B is wrong because an Azure Policy DeployIfNotExists assignment can deploy the agent, but it does not by itself enable Defender for Cloud's monitoring or route data to the central workspace; auto-provisioning is the built-in mechanism that does both.

Option D is wrong because a workspace per subscription fragments the data the security operations team needs in one place and still does not onboard new VMs.

Note that the Log Analytics agent (MMA) was retired in August 2024; current Defender for Servers onboarding relies on agentless scanning and the Defender for Endpoint integration instead, so the auto-provisioning answer the exam expects describes the legacy mechanism.

962
MCQmedium

A healthcare organization is using Microsoft Purview to govern its data estate. They have multiple Azure Data Lake Storage accounts and Azure SQL Databases. They need to classify sensitive data such as patient health information (PHI) and apply protection automatically when data is exported from these sources to an external location. The organization also wants to prevent unauthorized users from accessing sensitive data in Azure SQL Database by using built-in security features. The compliance team requires that any access to sensitive data be logged and auditable. You need to design a solution that meets these requirements. What should you implement?

A.Use Microsoft Purview to scan and classify data. Auto-apply sensitivity labels. Implement Azure AD authentication and row-level security in Azure SQL Database. Enable auditing and send to Log Analytics.
B.Use Microsoft Purview to scan and classify data. Apply sensitivity labels manually. Configure Azure SQL Database firewall to block all but admin. Use Azure SQL auditing.
C.Use Microsoft Defender for Cloud to identify sensitive data. Implement Azure SQL Database always encrypted. Use Azure Monitor to log queries.
D.Use Microsoft Purview to classify data. Apply data masking in Azure SQL Database for PHI columns. Use Azure SQL Database threat detection.
AnswerA

Automated classification, granular access control, and auditing.

Why this answer

Microsoft Purview can scan data sources and classify sensitive data. Sensitivity labels can be applied automatically based on classification. Azure SQL Database supports Azure AD authentication and row-level security to restrict access.

Auditing logs can be sent to Log Analytics. Option A combines all these. Option B relies on manual labeling, which does not apply protection automatically, and a firewall rule that admits only administrators is coarse network control rather than per-user access control.

Option C uses Defender for Cloud, which flags sensitive data for posture purposes but does not classify and label it for protection. Option D uses dynamic data masking, which obscures values for non-privileged queries but does not prevent access, and threat detection does not replace an audit trail.

963
MCQeasy

A company wants to protect sensitive email data from being exfiltrated by malicious insiders. They need a solution that can detect and block anomalous outbound email traffic in real time. Which Microsoft solution should they use?

A.Microsoft Purview Information Protection
B.Microsoft Defender for Cloud Apps
C.Microsoft Defender for Office 365
D.Microsoft Sentinel
AnswerC

Defender for Office 365 includes anti-phishing, anti-spam, and anomaly detection for email.

Why this answer

Microsoft Defender for Office 365 (MDO) is the answer the question expects because the outbound spam filtering it is deployed with analyzes sending behaviour, such as a sudden spike in outbound volume or a user exceeding the sending limits, and can restrict or block the sender automatically. Strictly, that outbound spam policy belongs to Exchange Online Protection, the filtering layer every Exchange Online tenant has, and MDO builds on it. For content-based exfiltration (a specific document or data type leaving by email) the purpose-built control is a Purview DLP policy, which is not among the options.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud Apps (a CASB for cloud app activity monitoring) with Defender for Office 365, which is specifically built to protect email traffic at the transport layer, including outbound anomaly detection.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview Information Protection focuses on classifying, labeling, and encrypting data at rest or in transit, but it does not provide real-time detection or blocking of anomalous outbound email traffic. Option B is wrong because Microsoft Defender for Cloud Apps is a CASB that monitors cloud app usage and can detect anomalous behavior, but it is not designed to inspect and block outbound email traffic in real time at the email transport layer. Option D is wrong because Microsoft Sentinel is a SIEM/SOAR solution that aggregates and analyzes security logs for threat detection and response, but it does not natively perform real-time email traffic inspection or blocking at the mail flow level.

964
MCQhard

Refer to the exhibit. You are reviewing an ARM template for an Azure Function App. The function app uses a user-assigned managed identity and references a Key Vault secret for the storage connection string. The deployment fails because the function app cannot access the Key Vault secret. What is the most likely cause?

A.The function app is configured with a custom DNS server that cannot resolve the Key Vault URI
B.The secret name in the URI does not match the actual secret name in Key Vault
C.The Key Vault reference syntax is incorrect; it should use '@Microsoft.KeyVault(SecretUri=...)'
D.The user-assigned managed identity does not have a Key Vault access policy to get secrets
AnswerD

The identity needs an access policy to retrieve secrets from Key Vault.

Why this answer

Option D is correct because the identity that App Service uses to resolve Key Vault references must be allowed to read secrets: with the vault's access policy model that is a 'Get' secret permission on an access policy; with the RBAC model it is a role assignment such as Key Vault Secrets User. For a user-assigned identity there is a second requirement the template must meet: the site's keyVaultReferenceIdentity property must point at that identity, otherwise App Service attempts the reference with the system-assigned identity. Option B is wrong because the secret name in the reference matches the secret the exhibit defines. Option C is wrong because '@Microsoft.KeyVault(SecretUri=...)' is the correct reference syntax.

Option A is wrong because nothing in the exhibit configures custom DNS; with a public vault endpoint, name resolution is not the failing step.

965
MCQhard

Refer to the exhibit. A security architect is reviewing the network configuration of an Azure App Service app named 'finance-app'. The app needs to be accessible from a backend subnet via private endpoint. Which additional configuration is required?

A.Set publicNetworkAccess to Enabled
B.Configure regional VNet integration for the app
C.Create a private endpoint and associate it with the App Service
D.Enable IP-based SSL for the app
AnswerC

Private endpoint is required for inbound private connectivity; the vNet rule alone does not enable private endpoint

Why this answer

The exhibit shows network ACLs with a virtual network rule allowing traffic from a subnet. However, to use private endpoint, the app must be integrated with a private endpoint resource. The 'publicNetworkAccess' is disabled, but private endpoint access requires a private endpoint resource to be created and associated with the app.

Option C is correct. Option A is wrong because enabling public access would defeat the purpose of a private endpoint. Option B is wrong because regional VNet integration gives the app outbound access into the VNet, not inbound private access to it.

Option D is wrong because IP-based SSL concerns TLS certificate binding and has nothing to do with network access.

Once the private endpoint exists, clients in the backend subnet also need name resolution that returns the private IP: link a privatelink.azurewebsites.net private DNS zone to the VNet, or add the record to the DNS the subnet uses; otherwise finance-app still resolves to its public address and, with public access disabled, the request is refused.

966
MCQhard

You are a security architect for a large organization that uses Microsoft Sentinel, Microsoft Defender XDR, and Microsoft Entra ID. The organization has a hybrid identity environment with on-premises Active Directory synchronized to Azure AD. The security team needs to detect and automatically respond to a specific attack pattern: an attacker compromises a user's credentials and then uses a new device to sign in to a critical application from an unusual location. The response should block the user's account for one hour and reset the user's password. You have already configured Microsoft Sentinel to receive sign-in logs from Azure AD. You need to design the detection and automated response. What should you do?

A.Create a Microsoft Sentinel scheduled analytics rule that queries sign-in logs for unusual location and new device, then trigger a playbook to block the user and reset password.
B.Create a custom detection rule in Microsoft Defender XDR for the attack pattern and configure an automated action to block the user.
C.Enable the Microsoft Entra ID Protection data connector in Microsoft Sentinel, create an analytics rule from the 'Sign-in from new device' template, and configure a playbook to block the user and reset password.
D.Enable Microsoft Entra ID Protection and configure a risk-based Conditional Access policy to block access and require password change.
AnswerC

This leverages ID Protection's risk detections and Sentinel's automation capabilities.

Why this answer

Option C is correct because the Microsoft Entra ID Protection connector brings risk detections (including sign-ins from unfamiliar devices and locations) into Sentinel, an analytics rule built from the template turns them into incidents, and a playbook attached to the rule can disable the account and reset the password through Microsoft Graph. Because the requirement is a one-hour block, the playbook also needs a delayed step that re-enables the account. Option A is incorrect because a hand-written scheduled query re-implements, less reliably, the risk assessment ID Protection already provides. Option B is incorrect because a custom detection rule in Defender XDR does not use Sentinel for the detection and playbook-driven response the scenario specifies.

Option D is incorrect because a risk-based Conditional Access policy enforces at sign-in time and does not produce the Sentinel-driven automated response (account block plus password reset) the requirement calls for.

967
MCQhard

Proseware, a pharmaceutical company, is deploying a new AI-powered application using Azure OpenAI Service. The application will process sensitive research data and must comply with HIPAA. The security team wants to ensure that the data sent to the Azure OpenAI endpoint is not logged or stored by Microsoft, and that access to the service is restricted to authorized users with appropriate data classification. They also need to monitor for potential data exfiltration and prompt injection attacks. What should you recommend?

A.Use Azure OpenAI Service with default settings. Implement Microsoft Sentinel to detect threats. Use Azure Policy to enforce tagging of resources. Use Azure AD Conditional Access to require MFA for access.
B.Use Azure OpenAI Service with a private endpoint. Deploy Azure Information Protection to classify data. Use Azure Firewall to restrict access. Implement Azure DDoS Protection.
C.Use Azure OpenAI Service with managed identity. Configure Conditional Access to restrict access by IP. Use Azure Monitor to track usage. Implement Azure Key Vault for API keys.
D.Provision Azure OpenAI Service with a 'data processing addendum' (DPA) to ensure no data is stored or logged. Configure Content Filtering to block sensitive data. Use Microsoft Purview Data Classification to label research data. Use Microsoft Defender for Cloud Apps (part of Defender XDR) to create a session policy that monitors and blocks data exfiltration attempts. Enable audit logging to Microsoft Sentinel for anomaly detection.
AnswerD

Addresses data privacy, classification, and real-time exfiltration protection.

Why this answer

Option D is correct because it combines a Data Processing Addendum (DPA) to contractually prevent Microsoft from logging or storing data, Microsoft Purview Data Classification for labeling sensitive research data, and Microsoft Defender for Cloud Apps session policies to monitor and block data exfiltration. Additionally, enabling audit logging to Microsoft Sentinel provides anomaly detection for prompt injection attacks, fulfilling all HIPAA compliance and security requirements. Two details matter in practice: Azure OpenAI does not train models on customer prompts, but its abuse-monitoring feature can retain prompts and completions for up to 30 days unless the customer has been approved to turn it off, so the 'no logging or storage' requirement is met by that approval together with the contractual terms; and content filtering screens for harmful content categories rather than recognising regulated data, so the Purview labels and the session policy carry the data-protection part.

Exam trap

The trap here is that candidates often overlook the contractual Data Processing Addendum (DPA) as a requirement for HIPAA compliance, assuming technical controls alone suffice, and may confuse deprecated Azure Information Protection with the current Microsoft Purview solution.

How to eliminate wrong answers

Option A is wrong because default Azure OpenAI Service settings do not prevent Microsoft from logging or storing data, and Azure Policy tagging does not restrict access or monitor for data exfiltration. Option B is wrong because Azure Information Protection is deprecated in favor of Microsoft Purview, and Azure Firewall alone cannot monitor application-level data exfiltration or prompt injection. Option C is wrong because Conditional Access by IP does not prevent data logging by Microsoft, and Azure Monitor tracks usage but does not block data exfiltration or detect prompt injection attacks.

968
MCQeasy

Refer to the exhibit. You are reviewing an ARM template for an Azure storage account. The security team requires that only HTTPS traffic is allowed and that TLS 1.2 is enforced. Does this template meet the requirements?

A.No, because 'minimumTlsVersion' should be 'TLS1_0'
B.No, because 'supportsHttpsTrafficOnly' should be false
C.No, because 'defaultAction': 'Deny' blocks all traffic including HTTPS
D.Yes, the template correctly enforces HTTPS and TLS 1.2
AnswerD

Both properties are set correctly.

Why this answer

Option D is correct because the ARM template sets 'supportsHttpsTrafficOnly' to true, which enforces HTTPS-only traffic, and 'minimumTlsVersion' to 'TLS1_2', which enforces TLS 1.2 as the minimum protocol version. These two properties together fully satisfy the security team's requirement that only HTTPS traffic is allowed and TLS 1.2 is enforced.

Exam trap

The trap here is that candidates may confuse 'defaultAction': 'Deny' in network rules with blocking all traffic, when in fact it only denies traffic that does not match an explicit allow rule, and HTTPS traffic can still be permitted through a separate rule.

How to eliminate wrong answers

Option A is wrong because 'minimumTlsVersion' should be 'TLS1_2', not 'TLS1_0', as 'TLS1_0' would allow older, less secure TLS versions. Option B is wrong because 'supportsHttpsTrafficOnly' should be true to enforce HTTPS-only traffic; setting it to false would allow HTTP traffic. Option C is wrong because 'defaultAction': 'Deny' in a network rule set does not block all traffic including HTTPS; it blocks traffic that does not match an explicit allow rule, and HTTPS traffic can still be allowed via a separate rule.
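As an added example that is not part of the question bank or of any Microsoft tooling, a small policy-as-code check written for this page that reads an ARM template as JSON and reports the settings the questions above turn on: the storage-account HTTPS and TLS properties and the 'Deny with no allow rule' trap from this question, plus literal secrets where a securestring parameter or a Key Vault reference (the syntax from the Function App question) is expected. The two embedded templates are constructed; the vault URI, resource names and subnet ID are made up.

```python
"""Policy-as-code check for the ARM template settings discussed above.
Added example, not from the question bank or Microsoft; the two templates are constructed.
"""
import json
import re

# The two documented Key Vault reference forms App Service and Functions accept.
KV_REFERENCE = re.compile(
    r"^@Microsoft\.KeyVault\((SecretUri=https://[^;)]+"
    r"|VaultName=[^;)]+;SecretName=[^;)]+(;SecretVersion=[^;)]*)?)\)$"
)
# Property or app-setting names that must never carry a literal value.
SECRET_KEYS = re.compile(r"(password|secret|connectionstring|accountkey|azurewebjobsstorage)$", re.IGNORECASE)


def is_safe_secret_value(value: str) -> bool:
    """True for an ARM expression ('[...]', not the escaped literal '[[') or a Key Vault reference."""
    is_expression = value.startswith("[") and not value.startswith("[[")
    return is_expression or KV_REFERENCE.match(value) is not None


def check_parameters(template: dict) -> list:
    """A secret-named parameter typed 'string' is kept in clear in the deployment history."""
    findings = []
    for name, spec in template.get("parameters", {}).items():
        if SECRET_KEYS.search(name) and spec.get("type", "").lower() != "securestring":
            findings.append(f"parameters.{name}: type should be securestring, got {spec.get('type')}")
    return findings


def check_secrets(obj, path: str = "$") -> list:
    """Walk the template and flag secret-looking keys, or name/value app settings, holding literals."""
    findings = []
    if isinstance(obj, dict):
        if isinstance(obj.get("name"), str) and isinstance(obj.get("value"), str):
            # App-settings style {"name": ..., "value": ...}: the sensitive key is the name field.
            if SECRET_KEYS.search(obj["name"]) and not is_safe_secret_value(obj["value"]):
                findings.append(f"{path}.{obj['name']}: literal secret value")
            return findings
        for key, value in obj.items():
            child = f"{path}.{key}"
            if isinstance(value, str):
                if SECRET_KEYS.search(key) and not is_safe_secret_value(value):
                    findings.append(f"{child}: literal secret value")
            else:
                findings.extend(check_secrets(value, child))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            findings.extend(check_secrets(item, f"{path}[{i}]"))
    return findings


def check_storage_account(resource: dict) -> list:
    props = resource.get("properties", {})
    name = resource.get("name")
    findings = []
    if props.get("supportsHttpsTrafficOnly") is not True:
        findings.append(f"{name}: supportsHttpsTrafficOnly must be true")
    if props.get("minimumTlsVersion") != "TLS1_2":
        findings.append(f"{name}: minimumTlsVersion should be TLS1_2, got {props.get('minimumTlsVersion')}")
    acls = props.get("networkAcls", {})
    if acls.get("defaultAction") == "Deny" and not acls.get("ipRules") and not acls.get("virtualNetworkRules"):
        # Deny is the right default, but with no allow rule no client (HTTPS included) can reach the account.
        findings.append(f"{name}: defaultAction Deny with no ipRules/virtualNetworkRules blocks every client")
    return findings


def lint(template: dict) -> list:
    findings = check_parameters(template) + check_secrets(template.get("resources", []), "$.resources")
    for resource in template.get("resources", []):
        if resource.get("type") == "Microsoft.Storage/storageAccounts":
            findings.extend(check_storage_account(resource))
    return findings


def lint_file(path: str) -> list:
    with open(path, encoding="utf-8") as fh:
        return lint(json.load(fh))


# Constructed templates, trimmed to the properties under test.
WEAK_TEMPLATE = {
    "parameters": {"adminPassword": {"type": "string"}},
    "resources": [
        {"type": "Microsoft.Storage/storageAccounts", "name": "stweak", "properties": {
            "supportsHttpsTrafficOnly": False, "minimumTlsVersion": "TLS1_0",
            "networkAcls": {"defaultAction": "Deny", "ipRules": [], "virtualNetworkRules": []}}},
        {"type": "Microsoft.Sql/servers", "name": "sql-weak", "properties": {
            "administratorLogin": "sqladmin", "administratorLoginPassword": "P@ssw0rd123!"}},
        {"type": "Microsoft.Web/sites", "name": "func-weak", "properties": {"siteConfig": {"appSettings": [
            {"name": "AzureWebJobsStorage", "value": "DefaultEndpointsProtocol=https;AccountName=stweak;AccountKey=AAAA"}]}}},
    ],
}
SUBNET_ID = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/vnet/subnets/backend"
HARDENED_TEMPLATE = {
    "parameters": {"adminPassword": {"type": "securestring"}},
    "resources": [
        {"type": "Microsoft.Storage/storageAccounts", "name": "sthardened", "properties": {
            "supportsHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_2",
            "networkAcls": {"defaultAction": "Deny", "bypass": "AzureServices", "virtualNetworkRules": [{"id": SUBNET_ID}]}}},
        {"type": "Microsoft.Sql/servers", "name": "sql-hardened", "properties": {
            "administratorLogin": "sqladmin", "administratorLoginPassword": "[parameters('adminPassword')]"}},
        {"type": "Microsoft.Web/sites", "name": "func-hardened", "properties": {"siteConfig": {"appSettings": [
            {"name": "AzureWebJobsStorage",
             "value": "@Microsoft.KeyVault(SecretUri=https://kv-example.vault.azure.net/secrets/storage-connection/)"}]}}},
    ],
}
```

Against WEAK_TEMPLATE the check reports six findings (the string-typed password parameter, the literal SQL administrator password, the literal storage connection string in the app setting, HTTPS not enforced, TLS 1.0 allowed, and a Deny default with no allow rule); HARDENED_TEMPLATE produces none. `lint_file("azuredeploy.json")` runs the same checks on a real template before it reaches a pipeline. The Key Vault reference check only validates syntax; whether the identity can actually read the secret is the access-policy or role-assignment question from the Function App item above.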

969
Multi-Selecthard

Your organization uses Microsoft Entra ID and needs to implement a Zero Trust identity strategy. Which THREE principles should you apply?

Select 3 answers
A.Use least privilege access
B.Verify explicitly
C.Trust implicitly
D.Use a single authentication method
E.Assume breach
AnswersA, B, E

Least privilege limits access to only what is needed.

Why this answer

Option A is correct because least privilege access is a core Zero Trust principle that ensures users, devices, and services are granted only the minimum permissions necessary to perform their tasks. In Microsoft Entra ID, this is implemented through features like Privileged Identity Management (PIM), Conditional Access policies, and role-based access control (RBAC) to reduce the attack surface and limit lateral movement. Verify explicitly (B) means authenticating and authorizing every request on all available signals (identity, device health, location, sign-in risk) rather than trusting a network location; Conditional Access is the Entra ID enforcement point. Assume breach (E) means designing as if an attacker is already inside: segment access, require MFA everywhere, log and monitor sign-ins, and automate response so that a compromised account has a limited blast radius.

Exam trap

The trap here is that candidates often confuse 'Trust implicitly' with the legacy perimeter-based security model and select it as a valid principle, or mistakenly think a single authentication method simplifies management, but Zero Trust explicitly rejects both for continuous verification and defense-in-depth.
