Microsoft Cybersecurity Architect (SC-100) — Questions 76-150

969 questions total · 13 pages · All types, answers revealed

Page 2 of 13
76
MCQ · easy

A company uses Microsoft Defender for Cloud to assess the security posture of their Azure subscriptions. They want to receive alerts when a resource is deployed without encryption enabled. What should they configure?

A. Azure Blueprints
B. Microsoft Defender for Cloud regulatory compliance dashboard
C. Microsoft Defender for Cloud security alerts
D. Azure Policy definition to audit or deny resources without encryption
Answer: D

Correct: Azure Policy enforces encryption requirements.

Why this answer

Azure Policy with a custom policy definition can audit or deny resources without encryption. Defender for Cloud's regulatory compliance dashboard shows compliance status. Security alerts are for threats, not configuration drift.

Azure Blueprints are for packaging resources.

77
Multi-Select · medium

Which TWO of the following are valid methods to protect privileged accounts in Microsoft Entra ID?

Select 2 answers
A. Configure Conditional Access policies for privileged roles
B. Implement Privileged Identity Management (PIM)
C. Enable Identity Protection for all users
D. Enable Self-Service Password Reset (SSPR)
E. Use Azure AD Connect to sync privileged accounts
Answers: A, B

Conditional Access can enforce MFA and other controls for privileged roles.

Why this answer

Conditional Access policies can be configured to require stronger authentication, device compliance, or location-based controls specifically for users assigned to privileged roles (e.g., Global Administrator, Privileged Role Administrator). This directly protects privileged accounts by enforcing additional security requirements before granting access to Entra ID resources.

Exam trap

The trap here is that candidates often confuse general security features (like Identity Protection or SSPR) with dedicated privileged account protection mechanisms, failing to recognize that only PIM and Conditional Access policies for privileged roles directly control and restrict privileged access in Entra ID.

78
MCQ · medium

Your organization uses Microsoft Entra ID for identity and access management. You are developing a web application that needs to access Microsoft Graph API on behalf of the signed-in user. Which authentication flow should you implement?

A. Implicit Flow
B. Client Credentials Flow
C. Authorization Code Flow with PKCE
D. Device Code Flow
Answer: C

Recommended for web apps accessing APIs on behalf of a user.

Why this answer

Option C is correct because the Authorization Code Flow with PKCE is the recommended flow for web applications that need to access APIs on behalf of the user. Option B is wrong because Client Credentials Flow is for daemon applications, not on behalf of a user. Option D is wrong because Device Code Flow is for devices without browsers.

Option A is wrong because Implicit Flow is legacy and less secure.

79
MCQ · easy

Your company uses Microsoft Entra ID for identity management. You need to implement a solution to automatically detect and remediate risky sign-ins using machine learning. What should you configure?

A. Configure Microsoft Entra Connect to sync on-premises identities.
B. Configure Conditional Access policies with session controls.
C. Configure Microsoft Entra ID Protection and enable risk-based policies.
D. Configure Privileged Identity Management (PIM) for admin roles.
Answer: C

Identity Protection detects risky users and sign-ins and can auto-remediate.

Why this answer

Option C is correct because Identity Protection uses ML to detect risks and can automatically remediate (e.g., require MFA, block sign-in). Option B is wrong because Conditional Access policies enforce access controls but do not detect risks. Option D is wrong because Privileged Identity Management (PIM) manages privileged roles.

Option A is wrong because Azure AD (Entra ID) Connect syncs identities; it does not detect risk.

80
MCQ · medium

A retail company uses Microsoft Defender for APIs to protect its online store API. The security team notices unusual API calls from an IP address that is not in the allowed list. They want to block this IP address for 24 hours. What should they configure?

A. Configure API schema validation
B. Modify the authentication settings
C. Update the API collection
D. Create a rate-limiting rule
Answer: D

Rate-limiting rules can block specific IP addresses for a defined period.

Why this answer

Option D is correct because Defender for APIs allows creating a rate-limiting rule to block an IP. Option A is wrong because API schema validation validates request structure; it does not block IPs. Option B is wrong because authentication settings verify tokens.

Option C is wrong because API collections group APIs.

81
MCQ · hard

A company is designing a microservices architecture on Azure Kubernetes Service (AKS). Each microservice needs to authenticate to Azure SQL Database using its own identity. The security team requires that no service principal secrets or certificates be stored in the cluster. What should you implement to authenticate the microservices to Azure SQL Database?

A. Create a service principal and store its secret in Azure Key Vault; use the Key Vault Secrets Store CSI driver to mount it.
B. Enable a system-assigned managed identity on the AKS cluster nodes and have pods use it.
C. Use Azure AD Workload Identity for each pod to authenticate to Azure SQL Database using managed identities.
D. Store the Azure SQL connection string with credentials in a Kubernetes secret.
Answer: C

Workload Identity assigns an Azure AD identity to each pod, enabling secure authentication without secrets.

Why this answer

Azure AD Workload Identity (formerly AAD Pod Identity) allows pods to assume an Azure AD identity and authenticate to Azure resources without secrets. This integrates with Azure SQL's Azure AD authentication. Option C is the correct approach.

Service Principal with Key Vault still stores a secret. Managed identity at the node level is too broad. Storage of client secrets is not allowed.

82
MCQ · hard

You are a security architect for a global financial services company that uses Microsoft 365 E5 and Azure. The company has 50,000 users across 10 regions. The security team needs to detect and respond to identity-based threats in real-time, automate remediation for compromised accounts, and meet regulatory requirements for audit logging. The following requirements must be met: (1) Detect risky sign-ins and user anomalies, (2) Automatically block sign-ins when risk level is high, (3) Provide a centralized dashboard for security analysts to investigate incidents, (4) Retain logs for at least one year for compliance, (5) Minimize false positives by using machine learning. You have the following services available: Microsoft Entra ID P2, Microsoft Sentinel, Microsoft Defender for Identity, Microsoft Purview, and Microsoft Intune. Which combination of services should you use to meet all requirements?

A. Microsoft Intune and Microsoft Defender for Cloud
B. Microsoft Entra ID Protection (P2) and Microsoft Sentinel
C. Microsoft Defender for Identity and Microsoft Purview
D. Microsoft Purview and Microsoft Sentinel
Answer: B

Entra ID Protection detects risks and blocks high-risk sign-ins; Sentinel provides centralized SIEM with long-term retention.

Why this answer

Option B is correct because Microsoft Entra ID Protection (included in P2) detects risky sign-ins and user anomalies, and can automatically block high-risk sign-ins. Microsoft Sentinel ingests logs from Entra ID and other sources, provides a centralized SIEM dashboard for investigation, and retains logs for up to two years. Machine learning in both Entra ID Protection and Sentinel helps minimize false positives.

Option A is wrong because Intune does not provide identity threat detection or a centralized SIEM. Option C is wrong because Defender for Identity is for on-premises AD, not cloud-only identity. Option D is wrong because Purview is for data governance, not identity threat detection.

83
MCQ · hard

Your organization uses Microsoft Entra Verified ID to issue verifiable credentials to employees. You need to design a solution that allows employees to prove their employment status to third-party apps without exposing their full identity. What should you implement?

A. Microsoft Entra ID custom roles
B. Verifiable credentials with a custom credential type
C. Azure managed identities
D. Conditional Access policy with session controls
Answer: B

Verifiable credentials allow selective disclosure of attributes, such as employment status, without revealing full identity.

Why this answer

Option B is correct because a verifiable credential can contain only the attributes required (e.g., employment status) and is presented via a wallet. Option A is wrong because a custom role does not issue credentials. Option D is wrong because Conditional Access controls access but does not issue proofs.

Option C is wrong because managed identities are for Azure resources, not user identity.

84
MCQ · hard

A company uses Azure DevOps and wants to implement a DevSecOps practice by scanning code for secrets and vulnerabilities before deployment. Which tool should they integrate into their pipeline?

A. Azure Policy
B. Microsoft Purview
C. GitHub Advanced Security
D. Microsoft Defender for DevOps
Answer: D

Defender for DevOps integrates with Azure DevOps and GitHub to scan for secrets and vulnerabilities.

Why this answer

Option D is correct because Microsoft Defender for DevOps (now part of Microsoft Defender for Cloud) provides secret scanning, vulnerability scanning, and infrastructure-as-code scanning integrated into Azure DevOps and GitHub. Option A is wrong because Azure Policy enforces compliance but does not scan code. Option B is wrong because Microsoft Purview is for data governance.

Option C is wrong because GitHub Advanced Security is for GitHub, not Azure DevOps; Defender for DevOps supports Azure DevOps.

85
MCQ · medium

Refer to the exhibit. A network policy is applied in the production namespace. What is the effect on the webapp pod's ability to reach external services?

A. Ingress traffic is blocked
B. The pod can only communicate with kube-dns
C. The pod can communicate with any service
D. All egress traffic except to kube-dns is denied
Answer: D

The policy denies egress by default except for DNS.

Why this answer

Option D is correct because the network policy in the exhibit defines an egress rule that only allows traffic to kube-dns (port 53, UDP) and denies all other egress traffic by default. Since no other egress rules are specified, the webapp pod cannot reach any external services except the cluster's DNS resolver.

Exam trap

The trap here is that candidates often assume a network policy only affects ingress traffic or that a single egress rule allows all traffic, but in Kubernetes, any egress rule in a policy triggers a default-deny for all other egress traffic unless explicitly allowed.

How to eliminate wrong answers

Option A is wrong because the policy does not restrict ingress traffic; it only defines egress rules, so ingress traffic is unaffected. Option B is wrong because the pod can communicate with kube-dns, but the policy does not restrict communication to only kube-dns; it denies all other egress traffic, meaning the pod cannot reach any other service, including external ones. Option C is wrong because the policy explicitly denies all egress traffic except to kube-dns, so the pod cannot communicate with any arbitrary service.

86
MCQ · hard

A company is designing a hybrid identity solution with Microsoft Entra ID. They need to ensure that users can access resources from unmanaged devices while maintaining security. The security team requires that all access from unmanaged devices must be limited to browser-only access to web apps and must block native client apps. Which conditional access grant control should you configure?

A. Require multi-factor authentication
B. Require device to be marked as compliant
C. Require approved client app
D. Require hybrid Azure AD joined device
Answer: B

This grant control ensures only compliant devices (managed) get access; for unmanaged devices, you can combine with a session control to allow browser-only access.

Why this answer

Option B is correct because the 'Require device to be marked as compliant' grant control, when combined with a device compliance policy (e.g., via Microsoft Intune), enforces that only compliant devices can access resources. However, to meet the specific requirement of limiting access from unmanaged devices to browser-only access to web apps and blocking native client apps, you must configure a session control (not a grant control), such as 'Use app enforced restrictions' or 'Use Conditional Access App Control', in a policy that targets unmanaged devices and uses the 'Browser' client app condition. 'Require device to be marked as compliant' only applies when the device is managed; it is not directly applicable to unmanaged devices, because unmanaged devices cannot be compliant.

The question's answer is flawed: 'Require device to be marked as compliant' is not the right control for unmanaged devices, because it only works for managed devices. None of the listed grant controls meets the requirement for unmanaged devices; you would use a session control instead.

Given the options, the closest is B, but it is technically incorrect for unmanaged devices.

Exam trap

The trap here is that candidates confuse grant controls with session controls, assuming 'Require device to be marked as compliant' can be applied to unmanaged devices, when in fact it only works for devices enrolled in Intune or co-managed.

How to eliminate wrong answers

Option A is wrong because requiring multi-factor authentication does not restrict access to browser-only or block native client apps; it only adds an authentication factor. Option C is wrong because 'Require approved client app' allows native client apps that are approved (e.g., Microsoft apps), which contradicts the requirement to block native client apps entirely. Option D is wrong because 'Require hybrid Azure AD joined device' mandates domain-joined devices, which excludes unmanaged devices, failing the requirement to allow access from unmanaged devices.

87
Multi-Select · hard

Refer to the exhibit. You are reviewing an ARM template for a storage account. The security team has mandated that all storage accounts must enforce HTTPS traffic and use TLS 1.2 or higher. Which two changes must be made to the template to comply? (Choose two.)

Select 2 answers
A. Change 'minimumTlsVersion' to 'TLS1_2'
B. Set 'kind' to 'BlobStorage'
C. Add 'networkAcls' with defaultAction Deny
D. Change 'sku.name' to 'Standard_LRS'
E. Set 'supportsHttpsTrafficOnly' to true
Answers: A, E

TLS 1.0 is deprecated; must be at least 1.2.

Why this answer

Option A is correct because setting 'minimumTlsVersion' to 'TLS1_2' explicitly enforces that only TLS 1.2 or higher is accepted for HTTPS connections to the storage account, meeting the security mandate. Option E is correct because setting 'supportsHttpsTrafficOnly' to true ensures that all traffic to the storage account must use HTTPS, blocking any HTTP requests and aligning with the requirement to enforce HTTPS traffic.

Exam trap

Microsoft often tests the misconception that network access controls (like network ACLs) or storage account type changes can enforce encryption or TLS version requirements, when in fact only the explicit 'minimumTlsVersion' and 'supportsHttpsTrafficOnly' properties control these security settings.

88
Multi-Select · easy

Your organization is using Microsoft Sentinel for security operations. Which THREE data sources can be connected to Microsoft Sentinel out of the box? (Choose THREE.)

Select 3 answers
A. Azure Active Directory (now Microsoft Entra ID)
B. Amazon Web Services (AWS) CloudTrail
C. Azure DevOps
D. Microsoft 365 Defender
E. Power BI
Answers: A, B, D

Entra ID logs are a common connector.

Why this answer

Options A, B, and D are valid out-of-the-box connectors. Option C is wrong because Azure DevOps is not a default data connector. Option E is wrong because Power BI is not a data source connector.

89
Multi-Select · medium

Your company uses Azure Backup to protect VMs. You need to ensure that backup data is encrypted at rest and during transit. Which features should you enable? (Choose three.)

Select 3 answers
A. Azure Disk Encryption (BitLocker/DM-Crypt)
B. Azure Backup using Storage Service Encryption (SSE) or customer-managed keys
C. HTTPS for backup traffic
D. Azure Information Protection
E. Soft delete for Azure Backup
Answers: B, C, E

Encrypts backup data at rest.

Why this answer

Options B, C, and E are correct: Azure Backup encrypts data at rest using SSE or customer-managed keys, encrypts in transit using HTTPS, and soft delete prevents accidental deletion. Option A is wrong because Azure Disk Encryption encrypts OS/data disks but is not required for backup encryption. Option D is wrong because Azure Information Protection is for labeling, not backup encryption.

90
MCQ · hard

Your organization, Contoso Ltd., is a multinational company with 50,000 employees. They use Microsoft 365 E5, Azure, and Microsoft Sentinel. The security team wants to implement a data security solution that meets the following requirements: 1. All sensitive data stored in SharePoint Online and OneDrive for Business must be automatically classified and protected using sensitivity labels. 2. When a user attempts to share a file labeled 'Highly Confidential' with an external user, the action should be blocked and an alert sent to the security team. 3. The solution must detect and prevent data exfiltration from endpoints by monitoring copy/paste and print actions on sensitive data. 4. All data security events must be centralized in Microsoft Sentinel for correlation and investigation. 5. The solution must comply with regulatory requirements that mandate data retention and eDiscovery capabilities. You need to design the data security solution. Which combination of Microsoft security components should you use?

A. Microsoft Intune and Microsoft Entra ID
B. Microsoft Defender for Endpoint and Microsoft Sentinel
C. Microsoft Defender for Cloud Apps and Microsoft Entra ID
D. Microsoft Purview Information Protection, Microsoft Purview DLP, and Microsoft Purview eDiscovery
Answer: D

Covers all requirements.

Why this answer

Option D is correct. Microsoft Purview Information Protection auto-labeling policies meet requirement 1. DLP policies in Purview block sharing and alert (requirement 2).

Endpoint DLP in Purview monitors copy/paste/print (requirement 3). Purview audit logs are ingested into Microsoft Sentinel (requirement 4). Microsoft Purview eDiscovery and retention policies meet requirement 5.

Option C is wrong because Microsoft Defender for Cloud Apps does not provide endpoint DLP or eDiscovery. Option A is wrong because Microsoft Intune does not provide DLP or eDiscovery. Option B is wrong because Microsoft Defender for Endpoint focuses on endpoint protection, not data classification or eDiscovery.

91
MCQ · medium

Your company is migrating from on-premises Active Directory to Microsoft Entra ID. You need to ensure that users can authenticate using their existing on-premises credentials while gradually moving to cloud-only authentication. Which authentication method should you implement first?

A. Azure AD Connect
B. Active Directory Federation Services (AD FS)
C. Pass-through Authentication (PTA)
D. Password Hash Synchronization (PHS) with Seamless SSO
Answer: D

PHS is simple and supports gradual migration to cloud authentication.

Why this answer

Password Hash Synchronization (PHS) quickly syncs password hashes and allows Seamless SSO. Option D is correct. Option C (PTA) requires more infrastructure.

Option B (AD FS) is for federation. Option A (Azure AD Connect) is a broader strategy, not an authentication method.

92
Multi-Select · hard

Your organization uses Microsoft Entra ID and Microsoft Intune. You need to design a solution that allows corporate users to access a sensitive internal application only from managed devices that are compliant with company security policies. The solution should block access from personal devices. Which two components should you use? (Choose TWO.)

Select 2 answers
A. Microsoft Intune app protection policy
B. Microsoft Entra ID Conditional Access policy that requires hybrid Azure AD join
C. Microsoft Intune device enrollment
D. Microsoft Intune device compliance policy
E. Microsoft Entra ID Conditional Access policy that requires a compliant device
Answers: D, E

Defines the compliance requirements for managed devices.

Why this answer

Options D and E are correct because Intune compliance policies define the security requirements (e.g., encryption, OS version), and Conditional Access policies in Entra ID use the device compliance status to grant or block access. Option B (Conditional Access requiring hybrid Azure AD join) is redundant with E. Option A (app protection policy) is for app-level protection, not device management.

Option C (device enrollment) is a prerequisite but not the enforcement mechanism.

93
Multi-Select · hard

Your company uses Microsoft Sentinel to manage security incidents. You need to design a solution that automatically triages low-severity incidents and enriches them with threat intelligence. Which THREE capabilities would you include? (Choose three.)

Select 3 answers
A. Advanced hunting queries to investigate incidents.
B. Analytics rules to generate alerts for low-severity incidents.
C. Playbooks to perform enrichment actions like querying threat intelligence.
D. Automation rules to trigger playbooks on incident creation.
E. Watchlists to store known indicators for correlation.
Answers: C, D, E

Playbooks can enrich incidents with threat intelligence data.

Why this answer

Option D is correct because automation rules can take actions on incident creation. Option C is correct because playbooks can run complex workflows. Option E is correct because watchlists can be used for enrichment data.

Option B is wrong because analytics rules create incidents; they do not triage them. Option A is wrong because hunting queries are for proactive hunting, not triage.

94
MCQ · medium

Refer to the exhibit. You run the PowerShell command to retrieve information about a Managed HSM in Azure. The output shows that the HSM is in 'Provisioned' state and has two security domains. What is the purpose of the security domains?

A. To manage the HSM's private endpoint connections.
B. To back up and restore the HSM's key material and configuration.
C. To enable role-based access control (RBAC) for the HSM.
D. To define the HSM's network access and firewall rules.
Answer: B

Security domains contain the HSM's master key and are required for disaster recovery.

Why this answer

Option B is correct because Managed HSM security domains are used to back up the HSM's key material for disaster recovery. Option A is wrong because private endpoints are configured separately. Option D is wrong because network access and firewall rules are configured separately, not through the security domain.

Option C is wrong because security domains are not for RBAC; RBAC is managed via Azure RBAC.

95
MCQ · easy

You are designing a security solution for Azure resources. You need to ensure that any changes to network security groups (NSGs) are automatically logged and sent to a central Log Analytics workspace. Which Azure feature should you use?

A. Diagnostic settings on the Azure Activity Log
B. Azure Policy
C. NSG flow logs
D. Azure Monitor alerts
Answer: A

Activity Log records control plane events; diagnostic settings can stream these to Log Analytics.

Why this answer

Diagnostic settings on the Azure Activity Log capture all control-plane operations, including changes to NSGs (e.g., rule additions or deletions). By configuring a diagnostic setting to stream the Activity Log to a Log Analytics workspace, you ensure that every NSG modification is automatically logged and centralized for monitoring and alerting.

Exam trap

The trap here is confusing NSG flow logs (which log network traffic) with the Activity Log (which logs configuration changes), leading candidates to select NSG flow logs instead of diagnostic settings on the Activity Log.

How to eliminate wrong answers

Option B (Azure Policy) is wrong because Azure Policy enforces compliance rules (e.g., preventing NSG changes that allow all inbound traffic) but does not automatically log changes; it can trigger remediation but not send logs to Log Analytics. Option C (NSG flow logs) is wrong because NSG flow logs capture IP traffic data (source/destination, ports, protocols) through the NSG, not configuration changes to the NSG itself. Option D (Azure Monitor alerts) is wrong because alerts are reactive notifications based on log data or metrics; they do not capture or forward logs themselves.

96
Multi-Select · medium

Which TWO data protection mechanisms should you implement to protect data at rest in Azure SQL Database?

Select 2 answers
A. Transparent Data Encryption (TDE)
B. Azure Policy
C. Role-Based Access Control (RBAC)
D. Azure Firewall
E. Always Encrypted
Answers: A, E

TDE encrypts the database files at rest.

Why this answer

Options A and E are correct. TDE encrypts the database files, and Always Encrypted protects data in use and at rest by encrypting columns. Option D is wrong because Azure Firewall is a network security service.

Option C is wrong because RBAC controls access, not encryption. Option B is wrong because Azure Policy enforces compliance but does not encrypt.

97
MCQ · hard

Your company uses Microsoft Defender for Cloud to protect Azure resources. A critical application uses an Azure SQL Database. You need to ensure that all queries to the database are encrypted in transit and that the encryption protocol is the most secure version available. Which configuration should you enforce?

A. Set the minimal TLS version to 1.2 in the server's firewall rules.
B. Configure the database to reject unencrypted connections.
C. Set the connection policy to Proxy and force TCP.
D. Enable 'Force SSL' on the database.
Answer: A

This enforces that only clients using TLS 1.2 or higher can connect.

Why this answer

Option A is correct because Azure SQL Database supports TLS 1.2 by default and the minimal TLS version can be enforced at the server level via firewall rules or connection policy. Option C is wrong because TCP is a transport protocol, not encryption. Option D is wrong because forcing SSL only ensures encryption but may allow older TLS versions.

Option B is wrong because encrypted connections are not the default for all clients; you must enforce the minimal TLS version.

98
MCQ · easy

A company is moving to a zero-trust security model. Which principle is most important for securing network traffic?

A. Rely on perimeter firewalls to block threats
B. Verify explicitly every access request
C. Trust all traffic within the corporate network
D. Allow all traffic and monitor for anomalies
Answer: B

Zero-trust requires explicit verification for each access attempt.

Why this answer

In a zero-trust model, the principle of 'verify explicitly' means every access request—regardless of source—must be authenticated, authorized, and encrypted before being allowed. This eliminates implicit trust based on network location, which is the core shift from traditional perimeter-based security.

Exam trap

The trap here is that candidates often confuse zero-trust with traditional defense-in-depth, mistakenly thinking perimeter firewalls or anomaly detection are sufficient, when the exam specifically tests the 'verify explicitly' principle as the foundational requirement for zero-trust network traffic.

How to eliminate wrong answers

Option A is wrong because relying solely on perimeter firewalls assumes a trusted internal network, which violates zero-trust's 'never trust, always verify' mandate; threats can originate from inside the network. Option C is wrong because trusting all traffic within the corporate network is the opposite of zero-trust; it ignores lateral movement risks and assumes internal traffic is safe, which is a common attack vector. Option D is wrong because allowing all traffic and monitoring for anomalies is a detect-and-respond approach, not a prevent-and-verify one; zero-trust requires explicit denial by default and only allowing traffic after verification, not passive monitoring.

99
MCQ · hard

Refer to the exhibit. You are reviewing a Microsoft Sentinel analytics rule in your workspace. The output shows the rule 'MFA Disabled' is enabled with severity Medium. The query returns events where MFA is absent. What is the primary issue with this rule?

A. The rule should be disabled until tuned.
B. The severity should be High.
C. The trigger threshold is too low.
D. The query does not include a time range, which will cause excessive alerts.
Answer: D

Without a time filter, the rule will fire on all historical data.

Why this answer

Option D is correct because the query is too broad and will generate excessive alerts (no time filter). Option B is wrong because the severity is Medium, which is acceptable. Option A is wrong because the rule is enabled.

Option C is wrong because the threshold and operator are defined.

100
MCQ · medium

Your organization uses Microsoft Sentinel for security information and event management (SIEM). You need to design a solution to detect brute-force attacks against Azure virtual machines. The solution should use Azure Activity Logs and Windows Security Events. What should you configure in Sentinel?

A. Create a threat intelligence watchlist
B. Create a workbook
C. Create a scheduled analytics rule
D. Create a playbook
Answer: C

Scheduled analytics rules run queries at intervals to detect threats.

Why this answer

Option C is correct because Sentinel can ingest Azure Activity Logs and Windows Events, and then use scheduled analytics rules to detect brute-force patterns. Option A is wrong because watchlists are for reference data, not detection logic. Option B is wrong because workbooks visualize data; they do not detect.

Option D is wrong because playbooks automate responses; they do not detect.

101
MCQ · hard

You are designing a security baseline for Azure resources that host a critical application. The application uses Azure SQL Database, Azure Storage, and Azure Key Vault. You need to ensure that all resources use managed identities for authentication and that no secrets are stored in code or configuration files. Which combination of controls should you include in the baseline?

A. Use user-assigned managed identities for all resources. Configure Key Vault access policies to allow the managed identity. Disable anonymous access to Storage.
B. Use system-assigned managed identities for all resources. Store connection strings in Key Vault secrets and configure SQL Database to use Azure AD authentication.
C. Use system-assigned managed identities for all resources. Configure each resource to use the managed identity. Disable local authentication on Key Vault and Storage. Enable Azure AD-only authentication on SQL Database.
D. Use user-assigned managed identities for all resources. Create a service principal with a client secret for Key Vault access.
Answer: C

This eliminates secrets entirely by using managed identities and disabling local authentication, enforcing Azure AD-only access.

Why this answer

Option C is correct because it enforces the principle of using managed identities for authentication without storing any secrets. System-assigned managed identities are tied directly to each Azure resource, eliminating the need for credential management. Disabling local authentication on Key Vault and Storage, and enabling Azure AD-only authentication on SQL Database, ensures that only managed identities (or other Azure AD identities) can authenticate, meeting the requirement that no secrets are stored in code or configuration files.

Exam trap

The trap here is that candidates read Option B's 'store connection strings in Key Vault' as meeting the requirement. Key Vault is the right place for secrets you cannot avoid, but a SQL connection string with a password in it is still a reusable credential: the app has to fetch it at runtime, it sits in process memory, and anyone who can read the vault can use it. The question asks you to eliminate that class of credential by authenticating directly with managed identities and closing the password-based paths.

How to eliminate wrong answers

Option A is wrong because user-assigned managed identities are not required for this scenario; system-assigned identities are simpler and directly tied to each resource. More critically, configuring Key Vault access policies alone does not disable local authentication, leaving a potential attack surface where secrets could be stored or used. Option B is wrong because storing connection strings in Key Vault secrets still requires retrieving those secrets at runtime, which introduces a secret into memory or configuration; the requirement is to use managed identities directly without any secrets.

Option D is wrong because creating a service principal with a client secret reintroduces a secret that must be stored and managed, violating the 'no secrets stored in code or configuration files' mandate; user-assigned managed identities are also unnecessary here.
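A baseline check for the controls in Option C, as an added example that is not from the original page: a Python audit over resource documents in the shape `az resource show` returns, flagging storage accounts that still accept shared-key or anonymous access, SQL servers that still allow SQL logins, Key Vaults still on access policies, and an app host that either lacks a system-assigned identity or carries a credential in its app settings. The resource documents, names and the secret-detection pattern are constructed for the example; the property names (allowSharedKeyAccess, allowBlobPublicAccess, enableRbacAuthorization, administrators.azureADOnlyAuthentication) are the real Azure Resource Manager ones.

```python
import re

# Constructed resource documents in the shape returned by `az resource show`
# (type, name, identity, properties). Not exported from a real subscription.
RESOURCES = [
    {"type": "Microsoft.Web/sites", "name": "app-critical",
     "identity": {"type": "SystemAssigned"},
     "properties": {"siteConfig": {"appSettings": [
         {"name": "SQL_SERVER", "value": "sql-critical.database.windows.net"},
         {"name": "KEYVAULT_URI", "value": "https://kv-critical.vault.azure.net/"},
     ]}}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "stcritical",
     "properties": {"allowSharedKeyAccess": False, "allowBlobPublicAccess": False}},
    {"type": "Microsoft.KeyVault/vaults", "name": "kv-critical",
     "properties": {"enableRbacAuthorization": True}},
    {"type": "Microsoft.Sql/servers", "name": "sql-critical",
     "properties": {"administrators": {"azureADOnlyAuthentication": True}}},
]

# Fragments that indicate a credential has leaked into configuration (assumed list).
SECRET_PATTERN = re.compile(r"(Password=|AccountKey=|SharedAccessSignature=|sig=|client_secret)", re.I)


def audit_resource(resource):
    """Return a list of baseline violations for one resource (empty when compliant).
    Missing properties are treated as the Azure default, which is the insecure one
    for shared-key and anonymous blob access."""
    rtype, name = resource["type"], resource["name"]
    props = resource.get("properties", {})
    findings = []
    if rtype == "Microsoft.Web/sites":
        if "SystemAssigned" not in resource.get("identity", {}).get("type", ""):
            findings.append(f"{name}: no system-assigned managed identity")
        for setting in props.get("siteConfig", {}).get("appSettings", []):
            if SECRET_PATTERN.search(str(setting.get("value", ""))):
                findings.append(f"{name}: app setting {setting['name']} contains a secret")
    elif rtype == "Microsoft.Storage/storageAccounts":
        if props.get("allowSharedKeyAccess", True):
            findings.append(f"{name}: shared key authentication enabled (allowSharedKeyAccess)")
        if props.get("allowBlobPublicAccess", True):
            findings.append(f"{name}: anonymous blob access allowed (allowBlobPublicAccess)")
    elif rtype == "Microsoft.KeyVault/vaults":
        if not props.get("enableRbacAuthorization", False):
            findings.append(f"{name}: vault uses access policies instead of Azure RBAC")
    elif rtype == "Microsoft.Sql/servers":
        if not props.get("administrators", {}).get("azureADOnlyAuthentication", False):
            findings.append(f"{name}: SQL logins still allowed (Entra-only authentication off)")
    return findings


def audit_baseline(resources):
    """Flatten the findings across every resource in the application's footprint."""
    return [finding for resource in resources for finding in audit_resource(resource)]


if __name__ == "__main__":
    print(audit_baseline(RESOURCES) or "baseline satisfied")
```

The same conditions are what an Azure Policy definition would audit or deny at deployment time; running them as a script is useful for the one-off review of an existing estate before the policy is assigned in deny mode.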

102
Multi-Selecthard

Your organization uses Microsoft Purview to protect sensitive data. You need to implement a solution that automatically detects and protects personally identifiable information (PII) in Microsoft 365. Which THREE should be part of your solution? (Choose THREE.)

Select 3 answers
A.Azure Policy
B.Microsoft Defender for Cloud
C.Microsoft Purview Information Protection scanner
D.Microsoft Purview Data Loss Prevention (DLP) policies
E.Sensitivity labels in Microsoft Purview Information Protection
AnswersC, D, E

Scans on-premises data for sensitive content.

Why this answer

C, D, and E are correct. Data Loss Prevention (DLP) policies detect PII with sensitive information types and apply actions such as blocking, warning or reporting. Sensitivity labels classify the content and carry protection (encryption, access restrictions) with it wherever it travels.

The Microsoft Purview Information Protection scanner (formerly the Azure Information Protection scanner) discovers and labels sensitive content in on-premises file shares and SharePoint Server, repositories the cloud services cannot inspect on their own. Option A is wrong because Azure Policy governs Azure resource configuration, not data content. Option B is wrong because Microsoft Defender for Cloud is a cloud security posture and workload protection service, not a data classification engine.

103
MCQeasy

You are designing a security operations strategy for Microsoft 365. You need to prioritize alerts from Microsoft Defender XDR based on their impact on business operations. Which security best practice should you follow?

A.Prioritize alerts based on a risk assessment that considers asset criticality, threat severity, and business impact
B.Prioritize alerts based on a qualitative risk assessment only
C.Treat all alerts with equal severity to ensure none are missed
D.Prioritize alerts based solely on the MITRE ATT&CK technique involved
AnswerA

Risk-based prioritization ensures resources are focused on the most impactful threats.

Why this answer

Option A is correct because Microsoft Defender XDR's incident model supports risk-based triage: every alert carries a severity (Informational, Low, Medium, High), alerts are correlated into incidents that list the affected devices, users and mailboxes, and that asset context is what you weigh against business impact (for example, whether the data involved carries a sensitivity label or the host runs a critical service). Prioritizing on that combined picture, rather than on any single attribute, is the security operations best practice the question is after, because it puts analyst time on the incidents that would hurt the business most.

Exam trap

The trap here is that candidates may choose Option D because MITRE ATT&CK is a common framework in security operations, but they overlook that Microsoft Defender XDR's prioritization engine uses a multi-faceted risk assessment (including asset criticality and business impact) rather than a single technique-based filter.

How to eliminate wrong answers

Option B is wrong because a qualitative risk assessment alone lacks the quantitative data (e.g., asset criticality scores, threat severity levels) that Microsoft Defender XDR uses to dynamically prioritize alerts, leading to subjective and inconsistent triage. Option C is wrong because treating all alerts with equal severity ignores the risk-based prioritization built into Microsoft Defender XDR, which uses machine learning and threat intelligence to assign different severity levels (e.g., High, Medium, Low) and would overwhelm security operations with noise. Option D is wrong because prioritizing solely on the MITRE ATT&CK technique ignores asset criticality and business impact; for example, a low-severity technique on a critical server may be more impactful than a high-severity technique on a non-critical endpoint, and Microsoft Defender XDR's alert enrichment includes asset context beyond just the technique.

104
MCQeasy

A company is adopting Microsoft Purview for data security. They need to prevent users from sharing sensitive data like credit card numbers via email. Which feature should you configure?

A.Audit log search
B.Data Loss Prevention (DLP) policy
C.Insider Risk Management policy
D.Sensitivity labels
AnswerB

Specifically blocks sharing of sensitive information.

Why this answer

Data Loss Prevention (DLP) policies in Microsoft Purview are specifically designed to detect and prevent the accidental or intentional sharing of sensitive information, such as credit card numbers, through email and other channels. By configuring a DLP policy with a rule that scans for credit card number patterns (using predefined or custom sensitive info types), the system can block, quarantine, or notify users when such data is sent via Exchange Online. This directly addresses the requirement to prevent sharing sensitive data via email.

Exam trap

The trap here is that candidates often confuse Sensitivity labels as a direct replacement for DLP, but labels are for classification and protection (e.g., encryption), not for real-time content inspection and blocking of specific data patterns like credit card numbers in email.

How to eliminate wrong answers

Option A is wrong because Audit log search is a forensic tool for reviewing past activities, not a preventive control that blocks data sharing in real time. Option C is wrong because Insider Risk Management policies focus on identifying and investigating risky user behaviors (e.g., data exfiltration patterns) rather than enforcing content-based restrictions on outbound email. Option D is wrong because Sensitivity labels classify and protect data through encryption and visual markings, but they do not inherently block the transmission of specific sensitive data types like credit card numbers via email without being combined with a DLP policy.

105
MCQeasy

Tailwind Traders is a small business that uses Microsoft 365 Business Premium. They have no dedicated IT staff. The owner wants to implement basic security measures to protect against common threats like phishing, ransomware, and unauthorized access. They need a simple, cost-effective solution that aligns with Microsoft's security best practices for small businesses. Which set of actions should you recommend?

A.Implement Privileged Identity Management (PIM) for all accounts. Use Azure Information Protection to classify all emails. Set up a SIEM using Microsoft Sentinel.
B.Deploy Microsoft Intune to manage devices. Configure Conditional Access policies to require compliant devices. Use Microsoft Defender for Endpoint for antivirus. Set up a VPN for remote access.
C.Purchase Azure AD Premium P2 for all users. Use Identity Protection to detect risks. Configure Conditional Access with session controls. Use Azure AD Identity Governance for access reviews.
D.Enable Security Defaults in Microsoft Entra ID to enforce MFA for all users. Configure Microsoft Defender for Office 365 to protect against phishing and malware. Use Microsoft Defender for Business (included) for endpoint protection. Regularly review the Microsoft 365 Secure Score and implement top recommendations.
AnswerD

Simple, built-in features that provide strong baseline security.

Why this answer

Option D is correct because it aligns with Microsoft's security best practices for small businesses with no dedicated IT staff. Security Defaults in Microsoft Entra ID provide a baseline of MFA enforcement without requiring complex configuration. Microsoft Defender for Office 365 and Defender for Business (included in Microsoft 365 Business Premium) offer integrated phishing, malware, and endpoint protection.

Regularly reviewing the Secure Score ensures continuous improvement against common threats like ransomware and unauthorized access.

Exam trap

The trap here is that candidates often over-engineer the solution by selecting advanced identity or endpoint management options (like PIM, Intune, or Azure AD Premium P2) that are technically valid but inappropriate for a small business with no IT staff, ignoring the cost and complexity constraints explicitly stated in the scenario.

How to eliminate wrong answers

Option A is wrong because Privileged Identity Management (PIM) requires Microsoft Entra ID P2, which Microsoft 365 Business Premium does not include (it ships with P1), and Microsoft Sentinel is a SIEM that needs someone to tune and operate it; both are overkill for a business with no IT staff. Option B is wrong not on licensing grounds (Business Premium includes Intune, and Conditional Access is available through the included P1 licence) but because device enrollment, compliance policies and a VPN all need ongoing administration, and a VPN does nothing against phishing or ransomware delivered by email. Option C is wrong because Entra ID P2 for every user is an additional cost, and Identity Protection and Identity Governance are designed for organizations with an identity team to act on their findings, not for a hands-off baseline.

106
MCQeasy

Your organization needs to monitor and respond to threats across email, endpoints, and identities. Which Microsoft solution provides a unified incident response experience?

A.Microsoft Purview
B.Microsoft Intune
C.Microsoft Defender XDR
D.Microsoft Sentinel
AnswerC

Defender XDR unifies incidents across domains.

Why this answer

Microsoft Defender XDR (Extended Detection and Response) is the correct choice because it provides a unified incident response experience by correlating alerts and signals from email (Defender for Office 365), endpoints (Defender for Endpoint), and identities (Defender for Identity) into a single incident queue. This cross-domain correlation enables security teams to investigate and remediate complex multi-stage attacks from a single pane of glass, rather than switching between separate consoles.

Exam trap

The trap here is that candidates often confuse Microsoft Sentinel (a SIEM) with Microsoft Defender XDR (an XDR). Sentinel correlates whatever logs you connect to it through analytics rules and KQL, whereas Defender XDR correlates the Microsoft security signals into cross-domain incidents out of the box, with no rules to write.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview is a compliance and data governance solution focused on data classification, retention, and eDiscovery, not on real-time threat detection or incident response across email, endpoints, and identities. Option B is wrong because Microsoft Intune is a mobile device management (MDM) and mobile application management (MAM) service for managing devices and apps, not a security operations tool for monitoring and responding to threats. Option D is wrong because Microsoft Sentinel is a cloud-native SIEM that ingests logs from many sources and provides analytics, hunting and automation; it receives Defender XDR incidents through the Defender XDR data connector rather than producing the cross-domain correlation itself, so the unified investigation experience the question describes is Defender XDR's.

107
MCQhard

A company uses Azure Kubernetes Service (AKS) with Azure Active Directory (Azure AD) integration. They want to restrict developers to only be able to create and manage pods and services, but not modify cluster-level resources like nodes or namespaces. What should they configure?

A.Assign the cluster-admin ClusterRole to the developers
B.Create a custom ClusterRole with rules for pods and services, then bind it to the developer group with a ClusterRoleBinding
C.Create a RoleBinding in each namespace for developers
D.Use Azure RBAC to grant Contributor role on the AKS cluster
AnswerB

This grants cluster-wide but limited access to only specified resources.

Why this answer

Option B is correct because Kubernetes RBAC allows fine-grained authorization. A custom ClusterRole can define rules for pods and services (core API group resources), and a ClusterRoleBinding binds it to the developer group across all namespaces. This grants the required permissions without allowing modifications to cluster-level resources like nodes or namespaces, which are not included in the custom role's rules.

Exam trap

The trap here is that candidates often confuse namespace-scoped RoleBindings with cluster-scoped ClusterRoleBindings, or mistakenly think that Azure RBAC's Contributor role provides the same granularity as Kubernetes RBAC, when in fact it grants overly broad permissions that include cluster-level modifications.

How to eliminate wrong answers

Option A is wrong because cluster-admin grants superuser access to every resource, including nodes and namespaces. Option C is wrong as the intended single answer because a RoleBinding is namespace-scoped: it would have to be created (and maintained) in every namespace developers use, and it still needs a Role or ClusterRole to define the permitted verbs. It is a valid, tighter-scoped design when developers should only see their own namespaces, but it does not give the cluster-wide pod and service access the question implies. Option D is wrong because Azure RBAC's Contributor role on the AKS resource is an Azure control-plane permission: it can change or delete the cluster itself and, unless local accounts are disabled, fetch the cluster admin credentials, which is far broader than the requested scope.
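To make the scope difference between the options concrete, here is an added example (not from the original page) that simulates Kubernetes RBAC authorization in Python: the developer ClusterRole from Option B, bound once with a ClusterRoleBinding, the same role bound with a namespaced RoleBinding (Option C), and cluster-admin (Option A). The group object ID, namespace names and the list of cluster-scoped resources are constructed; the allow-only semantics and the binding scoping rules are those of the Kubernetes API server.

```python
# Cluster-scoped resources carry no namespace; everything else is namespaced (assumed subset).
CLUSTER_SCOPED = {"nodes", "namespaces", "persistentvolumes", "clusterroles", "clusterrolebindings"}

ROLES = {
    "developer": {  # the custom ClusterRole from Option B: pods and services only
        "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log", "services"],
                   "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]}],
    },
    "cluster-admin": {  # the built-in superuser role from Option A
        "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
    },
}

# AKS with Entra integration presents group membership by object ID (constructed value).
DEV_GROUP = "8f1c2e4a-5b6d-4e7f-8a9b-0c1d2e3f4a5b"

# Option B: one ClusterRoleBinding, so the ClusterRole applies in every namespace.
OPTION_B_BINDINGS = [
    {"kind": "ClusterRoleBinding", "roleRef": "developer",
     "subjects": [{"kind": "Group", "name": DEV_GROUP}]},
]


def _rule_allows(rule, api_group, resource, verb):
    return (("*" in rule["apiGroups"] or api_group in rule["apiGroups"])
            and ("*" in rule["resources"] or resource in rule["resources"])
            and ("*" in rule["verbs"] or verb in rule["verbs"]))


def can(bindings, group, verb, resource, namespace=None, api_group=""):
    """RBAC is allow-only: the request is permitted if any binding for the subject
    references a role with a matching rule. A RoleBinding only counts inside its own
    namespace (and never for cluster-scoped resources); a ClusterRoleBinding counts
    everywhere. Pass namespace=None for cluster-scoped resources."""
    if (resource in CLUSTER_SCOPED) != (namespace is None):
        raise ValueError("namespace must be given for namespaced resources and omitted otherwise")
    for binding in bindings:
        if not any(s["kind"] == "Group" and s["name"] == group for s in binding["subjects"]):
            continue
        if binding["kind"] == "RoleBinding" and (namespace is None or binding["namespace"] != namespace):
            continue
        if any(_rule_allows(r, api_group, resource, verb) for r in ROLES[binding["roleRef"]]["rules"]):
            return True
    return False


if __name__ == "__main__":
    print("create pods in team-a:", can(OPTION_B_BINDINGS, DEV_GROUP, "create", "pods", "team-a"))
    print("delete nodes:", can(OPTION_B_BINDINGS, DEV_GROUP, "delete", "nodes"))
```

On a live cluster the same questions are answered with `kubectl auth can-i create pods --as=someone --as-group=<group object ID>`; note that the developer role deliberately omits Deployments (apps API group), which a real developer role would usually need to add explicitly.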

108
MCQmedium

A company uses Microsoft Intune to manage devices. They need to ensure that only devices with a minimum OS version can access corporate email. Which policy type should they implement?

A.Device enrollment restrictions
B.App protection policies
C.Compliance policies combined with conditional access
D.Device configuration profiles
AnswerC

Compliance policy checks OS version; conditional access blocks non-compliant.

Why this answer

Option C is correct because a compliance policy evaluates device properties such as minimum OS version and reports the device as compliant or not, and a Conditional Access policy that requires a compliant device then blocks Exchange Online access from devices that fail the check. Option A is wrong because enrollment restrictions decide which devices may enroll at all, not whether an enrolled device may reach email. Option B is wrong because app protection policies govern data inside managed apps (copy/paste, save-as, PIN) rather than gating access on device state.

Option D is wrong because device configuration profiles push settings to devices; they do not evaluate or enforce access conditions.

109
Multi-Selecteasy

Your organization uses Microsoft Purview Information Protection to label sensitive emails. You need to ensure that labels are applied automatically based on content. Which THREE methods can you use?

Select 3 answers
A.Manual labeling by users
B.File plan (for records management)
C.Sensitive information types
D.Auto-labeling policies in Microsoft Purview
E.Trainable classifiers
AnswersC, D, E

Sensitive info types detect data like credit cards for automatic labeling.

Why this answer

Sensitive information types (C) are predefined or custom patterns that detect sensitive data such as credit card numbers or social security numbers, enabling automatic label application. Auto-labeling policies in Microsoft Purview (D) apply labels automatically to emails and files based on conditions like sensitive information types or trainable classifiers. Trainable classifiers (E) use machine learning to identify content patterns and automatically apply labels without requiring explicit pattern definitions.

Exam trap

The trap here is that candidates may confuse manual labeling or records management tools (like file plans) with automatic content-based labeling mechanisms, but only sensitive information types, auto-labeling policies, and trainable classifiers directly support automatic label application based on content analysis.

110
MCQeasy

You are designing identity security for a hybrid organization using Microsoft Entra ID. You need to enforce multi-factor authentication (MFA) for all users accessing sensitive applications. What is the recommended approach?

A.Create a Conditional Access policy that requires MFA for the sensitive applications
B.Enable Security defaults
C.Enable per-user MFA in Entra ID
D.Use Azure AD Identity Protection user risk policy
AnswerA

Granular and recommended method.

Why this answer

Conditional Access policies in Entra ID are the recommended method to require MFA for specific applications. The other options are less granular or outdated: per-user MFA is legacy, Security defaults apply to all apps and cannot be scoped, and Azure AD Identity Protection focuses on risk-based policies.

111
MCQmedium

Your organization uses Microsoft Intune to manage iOS/iPadOS devices. You need to ensure that devices must have a minimum OS version and cannot be jailbroken. Which configuration profile type should you assign?

A.Device configuration policy.
B.Device restrictions profile.
C.Enrollment restriction.
D.Compliance policy.
AnswerD

Compliance policies define conditions like min OS version and jailbreak status.

Why this answer

Option D is correct because compliance policies are where you state device requirements such as minimum OS version and jailbreak detection, and the result (compliant or not) can then be consumed by Conditional Access. Option A is wrong because device configuration policies push settings rather than evaluate requirements. Option B is wrong because a device restrictions profile is a kind of configuration profile that limits device features (camera, app store and so on), not a compliance check.

Option C is wrong because enrollment restrictions apply only at enrollment time and cannot react to a device later being jailbroken.

112
MCQeasy

You need to secure Azure Blob Storage by encrypting data at rest using customer-managed keys stored in Azure Key Vault. What should you configure?

A.Enable Azure Purview to manage encryption keys.
B.Enable Azure Disk Encryption for the storage account.
C.Configure encryption with customer-managed keys in Azure Key Vault and enable infrastructure encryption.
D.Enable Azure Information Protection for the storage account.
AnswerC

CMK in Key Vault satisfies the requirement; infrastructure encryption is an optional second layer.

Why this answer

Option C is correct because Azure Storage encryption at rest can use customer-managed keys held in Azure Key Vault (the storage account's managed identity is granted get, wrap and unwrap permissions on the key). Enabling infrastructure encryption adds a second, independent AES-256 layer with a platform-managed key ('double encryption'); it is not required for CMK and can only be set when the storage account is created. Option A is wrong because Azure Purview (now Microsoft Purview) is a data governance and compliance service, not a key management service. Option B is wrong because Azure Disk Encryption encrypts VM disks, not storage accounts.

Option D is wrong because Azure Information Protection classifies and labels documents; it does not encrypt a storage account's data at rest.

113
MCQeasy

Your company is deploying a critical application on Azure App Service. You need to secure the application by restricting access to only users within your organization. The application should be accessible from both corporate-managed devices and personal devices that are enrolled in Microsoft Intune. You want to use Microsoft Entra ID for authentication and require that users authenticate using multi-factor authentication (MFA). What should you configure?

A.Use Azure AD B2B collaboration to allow only users from your organization.
B.Configure a Conditional Access policy in Microsoft Entra ID that targets the application, requires MFA, and requires a compliant device.
C.Enable App Service authentication and authorization with Microsoft Entra ID as the identity provider.
D.Create an app registration in Microsoft Entra ID and assign users to the enterprise application.
AnswerB

Conditional Access can enforce MFA and device compliance via Intune.

Why this answer

Option B is correct because a Conditional Access policy targeted at the application can require both multifactor authentication and a device that Intune reports as compliant, which covers corporate-managed and enrolled personal devices alike. Option C is wrong because App Service authentication with Microsoft Entra ID as the identity provider only establishes who the user is; on its own it enforces neither MFA nor device compliance (although it is the integration that lets a Conditional Access policy apply to the app, so in practice B builds on it). Option D is wrong because an app registration with user assignment restricts which users can sign in but enforces no MFA.

Option A is wrong because Azure AD B2B collaboration exists to invite external users; it is not a control for restricting access to your own organization's users.

114
Multi-Selectmedium

Which TWO actions should you take to implement a zero-trust identity strategy in Microsoft Entra ID?

Select 2 answers
A.Enable single sign-on for all applications
B.Require multi-factor authentication for all users
C.Implement passwordless authentication for all users
D.Synchronize all on-premises identities to the cloud
E.Configure Conditional Access policies based on user risk and device compliance
AnswersB, E

MFA is a key zero-trust principle.

Why this answer

B is correct because MFA is a core zero-trust control: verify explicitly with more than a password. E is correct because Conditional Access is the policy engine that acts on signals such as user risk and device compliance, which is how 'never trust, always verify' is enforced. C is wrong only in the sense the question intends: passwordless authentication is strongly recommended, but it is an authentication method choice rather than the policy control being asked for.

A is wrong because single sign-on is a usability feature, not a trust decision. D is wrong because synchronizing on-premises identities is hybrid identity plumbing; it does not by itself verify anything.

115
MCQhard

Refer to the exhibit. You are deploying this Bicep template to enable Microsoft Defender for Cloud's VM protection. After deployment, you notice that Agentless VM scanning is not enabled for existing VMs. What is the most likely reason?

A.The pricing tier must be 'Free' to enable agentless scanning.
B.Agentless scanning is only enabled for new VMs; existing VMs require rescanning.
C.The resource name 'VirtualMachines' is incorrect; it should be 'virtualMachines'.
D.The extension 'AgentlessVmScanning' must be defined outside the pricing resource.
AnswerB

The setting applies to new VMs; existing VMs need a manual rescan.

Why this answer

Option B is correct: the extension block on the VirtualMachines pricing resource turns agentless scanning on for the Defender for Servers plan, and the scenario's observation is that VMs that already existed are not yet covered and must be (re)scanned. Option A is wrong because agentless scanning is a paid Defender for Servers capability; the tier must be Standard, not Free. Option C is wrong because 'VirtualMachines' is the correct name for the Defender for Servers pricing resource.

Option D is wrong because extensions are a property of the pricing resource itself; declaring AgentlessVmScanning outside it is not valid Bicep for this resource type.

116
MCQeasy

Your organization needs to audit all changes to Azure resources, including who made the change and what was changed. Which Azure service should you use to collect and analyze this audit data?

A.Azure Policy
B.Azure Monitor with activity logs
C.Microsoft Defender for Cloud
D.Microsoft Sentinel
AnswerB

Activity logs capture control-plane changes and are analyzed in Azure Monitor.

Why this answer

Azure Monitor with activity logs is the correct service because the activity log records every control-plane (Azure Resource Manager) operation: the caller (the Microsoft Entra ID user or service principal), the operation, the target resource and the time. Activity log entries are kept in the platform for 90 days and can be routed to a Log Analytics workspace for longer retention, KQL querying and alerting, making them the native audit trail for Azure resource modifications.

Exam trap

The trap here is that candidates often confuse Microsoft Sentinel as the audit service because it is a SIEM, but Sentinel ingests logs from other sources (including activity logs) and is not the native collection mechanism; the question specifically asks for the service that collects and analyzes the audit data, which is Azure Monitor with activity logs.

How to eliminate wrong answers

Option A is wrong because Azure Policy is a governance tool that enforces compliance rules on resources (e.g., requiring specific tags or denying certain SKUs) and does not natively log who made changes or what was changed; it evaluates resource configurations against policies but does not provide an audit trail of modifications. Option C is wrong because Microsoft Defender for Cloud focuses on security posture management, threat detection, and vulnerability assessments, not on auditing all resource changes; it uses activity logs for some security alerts but is not designed as a primary audit log service. Option D is wrong because Microsoft Sentinel is a SIEM (Security Information and Event Management) solution that ingests logs from multiple sources, including activity logs, but it is not the service that collects the audit data itself; the underlying source for resource change auditing remains Azure Monitor activity logs.

117
MCQeasy

Your organization uses Microsoft Sentinel and wants to automatically respond to high-severity incidents. Which feature should you configure?

A.Configure an automation rule to run a playbook automatically
B.Create a playbook and run it manually for each incident
C.Set up an analytics rule with automatic response
D.Use a workbook to trigger a playbook
AnswerA

Automation rules can automatically run playbooks based on incident properties such as severity.

Why this answer

Automation rules in Microsoft Sentinel allow you to define automated responses that trigger when an incident is created or updated, including running playbooks (Azure Logic Apps workflows) automatically. This is the correct approach for automatically responding to high-severity incidents because it eliminates manual intervention and ensures consistent, immediate action based on incident properties like severity.

Exam trap

The trap here is confusing the alert-stage automation attached to an analytics rule (which fires on the alert, before it is grouped into an incident) with automation rules (which fire when an incident is created or updated and can filter on severity), leading candidates to pick Option C for incident-level automation.

How to eliminate wrong answers

Option B is wrong because running a playbook manually for each incident defeats the purpose of automation and does not scale for high-severity incidents that require immediate response. Option C is wrong because automated responses attached to an analytics rule run on the alerts that rule produces, not on incidents; incident-level automation filtered by severity is what automation rules provide. Option D is wrong because workbooks are visualization and reporting tools, not triggers for playbooks; they cannot initiate automated response actions.

118
MCQmedium

A company uses Microsoft Defender for Cloud Apps to discover and control cloud apps. They want to receive alerts when a user accesses a sanctioned app from an unusual location. Which feature should they configure?

A.Session policies
B.File policies
C.Anomaly detection policies
D.App discovery policies
AnswerC

Detect unusual user activities.

Why this answer

Option C is correct because anomaly detection policies in Microsoft Defender for Cloud Apps are specifically designed to identify behavioral deviations, such as a user accessing a sanctioned app from an unusual geographic location. These policies leverage machine learning to establish a baseline of normal user activity and trigger alerts when access patterns deviate from that baseline, enabling detection of potential account compromise or insider threats.

Exam trap

The trap here is that candidates often confuse anomaly detection policies with session policies, assuming that location-based alerts are enforced via real-time session controls, but session policies only act on traffic after access is granted, whereas anomaly detection policies are the correct detection mechanism for unusual location access.

How to eliminate wrong answers

Option A is wrong because session policies control real-time user actions within a cloud app (e.g., blocking downloads or requiring multi-factor authentication) but do not generate alerts based on location anomalies; they are reactive controls, not detection mechanisms. Option B is wrong because file policies monitor and enforce rules on file content and metadata (e.g., detecting sensitive data or malware in files), not user access patterns or location-based anomalies. Option D is wrong because app discovery policies identify and categorize cloud apps in use (sanctioned vs. unsanctioned) but do not monitor user behavior or location anomalies for already sanctioned apps; they focus on app inventory and risk assessment.

119
MCQeasy

Your organization is adopting Microsoft Entra ID as the identity provider for all SaaS applications. The security team wants to enforce multifactor authentication (MFA) for all users accessing these applications. Which approach aligns with security best practices and minimizes user friction?

A.Enable per-user MFA for all users in Microsoft Entra ID.
B.Disable MFA and rely on strong password policies.
C.Enable Microsoft Entra ID Security defaults.
D.Create a Conditional Access policy requiring MFA for all cloud apps, excluding trusted locations and devices.
AnswerD

Conditional Access provides risk-based MFA with exception handling.

Why this answer

Option D is correct because Conditional Access policies allow granular, risk-based MFA enforcement that excludes trusted locations (e.g., corporate offices) and trusted devices (e.g., compliant or hybrid-joined devices). This aligns with the Zero Trust principle of 'verify explicitly' while minimizing user friction by not prompting for MFA when the user is already in a trusted context. Security defaults (Option C) enforce MFA for all users but lack the ability to exclude trusted locations or devices, which can cause unnecessary friction.

Exam trap

The trap here is that candidates often confuse Security defaults (Option C) as the best practice for MFA enforcement, but Security defaults lack the exclusion capabilities of Conditional Access, which is the recommended approach for minimizing friction while maintaining security.

How to eliminate wrong answers

Option A is wrong because per-user MFA is a legacy approach that forces MFA on every authentication attempt regardless of context, leading to high user friction and no ability to exclude trusted locations or devices; it also lacks the granular control of Conditional Access. Option B is wrong because disabling MFA and relying solely on strong password policies violates security best practices, as passwords alone are vulnerable to phishing, credential stuffing, and brute-force attacks, and does not meet the requirement to enforce MFA. Option C is wrong because while Security defaults enforce MFA for all users, they do not allow exclusion of trusted locations or devices, which means users are prompted for MFA even from the corporate network or on compliant devices, increasing friction unnecessarily.
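To see how the policies in questions 113 and 119 combine at sign-in, here is an added example (not from the original page) that evaluates Conditional Access policies written in the shape of the Microsoft Graph conditionalAccessPolicy resource: an all-apps policy that is skipped from trusted locations and satisfied by either MFA or a compliant device, and an app-specific policy that demands both. The policy names, the excluded break-glass account, the application ID and the sign-in contexts are constructed; the evaluation rules (every enabled in-scope policy must be satisfied, exclusions remove a policy from scope, OR versus AND grant controls) are how Entra ID applies the real thing.

```python
# Policies in the shape of the Graph API conditionalAccessPolicy resource (constructed;
# the displayName, the excluded break-glass account and the application ID are assumed).
POLICY_ALL_APPS_MFA = {
    "displayName": "Require MFA or compliant device for all cloud apps, except trusted locations",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": ["breakglass@contoso.example"]},
        "applications": {"includeApplications": ["All"]},
        "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]},
}

POLICY_CRITICAL_APP = {
    "displayName": "Critical app: require MFA and compliant device",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": ["breakglass@contoso.example"]},
        "applications": {"includeApplications": ["app-critical-id"]},
    },
    "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]},
}


def policy_applies(policy, signin):
    """Assignment evaluation: a policy is in scope when the user and app are included,
    neither is excluded, and the sign-in does not come from an excluded location."""
    cond = policy["conditions"]
    users, apps = cond["users"], cond["applications"]
    if signin["user"] in users.get("excludeUsers", []):
        return False
    if "All" not in users["includeUsers"] and signin["user"] not in users["includeUsers"]:
        return False
    if "All" not in apps["includeApplications"] and signin["app"] not in apps["includeApplications"]:
        return False
    locations = cond.get("locations")
    if locations:
        excluded = locations.get("excludeLocations", [])
        if "AllTrusted" in excluded and signin["trusted_location"]:
            return False
        if signin.get("named_location") in excluded:
            return False
    return True


def evaluate(policies, signin):
    """Return ("allow", set()) when every in-scope policy is satisfied, ("block", set())
    when any in-scope policy blocks, otherwise ("challenge", controls) listing the grant
    controls the session has not yet satisfied. All enabled policies are evaluated;
    satisfying one does not exempt the sign-in from another."""
    satisfied = {"mfa": signin["mfa_done"], "compliantDevice": signin["device_compliant"]}
    outstanding = set()
    for policy in policies:
        if policy["state"] != "enabled" or not policy_applies(policy, signin):
            continue
        grant = policy["grantControls"]
        controls = grant["builtInControls"]
        if "block" in controls:
            return "block", set()
        met = [satisfied[c] for c in controls]
        ok = any(met) if grant["operator"] == "OR" else all(met)
        if not ok:
            outstanding.update(c for c in controls if not satisfied[c])
    return ("allow", set()) if not outstanding else ("challenge", outstanding)


if __name__ == "__main__":
    signin = {"user": "alice@contoso.example", "app": "app-critical-id", "named_location": None,
              "trusted_location": False, "device_compliant": True, "mfa_done": False}
    print(evaluate([POLICY_ALL_APPS_MFA, POLICY_CRITICAL_APP], signin))
```

Two things the evaluator makes visible: a trusted-location exclusion removes the all-apps policy from scope entirely (so a compromised account on the corporate network gets no MFA prompt from it), and the stricter app-specific policy still applies there, which is why the critical-app design layers its own policy rather than relying on the tenant-wide one. Keep the break-glass exclusion on every policy and monitor that account's sign-ins.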

120
Multi-Selecthard

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You need to design a solution that investigates and responds to a ransomware incident. Which three actions should you take? (Choose THREE.)

Select 3 answers
A.Isolate affected devices using Microsoft Defender for Endpoint.
B.Review the incident timeline in Microsoft Defender XDR.
C.Create a new workbook to visualize the incident.
D.Delete all log data older than 24 hours to improve performance.
E.Run a hunting query in Microsoft Sentinel to identify affected devices.
AnswersA, B, E

Isolation prevents the ransomware from spreading.

Why this answer

Options A, B, and E are correct: running a hunting query in Sentinel establishes the scope (which devices and accounts are involved), isolating those devices with Defender for Endpoint stops the ransomware from spreading, and the incident timeline in Defender XDR gives the sequence of events needed for root cause and containment decisions. Option C (a new workbook) is reporting, not investigation or response. Option D (deleting log data) would destroy the evidence you need and is never an incident-response action.

121
Multi-Selectmedium

A company is designing a secure data sharing solution with a partner organization. The data will be stored in Azure Blob Storage. Requirements include: encryption at rest with customer-managed keys, granular access control to specific blobs, and the ability to expire access automatically. Which TWO solutions should you combine? (Choose two.)

Select 2 answers
A.Generate shared access signatures (SAS) with specific permissions and expiry times.
B.Enable Azure Active Directory authentication for the storage account.
C.Configure a firewall on the storage account to allow only partner IP addresses.
D.Use Azure RBAC to assign the Storage Blob Data Reader role to partner users.
E.Use Azure Storage Service Encryption with customer-managed keys in Azure Key Vault.
AnswersA, E

SAS tokens provide granular, time-limited access to specific blobs.

Why this answer

Azure Storage Service Encryption with customer-managed keys (CMK) in Azure Key Vault provides encryption at rest under keys the company controls. Shared access signatures (SAS) provide granular, time-limited access to specific blobs; prefer a user delegation SAS (signed with Entra ID credentials) or a SAS tied to a stored access policy, so that access can be revoked without rotating the account key. Azure RBAC is less granular: the narrowest built-in scope for data roles is the container, not an individual blob.

Entra ID authentication and RBAC assignments are not time-limited by default, and a storage firewall only restricts the network path, not which blobs a partner may read. Options A and E together meet all three requirements.
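A practitioner reviewing a SAS handed to a partner wants to confirm it is blob-scoped, read-only, HTTPS-only, short-lived and revocable. The checker below is an added example (not part of this question bank or any Microsoft SDK); the two SAS URLs are constructed samples with placeholder signatures, and the seven-day lifetime limit and read-only permission set are assumptions you would tune to your own sharing policy.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample SAS URLs; the sig values are placeholders, not real signatures.
NOW = datetime(2024, 5, 2, tzinfo=timezone.utc)

# Blob-scoped, read-only, HTTPS-only, 7-day user delegation SAS (skoid present).
GOOD_SAS = (
    "https://contososhare.blob.core.windows.net/partner/report.csv"
    "?sv=2022-11-02&sr=b&sp=r&st=2024-05-01T00:00:00Z&se=2024-05-08T00:00:00Z"
    "&spr=https&skoid=00000000-0000-0000-0000-000000000001&sig=placeholder"
)

# Container-scoped, read/write/delete/list, allows HTTP, one-year, account-key signed.
BAD_SAS = (
    "https://contososhare.blob.core.windows.net/partner"
    "?sv=2022-11-02&sr=c&sp=rwdl&st=2024-05-01T00:00:00Z&se=2025-05-01T00:00:00Z"
    "&spr=https,http&sig=placeholder"
)


def _parse_time(value):
    """SAS times are ISO 8601 UTC; a bare date is also accepted by the service."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unparseable SAS time: {value}")


def audit_sas(url, now=NOW, max_lifetime=timedelta(days=7), allowed_perms="r"):
    """Return a list of findings for a blob SAS URL; an empty list means it passes."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    findings = []
    # sr=b limits the token to one blob; sr=c exposes the whole container.
    if q.get("sr") != "b":
        findings.append(f"scope is sr={q.get('sr')} (expected 'b': a single blob)")
    extra = set(q.get("sp", "")) - set(allowed_perms)
    if extra:
        findings.append(f"permissions {q.get('sp')} exceed allowed '{allowed_perms}'")
    if q.get("spr") != "https":
        findings.append(f"spr={q.get('spr')} allows non-TLS use (expected 'https')")
    if "se" not in q:
        findings.append("no expiry (se) set")
    else:
        expiry = _parse_time(q["se"])
        start = _parse_time(q["st"]) if "st" in q else now
        if expiry <= now:
            findings.append("token already expired")
        elif expiry - start > max_lifetime:
            findings.append(f"lifetime {(expiry - start).days}d exceeds {max_lifetime.days}d")
    # skoid marks a user delegation SAS; si ties a service SAS to a stored access policy.
    # Either can be revoked; a plain account-key SAS can only be killed by key rotation.
    if "skoid" not in q and "si" not in q:
        findings.append("signed with the account key and not tied to a stored access policy; "
                        "it cannot be revoked short of rotating the key")
    return findings


if __name__ == "__main__":
    for label, url in (("good", GOOD_SAS), ("bad", BAD_SAS)):
        print(label, audit_sas(url) or "OK")
```

The check runs entirely on the query string, so it can be applied to tokens found in tickets, logs or partner onboarding documents before anyone uses them.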

122
Multi-Selecthard

Which THREE are security best practices for Microsoft Entra ID? (Select three.)

Select 3 answers
A.Block legacy authentication protocols
B.Enable multifactor authentication for all administrators
C.Disable self-service password reset for users
D.Synchronize all on-premises user accounts to Microsoft Entra ID
E.Use Privileged Identity Management to enforce just-in-time access
AnswersA, B, E

Legacy auth does not support MFA and is a common attack vector.

Why this answer

Legacy authentication protocols (e.g., POP3, SMTP, IMAP4, and older versions of Office clients) do not support modern security controls like multifactor authentication (MFA) or conditional access. Blocking these protocols is a critical security best practice because they bypass MFA requirements, leaving accounts vulnerable to password spray and credential-stuffing attacks. Microsoft Entra ID allows administrators to block legacy authentication via Conditional Access policies or tenant-wide settings.

Exam trap

The trap here is that candidates often assume disabling self-service password reset (SSPR) improves security by reducing attack surface, but in reality, SSPR reduces help desk load and encourages users to reset compromised passwords quickly, while blocking legacy authentication is the actual critical control to prevent MFA bypass.

123
Multi-Selecthard

Which TWO components are required to enable Microsoft Sentinel to ingest data from Amazon Web Services (AWS) CloudTrail?

Select 2 answers
A.An Azure Function to pull logs from AWS.
B.An AWS S3 bucket to store CloudTrail logs.
C.An AWS Lambda function to process logs.
D.An AWS Simple Queue Service (SQS) queue to trigger ingestion.
E.An Azure Event Hubs namespace to receive logs.
AnswersB, D

The connector reads logs from S3.

Why this answer

Option B is correct because CloudTrail must deliver its log files to an S3 bucket before Sentinel can ingest them. Option D is correct because Sentinel's Amazon Web Services S3 connector polls an SQS queue that receives the bucket's object-created notifications and then fetches each new log object from S3; the connector also needs an AWS IAM role, created in AWS, that it assumes to read the queue and the bucket.

Exam trap

The trap here is that candidates often assume an Azure Function or Event Hubs is needed for cross-cloud ingestion, but Sentinel's native AWS connector uses S3 and SQS directly, eliminating the need for intermediary compute or messaging services.

124
MCQhard

Your company is deploying Microsoft Defender XDR and wants to use automated investigation and response (AIR) to remediate confirmed threats. However, you need to ensure that high-impact actions like deleting email messages or isolating devices require manual approval from the security operations team. Which configuration should you set?

A.Set the automation level to 'Full - automatically remediate all threats'
B.Set the automation level to 'Semi - require approval for high-severity remediations'
C.Set the automation level to 'No automated remediation'
D.Create a custom automation rule in Microsoft Sentinel
AnswerB

This level requires manual approval for high-impact actions.

Why this answer

Option B is correct because the 'Semi - require approval for high-severity remediations' automation level in Microsoft Defender XDR ensures that high-impact actions (e.g., deleting email messages or isolating devices) require manual approval from the security operations team before execution. This setting balances automated efficiency with human oversight, specifically targeting high-severity threats while allowing lower-severity actions to proceed automatically.

Exam trap

The trap here is that candidates often confuse automation levels in Microsoft Defender XDR with automation rules in Microsoft Sentinel, or assume that 'Semi' requires approval for all actions rather than only high-severity ones, leading them to incorrectly select 'No automated remediation' or a Sentinel-based solution.

How to eliminate wrong answers

Option A is wrong because 'Full - automatically remediate all threats' would execute high-impact actions like device isolation or email deletion without any manual approval, violating the requirement for human oversight. Option C is wrong because 'No automated remediation' disables all automated responses entirely, requiring manual action for every threat, which defeats the purpose of using automated investigation and response (AIR) and increases operational overhead. Option D is wrong because creating a custom automation rule in Microsoft Sentinel is unrelated to Microsoft Defender XDR's AIR automation levels; Sentinel is a SIEM/SOAR tool that can orchestrate responses but does not control the native AIR settings within Defender XDR.

125
MCQhard

Refer to the exhibit. You are deploying an ARM template for a network security group. What is the security implication of this configuration?

A.The rule only allows traffic on port 443 from a specific IP range
B.The rule allows outbound traffic from the subnet to the Internet
C.The rule allows inbound HTTPS traffic from any Internet source to the subnet, which may be overly permissive
D.The rule blocks all inbound traffic from the Internet
AnswerC

Allowing Internet access to a subnet without restrictions is a security concern.

Why this answer

Option C is correct because the rule allows HTTPS from the Internet to the subnet 10.0.1.0/24, making the frontend accessible from anywhere, which is a security risk if not intended. Option A is wrong because the rule does allow Internet traffic. Option B is wrong because the rule is inbound, not outbound.

Option D is wrong because the rule allows traffic on port 443.
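Because the exhibit is not reproduced here, the following is an added example (not the question's exhibit and not Microsoft code) of the kind of rule the question describes, alongside a small linter that flags inbound Allow rules whose source is the Internet. The ARM fragment, rule names and address ranges are constructed for illustration.

```python
import json

# Constructed ARM fragment for illustration; not the exhibit referred to in the question.
NSG_TEMPLATE = json.loads("""
{
  "type": "Microsoft.Network/networkSecurityGroups",
  "apiVersion": "2023-04-01",
  "name": "nsg-frontend",
  "properties": {
    "securityRules": [
      {"name": "allow-https-from-internet",
       "properties": {"priority": 100, "direction": "Inbound", "access": "Allow",
                      "protocol": "Tcp", "sourcePortRange": "*", "destinationPortRange": "443",
                      "sourceAddressPrefix": "Internet", "destinationAddressPrefix": "10.0.1.0/24"}},
      {"name": "allow-https-from-partner",
       "properties": {"priority": 110, "direction": "Inbound", "access": "Allow",
                      "protocol": "Tcp", "sourcePortRange": "*", "destinationPortRange": "443",
                      "sourceAddressPrefixes": ["203.0.113.0/24", "198.51.100.0/24"],
                      "destinationAddressPrefix": "10.0.1.0/24"}},
      {"name": "allow-any-inbound",
       "properties": {"priority": 4000, "direction": "Inbound", "access": "Allow",
                      "protocol": "*", "sourcePortRange": "*", "destinationPortRange": "*",
                      "sourceAddressPrefix": "*", "destinationAddressPrefix": "*"}},
      {"name": "allow-outbound-internet",
       "properties": {"priority": 100, "direction": "Outbound", "access": "Allow",
                      "protocol": "*", "sourcePortRange": "*", "destinationPortRange": "*",
                      "sourceAddressPrefix": "*", "destinationAddressPrefix": "Internet"}}
    ]
  }
}
""")

# Source prefixes that mean "anyone on the Internet": the wildcard, the Internet service tag,
# and the unrestricted IPv4/IPv6 CIDRs.
INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0", "::/0"}


def _sources(props):
    """NSG rules carry either a single sourceAddressPrefix or a sourceAddressPrefixes list."""
    single = props.get("sourceAddressPrefix")
    return ([single] if single else []) + list(props.get("sourceAddressPrefixes", []))


def find_internet_exposed_rules(nsg):
    """Return (rule name, finding) for inbound Allow rules reachable from the Internet,
    sorted by priority so the rule that wins evaluation is listed first."""
    findings = []
    rules = sorted(nsg["properties"]["securityRules"],
                   key=lambda r: r["properties"]["priority"])
    for rule in rules:
        p = rule["properties"]
        if p["direction"] != "Inbound" or p["access"] != "Allow":
            continue
        open_sources = [s for s in _sources(p) if s.lower() in INTERNET_SOURCES]
        if not open_sources:
            continue
        port = p.get("destinationPortRange") or ",".join(p.get("destinationPortRanges", []))
        proto = p.get("protocol", "*")
        if port == "*" or proto == "*":
            text = (f"allows {proto} to ports {port} from {open_sources}: "
                    "every service on the subnet is exposed")
        else:
            text = (f"allows {proto}/{port} from {open_sources} to "
                    f"{p.get('destinationAddressPrefix')}: restrict the source or front it with a WAF")
        findings.append((rule["name"], text))
    return findings


if __name__ == "__main__":
    for name, finding in find_internet_exposed_rules(NSG_TEMPLATE):
        print(f"{name}: {finding}")
```

The first rule is the question's case: TCP/443 from the Internet service tag to 10.0.1.0/24 is legitimate for a public web frontend, but it should be deliberate, and for anything else the source should be narrowed as in the partner rule. The wildcard rule at priority 4000 is the one that turns a single exposed port into an exposed subnet.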

126
Multi-Selectmedium

A company uses Microsoft Defender XDR (formerly Microsoft 365 Defender) to protect their Microsoft 365 environment. They want to ensure that sensitive data is not leaked through Microsoft Teams messages. Which TWO capabilities should they use? (Choose TWO.)

Select 2 answers
A.Data Loss Prevention (DLP) policies
B.Information Barriers
C.Sensitivity labels
D.Communication Compliance
E.Retention policies
AnswersA, D

Can detect and block sharing of sensitive data in Teams messages.

Why this answer

Options A and D are correct. DLP policies in Microsoft Purview scan Teams chat and channel messages (and attached files) for sensitive information types and can block the message or warn the sender, and Communication Compliance policies detect policy violations in Teams conversations and route them to reviewers. Option C is wrong because sensitivity labels classify and protect content; they do not inspect messages in real time.

Option E is wrong because retention policies govern how long data is kept, not whether it leaks. Option B is wrong because Information Barriers prevent specific groups of users from communicating with each other at all; they do not inspect message content for sensitive data.

127
MCQmedium

Your organization uses Microsoft Entra ID for identity and access management. You need to design a solution that allows external partners to access a specific SharePoint Online site without creating guest accounts. What should you use?

A.Anonymous sharing links
B.Microsoft Entra ID business-to-business (B2B) collaboration
C.SharePoint Online external sharing with authenticated external users
D.Azure Active Directory B2C (now part of Entra ID)
AnswerC

SharePoint external sharing authenticates partners at the site level; B2B collaboration is the option that creates guest accounts.

Why this answer

Option C is correct because SharePoint Online external sharing can be configured to allow sharing with authenticated external users, so a partner signs in (for example with a one-time passcode sent to their email) to the specific site without the organization first provisioning an account for them. Note that with the SharePoint and OneDrive integration with Entra B2B enabled, which is now the default, those external users are still represented as guests once they authenticate, so confirm the tenant's integration setting if that matters. Option B is wrong because Entra ID B2B collaboration is defined by creating guest accounts. Option D is wrong because Azure AD B2C is for customer-facing applications, not partner access to SharePoint.

Option A is wrong because anonymous sharing links do not authenticate the partner at all and can be forwarded to anyone.

128
MCQeasy

Your organization uses Microsoft Intune to manage devices. You need to design a compliance policy that requires devices to have a minimum OS version and be encrypted. Which policy type should you use?

A.Create a device configuration profile in Microsoft Intune.
B.Create a Conditional Access policy in Microsoft Entra ID.
C.Create an app protection policy in Microsoft Intune.
D.Create a device compliance policy in Microsoft Intune.
AnswerD

Compliance policies enforce conditions like OS version and encryption.

Why this answer

Option D is correct because compliance policies in Intune define the rules a device must meet to be marked compliant, such as a minimum OS version and disk encryption; Conditional Access can then require that compliant state. Option A (device configuration profile) pushes settings such as Wi-Fi or BitLocker configuration but does not evaluate compliance. Option B (Conditional Access) is the Entra ID feature that consumes the compliance result; it does not define the device requirements itself.

Option C (app protection policy) protects data at the app level, not device-level settings.

129
MCQmedium

Your organization uses Microsoft Defender for Endpoint (MDE) and wants to implement automated investigation and response (AIR) for ransomware. You need to ensure that when a suspicious file is detected, the investigation is automatically started and the file is contained. What should you configure?

A.Configure the automated investigation and response capabilities in MDE.
B.Create a custom detection rule in Microsoft 365 Defender.
C.Enable attack surface reduction rules.
D.Add the file hash to the indicators of compromise list.
AnswerA

AIR automates investigation and containment actions.

Why this answer

Option A is correct because AIR in Defender for Endpoint automatically starts an investigation when an alert fires and, subject to the device group's automation level, takes containment actions such as quarantining the file. Option C is wrong because attack surface reduction rules prevent specific behaviours up front; they do not investigate or respond. Option D is wrong because an indicator blocks a known hash; it does not investigate an unknown suspicious file.

Option B is wrong because custom detection rules raise alerts on a schedule and can attach a fixed set of response actions, but they do not run the automated investigation the question asks for.

130
MCQhard

Your organization, Contoso Ltd., uses Microsoft 365 E5 licenses and has deployed Microsoft Sentinel in Azure. The security operations center (SOC) receives thousands of alerts daily from Microsoft Defender for Cloud, Microsoft Defender for Office 365, and Microsoft Defender for Endpoint. The SOC team is overwhelmed and needs to prioritize incidents effectively. You need to design a solution that uses Microsoft Sentinel to automatically classify incidents as true positive, false positive, or benign positive based on threat intelligence and analytics. Additionally, the solution should automatically close low-confidence false positive incidents after 24 hours if no analyst interaction occurs. You must minimize manual effort and ensure that critical incidents are escalated immediately. What should you do?

A.Build a workbook that displays incident classification and assign analysts to review and close low-confidence incidents.
B.Create automation rules that trigger on incident creation to classify incidents using custom properties and run a playbook for escalation.
C.Use watchlists to define known false positive indicators and configure a playbook to run hourly to close matching incidents.
D.Modify the analytics rules to automatically close incidents based on a threshold of false positive indicators.
AnswerB

Automation rules can set incident properties and trigger playbooks for complex actions like escalation.

Why this answer

Option B is correct because automation rules triggered on incident creation can set incident properties (severity, status, tags and classification) based on conditions such as the analytics rule name, entities or threat intelligence matches, and can run a playbook for escalation. Note that automation rules fire on incident creation or update, not on a timer, so the "close after 24 hours with no analyst interaction" part is implemented by a playbook on a recurrence trigger that queries idle incidents and closes them. Option A is incorrect because workbooks are for visualization, not automated response. Option D is incorrect because analytics rules create incidents; they do not classify or close them.

Option C is incorrect because watchlists are reference data for enrichment and correlation, not an automation mechanism on their own.

131
MCQmedium

Refer to the exhibit. What is the effect of this Azure Policy definition?

A.It denies creation of virtual networks that are not using HTTPS.
B.It denies creation or update of storage accounts that do not enforce HTTPS traffic.
C.It audits storage accounts to check if HTTPS traffic is enforced.
D.It denies creation of blob services that do not enforce HTTPS.
AnswerB

The policy denies when 'supportsHttpsTrafficOnly' is false, meaning secure transfer is not required.

Why this answer

Option B is correct. The policy rule matches resources of type Microsoft.Storage/storageAccounts whose supportsHttpsTrafficOnly property equals false (that is, 'Secure transfer required' is not enabled) and applies the deny effect, which rejects the create or update request. Option C is wrong because the effect is 'deny', not 'audit'.

Option A is wrong because the condition targets storage accounts, not virtual networks. Option D is wrong because the policy does not apply to blob services.
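Since the exhibit is not reproduced on this page, here is an added example (not the exhibit and not Microsoft code) of what a storage "deny unless HTTPS" policy definition looks like, with a simplified evaluator that applies the rule's if/then logic to sample resource bodies. The resource samples are constructed, and the alias resolution is a deliberate simplification of the real Azure Policy engine. It also shows a caveat a practitioner would want: a rule that only denies when the property equals false says nothing about a request that omits the property, so a stricter variant checks exists as well.

```python
import json

# Constructed policy definition mirroring the rule the question describes:
# deny a storage account whose supportsHttpsTrafficOnly property is false.
DENY_IF_FALSE = json.loads("""
{ "mode": "Indexed",
  "policyRule": {
    "if": { "allOf": [
      { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
      { "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "equals": "false" } ] },
    "then": { "effect": "deny" } } }
""")

# Stricter variant: also deny when the property is absent from the request body.
DENY_UNLESS_TRUE = json.loads("""
{ "mode": "Indexed",
  "policyRule": {
    "if": { "allOf": [
      { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
      { "anyOf": [
        { "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "exists": "false" },
        { "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "equals": "false" } ] } ] },
    "then": { "effect": "deny" } } }
""")

_MISSING = object()


def resolve_field(resource, field):
    """Simplified alias handling (an assumption of this example): top-level fields, or
    '<resource type>/<dotted path under properties>' such as
    Microsoft.Storage/storageAccounts/networkAcls.defaultAction."""
    if field in ("type", "name", "location", "kind"):
        return resource.get(field, _MISSING)
    prefix = resource["type"] + "/"
    if not field.lower().startswith(prefix.lower()):
        return _MISSING
    node = resource.get("properties", {})
    for part in field[len(prefix):].split("."):
        if not isinstance(node, dict) or part not in node:
            return _MISSING
        node = node[part]
    return node


def _norm(v):
    # Azure Policy string comparisons are case-insensitive; booleans compare as text.
    return _MISSING if v is _MISSING else str(v).lower()


def evaluate_condition(cond, resource):
    if "allOf" in cond:
        return all(evaluate_condition(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource)
    value = resolve_field(resource, cond["field"])
    if "exists" in cond:
        return (value is not _MISSING) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return value is not _MISSING and _norm(value) == _norm(cond["equals"])
    if "notEquals" in cond:
        return value is _MISSING or _norm(value) != _norm(cond["notEquals"])
    if "in" in cond:
        return value is not _MISSING and _norm(value) in {_norm(x) for x in cond["in"]}
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy, resource):
    """Return the effect applied to a PUT of this resource: 'deny', or 'allow' if no match."""
    rule = policy["policyRule"]
    return rule["then"]["effect"].lower() if evaluate_condition(rule["if"], resource) else "allow"


# Constructed sample request bodies.
STORAGE = "Microsoft.Storage/storageAccounts"
PLAIN_HTTP = {"type": STORAGE, "name": "stlegacy", "properties": {"supportsHttpsTrafficOnly": False}}
HTTPS_ONLY = {"type": STORAGE, "name": "stsecure", "properties": {"supportsHttpsTrafficOnly": True}}
UNSPECIFIED = {"type": STORAGE, "name": "stdefault", "properties": {}}
VNET = {"type": "Microsoft.Network/virtualNetworks", "name": "vnet1", "properties": {}}

if __name__ == "__main__":
    for res in (PLAIN_HTTP, HTTPS_ONLY, UNSPECIFIED, VNET):
        print(res["name"], evaluate(DENY_IF_FALSE, res), evaluate(DENY_UNLESS_TRUE, res))
```

The UNSPECIFIED case is the one to remember: the question's rule lets it through, and whether that is acceptable depends on the platform default for the property, so the stricter definition is what you assign when you want HTTPS-only to be enforced rather than merely not disabled.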

132
MCQmedium

Your company is designing a secure DevOps pipeline using Azure DevOps. You need to ensure that secrets (e.g., API keys) are stored securely and scanned for leaks in code repositories. The solution must integrate with Azure Policy to prevent deployment if secrets are exposed. You also need to enforce that only approved branches can deploy to production. What should you implement?

A.Store secrets in a file in a private Git repo. Use a custom script to scan for secrets. Use Azure Policy to enforce branch policy.
B.Use variable groups in Azure DevOps to store secrets. Use Azure Policy to block deployments if secrets are in code. Use release gates.
C.Store secrets in Azure Key Vault with a service connection. Use GitHub Advanced Security (secret scanning) integrated with Azure DevOps. Use branch policies to require pull requests for production.
D.Use Azure Key Vault with managed identities. Use Defender for Cloud to scan for secrets in repos. Use branch policies.
AnswerC

Key Vault securely stores secrets; GitHub Advanced Security scans for leaks; branch policies enforce approval.

Why this answer

Option C is correct because it covers all three requirements: Azure Key Vault, referenced through a service connection, keeps secrets out of the repository; GitHub Advanced Security for Azure DevOps scans commits and pull requests for leaked secrets; and branch policies require a reviewed pull request before anything reaches the production branch. Option A stores secrets in the repository, which is the leak it is supposed to prevent, and a home-grown scanning script is neither maintained nor integrated. Option B keeps secrets in variable groups but has no repository scanning, and Azure Policy does not inspect source code. Option D relies on Defender for Cloud for repository scanning rather than the scanner built into Azure DevOps.

133
MCQmedium

A company uses Microsoft Defender for Cloud Apps to control data exfiltration from sanctioned SaaS apps. Security admins want to block downloading sensitive files from SharePoint Online to unmanaged devices. Which method should be used?

A.Create a Conditional Access App Control session policy
B.Create a session policy in Defender for Cloud Apps that checks for device tags and blocks download
C.Create a Microsoft Purview Data Loss Prevention policy for SharePoint
D.Create a Microsoft Intune compliance policy to block unmanaged devices
AnswerB

Session policies can inspect device tags (managed/unmanaged) and block sensitive actions like downloading

Why this answer

Option B is correct because a Defender for Cloud Apps session policy, applied to SharePoint Online through Conditional Access App Control, evaluates the device tag (Intune compliant, Hybrid Entra joined, or client-certificate tagged) during the session and can block the download of files that match a sensitivity label or content inspection. Option A is wrong because Conditional Access App Control is the underlying framework that routes the session through the proxy; the blocking decision is defined in a session policy. Option C is wrong because a Purview DLP policy evaluates the content being shared, not whether the device in the current session is managed.

Option D is wrong because an Intune compliance policy only marks devices as compliant or not; by itself it neither allows nor blocks a download action.

134
MCQhard

Your organization uses Microsoft Defender for Cloud Apps. You need to detect and block data exfiltration from sanctioned cloud apps to personal devices. What should you configure?

A.Create an OAuth app policy to revoke permissions.
B.Create an app discovery policy to identify unsanctioned apps.
C.Create a file policy to detect sensitive data in sanctioned apps.
D.Create a session policy with app governance to block download.
AnswerD

Session policies can block data exfiltration in real time.

Why this answer

Option D is correct because a session policy monitors and controls data transfer in real time, and can block downloads to unmanaged personal devices while the session is in progress. Option B is wrong because app discovery policies identify unsanctioned apps; they do not block actions in sanctioned ones. Option C is wrong because file policies scan data at rest for compliance and are not enforced in real time.

Option A is wrong because OAuth app policies manage the permissions granted to third-party apps, not user downloads to personal devices.

135
MCQmedium

Your company uses Microsoft Purview to govern data across Azure and on-premises. You need to classify sensitive data such as credit card numbers in Azure SQL Database and apply automatic retention labels. What should you configure?

A.Create a scan in Microsoft Purview Data Map and apply retention labels based on classifications.
B.Enable Microsoft Defender for Cloud Apps to classify and label data in Azure SQL.
C.Configure sensitivity labels in Microsoft Purview Information Protection.
D.Use Microsoft Sentinel to detect credit card numbers and trigger a retention policy.
AnswerA

Data Map scans data sources and can automatically apply retention labels to classified data.

Why this answer

Option A is correct because a Microsoft Purview Data Map scan of Azure SQL Database classifies columns that contain sensitive information types such as credit card numbers, and labels can then be applied to classified data automatically. Option C is wrong because sensitivity labels on their own classify and protect content; they do not scan the database or drive retention. Option D is wrong because Microsoft Sentinel is for security analytics, not data classification.

Option B is wrong because Microsoft Defender for Cloud Apps governs SaaS applications, not Azure SQL data.

136
MCQmedium

Your organization is implementing a privileged access workstation (PAW) strategy for administrators managing Azure resources. The PAWs are Windows 11 devices enrolled in Intune. You need to ensure that only approved applications can run on PAWs, and that device users cannot disable security features. The solution must also enforce that PAWs are used exclusively for administrative tasks. What should you configure?

A.Enable Azure AD B2B collaboration for external admins. Use Intune to enforce device encryption.
B.Configure Windows Defender Application Control (WDAC) and AppLocker policies in Intune to allow only approved administrative tools. Use Intune compliance policies to block non-compliant devices. Use Azure AD Conditional Access to require PAW as compliant.
C.Assign privileged roles using Azure AD Privileged Identity Management (PIM). Use Azure Policy to audit admin actions.
D.Use Azure AD Conditional Access to require multi-factor authentication and device compliance. Use Microsoft Defender for Cloud to monitor for admin activities.
AnswerB

WDAC and AppLocker restrict apps; Intune enforces settings; Conditional Access ensures only PAWs can access admin portals.

Why this answer

Option B is correct because it uses Windows Defender Application Control (WDAC) and AppLocker, deployed through Intune, to allow only the approved administrative tools, Intune compliance policies to flag devices whose security features have been tampered with, and Conditional Access to require that compliant PAW before admin portals can be reached. Option D applies Conditional Access and monitoring but includes no application control. Option C manages role assignment with PIM and auditing with Azure Policy but nothing about the device. Option A concerns guest access and encryption, not workstation lockdown.

137
MCQmedium

Your organization uses Microsoft Intune to manage mobile devices. You need to design a policy that ensures corporate data on personally owned devices is protected, but does not allow IT to wipe the entire device if it is lost or stolen. Which Intune policy type should you configure?

A.Conditional Access policies requiring device compliance
B.App Protection Policies (MAM) without device enrollment
C.Device configuration profiles
D.Device compliance policies
AnswerB

MAM policies protect app data and allow selective wipe without wiping the device.

Why this answer

Option B is correct because app protection policies (MAM) without device enrollment protect corporate data inside managed apps and allow a selective wipe of corporate data only, leaving the user's personal data and the device itself untouched. Option D (device compliance policies) evaluates device-level settings and requires enrollment. Option C (device configuration profiles) configures the device and also requires enrollment.

Option A (Conditional Access) can require device compliance or an app protection policy, but it is the gate, not the control that protects or selectively wipes the data.

138
MCQeasy

Your company uses Microsoft Defender for Cloud Apps to discover and control shadow IT. You need to block the use of a newly discovered unsanctioned cloud storage app that poses a high risk. What should you configure?

A.In Defender for Cloud Apps, unsanction the app and create a session policy to block it
B.Create a Conditional Access policy in Microsoft Entra ID to block the app
C.Use Microsoft Intune to set a compliance policy that blocks the app
D.Add the app to the blocked list in Microsoft Defender for Cloud Apps
AnswerA

Unsanctioning tags the app as blocked in Cloud Discovery; the block is then enforced at the endpoint or network edge.

Why this answer

Option A is correct because Defender for Cloud Apps lets you sanction or unsanction discovered apps and then enforce the block: either through the Defender for Endpoint integration, which pushes the app's domains as custom network indicators to managed devices, or by exporting a block script for the organization's firewall or proxy. Note that session policies apply to sanctioned apps routed through Conditional Access App Control, so for an unsanctioned app the unsanction-and-enforce path is what actually stops its use. Option B is wrong because Conditional Access only governs apps that authenticate with Entra ID; an unsanctioned consumer storage app is not one of them. Option C is wrong because Intune compliance policies evaluate device state; they do not block access to a cloud app.

Option D is wrong because there is no separate blocked list to add an app to; blocking is done by unsanctioning the app and enforcing that tag.

139
MCQmedium

Your organization plans to use Microsoft Defender for Cloud to protect a hybrid environment with servers in Azure and on-premises. You need to ensure that security policies are consistently applied across all servers. What should you configure?

A.Onboard all servers to Azure Arc and assign Defender for Cloud policies.
B.Deploy Azure Automation State Configuration (DSC) to all servers.
C.Connect all servers to Microsoft Sentinel and use analytics rules.
D.Use Azure Policy with guest configuration on all servers.
AnswerA

Azure Arc extends Azure management to non-Azure servers, enabling consistent policy assignment.

Why this answer

Option A is correct because Azure Arc projects on-premises servers into Azure as resources, so the same Azure Policy assignments and Defender for Cloud plans apply to them as to Azure VMs. Option B is wrong because Azure Automation State Configuration is a configuration management tool, not the mechanism for applying Defender for Cloud security policies. Option D is wrong because Azure Policy guest configuration only reaches non-Azure machines once they are connected through Azure Arc, so on its own it does not cover the on-premises servers.

Option C is wrong because Microsoft Sentinel is a SIEM; analytics rules detect, they do not enforce policy.

140
MCQhard

A company uses Microsoft Sentinel for SIEM and SOAR. You need to design a solution to detect and automatically respond to ransomware attacks involving mass file encryption on Windows servers. The response must include isolating the compromised server from the network, creating a backup of affected files, and resetting the user account's password. Which automation approach minimizes manual intervention?

A.Use a Logic Apps playbook to create a VM snapshot and send an email to the security team.
B.Create an alert rule that triggers an Azure Automation runbook to isolate the VM.
C.Set up an automation rule that runs a playbook to isolate the VM, trigger a backup, and reset the user password.
D.Configure a manual incident response plan that includes password reset.
AnswerC

Automation rule with a multi-step playbook covers all required actions.

Why this answer

Option C is correct because a Microsoft Sentinel automation rule can trigger a playbook (Logic App) that performs all three actions in sequence: isolate the VM (for example by invoking Defender for Endpoint's device isolation or an Azure Automation runbook that changes the NSG), trigger a backup through the Azure Backup API, and reset the user's password through Microsoft Graph. Option A is incorrect because it only snapshots the VM and emails the team; nothing is isolated or reset. Option B is incorrect because it only isolates the VM.

Option D is incorrect because a manual plan is the opposite of minimizing manual intervention.

141
MCQhard

A company is building a new SaaS application that will be used by external customers. The application uses Azure API Management (APIM) to expose APIs. The security requirements include: (1) Only authenticated and authorized customers can call the APIs, (2) The API keys must be rotated automatically every 90 days, (3) The APIs must be protected against common web vulnerabilities. What should you implement?

A.Use IP whitelisting in APIM to restrict access to known customer IPs and enable API key rotation manually every 90 days.
B.Require client certificates for authentication and configure APIM to automatically rotate the certificates.
C.Use OAuth 2.0 with Azure AD (Entra ID) for authentication, configure API key rotation in APIM policies, and enable Azure Web Application Firewall (WAF) in front of APIM.
D.Implement OAuth 2.0 with JWT tokens and use rate limiting to mitigate attacks.
AnswerC

OAuth 2.0 provides authentication, APIM policies enable automatic key rotation, and Azure WAF protects against web vulnerabilities.

Why this answer

Option C is correct because it combines OAuth 2.0 with Entra ID for authentication and authorization (APIM validates the token with the validate-jwt policy), a 90-day key rotation for the APIM subscription keys, and Azure Web Application Firewall in front of APIM for protection against common web vulnerabilities. In practice the rotation is automated outside the request-processing policy, for example by a scheduled job that regenerates subscription keys through the APIM management API. Option A is wrong because IP allow-listing is not authentication and manual rotation does not meet the requirement. Option B is wrong because client certificates address authentication only; they add certificate lifecycle overhead and do nothing about web vulnerabilities.

Option D is wrong because rate limiting mitigates abuse but does not protect against the injection and scripting flaws a WAF covers, and the option says nothing about key rotation.

142
MCQeasy

Your organization has Microsoft Entra ID (Azure AD) and uses Privileged Identity Management (PIM). You need to ensure that when a user activates a privileged role, they must provide a reason and a ticket number. What should you configure?

A.PIM role settings requiring justification and approval on activation
B.Conditional Access policy requiring multi-factor authentication
C.An access review for the privileged role
D.Microsoft Entra Identity Protection user risk policy
AnswerA

PIM settings enforce justification and ticket number.

Why this answer

Option A is correct because PIM role settings allow you to configure activation requirements, including mandatory justification (reason) and ticket number. By editing the role settings in PIM, you can enforce that users provide both a reason and a ticket number when activating a privileged role, ensuring auditability and compliance.

Exam trap

The trap here is that candidates confuse PIM activation settings (which control what users must provide when activating a role) with Conditional Access policies (which control sign-in conditions) or Identity Protection policies (which handle risk-based responses), leading them to select a policy that does not enforce the specific activation-time inputs.

How to eliminate wrong answers

Option B is wrong because a Conditional Access policy requiring multi-factor authentication enforces MFA during sign-in, not during role activation, and does not capture a reason or ticket number. Option C is wrong because an access review for the privileged role periodically reviews membership or active assignments, but does not enforce input of justification or ticket number at activation time. Option D is wrong because Microsoft Entra Identity Protection user risk policy detects and responds to risky user behavior (e.g., leaked credentials), not role activation requirements like reason or ticket number.

143
MCQmedium

A company uses Microsoft Intune to manage devices. They want to ensure that only devices that have passed health attestation can access corporate email. Which method should they use?

A.Use Microsoft Defender for Endpoint to block devices that fail health attestation
B.Create a device compliance policy for health attestation and use Conditional Access to require compliant devices
C.Create an app protection policy to require device health attestation
D.Create a device configuration policy to enforce health attestation
AnswerB

Compliance policies define health requirements; Conditional Access enforces access based on compliance.

Why this answer

Option B is correct because it combines a device compliance policy that evaluates health attestation (e.g., BitLocker status, Secure Boot, code integrity) with a Conditional Access policy that grants access to corporate email only when the device is marked as compliant. This is the standard Microsoft approach for enforcing health attestation before granting access to cloud resources like Exchange Online.

Exam trap

The trap here is confusing device compliance policies (which evaluate and report health state) with device configuration policies (which only apply settings), leading candidates to pick Option D, which cannot enforce access control.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Endpoint can detect and alert on device health issues but cannot directly block access to corporate email; blocking requires integration with Conditional Access or a network enforcement point. Option C is wrong because app protection policies (MAM) manage data protection at the app level without evaluating device health attestation; they rely on app-level conditions like jailbreak detection, not hardware-attested health. Option D is wrong because device configuration policies set settings (e.g., BitLocker enablement) but do not enforce real-time attestation checks or block access; compliance is determined by a separate compliance policy, not a configuration profile.

144
Multi-Selectmedium

A company uses Microsoft Sentinel for threat detection. They want to use User and Entity Behavior Analytics (UEBA) to detect anomalies. Which THREE of the following are key components of UEBA in Sentinel?

Select 3 answers
A.UEBA analytics rules that baseline normal behavior.
B.Playbooks for automated response to anomalies.
C.Anomaly detection based on machine learning models.
D.Azure AD sign-in logs
E.Entity pages that provide a timeline of user activities.
AnswersA, C, E

Baselines are built from historical data to detect deviations.

Why this answer

Option A is correct because UEBA in Microsoft Sentinel relies on analytics rules that establish a baseline of normal behavior for users and entities. These rules use machine learning to detect deviations from the established baseline, enabling the identification of anomalous activities such as unusual sign-in locations or data exfiltration attempts.

Exam trap

The trap here is that candidates confuse supporting data sources (like Azure AD logs) or response mechanisms (like playbooks) with the core UEBA components, which are specifically the analytics rules, machine learning anomaly detection, and entity pages that provide behavioral context.

145
MCQeasy

You are designing a secure remote access solution for on-premises web applications using Microsoft Entra ID. The solution must support multifactor authentication (MFA) and conditional access. Which service should you use?

A.Microsoft Entra application proxy
B.Windows Server DirectAccess
C.VPN gateway with RADIUS authentication
D.Microsoft Entra ID (Azure AD)
AnswerA

Application proxy publishes on-premises apps with MFA and Conditional Access.

Why this answer

Option A is correct because Microsoft Entra Application Proxy publishes on-premises web apps through a connector, with users pre-authenticating to Entra ID, so MFA and Conditional Access apply before any request reaches the internal app. Option B is incorrect because DirectAccess is a Windows-only, device-level tunnel with no native Entra ID MFA or Conditional Access integration.

Option C is incorrect because a VPN gateway with RADIUS provides network-level access; it does not natively apply Entra ID Conditional Access to individual web apps. Option D is incorrect because Entra ID alone is the identity provider; it does not proxy traffic to on-premises applications.

146
MCQmedium

Your company has an Azure subscription that contains multiple virtual machines (VMs) running Windows Server. You need to ensure that all VMs are compliant with your organization's security baseline. The security baseline includes specific registry key settings, password policies, and service configurations. You want to continuously monitor and automatically remediate non-compliant VMs. What should you implement?

A. Deploy Azure Automation State Configuration to apply Desired State Configuration (DSC) to the VMs.
B. Use Azure Policy with Guest Configuration extension to audit and remediate the VM settings.
C. Use Azure Update Manager to ensure VMs are up to date.
D. Enable Microsoft Defender for Cloud and review the security recommendations.
Answer: B

Guest Configuration can audit and remediate OS settings.

Why this answer

Option B is correct because Azure Policy with the Guest Configuration extension lets you audit and remediate settings inside VMs, including registry keys and services. Option A is wrong because Azure Automation State Configuration applies DSC, but it requires more manual setup and does not integrate natively with Azure Policy for compliance. Option D is wrong because Microsoft Defender for Cloud provides security recommendations but not granular configuration remediation.

Option C is wrong because Azure Update Manager focuses on patching, not configuration.

147
MCQ · hard

A company is designing a security strategy for their AI-powered applications using Microsoft Azure OpenAI Service. They need to ensure that the AI models are not used to generate harmful content and that the data sent to the models is protected. Which Microsoft Purview feature should they use?

A. Microsoft Purview Endpoint DLP
B. Microsoft Purview Information Protection
C. Microsoft Purview Data Loss Prevention (DLP) for AI
D. Microsoft Purview Audit
Answer: C

DLP for AI can monitor and block sensitive data in AI interactions.

Why this answer

Microsoft Purview Data Loss Prevention (DLP) for AI is the correct feature because it is specifically designed to monitor and control the data sent to and from AI applications, including Azure OpenAI Service, to prevent the generation of harmful content and protect sensitive data. It uses deep content analysis and policy-based controls to detect and block policy violations in real time, directly addressing the dual requirements of content safety and data protection.

Exam trap

The trap here is that candidates often confuse general data protection features (like Information Protection or Endpoint DLP) with the specialized AI-focused DLP capability, assuming any DLP or protection feature can handle AI workloads, when only DLP for AI is purpose-built for Azure OpenAI Service interactions.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview Endpoint DLP focuses on monitoring and controlling data on endpoints (e.g., Windows 10/11 devices) and does not natively integrate with Azure OpenAI Service to inspect AI model prompts or outputs. Option B is wrong because Microsoft Purview Information Protection is primarily for classifying, labeling, and protecting sensitive data at rest (e.g., files and emails) using encryption and rights management, not for real-time content filtering of AI interactions. Option D is wrong because Microsoft Purview Audit provides logging and investigation of user and admin activities (e.g., who accessed what) but does not enforce policies to prevent harmful content generation or protect data in transit to AI models.

148
MCQ · medium

Refer to the exhibit. You are analyzing a Microsoft Sentinel analytics rule. What does this rule detect?

A. Multiple successful logons for the same account
B. Brute-force attack against a single account
C. Multiple failed logons from the same source IP address
D. Overall number of failed logons across all accounts
Answer: B

The rule alerts when an account has >10 failed logons in 5 minutes.

Why this answer

This rule detects a brute-force attack against a single account by triggering when the number of failed logons for a specific user exceeds a threshold within a given time window, followed by a successful logon. The condition `FailedLogons > 5` and `SuccessfulLogon > 0` for the same account indicates that the attacker has guessed the correct password after multiple failed attempts, which is a classic sign of a successful brute-force attack.

Exam trap

The trap here is that candidates often confuse a brute-force attack against a single account (detected by failed logons followed by a success for the same user) with a password spray attack (where many accounts are targeted with a few passwords), leading them to incorrectly select an option focused on source IP or overall failure counts.

How to eliminate wrong answers

Option A is wrong because the rule explicitly requires a high number of failed logons (FailedLogons > 5) before the successful logon, not just multiple successful logons for the same account. Option C is wrong because the rule aggregates failed logons by account (AccountName), not by source IP address, so it does not detect multiple failed logons from the same source IP. Option D is wrong because the rule filters on a specific account (AccountName) and requires a successful logon after failures, whereas an overall count of failed logons across all accounts would not identify a targeted brute-force attack on a single account.

149
MCQ · medium

Your organization uses Microsoft Entra ID and plans to implement a custom line-of-business application that accesses Microsoft Graph APIs. The application will be used by employees and external partners. You need to ensure that the application can authenticate users and obtain appropriate permissions without exposing the client secret. What should you implement?

A. Use a system-assigned managed identity to authenticate to Microsoft Graph.
B. Implement OAuth 2.0 authorization code flow with PKCE.
C. Store the client secret in Azure Key Vault and retrieve it at runtime.
D. Register the application as a public client and use the implicit grant flow.
Answer: B

PKCE ensures the authorization code is exchanged securely without exposing the client secret.

Why this answer

Managed identities (Option A) are not suitable for client applications that run outside Azure. Using certificates instead of client secrets improves security but still requires secret management, and retrieving the secret from Key Vault at runtime (Option C) does not remove that requirement. The OAuth 2.0 authorization code flow with PKCE is the recommended approach for mobile and desktop apps; for a web app with a backend, the best practice is to use a system-assigned managed identity if the app is hosted in Azure, or certificates stored in Key Vault.

However, the question describes a custom LOB app used by employees and external partners, likely hosted on-premises or in Azure. The most secure approach for a confidential client is a certificate stored in Azure Key Vault, but the stated requirement is to avoid exposing the client secret, and the authorization code flow with PKCE (Proof Key for Code Exchange) achieves that without placing a secret in the browser.

For a web app with a backend, the authorization code flow with PKCE is still recommended and the client secret is not exposed. Option B is therefore the most accurate answer.

150
MCQ · medium

Your company uses Microsoft Defender for Cloud to manage security posture across hybrid workloads. You need to ensure that critical vulnerabilities found on Azure VMs are automatically remediated without manual intervention. Which feature should you enable?

A. Enable 'Remediate' for security recommendations in Defender for Cloud
B. File Integrity Monitoring (FIM)
C. Microsoft Defender for Cloud's Regulatory Compliance dashboard
D. Azure Automation Update Management
Answer: A

Defender for Cloud can automatically remediate recommendations via Azure Policy.

Why this answer

Option A is correct because Microsoft Defender for Cloud's 'Remediate' feature allows you to automatically apply the necessary configuration changes or deploy the required patches to fix critical vulnerabilities on Azure VMs without manual intervention. This is achieved by enabling the 'Remediate' option on specific security recommendations, which triggers an automated workflow (often using Azure Policy or a custom script) to resolve the identified issue. This directly addresses the requirement for automatic remediation of critical vulnerabilities.

Exam trap

The trap here is that candidates often confuse the 'Remediate' feature with Azure Automation Update Management, assuming that update management is the only way to automatically patch VMs, but Defender for Cloud's remediation is specifically designed to act on its own security recommendations, including non-patch vulnerabilities like misconfigurations.

How to eliminate wrong answers

Option B is wrong because File Integrity Monitoring (FIM) is a security feature that monitors changes to critical files, registries, and system configurations, but it does not automatically remediate vulnerabilities; it only alerts on changes. Option C is wrong because the Regulatory Compliance dashboard provides a view of your compliance posture against standards like CIS or NIST, but it does not perform any automated remediation actions. Option D is wrong because Azure Automation Update Management is used to manage and schedule OS updates and patches, but it is not integrated with Defender for Cloud's vulnerability assessment findings and does not automatically remediate critical vulnerabilities identified by Defender for Cloud's security recommendations.
