Microsoft Cybersecurity Architect (SC-100) — Questions 151-225

969 questions total · 13 pages · All types, answers revealed


Page 3 of 13

151
MCQ · easy

A multinational corporation uses Microsoft Purview to classify and protect sensitive data. They need to ensure that any email containing a patient health record (PHI) is encrypted before delivery. Which capability should they use?

A. Data Loss Prevention (DLP) policy
B. Sensitivity label with encryption
C. Azure Information Protection
D. Microsoft Purview Message Encryption
Answer: D

Provides encryption for emails containing sensitive information.

Why this answer

Microsoft Purview Message Encryption allows sending encrypted email. Option D is correct. Option A is wrong because DLP policies trigger actions like blocking or encrypting, but the encryption itself is done by Message Encryption.

Option B is wrong because sensitivity labels can apply encryption, but for automatic encryption of emails, DLP with an encryption action is typical. Option C is wrong because Azure Information Protection is the underlying technology, but the policy is configured via Purview.

152
MCQ · hard

Your organization uses Microsoft Intune to manage devices and wants to ensure that only compliant devices can access corporate email. Which conditional access policy setting should you configure?

A. Require device to be marked as compliant
B. Require approved client app
C. Require Multi-Factor Authentication
D. Require domain join
Answer: A

This grant control ensures only Intune compliant devices can access corporate resources.

Why this answer

Option A is correct because the 'Require device to be marked as compliant' setting in a Conditional Access policy enforces that only devices meeting your Intune compliance policies (e.g., encryption, OS version, threat level) can access corporate email. This setting checks the device's compliance status reported by Intune to Azure AD during authentication, blocking non-compliant devices before they reach Exchange Online.

Exam trap

The trap here is that candidates often confuse 'Require approved client app' (which controls app-level access) with device compliance, thinking that restricting the app is sufficient to secure email, but it does not enforce device health or configuration.

How to eliminate wrong answers

Option B is wrong because 'Require approved client app' controls which client applications (e.g., Outlook mobile, Teams) can access data, not the device's compliance state; it does not enforce device health or configuration. Option C is wrong because 'Require Multi-Factor Authentication' adds an authentication factor but does not evaluate device compliance; a compromised but MFA-enabled device could still access email. Option D is wrong because 'Require domain join' is for Windows devices joined to on-premises Active Directory, not for mobile or BYOD devices managed by Intune; it does not check Intune compliance policies.

153
Multi-Select · easy

A company uses Microsoft Sentinel as its SIEM. They want to minimize storage costs for verbose logs that are rarely accessed but must be retained for one year for compliance. Which TWO actions should they take?

Select 2 answers
A. Archive the logs to Azure Storage after 30 days
B. Increase the retention period to one year
C. Configure the verbose logs to use Basic Logs tier
D. Remove the data sources that generate verbose logs
E. Set up continuous export to an event hub
Answers: A, C

Archiving reduces storage costs.

Why this answer

Option C is correct because Basic Logs are cheaper than Analytics Logs. Option A is correct because archiving long-term data to Azure Storage reduces costs. Option D is incorrect because removing data sources reduces visibility.

Option E is incorrect because continuous export does not reduce cost. Option B is incorrect because increasing retention increases cost.

154
MCQ · medium

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to ensure that only devices with a TPM (Trusted Platform Module) version 2.0 can access corporate resources. What should you configure?

A. Create a device compliance policy that requires TPM 2.0 and use Conditional Access to block non-compliant devices
B. Use Windows Update for Business to ensure TPM firmware is updated
C. Configure device enrollment restrictions to require TPM 2.0
D. Deploy a device configuration profile that enables TPM 2.0
Answer: A

Compliance policy with Conditional Access enforces access.

Why this answer

A device compliance policy in Microsoft Intune can check for TPM 2.0 presence and version. When combined with a Conditional Access policy that blocks non-compliant devices, only devices meeting the TPM 2.0 requirement can access corporate resources. This is the correct approach because Conditional Access enforces the compliance check at the authentication and authorization layer.

Exam trap

The trap here is that candidates confuse enrollment restrictions (which only apply at enrollment time) with ongoing compliance enforcement, or they think a configuration profile can block access, when only Conditional Access can enforce the block based on compliance.

How to eliminate wrong answers

Option B is wrong because Windows Update for Business manages firmware updates but cannot enforce a TPM version requirement for resource access; it only ensures the TPM firmware is current. Option C is wrong because device enrollment restrictions control which devices can enroll in Intune, but they do not enforce ongoing compliance for resource access after enrollment. Option D is wrong because a device configuration profile can enable or configure TPM features but cannot block access to corporate resources based on TPM version; it lacks the enforcement mechanism provided by Conditional Access.

155
Multi-Select · hard

Which THREE capabilities does Microsoft Purview provide for compliance management?

Select 3 answers
A. Identity protection and risk detection
B. Information protection with sensitivity labels
C. Data classification and labeling
D. Endpoint detection and response
E. eDiscovery and audit
Answers: B, C, E

Purview provides sensitivity labels.

Why this answer

Microsoft Purview provides compliance management capabilities including information protection with sensitivity labels, which allow organizations to classify and protect sensitive data across Microsoft 365 services, endpoints, and third-party apps. Sensitivity labels enforce encryption, visual markings, and access restrictions based on policy, directly supporting data loss prevention and governance.

Exam trap

The trap here is that candidates confuse Microsoft Purview's compliance-focused capabilities (like eDiscovery, audit, and sensitivity labels) with security operations tools (like identity protection and endpoint detection), which belong to separate Microsoft 365 security solutions.

156
MCQ · medium

A company is designing a secure API for a customer-facing application that will handle sensitive personal data. They need to ensure that only authorized client applications can call the API and that the identity of the end-user is verified. Which of the following should they implement?

A. HTTP Basic Authentication
B. OAuth 2.0 with client credentials and OpenID Connect
C. JWT bearer tokens
D. API keys
Answer: B

OAuth 2.0 client credentials grant authenticates the client, and OpenID Connect provides user authentication via ID tokens.

Why this answer

Option B is correct because OAuth 2.0 with client credentials and OpenID Connect provides both client authentication and user authentication. Option D is wrong because API keys only authenticate the client, not the user. Option A is wrong because Basic Auth transmits credentials in plaintext.

Option C is wrong because JWT tokens are a format, not an authentication protocol.

157
Multi-Select · easy

A company wants to secure its Azure Kubernetes Service (AKS) cluster. They need to ensure that pods cannot communicate with each other unless explicitly allowed, and that secrets are encrypted at rest. Which TWO security controls should they implement?

Select 2 answers
A. Use Azure Key Vault with Secrets Store CSI driver for secret management.
B. Apply Azure Policy to restrict container image sources.
C. Define Kubernetes network policies to restrict pod-to-pod traffic.
D. Enable Container insights for monitoring.
E. Enable Azure AD integration for the AKS cluster.
Answers: A, C

Provides encryption and secure storage.

Why this answer

Correct answers: A and C. Network policies in Kubernetes can restrict pod-to-pod communication, and Azure Key Vault with the Secrets Store CSI driver allows secrets to be encrypted and stored externally. Option E is incorrect: Azure AD integration is for authentication, not network or encryption.

Option B is incorrect: Azure Policy can enforce image sources, not pod communication. Option D is incorrect: Container insights is for monitoring.

158
MCQ · medium

A company is migrating on-premises applications to Azure. They need to ensure that applications can use their existing Active Directory credentials for authentication. Which Azure service should they use?

A. Azure AD Domain Services
B. Azure Active Directory
C. Azure AD Connect
D. Azure AD B2C
Answer: A

Provides LDAP, Kerberos, NTLM.

Why this answer

Azure AD Domain Services (Azure AD DS) provides managed domain services such as domain join, group policy, and Kerberos/NTLM authentication. This allows legacy on-premises applications that rely on Active Directory credentials to authenticate without needing to deploy and manage domain controllers in Azure. It bridges the gap by synchronizing identities from Azure AD and exposing traditional AD features over a virtual network.

Exam trap

The trap here is confusing Azure AD (a modern identity platform) with Azure AD DS (a managed domain service that provides legacy AD protocols), leading candidates to pick Azure Active Directory because they think it handles all authentication scenarios.

How to eliminate wrong answers

Option B (Azure Active Directory) is wrong because it is a cloud-based identity and access management service that uses modern protocols like OAuth 2.0 and OpenID Connect, not LDAP, Kerberos, or NTLM, so it cannot directly authenticate legacy applications expecting an on-premises AD domain controller. Option C (Azure AD Connect) is wrong because it is a synchronization tool that replicates on-premises AD objects to Azure AD; it does not provide authentication services itself. Option D (Azure AD B2C) is wrong because it is designed for customer-facing identity management with social logins and custom policies, not for enterprise applications needing existing AD credential validation.

159
MCQ · medium

A company is implementing a Zero Trust network strategy using Azure Virtual Network Manager (AVNM). They need to ensure that all traffic between virtual networks is encrypted and inspected by a firewall. Which configuration should they use?

A. Enable VNet peering between all VNets and use network security groups
B. Use a mesh topology with direct connectivity between VNets
C. Use a hub-and-spoke topology with a firewall appliance in the hub
D. Configure service endpoints for each VNet
Answer: C

Hub-and-spoke with firewall ensures traffic is routed through the firewall for inspection.

Why this answer

In a Zero Trust network strategy, all traffic must be encrypted and inspected regardless of source. A hub-and-spoke topology with a firewall appliance in the hub forces all inter-VNet traffic through the firewall, enabling deep packet inspection and encryption enforcement. Azure Virtual Network Manager (AVNM) can deploy this topology and route traffic via the hub, ensuring no direct VNet-to-VNet communication bypasses inspection.

Exam trap

The trap here is that candidates often assume VNet peering with NSGs is sufficient for Zero Trust, but NSGs cannot inspect or encrypt traffic, and peering itself does not enforce inspection—only a hub-and-spoke topology with a firewall appliance can meet both encryption and inspection requirements.

How to eliminate wrong answers

Option A is wrong because VNet peering creates direct, unencrypted-by-default connectivity between VNets, and network security groups (NSGs) only provide stateful filtering at Layers 3-4, not encryption or deep packet inspection. Option B is wrong because a mesh topology with direct connectivity between VNets allows traffic to bypass any central inspection point, violating the Zero Trust requirement that all traffic must be inspected. Option D is wrong because service endpoints provide private connectivity to Azure PaaS services over the Microsoft backbone, but they do not encrypt or inspect traffic between VNets.

160
MCQ · medium

Your organization uses Microsoft Entra ID for identity management and wants to implement a least-privilege access model for administrators. You need to reduce standing privileges and ensure that admin roles are activated only when needed with approval workflow. Requirements: (1) Require approval for activation of Global Administrator role, (2) Set activation duration to 4 hours maximum, (3) Require Azure MFA for activation, (4) Receive notifications when roles are activated, (5) Audit all activations for compliance. Which Microsoft Entra ID capability should you use?

A. Access Reviews
B. Privileged Identity Management (PIM)
C. Identity Protection
D. Conditional Access
Answer: B

PIM provides just-in-time activation with approval, MFA, and audit.

Why this answer

Option B is correct because Privileged Identity Management (PIM) in Microsoft Entra ID P2 provides just-in-time role activation with approval, MFA, time limits, notifications, and audit. Option D is wrong because Conditional Access does not manage role activation. Option C is wrong because Identity Protection is for risk detection.

Option A is wrong because Access Reviews are for periodic reviews, not activation workflows.

161
MCQ · hard

Your company has a hybrid identity environment with Microsoft Entra ID and on-premises Active Directory. You are designing a solution to protect against password spray attacks. You need to implement a solution that can detect and block malicious authentication attempts in real-time. What should you use?

A. Microsoft Entra ID Protection with Conditional Access policies.
B. Microsoft Defender for Identity with a VPN integration.
C. Azure AD Multi-Factor Authentication (MFA) enforced for all users.
D. Password hash synchronization with Azure AD Connect.
Answer: A

Detects and blocks risky sign-ins in real-time.

Why this answer

Option A is correct because Entra ID Identity Protection provides real-time risk detection and conditional access policies to block risky sign-ins, including password spray. Option B is wrong because Microsoft Defender for Identity focuses on on-premises AD attacks, not cloud authentication. Option C is wrong because Azure AD MFA is a verification method, not a detection mechanism.

Option D is wrong because password hash sync is for synchronization, not detection.

162
MCQ · hard

You are designing a secure DevOps pipeline for a critical application using GitHub Actions and Microsoft Defender for Cloud. You need to ensure that container images are scanned for vulnerabilities before being deployed to Azure Kubernetes Service (AKS). What should you implement?

A. Integrate Microsoft Defender for Containers with the CI/CD pipeline to scan images in Azure Container Registry.
B. Enable GitHub Advanced Security for the repository.
C. Configure Azure Policy to require vulnerability assessment.
D. Use Azure Container Registry Tasks to build images.
Answer: A

Defender for Containers scans images for vulnerabilities.

Why this answer

Option A is correct because Defender for Cloud can scan container images in registries and integrate with CI/CD. Option B is wrong because GitHub Advanced Security scans code, not images. Option C is wrong because Azure Policy can enforce compliance but does not scan.

Option D is wrong because Azure Container Registry Tasks build images but do not scan.

163
Multi-Select · hard

Which TWO actions should you take to improve the security posture of an Azure subscription using Microsoft Defender for Cloud? (Select two.)

Select 2 answers
A. Assign Azure Policy to enforce resource compliance
B. Enable Azure Defender plans for all supported resource types
C. Implement the top security recommendations from the Secure Score
D. Create custom security policies
E. Deploy vulnerability assessment solution to all VMs
Answers: B, C

Enabling plans provides advanced threat protection.

Why this answer

Options B and C are correct because enabling Defender plans and implementing recommendations improve security. Option D is wrong because Defender for Cloud already provides recommendations. Option E is wrong because vulnerability assessment for VMs is a feature, not a specific action.

Option A is wrong because assigning Azure Policy is a method, but the most direct actions are enabling plans and implementing recommendations.

164
MCQ · easy

Your company uses Azure DevOps to deploy infrastructure. You need to ensure that all deployed resources have specific tags for cost tracking. Which Azure policy effect should you use to prevent deployment of untagged resources?

A. Disabled
B. Deny
C. DeployIfNotExists
D. Audit
Answer: B

Deny prevents creation of non-compliant resources.

Why this answer

Option B is correct because the 'Deny' effect prevents creation of non-compliant resources. Option D is wrong because 'Audit' only logs compliance and does not block. Option C is wrong because 'DeployIfNotExists' can add tags after creation but does not prevent deployment.

Option A is wrong because 'Disabled' turns off the policy.

165
Multi-Select · medium

Your company uses Microsoft Intune to manage Windows 10 devices. You need to design a security baseline that ensures devices meet the organization's security requirements, including BitLocker encryption, Windows Defender Firewall rules, and Microsoft Defender for Endpoint settings. Which TWO Intune features should you use to apply these configurations?

Select 2 answers
A. Device enrollment restrictions
B. Endpoint security policies for Antivirus, Firewall, and Disk Encryption
C. Compliance policies for Windows 10
D. Custom configuration profiles using OMA-URI
E. Security Baselines for Windows 10
Answers: B, E

Endpoint security policies provide dedicated sections for configuring Defender, firewall, and BitLocker.

Why this answer

Option E (Security Baselines) provides pre-configured settings for security features. Option B (Endpoint security policies) allows granular configuration for antivirus, firewall, and BitLocker. Option C (Compliance policies) enforces requirements but does not configure settings; Option D (Custom configuration profiles) can apply settings but is not as comprehensive; Option A (Device enrollment restrictions) is for enrollment control.

166
MCQ · medium

You are designing a security solution for an Azure Kubernetes Service (AKS) cluster. You need to ensure that only authorized images from a specific container registry can be deployed. Which Azure Policy definition should you use?

A. Kubernetes cluster should be accessible only over HTTPS
B. Kubernetes cluster containers should only use allowed images
C. Kubernetes cluster should use internal load balancers
D. Kubernetes cluster should not allow privileged containers
Answer: B

This built-in policy restricts images to allowed registries.

Why this answer

Option B is correct because the Azure Policy built-in definition 'Kubernetes cluster containers should only use allowed images' enforces a constraint on the container images deployed in an AKS cluster. This policy uses an Open Policy Agent (OPA) constraint to validate that every container's image reference matches a specified list of allowed registries or image patterns, ensuring only authorized images from a specific container registry can be deployed.

Exam trap

The trap here is that candidates often confuse policies that restrict container behavior (like privileged containers) with policies that restrict image sources, leading them to select Option D instead of the correct image-based constraint.

How to eliminate wrong answers

Option A is wrong because the policy 'Kubernetes cluster should be accessible only over HTTPS' enforces TLS for the API server endpoint, not image source restrictions. Option C is wrong because 'Kubernetes cluster should use internal load balancers' mandates internal-facing load balancers for services, which addresses network exposure, not image authorization. Option D is wrong because 'Kubernetes cluster should not allow privileged containers' prevents containers from running with elevated privileges but does not restrict which images can be deployed.

167
MCQ · medium

Your organization uses Microsoft Defender for Cloud to secure multi-cloud workloads. You need to ensure that Azure, AWS, and GCP resources are assessed against a common set of security standards. Which capability should you use?

A. Regulatory compliance standards
B. Vulnerability assessment solutions
C. Cloud Security Posture Management (CSPM)
D. Just-in-time (JIT) VM access
Answer: A

Applies to multi-cloud environments.

Why this answer

Option A is correct because regulatory compliance standards in Defender for Cloud can be applied across Azure, AWS, and GCP to enforce common benchmarks. Option D is wrong because JIT is only for Azure VMs. Option B is wrong because vulnerability assessments are per resource type.

Option C is wrong because CSPM is a broader framework, not a specific compliance standard.

168
Multi-Select · medium

Your organization is developing a new application that will use Azure Cosmos DB. The security team requires that all data be encrypted at rest and in transit, and that access to the database is limited to specific Azure services and IP addresses. The application will run on Azure VMs. Which three actions should you take? (Choose three.)

Select 3 answers
A. Configure Cosmos DB to require TLS for all client connections.
B. Use Azure SQL Database instead of Cosmos DB for better security features.
C. Use a private endpoint for Cosmos DB and restrict access to the private endpoint.
D. Enable encryption at rest on the Cosmos DB account using customer-managed keys.
E. Configure the Cosmos DB firewall to allow access from all Azure services.
Answers: A, C, D

TLS encrypts data in transit between the client and Cosmos DB.

Why this answer

Options A, C, and D are correct. Option A: enforce TLS for all requests to Cosmos DB for encryption in transit. Option C: use a private endpoint for Cosmos DB to restrict network access.

Option D: enable encryption at rest (which is on by default) and use customer-managed keys if required. Option E is wrong because firewall rules are needed, but they should allow only the VM's public IP or the private endpoint; allowing all Azure services is too permissive. Option B is wrong because Azure SQL Database is not Cosmos DB.

169
Multi-Select · easy

Your organization is designing a security strategy for Microsoft 365. You need to align with Microsoft's Zero Trust best practices. Which TWO principles should be included?

Select 2 answers
A. Verify explicitly
B. Trust but verify
C. Verify implicitly
D. Assume breach
E. Use least privilege
Answers: A, D

A key Zero Trust principle: always authenticate and authorize based on all available data points.

Why this answer

The Zero Trust model, as defined by Microsoft, is built on three foundational principles: verify explicitly, use least privilege, and assume breach. 'Verify explicitly' means always authenticating and authorizing based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies, before granting access. This aligns directly with Microsoft's implementation in Azure AD Conditional Access, which enforces real-time policy evaluation for every access request.

Exam trap

The trap here is that candidates often confuse 'use least privilege' as a separate principle when it is actually one of the three core Zero Trust pillars, but the question specifically requires selecting the two principles that are explicitly named in Microsoft's Zero Trust guidance, which are 'verify explicitly' and 'assume breach'.

170
MCQ · easy

A company plans to deploy Azure Virtual Desktop (AVD) in a secure environment. They require that all user connections be established over a reverse connect protocol to avoid inbound firewall rules. Which component enables this?

A. Azure Bastion
B. Azure AD Application Proxy
C. AVD Gateway service
D. Session host configuration
Answer: C

The gateway uses reverse connect for outbound connections.

Why this answer

The AVD Gateway service is the correct component because it establishes a reverse connect transport, where the session host initiates an outbound connection to the gateway over HTTPS (port 443). This eliminates the need for any inbound firewall rules to the session hosts, as user connections are relayed through the gateway without directly exposing the session hosts to the internet.

Exam trap

The trap here is that candidates often confuse Azure Bastion's secure RDP access with AVD's reverse connect, but Bastion still requires inbound connectivity to the bastion host and does not provide the same outbound-only connection model that eliminates inbound firewall rules for session hosts.

How to eliminate wrong answers

Option A is wrong because Azure Bastion provides secure RDP/SSH access to VMs via the Azure portal using a bastion host, but it does not use a reverse connect protocol for AVD; it relies on inbound connections through a separate subnet. Option B is wrong because Azure AD Application Proxy is designed for publishing on-premises web apps with pre-authentication, not for brokering AVD connections; it lacks the specific reverse connect transport and session management capabilities required for AVD. Option D is wrong because the session host configuration (e.g., VM settings, RDP properties) controls local session behavior but does not handle the network-level reverse connect protocol; the gateway service is the infrastructure component that enables this.

171
MCQ · medium

Your company uses Microsoft Purview to classify and label sensitive data. The data protection team needs to automatically apply a 'Confidential' label to documents that contain a custom sensitive info type for employee IDs. Which should you create?

A. A trainable classifier
B. A sensitivity label
C. A retention label
D. A custom sensitive information type and an auto-labeling policy
Answer: D

Custom SIT detects the employee ID pattern, and auto-labeling policy applies the label automatically.

Why this answer

To automatically apply a 'Confidential' label based on the presence of a custom sensitive info type (employee IDs), you need both a custom sensitive information type (SIT) to define the pattern and an auto-labeling policy to trigger the label application. The auto-labeling policy uses the SIT to scan documents and automatically applies the specified sensitivity label when a match is found. This is the only option that combines the detection mechanism with automated labeling.

Exam trap

The trap here is that candidates often confuse the role of a sensitivity label (which is just the label definition) with the auto-labeling policy (which provides the detection and automation), leading them to select only the sensitivity label without the necessary policy.

How to eliminate wrong answers

Option A is wrong because a trainable classifier uses machine learning to identify content based on examples, not a custom pattern like employee IDs, and it cannot directly apply labels without an auto-labeling policy. Option B is wrong because a sensitivity label alone defines the label and its protection settings but does not include the detection logic or automation to apply it automatically based on content. Option C is wrong because a retention label is used for data lifecycle management (retention and deletion), not for sensitivity classification or automatic application based on sensitive info types.

172
MCQ · medium

Your organization is migrating on-premises Active Directory to Microsoft Entra ID. You need to ensure that users can authenticate to on-premises resources using their Entra ID credentials. Which feature should you implement?

A. Active Directory Federation Services (AD FS)
B. Password Hash Sync with Microsoft Entra Connect
C. Microsoft Entra Connect Health
D. Pass-through Authentication
Answer: B

Synchronizes password hashes for authentication to on-premises.

Why this answer

Option B is correct because Microsoft Entra ID with Password Hash Sync allows users to use the same password for cloud and on-premises resources. Option D is wrong because Pass-through Authentication does not sync passwords. Option A is wrong because federation requires an on-premises identity provider.

Option C is wrong because Microsoft Entra Connect Health monitors synchronization health.

173
MCQ · medium

A company uses Microsoft Defender for Cloud to manage security across hybrid workloads. They need to ensure that all Azure VMs have guest-level threat detection enabled. Which security policy should they assign?

A. Azure Security Benchmark
B. Microsoft cloud security benchmark
C. Microsoft Defender for Cloud Apps
D. NIST SP 800-53
Answer: B

This initiative includes policies to deploy guest configuration extensions and enable threat detection.

Why this answer

The Microsoft cloud security benchmark initiative includes built-in policies for guest configuration. Option A is wrong because the Azure Security Benchmark is the older, general benchmark that the Microsoft cloud security benchmark replaced. Option C is wrong because Microsoft Defender for Cloud Apps is a different product, not a policy initiative.

Option D is wrong because NIST SP 800-53 is a separate regulatory standard, not the default policy initiative.

174
MCQ · medium

Your organization is deploying Microsoft Defender for Cloud to secure a hybrid environment with workloads in Azure and on-premises. You need to ensure that all servers are covered by Defender for Cloud's plans. Which two actions should you take?

A. Install the Azure Connected Machine agent (Azure Arc) on on-premises servers.
B. Enable only the foundational cloud security posture management (CSPM) on the subscription.
C. Enable the Defender for Cloud plans (e.g., Defender for Servers) on the Azure subscription.
D. Deploy the Azure Monitor Agent to all on-premises servers.
Answers: A, C

Brings on-premises servers under Defender for Cloud management.

Why this answer

Option A is correct because deploying the Azure Arc agent on on-premises servers allows them to be managed by Defender for Cloud. Option C is correct because enabling the appropriate Defender plans (e.g., Servers) on the Azure subscription covers Azure VMs. Option B is wrong because enabling just the foundational CSPM doesn't include the server-specific protections.

Option D is wrong because Defender for Cloud doesn't require Azure Monitor agents for basic coverage, though it's recommended for advanced features.

175
MCQ · medium

Refer to the exhibit. You are reviewing an ARM template that deploys a storage account. The compliance team requires that all storage accounts use TLS 1.2 or higher. Does this template meet the requirement?

A. Yes, because Standard_GRS automatically enforces TLS 1.2.
B. Yes, because minimumTlsVersion is set to TLS1_2.
C. No, because supportsHttpsTrafficOnly only allows HTTPS but does not enforce TLS 1.2.
D. No, because the apiVersion is outdated and does not support TLS setting.
Answer: B

The property enforces TLS 1.2 as the minimum version.

Why this answer

Option B is correct because the template sets minimumTlsVersion to TLS1_2, which meets the requirement. Option C is wrong because the property is set correctly. Option D is wrong because the template uses a valid apiVersion.

Option A is wrong because Standard_GRS is not related to TLS version.

176
MCQ · medium

A company uses Microsoft 365 Defender to protect their endpoints, email, and identities. They want to create a custom detection for a specific behavior that is not covered by built-in detections. Which tool should they use?

A.Microsoft Sentinel analytics rules
B.Azure AD Identity Protection user risk policies
C.Custom detection rules in Microsoft 365 Defender
D.Microsoft Defender for Cloud Apps policies
AnswerC

Allows creation of custom KQL queries across data sources within M365 Defender.

Why this answer

Microsoft 365 Defender provides a 'Custom detection' feature under the 'Advanced hunting' section that allows security teams to create custom detection rules based on Kusto Query Language (KQL) queries. This is the correct tool because the question specifies creating a detection for behavior not covered by built-in detections within the Microsoft 365 Defender ecosystem, and custom detection rules are designed exactly for that purpose—they run on a schedule and generate alerts when the custom query matches.

Exam trap

The trap here is that candidates often confuse Microsoft Sentinel analytics rules with Microsoft 365 Defender custom detection rules because both use KQL and create alerts, but Sentinel is a separate SIEM product, while the question explicitly asks for a tool within Microsoft 365 Defender.

How to eliminate wrong answers

Option A is wrong because Microsoft Sentinel analytics rules are used within the Azure Sentinel SIEM platform, not within Microsoft 365 Defender; while they can ingest data from Microsoft 365 Defender, they are not a tool native to the Defender portal for creating detections. Option B is wrong because Azure AD Identity Protection user risk policies focus on user risk levels (e.g., low, medium, high) and are not designed for custom behavioral detection—they use pre-defined risk signals and machine learning models, not custom KQL queries. Option D is wrong because Microsoft Defender for Cloud Apps policies are used for cloud app discovery, session controls, and app permissions, not for creating custom endpoint, email, or identity detections within Microsoft 365 Defender.

177
MCQmedium

A company is designing a security operations center (SOC). They want to use Microsoft Sentinel as their SIEM. They need to ensure that all security events from on-premises servers are collected. Which data connector should they configure?

A.Windows Firewall via Legacy Agent
B.Syslog via AMA
C.Azure Activity Log
D.Windows Security Events via Azure Monitor Agent (AMA)
AnswerD

AMA can collect events from on-premises servers using Azure Arc.

Why this answer

Option D is correct because the Windows Security Events via Azure Monitor Agent (AMA) connector is the recommended method for collecting security events from on-premises Windows servers into Microsoft Sentinel. AMA is the current generation agent that supports data collection rules (DCRs) for granular filtering and is fully supported by Sentinel, replacing the legacy Log Analytics Agent. This ensures comprehensive collection of Windows security logs such as Event ID 4625 (failed logons) and 4688 (process creation) for SOC analysis.

Exam trap

The trap here is that candidates may confuse Syslog (used for Linux/network devices) with Windows Security Events, or mistakenly think the legacy Log Analytics Agent (now deprecated) is still the primary connector for Windows events, when AMA is the current best practice.

How to eliminate wrong answers

Option A is wrong because Windows Firewall via Legacy Agent collects only firewall logs, not the full range of Windows security events (e.g., logon, process creation, object access) required for a SOC. Option B is wrong because Syslog via AMA collects syslog messages from Linux or network devices, not Windows Security Events from on-premises servers. Option C is wrong because Azure Activity Log collects subscription-level control plane events from Azure, not on-premises server security events.

178
MCQmedium

Your company uses Microsoft Entra ID. You need to implement a policy that requires all guest users to complete a terms-of-use acceptance before accessing applications. Which two components must be configured?

A.Multifactor authentication registration policy
B.Conditional access policy
C.Entitlement Management access packages
D.Identity Protection policy
E.Terms-of-use document in Microsoft Entra ID
AnswerB, E

Conditional access policies can require terms-of-use acceptance.

Why this answer

Options B and E are correct. The terms-of-use document must first be created in Microsoft Entra ID, and a Conditional Access policy scoped to guest and external users then enforces its acceptance as a grant control before the applications are reached. Option D is incorrect because Identity Protection is for risk detection and risk-based policies, not terms of use.

Option C is incorrect because Entitlement Management governs access packages; it can attach terms of use to a package, but it is not what enforces acceptance for all guests. Option A is incorrect because the MFA registration policy is unrelated to terms of use.

179
MCQeasy

Your organization uses Microsoft Sentinel for security operations. You need to ensure that all incident investigations are automatically captured for compliance reporting. Which feature should you enable?

A.Use Microsoft Purview Compliance Manager
B.Configure Azure Policy for Sentinel
C.Enable Microsoft Sentinel audit logging
D.Enable Microsoft Defender for Cloud Apps
AnswerC

Audit logging captures investigation actions for compliance.

Why this answer

Microsoft Sentinel audit logging captures all actions performed within the Sentinel environment, including incident investigations, queries run, and configuration changes. Enabling this feature ensures that every investigation step is logged and can be used for compliance reporting, as it records user activities and system events in the Azure Activity Log or Log Analytics workspace.

Exam trap

The trap here is that candidates may confuse compliance features like Purview Compliance Manager or Azure Policy with the operational audit trail needed for incident investigation tracking, overlooking that Sentinel's own audit logging is the direct mechanism for capturing investigation activities.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview Compliance Manager is a compliance management tool that assesses and manages compliance posture, but it does not automatically capture incident investigation activities within Sentinel. Option B is wrong because Azure Policy enforces organizational standards and assesses compliance at the Azure resource level, but it does not log or capture the detailed audit trail of Sentinel incident investigations. Option D is wrong because Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) that focuses on securing cloud applications, not on auditing Sentinel's internal investigation workflows.

180
MCQmedium

You are designing a secure hybrid network connectivity solution between an on-premises datacenter and Azure. The requirement is to have encrypted traffic and high availability. Which service should you use?

A.Azure Front Door
B.Azure ExpressRoute
C.Azure VPN Gateway
D.Azure Bastion
AnswerC

VPN Gateway provides IPsec encryption and supports active-active for HA.

Why this answer

Option C is correct because VPN Gateway provides an IPsec/IKE-encrypted site-to-site tunnel and supports an active-active configuration for high availability. Option B is wrong because ExpressRoute is a private circuit that is not encrypted by default; encryption requires additional MACsec or IPsec configuration on top of it. Option D is wrong because Azure Bastion provides browser-based RDP/SSH to VMs, not datacenter-to-Azure connectivity.

Option A is wrong because Azure Front Door is a global HTTP(S) entry point and load balancer for web applications, not a hybrid connectivity service.

181
Multi-Selecthard

Which TWO are best practices for designing a Microsoft 365 Defender (XDR) deployment to ensure optimal detection and response?

Select 2 answers
A.Deploy Defender for Endpoint on unsupported operating systems with limited functionality
B.Configure automated investigation and response for common incident types
C.Rely solely on manual alert triage to avoid missing complex attacks
D.Enable all supported data sources and ensure proper licensing
E.Configure each workload (Endpoint, Identity, etc.) in SILO mode to avoid false positives
AnswersB, D

Automation speeds up response and reduces workload.

Why this answer

B is correct because configuring automated investigation and response (AIR) for common incident types is a core best practice in Microsoft 365 Defender. AIR leverages built-in playbooks to automatically triage, investigate, and remediate alerts, reducing mean time to respond (MTTR) and allowing security teams to focus on complex threats. This aligns with the XDR principle of using automation to handle high-volume, predictable incidents efficiently. D is correct because cross-workload correlation depends on signal from every supported source; a workload that is unlicensed or not connected leaves a blind spot in the incident graph.

Exam trap

The trap here is that candidates may think enabling all data sources (option D) is unnecessary or could cause noise, but in XDR, comprehensive data ingestion is essential for accurate correlation and detection, while proper tuning and automation handle false positives.

182
MCQmedium

A multinational corporation uses Microsoft Entra ID with hybrid identities. They need to design a solution that automatically remediates risky sign-ins without user intervention. Which feature should you enable?

A.Entra ID Governance (Access Reviews)
B.Privileged Identity Management (PIM)
C.Microsoft Defender for Identity
D.Identity Protection with Conditional Access policies
AnswerD

Identity Protection detects risk and Conditional Access can enforce automated actions like blocking or requiring MFA.

Why this answer

Option D is correct because Identity Protection detects sign-in risk and, through a risk-based Conditional Access policy, automatically requires MFA or blocks access when risk is detected, with no administrator intervention. Option B is wrong because PIM governs just-in-time activation of privileged roles, not risk-based remediation. Option A is wrong because Entra ID Governance access reviews recertify existing access; they do not react to risky sign-ins.

Option C is wrong because Microsoft Defender for Identity detects threats against on-premises Active Directory and raises alerts; it does not automatically remediate cloud sign-in risk.

183
MCQeasy

A company uses Microsoft Entra ID for identity management. They want to ensure that only approved users can access a custom web application. The solution must support single sign-on (SSO) and require multi-factor authentication (MFA) for external users. Which approach should they use?

A.Register the application in Microsoft Entra ID and configure SAML-based sign-on
B.Use Azure AD Application Proxy to publish the app
C.Configure Microsoft Entra B2B collaboration and set MFA trust settings
D.Register the application in Microsoft Entra ID and assign app roles
AnswerC

B2B collaboration invites external users, and Conditional Access policies can require MFA for those users, providing SSO and MFA

Why this answer

Option C is correct because B2B collaboration is how external users are brought into the tenant as guests with SSO to the tenant's applications, and the MFA trust settings (cross-tenant access settings) together with a Conditional Access policy targeting guest users ensure MFA is satisfied for them. Option A is wrong because SAML-based sign-on provides SSO but does not by itself enforce MFA. Option B is wrong because Application Proxy publishes on-premises applications; it is not what governs external users' access.

Option D is wrong because app roles manage authorization within the application, not authentication requirements such as MFA.

184
Multi-Selectmedium

Your organization uses Microsoft Purview to classify sensitive data. You need to automatically apply a sensitivity label to documents that contain personally identifiable information (PII). Which TWO components should you configure?

Select 2 answers
A.Auto-labeling policy
B.Retention label
C.Data Loss Prevention (DLP) policy
D.Sensitivity label
E.Trainable classifier
AnswersA, D

Auto-labeling policies automatically apply sensitivity labels based on conditions.

Why this answer

Auto-labeling policy (A) is correct because it automatically applies sensitivity labels to documents based on conditions such as the presence of sensitive data types (e.g., PII). Sensitivity label (D) is correct because it defines the classification and protection settings (e.g., encryption, markings) that are applied to the content. Together, they enable automatic classification of PII documents without manual user intervention.

Exam trap

The trap here is that candidates often confuse DLP policies (which detect and block data exfiltration) with auto-labeling policies (which apply classification labels), leading them to incorrectly select DLP policy as a component for automatic labeling.

185
Multi-Selecteasy

Your organization is adopting a Zero Trust security model. You need to design a solution for secure remote access to on-premises applications that eliminates VPNs. Which TWO Microsoft technologies should you use?

Select 2 answers
A.Azure Bastion
B.Microsoft Intune
C.Microsoft Entra Application Proxy
D.Microsoft Defender for Cloud Apps
E.Azure VPN Gateway
AnswersC, D

Application Proxy publishes on-premises apps securely without VPN, using conditional access.

Why this answer

Option C (Microsoft Entra Application Proxy) provides secure remote access to on-premises apps without a VPN, with pre-authentication through Entra ID and Conditional Access. Option D (Microsoft Defender for Cloud Apps) adds Conditional Access App Control for real-time session monitoring and control. Option E (Azure VPN Gateway) is itself a VPN, which the requirement excludes; Option A (Azure Bastion) is for RDP/SSH to Azure VMs; Option B (Microsoft Intune) is for device management.

186
MCQmedium

An organization uses Microsoft Intune to manage devices. They need to ensure that only devices compliant with security baselines can access corporate email via Microsoft Outlook. The solution should use existing Microsoft 365 security features. What should they implement?

A.Configure an app protection policy in Microsoft Intune.
B.Create a Conditional Access policy in Microsoft Entra ID that requires compliant device.
C.Create a device compliance policy in Microsoft Intune.
D.Configure a device configuration profile in Microsoft Intune.
AnswerB

Integrates with Intune compliance to block non-compliant devices.

Why this answer

Option B is correct because Conditional Access policies in Microsoft Entra ID evaluate device compliance status before granting access to cloud apps like Exchange Online. By requiring a compliant device, the policy enforces that only devices meeting security baselines can access corporate email via Outlook, leveraging existing Microsoft 365 identity and access management capabilities.

Exam trap

The trap here is that candidates confuse device compliance policies (which only define rules) with Conditional Access policies (which enforce access decisions), leading them to pick Option C without realizing a separate policy is needed to block access.

How to eliminate wrong answers

Option A is wrong because app protection policies manage data within apps (e.g., preventing copy/paste) but do not enforce device-level compliance requirements like security baselines. Option C is wrong because a device compliance policy defines the compliance rules (e.g., requiring encryption) but does not itself block access; it must be paired with a Conditional Access policy to enforce the block. Option D is wrong because device configuration profiles apply settings (e.g., Wi-Fi, VPN) but do not evaluate or enforce compliance for access control.

187
Multi-Selecteasy

Your organization is implementing Microsoft Entra ID governance. Which TWO features are part of Microsoft Entra ID Governance? (Select two.)

Select 2 answers
A.Privileged Identity Management
B.Authentication methods policy
C.Conditional Access
D.Entitlement management
E.Access reviews
AnswersD, E

Manages access packages and resource access.

Why this answer

Entitlement management and access reviews are the core Entra ID Governance features, so D and E are correct. Conditional Access is an access-control feature and the authentication methods policy governs which sign-in methods users may register; neither is governance. Privileged Identity Management is also part of the Identity Governance portfolio, so option A is a weak distractor, but the question limits the choice to two and entitlement management and access reviews are the defining governance features.

188
Multi-Selecthard

Which TWO actions should you take to secure Azure Functions with HTTP triggers?

Select 2 answers
A.Enable App Service Authentication (EasyAuth)
B.Configure network restrictions to allow only specific IP ranges
C.Set authorization level to anonymous
D.Enable Application Insights
E.Use function keys only
AnswersA, B

EasyAuth integrates with identity providers to authenticate requests.

Why this answer

Options A and B are correct. App Service Authentication (Easy Auth) puts an identity provider in front of the HTTP trigger so every request is authenticated before the function code runs, and network restrictions (IP ranges or private endpoints) shrink the exposed surface. Option C is wrong because an anonymous authorization level lets anyone invoke the function.

Option E is wrong because function keys are shared secrets passed in the request; they provide basic access control, not identity-based authentication, and are easily leaked. Option D is wrong because Application Insights is for monitoring and diagnostics, not access control.

189
MCQeasy

A company wants to implement a secure web application gateway to protect their public-facing web apps from common exploits like SQL injection and cross-site scripting. Which Azure service should they use?

A.Azure Front Door with WAF
B.Azure Firewall
C.Azure DDoS Protection
D.Azure Application Gateway with WAF
AnswerD

Application Gateway with WAF protects web apps from common exploits.

Why this answer

Azure Application Gateway with WAF is the correct choice because it is a regional, layer-7 load balancer that includes a built-in Web Application Firewall (WAF) specifically designed to protect web applications from common exploits such as SQL injection and cross-site scripting (XSS). The WAF uses OWASP Core Rule Sets (CRS) to inspect HTTP/HTTPS traffic and block malicious payloads at the application layer, making it the ideal service for securing public-facing web apps.

Exam trap

The trap here is that candidates often confuse Azure Front Door with WAF as a direct alternative to Application Gateway with WAF, but Front Door is a global service for multi-region distribution, while Application Gateway is the regional, layer-7 load balancer with WAF that is the correct choice for protecting a single-region web application gateway.

How to eliminate wrong answers

Option A is wrong because Azure Front Door with WAF is a global, multi-region load balancer and CDN service that also includes WAF capabilities, but it is optimized for global distribution and edge caching, not for protecting a single regional web application gateway; the question implies a single gateway deployment, and Application Gateway is the standard regional choice. Option B is wrong because Azure Firewall is a stateful, network-layer firewall that filters traffic based on IP addresses, ports, and protocols (layers 3-4), and it does not inspect application-layer payloads like SQL injection or XSS; it lacks the WAF functionality required for web application exploits. Option C is wrong because Azure DDoS Protection provides mitigation against volumetric distributed denial-of-service attacks at layers 3 and 4, but it does not inspect or block application-layer attacks such as SQL injection or XSS, which require a WAF.

190
MCQhard

You are designing a secure access solution for an on-premises application that uses legacy authentication protocols. The organization plans to migrate to Microsoft Entra ID but the application vendor has not yet provided a modern authentication update. The solution must enable single sign-on (SSO) and support multifactor authentication (MFA) for this application without modifying the application code. Which approach should you recommend?

A.Integrate the application with the Microsoft Authentication Library (MSAL)
B.Federate the on-premises Active Directory with Microsoft Entra ID
C.Use Microsoft Entra Conditional Access policies to require MFA
D.Deploy Microsoft Entra Application Proxy with pre-authentication
AnswerD

Application Proxy acts as a reverse proxy, handling modern auth with Entra ID and relaying to the legacy app.

Why this answer

Option D is correct because Microsoft Entra Application Proxy publishes the on-premises application through a reverse proxy that pre-authenticates users with Entra ID (so Conditional Access and MFA apply) and then relays to the legacy app, typically using Kerberos constrained delegation or header-based SSO, with no code changes. Option C is wrong because Conditional Access can only enforce MFA on authentications that flow through Entra ID, which a legacy-protocol app does not do on its own. Option A is wrong because integrating the Microsoft Authentication Library (MSAL) requires changing the application code.

Option B is wrong because federating on-premises Active Directory with Entra ID does not change how the application itself authenticates; the app still needs something in front of it to consume the modern token.

191
MCQeasy

An organization wants to ensure that all Windows 10 devices are compliant with security policies before they can access corporate email. Microsoft Intune is used for device management. Which component should be used to enforce compliance and block non-compliant devices?

A.Intune device compliance policy alone
B.Microsoft Entra ID Conditional Access policy integrated with Intune compliance
C.Microsoft 365 Defender portal
D.Microsoft Defender for Endpoint device risk score
AnswerB

Conditional Access uses compliance data to enforce access.

Why this answer

Option B is correct because Microsoft Entra ID Conditional Access policies can evaluate Intune device compliance status in real time. When a device is marked non-compliant by an Intune compliance policy, the Conditional Access policy blocks access to corporate email (e.g., Exchange Online) until the device is remediated. This integration enforces a 'compliant device required' gate that cannot be achieved by Intune compliance alone, which only reports status without blocking access.

Exam trap

The trap here is that candidates assume Intune compliance policies alone can block access, but they forget that enforcement requires a separate Conditional Access policy to act on the compliance state—Intune only reports, it does not gate authentication.

How to eliminate wrong answers

Option A is wrong because Intune device compliance policy alone only marks devices as compliant or non-compliant; it does not enforce access control or block email access—that requires a Conditional Access policy to act on the compliance state. Option C is wrong because the Microsoft 365 Defender portal provides threat detection, investigation, and response capabilities, but it does not directly enforce device compliance-based access control for email. Option D is wrong because Microsoft Defender for Endpoint device risk score is a signal that can be used within Conditional Access (via risk-based policies), but it is not the primary component for enforcing compliance policies; the question specifically asks for enforcing compliance, not risk-based access.

192
MCQeasy

Your organization uses Microsoft Purview to manage data governance. The compliance team needs to be able to search for and investigate whether any sensitive data (e.g., credit card numbers) is stored in Microsoft Teams messages. They also need to place a legal hold on specific user's Teams messages for eDiscovery. You need to design the solution. What should you configure?

A.Configure a sensitivity label for credit card numbers and apply it to Teams messages.
B.Create a Data Loss Prevention policy that monitors Teams messages for credit card numbers.
C.Use Microsoft Purview eDiscovery (Premium) to create a case, search for credit card numbers in Teams messages, and place a hold on the user's mailbox and Teams data.
D.Enable Microsoft Purview Audit to search the audit log for Teams messages containing credit card numbers.
AnswerC

eDiscovery supports content search and legal hold across Microsoft 365 services.

Why this answer

Option C is correct because Microsoft Purview eDiscovery (Premium) can create a case, search Teams messages for sensitive information types such as credit card numbers, and place a hold on the custodian's mailbox and Teams data. Option D (Audit) logs activities but does not search message content. Option B (DLP) detects and blocks sharing of sensitive data going forward but does not search existing content or place holds.

Option A (a sensitivity label) classifies and protects content but provides neither search nor legal hold.

193
MCQmedium

A company uses Microsoft Defender for Cloud to assess the security posture of their Azure subscriptions. They want to ensure that critical recommendations are automatically remediated. They create a workflow automation that triggers a Logic App for specific recommendations. However, the Logic App fails to run. What is the most likely cause?

A.The managed identity of the Logic App lacks permissions on the target resources.
B.The subscription is not onboarded to Defender for Cloud.
C.Defender for Cloud is disabled for the resource group.
D.The recommendation is disabled in the security policy.
AnswerA

Logic App needs permissions to perform remediation actions.

Why this answer

The most likely cause is that the Logic App's managed identity lacks the necessary permissions on the target Azure resources. Workflow automations in Defender for Cloud use a Logic App that executes remediation actions; if the Logic App's identity (either system-assigned or user-assigned) does not have the required RBAC role (e.g., Contributor or a custom role with specific actions) on the resource scope, the remediation run will fail with an authorization error. This is a common misconfiguration because the automation trigger itself succeeds, but the downstream action fails due to insufficient permissions.

Exam trap

The trap here is that candidates often assume the trigger itself is failing due to a misconfiguration in Defender for Cloud, when in fact the trigger succeeds and the failure is in the Logic App's downstream action due to missing RBAC permissions on the managed identity.

How to eliminate wrong answers

Option B is wrong because if the subscription were not onboarded to Defender for Cloud, the workflow automation trigger would not be available at all, and the Logic App would not even be invoked. Option C is wrong because Defender for Cloud operates at the subscription level, not the resource group level; disabling it for a resource group is not a valid configuration, and the automation trigger is subscription-wide. Option D is wrong because disabling a recommendation in the security policy would prevent the recommendation from appearing and thus prevent the trigger from firing, but the Logic App would not fail to run; it simply would not be triggered.

194
MCQhard

You are designing a secure DevOps pipeline in GitHub that deploys to Azure Kubernetes Service (AKS). The security team requires that no secrets are stored in the pipeline variables and that all container images are scanned for vulnerabilities before deployment. Which approach aligns with security best practices?

A.Use Azure DevOps with a service principal that has a client secret stored in Azure Key Vault. Use Trivy to scan images.
B.Use GitHub Actions with OpenID Connect to authenticate to Azure without storing any secrets. Integrate Microsoft Defender for Containers to scan images in Azure Container Registry.
C.Use GitHub Actions with a managed identity for the GitHub runner. Disable image scanning to speed up deployments.
D.Use GitHub Actions with environment secrets for Azure service principal credentials. Use Docker Hub's vulnerability scanning.
AnswerB

OpenID Connect eliminates secrets; Defender for Containers provides integrated scanning.

Why this answer

Option B is correct because it uses OpenID Connect (OIDC) to authenticate GitHub Actions to Azure without storing any long-lived secrets, which aligns with the requirement that no secrets be stored in pipeline variables. Additionally, integrating Microsoft Defender for Containers provides vulnerability scanning for container images in Azure Container Registry (ACR), meeting the image scanning requirement before deployment to AKS.

Exam trap

The trap here is that candidates may assume Azure DevOps is the only secure option or that storing secrets in Azure Key Vault is acceptable, but the question explicitly requires 'no secrets stored in the pipeline variables,' and OIDC eliminates secrets entirely, while Key Vault still requires a secret retrieval step that counts as a stored secret in the pipeline context.

How to eliminate wrong answers

Option A is wrong because it uses Azure DevOps instead of GitHub Actions as specified in the question, and it stores a client secret in Azure Key Vault, which still requires a secret to be retrieved and used in the pipeline, violating the 'no secrets stored in pipeline variables' requirement. Option C is wrong because it disables image scanning, which directly contradicts the requirement that all container images be scanned for vulnerabilities before deployment. Option D is wrong because it uses environment secrets for Azure service principal credentials, which stores secrets in the pipeline environment, and Docker Hub's vulnerability scanning does not integrate with ACR or AKS for pre-deployment scanning in the Azure context.
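What makes option B secretless is the trust relationship itself: Entra ID accepts the short-lived token GitHub mints for a workflow run only if its issuer, audience and subject claims match a federated identity credential on the app registration, so there is nothing long-lived for the pipeline to store. The following is an added example, not code from the question bank or from Microsoft, of that claim matching. The credential and the decoded token payloads are constructed; the issuer URL, the api://AzureADTokenExchange audience and the repo:owner/repo:ref:refs/heads/branch subject format are the documented values, and signature verification of the JWT is out of scope here.

```python
# Documented constants for GitHub Actions -> Entra ID workload identity federation.
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
ENTRA_AUDIENCE = "api://AzureADTokenExchange"

# Constructed federated identity credential, as it would be configured on the Entra
# app registration the deploy job signs in as. Subject is pinned to one branch.
PROD_DEPLOY_CREDENTIAL = {
    "issuer": GITHUB_ISSUER,
    "audiences": [ENTRA_AUDIENCE],
    "subject": "repo:contoso/aks-app:ref:refs/heads/main",
}


def federated_credential_matches(claims, credential):
    """Return (accepted, reason) for a decoded GitHub OIDC token against one credential.

    Mirrors the three checks Entra ID applies during the token exchange: issuer must match,
    at least one audience must match, and the subject must match exactly. Exact subject
    matching is what limits the trust to a specific branch, environment or event.
    """
    if claims.get("iss") != credential["issuer"]:
        return False, f"issuer mismatch: {claims.get('iss')!r}"
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if not any(a in credential["audiences"] for a in aud_list):
        return False, f"audience mismatch: {aud!r}"
    if claims.get("sub") != credential["subject"]:
        return False, f"subject mismatch: {claims.get('sub')!r}"
    return True, "accepted"


# Constructed decoded token payloads (JWT bodies only, no signatures).
MAIN_BRANCH_TOKEN = {
    "iss": GITHUB_ISSUER, "aud": ENTRA_AUDIENCE,
    "sub": "repo:contoso/aks-app:ref:refs/heads/main",
    "repository": "contoso/aks-app", "ref": "refs/heads/main",
}
PULL_REQUEST_TOKEN = {
    "iss": GITHUB_ISSUER, "aud": ENTRA_AUDIENCE,
    "sub": "repo:contoso/aks-app:pull_request",
    "repository": "contoso/aks-app", "event_name": "pull_request",
}
FORK_TOKEN = {
    "iss": GITHUB_ISSUER, "aud": ENTRA_AUDIENCE,
    "sub": "repo:attacker/aks-app:ref:refs/heads/main",
    "repository": "attacker/aks-app", "ref": "refs/heads/main",
}
WRONG_AUDIENCE_TOKEN = {
    "iss": GITHUB_ISSUER, "aud": "https://github.com/contoso",
    "sub": "repo:contoso/aks-app:ref:refs/heads/main",
}


def evaluate_all(credential=PROD_DEPLOY_CREDENTIAL):
    """Evaluate each constructed token; returns {label: accepted}."""
    tokens = {
        "main branch push": MAIN_BRANCH_TOKEN,
        "pull request": PULL_REQUEST_TOKEN,
        "fork named like the repo": FORK_TOKEN,
        "audience not set for Entra": WRONG_AUDIENCE_TOKEN,
    }
    return {label: federated_credential_matches(tok, credential)[0] for label, tok in tokens.items()}


if __name__ == "__main__":
    for label, accepted in evaluate_all().items():
        print(f"{label}: {'accepted' if accepted else 'rejected'}")
```

Only the push to main is accepted; a pull_request run, a fork with the same repository name, and a token requested with the wrong audience are all rejected, which is why a workflow must request the token with audience api://AzureADTokenExchange and why the credential subject should be scoped as narrowly as the deployment allows.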

195
MCQhard

You are the lead security architect for a multinational corporation that recently completed a merger. The new entity, Contoso Ltd., has a complex Azure environment with over 200 subscriptions spread across multiple management groups. The company's security team has identified several critical issues: (1) many subscriptions have Azure Security Center's Secure Score below 30%, (2) there are numerous unmanaged VMs with public IP addresses, (3) there is no centralized logging for security events, and (4) identity management is fragmented with multiple Azure AD tenants. The CEO mandates a 'zero-trust' security posture within 12 months. You have a limited budget and must prioritize the most impactful actions. Which course of action should you take first?

A.Implement Azure Sentinel to centralize logs and create automated response playbooks
B.Deploy Azure Firewall and enforce forced tunneling for all VNets
C.Consolidate all Azure AD tenants into a single tenant and establish a common identity baseline
D.Deploy Azure Policy to deny creation of VMs with public IPs and enforce NSGs
AnswerC

Zero-trust requires a unified identity to enforce consistent access policies.

Why this answer

Option C is correct because identity is the foundational control plane for zero-trust architecture. Without a unified identity baseline across a single Azure AD tenant, you cannot enforce consistent conditional access policies, least-privilege access, or authentication strength—making all other security controls ineffective. Consolidating tenants first directly addresses the fragmented identity management issue and enables centralized policy enforcement, which is the highest-impact, lowest-cost action to improve the security posture within 12 months.

Exam trap

The trap here is that candidates often prioritize network controls (Azure Firewall, forced tunneling) or monitoring tools (Azure Sentinel) because they seem more directly related to 'security' or 'visibility,' but the SC-100 exam emphasizes that identity is the new perimeter in zero-trust, and without a unified identity plane, all other controls are undermined.

How to eliminate wrong answers

Option A is wrong because implementing Azure Sentinel for centralized logging and automated response is a detection and response capability, not a preventive control; it does not address the root cause of unmanaged VMs, low Secure Score, or fragmented identity, and it requires significant budget and time to deploy effectively. Option B is wrong because deploying Azure Firewall and forced tunneling is a network-centric control that only mitigates lateral movement and data exfiltration risks; it does not solve the identity fragmentation or low Secure Score issues, and it incurs high operational overhead without addressing the foundational identity problem. Option D is wrong because deploying Azure Policy to deny public IPs and enforce NSGs is a compliance enforcement mechanism that only addresses one symptom (unmanaged VMs with public IPs) but does not fix the underlying identity fragmentation or enable centralized security event logging; without a unified identity, policy assignments cannot be consistently applied across multiple tenants.

196
MCQhard

Your organization uses Microsoft Sentinel to monitor security events. You need to design a solution that alerts when a user account is created and then used to log in from a different country within 1 hour. Which KQL query structure should you use?

A.Use a single table filter with where clause
B.Use summarize with timechart
C.Use a join operation on AccountName with a time window
D.Use union to combine events
AnswerC

Join allows correlating account creation and login events within a time window.

Why this answer

Option C is correct because a join on AccountName, followed by a filter that keeps only sign-ins whose timestamp falls within one hour after the creation timestamp, pairs each creation event with its later sign-in; comparing the sign-in country with the country of the creation event then completes the detection. Option A is wrong because a single-table where clause cannot relate two different events to each other. Option B is wrong because summarize with timechart aggregates counts over time and loses the per-account pairing.

Option D is wrong because union only stacks rows from both tables; it does not pair a creation with its matching sign-in.
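The correlation the question describes, as an added example (not code from the original page): the join-plus-time-window structure is sketched as a KQL skeleton whose table and column names are placeholders, and then implemented in Python over constructed sample events so the logic can be run offline. The event shapes, the field names and the reading of "different country" as "different from the country the creation event came from" are assumptions.

```python
"""Correlate 'account created' with a sign-in from another country within a window.

Added example for the question above; it is not code from the original page.
The event shapes, field names and the KQL table names in KQL_SHAPE are assumptions.
"""
from datetime import datetime, timedelta

# Skeleton of the KQL the question asks for: join on the account, then keep only
# sign-ins inside the window after creation. Table and column names are
# placeholders (in Sentinel they would come from AuditLogs / SigninLogs or from
# SecurityEvent 4720 / 4624), not from the original page.
KQL_SHAPE = """
let window = 1h;
Created
| join kind=inner (SignIns) on AccountName
| where SigninAt between (CreatedAt .. (CreatedAt + window))
| where SigninCountry != CreatedCountry
| project AccountName, CreatedAt, CreatedCountry, SigninAt, SigninCountry
"""

# Constructed sample events (UTC), not taken from any real tenant.
ACCOUNT_CREATED = [
    {"time": "2024-05-01T09:00:00", "account": "svc-backup", "country": "US"},
    {"time": "2024-05-01T10:30:00", "account": "j.doe", "country": "US"},
]
SIGNINS = [
    {"time": "2024-05-01T08:50:00", "account": "svc-backup", "country": "RU"},  # before creation: ignore
    {"time": "2024-05-01T09:40:00", "account": "svc-backup", "country": "RU"},  # 40 min later, new country: hit
    {"time": "2024-05-01T10:45:00", "account": "j.doe", "country": "US"},       # same country: ignore
    {"time": "2024-05-01T13:00:00", "account": "svc-backup", "country": "BR"},  # 4 h later: outside a 1 h window
]


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def correlate(created, signins, window=timedelta(hours=1)):
    """Return one hit per (creation, sign-in) pair where the same account signs in
    from a country other than the creation event's country, after creation and no
    later than `window` after it. Mirrors the join + time-window filter in KQL_SHAPE."""
    by_account = {}
    for s in signins:
        by_account.setdefault(s["account"], []).append(s)

    hits = []
    for c in created:
        created_at = _ts(c["time"])
        for s in by_account.get(c["account"], []):
            delta = _ts(s["time"]) - created_at
            if timedelta(0) < delta <= window and s["country"] != c["country"]:
                hits.append({
                    "account": c["account"],
                    "created_at": c["time"],
                    "created_country": c["country"],
                    "signin_at": s["time"],
                    "signin_country": s["country"],
                    "minutes_after_creation": int(delta.total_seconds() // 60),
                })
    return hits


if __name__ == "__main__":
    for hit in correlate(ACCOUNT_CREATED, SIGNINS):
        print(hit)
```

Widening the window is the usual tuning knob: at one hour only the RU sign-in fires, at five hours the later BR sign-in fires as well, and at thirty minutes nothing fires, which is exactly the trade-off the `between` clause in the KQL controls.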

197
MCQmedium

Refer to the exhibit. You are reviewing an Azure Policy definition. What will this policy do when assigned to a subscription?

A.Deny creation of all virtual machines.
B.Audit existing virtual machines for compliance.
C.Enforce Premium SSD on data disks.
D.Prevent creation of virtual machines with OS disks that are not Premium SSD.
AnswerD

The policy denies VMs where the OS disk storage type is not Premium_LRS.

Why this answer

Option D is correct because the policy rule matches virtual machines whose OS disk storageAccountType is not Premium_LRS and applies the deny effect, so such requests are rejected when a VM is created or updated. Option A is wrong because VMs with a Premium_LRS OS disk do not match the condition and are not denied. Option B is wrong because the effect is deny, not audit; existing non-compliant VMs still show up in compliance results, but the policy acts only on create and update requests.

Option C is wrong because the rule inspects the OS disk field, not data disks.

198
MCQeasy

Your company needs to automatically classify and label sensitive documents in Microsoft 365 based on their content. Which Microsoft Purview solution should you implement?

A.Microsoft Purview Audit
B.Microsoft Purview Information Protection
C.Microsoft Purview Data Lifecycle Management
D.Microsoft Purview Insider Risk Management
AnswerB

This includes auto-labeling based on content.

Why this answer

Microsoft Purview Information Protection (formerly Azure Information Protection) enables automatic classification and labeling of sensitive documents based on content, using trainable classifiers, exact data match (EDM), and sensitive information types. This solution applies sensitivity labels to documents in Microsoft 365 (e.g., SharePoint, Exchange, OneDrive) via client-side labeling or auto-labeling policies, meeting the requirement to classify and label by content.

Exam trap

The trap here is that candidates often confuse Microsoft Purview Information Protection with Data Lifecycle Management, because both involve labels, but Data Lifecycle Management handles retention and deletion, not content-based classification and sensitivity labeling.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview Audit focuses on logging and investigating user and admin activities, not on classifying or labeling content. Option C is wrong because Microsoft Purview Data Lifecycle Management (formerly Records Management) handles retention and deletion policies, not content-based classification and labeling. Option D is wrong because Microsoft Purview Insider Risk Management detects risky user behaviors (e.g., data exfiltration) using analytics, but does not automatically classify or label documents based on content.

199
Multi-Selecthard

Your organization is designing a Microsoft Sentinel solution to detect and respond to threats across multi-cloud environments (Azure, AWS, GCP). Which TWO components are essential for this design?

Select 2 answers
A.Azure Policy assignments
B.Data connectors for AWS and GCP
C.Microsoft Defender for Cloud
D.Azure Automation accounts
E.Analytics rules for multi-cloud detection
AnswersB, E

Data connectors ingest logs from AWS (S3) and GCP (Cloud Logging).

Why this answer

Data connectors are the foundational component for ingesting logs from external cloud providers into Microsoft Sentinel. For AWS, the Amazon Web Services S3 connector pulls CloudTrail, GuardDuty and VPC flow logs from an S3 bucket through an SQS queue; for GCP, the Google Cloud Platform connectors pull audit logs through Pub/Sub (a Security Command Center connector also exists). Without these connectors Sentinel receives no telemetry from those environments. Analytics rules (option E) are the second essential piece: they turn the ingested events into alerts and incidents, and because each provider's log schema differs, rules must be written per source or against normalized ASIM parsers.

Exam trap

The trap here is that candidates confuse Microsoft Defender for Cloud with a Sentinel data ingestion mechanism, or assume Azure Policy can enforce log collection across non-Azure clouds. Defender for Cloud can onboard AWS and GCP accounts for posture management, and its alerts can be forwarded to Sentinel through its own connector, but it is not how AWS or GCP raw logs reach the workspace; only the purpose-built data connectors do that, and Azure Policy has no reach into another provider's logging configuration.

200
MCQhard

A multinational corporation uses Microsoft Entra ID for identity and Microsoft Defender for Cloud Apps for SaaS app governance. The security team wants to deploy a conditional access policy that blocks access from untrusted locations for all cloud apps except Microsoft 365, which should only be blocked if the device is not compliant. How should you configure the policy?

A.Use a session policy in Defender for Cloud Apps to monitor non-compliant devices.
B.Create two conditional access policies: one for all cloud apps except Microsoft 365 blocking untrusted locations, and one for Microsoft 365 requiring compliant device.
C.Create one conditional access policy that includes all cloud apps and requires compliant device for Microsoft 365 only.
D.Configure a conditional access policy that blocks access from untrusted locations for all apps.
AnswerB

Two policies achieve the desired granularity.

Why this answer

Option B is correct because the two requirements need two different grant outcomes, and a single Conditional Access policy applies one set of conditions and controls to every app it targets. Policy 1 targets All cloud apps with Office 365 excluded, includes All locations, excludes the trusted named locations, and grants Block access. Policy 2 targets Office 365 and grants Require device to be marked as compliant. Option C is incorrect because one policy cannot require a compliant device for Microsoft 365 only while blocking untrusted locations for everything else. Option A is incorrect because a Defender for Cloud Apps session policy monitors or controls activity inside a session after sign-in; it does not make the access decision at sign-in.

Option D is incorrect because blocking untrusted locations for all apps also blocks Microsoft 365, which the scenario says should depend on device compliance, not location.

201
MCQeasy

Your company develops an API that will be consumed by external partners. You need to secure the API using Azure API Management (APIM). Which authentication mechanism should you recommend for partner applications?

A.Client certificates
B.Subscription keys
C.OAuth 2.0 with Microsoft Entra ID
D.IP address whitelisting
AnswerC

OAuth 2.0 provides secure delegated access for partner applications.

Why this answer

Option C is correct because OAuth 2.0 with Microsoft Entra ID issues partner applications scoped, time-limited tokens that APIM validates with the validate-jwt policy. Option B is wrong because subscription keys only identify the calling subscription for metering and rate limiting; they are shared secrets sent in a header, not an authentication of the partner's identity. Option A is wrong because client certificates (mutual TLS) authenticate the calling system rather than granting delegated access, and managing certificate issuance and rotation across many partners is harder than issuing tokens.

Option D is wrong because IP allow-listing is a network-level filter, defeated by shared or changing egress addresses, and is at best an extra defence-in-depth layer rather than authentication.

202
Multi-Selecteasy

Which TWO are recommended practices for securing Microsoft 365 workloads? (Select two.)

Select 2 answers
A.Allow external sharing for all SharePoint sites
B.Disable multifactor authentication for users who access from trusted IPs
C.Allow all third-party apps to access Microsoft 365 data
D.Enable unified audit logging in Microsoft Purview
E.Use Microsoft Defender for Office 365 Safe Attachments policy
AnswersD, E

Audit logging is critical for detecting and investigating incidents.

Why this answer

Unified audit logging in Microsoft Purview is a recommended practice because it provides a centralized, searchable record of user and admin activities across Microsoft 365 workloads, which is essential for security investigations, compliance, and threat detection. Enabling this logging ensures that events such as mailbox access, file downloads, and admin role changes are captured and retained, supporting incident response and forensic analysis.

Exam trap

The trap here is that candidates confuse enabling unified audit logging with enabling only mailbox auditing, or assume the state is known without checking. Auditing is on by default for most current tenants, but it can be turned off and some older tenants never had it enabled, so verify it (for example with Get-AdminAuditLogConfig in Exchange Online PowerShell, checking UnifiedAuditLogIngestionEnabled) and turn it on explicitly if needed; the audit log search returns nothing for any period it was off.

203
Multi-Selectmedium

You are designing a secure access solution for on-premises applications using Microsoft Entra ID. The solution must support modern authentication, single sign-on (SSO), and Conditional Access. Which TWO technologies should you implement?

Select 2 answers
A.Azure AD B2C
B.Microsoft Entra Domain Services
C.Microsoft Entra application proxy
D.Microsoft Entra ID as the identity provider
E.Site-to-Site VPN
AnswersC, D

Publishes on-premises apps with modern authentication and SSO.

Why this answer

Options C and D are correct. Microsoft Entra application proxy publishes on-premises web apps through a connector, so users authenticate to Microsoft Entra ID (option D) first, which gives modern authentication, SSO and Conditional Access evaluation before any traffic reaches the internal app; Kerberos constrained delegation or header-based SSO then signs the user in to the back end. (The Entra application gallery provides pre-integrated SSO for SaaS apps; for on-premises apps the proxy is the publishing path.)

Option E is wrong because a site-to-site VPN gives network reachability only; it provides no modern authentication, SSO or Conditional Access. Option B is wrong because Microsoft Entra Domain Services provides a managed AD DS domain for domain join, LDAP and Kerberos, not app publishing. Option A is wrong because Azure AD B2C is for customer-facing identities, not workforce access to internal apps.

204
MCQeasy

You need to design a solution to synchronize on-premises Active Directory users to Microsoft Entra ID for hybrid identity. Which tool should you use?

A.Microsoft Identity Manager (MIM)
B.Microsoft Entra Connect
C.Microsoft Entra Connect Cloud Sync
D.Active Directory Federation Services (AD FS)
AnswerB

Microsoft Entra Connect is the primary tool for synchronizing on-premises AD to Entra ID.

Why this answer

Microsoft Entra Connect is the correct tool for synchronizing on-premises Active Directory users to Microsoft Entra ID for hybrid identity because it provides a full-featured synchronization engine that supports password hash synchronization, pass-through authentication, and federation integration. It is the primary tool for hybrid identity scenarios where you need to synchronize one or more on-premises AD forests to a single Entra ID tenant, handling attribute flow, password writeback, and device synchronization.

Exam trap

The trap here is that candidates often confuse Microsoft Entra Connect Cloud Sync with the full Entra Connect tool, assuming the 'Cloud Sync' name implies it is the primary or newer replacement, but in reality Entra Connect Cloud Sync is a lightweight, cloud-managed agent aimed at scenarios such as disconnected forests, while Entra Connect remains the standard for full hybrid identity synchronization.

How to eliminate wrong answers

Option A is wrong because Microsoft Identity Manager (MIM) is an identity management and governance tool for managing on-premises identities and synchronization between multiple identity stores, not the primary tool for synchronizing on-premises AD to Entra ID for hybrid identity; it is more complex and typically used for advanced scenarios like cross-forest synchronization or identity lifecycle management. Option C is wrong because Microsoft Entra Connect Cloud Sync is a lightweight, cloud-managed agent that suits scenarios such as disconnected forests (for example after a merger), but it lacks feature parity with Entra Connect (no device writeback, no pass-through authentication, limited attribute and filtering options), so it is not the default answer for full hybrid identity synchronization. Option D is wrong because Active Directory Federation Services (AD FS) is a federation service that provides single sign-on and claims-based authentication, not a synchronization tool; it does not synchronize user objects or attributes from on-premises AD to Entra ID.

205
Multi-Selecteasy

A software company, Northwind, is developing a mobile app that uses Microsoft Entra ID for authentication. The app accesses an Azure Function App backend that stores data in Azure Cosmos DB. The company wants to implement a defense-in-depth security strategy. Which TWO of the following should you implement?

Select 2 answers
A.Use OAuth 2.0 with Microsoft Entra ID to secure the Azure Functions.
B.Restrict access to the Azure Functions by IP whitelisting.
C.Configure Azure Cosmos DB with a private endpoint.
D.Use function-level authorization keys for the Azure Functions.
E.Enforce TLS 1.0 for all API calls.
AnswersA, C

OAuth 2.0 with Entra ID provides secure user authentication and authorization.

Why this answer

Option A is correct because OAuth 2.0 with Entra ID authenticates the user and authorizes the mobile app's calls to the Function App with scoped tokens. Option C is correct because a private endpoint keeps Cosmos DB off the public internet and reachable only from the Function App's virtual network, a second layer that does not depend on the identity layer. Option D is wrong because function-level keys are shared secrets that identify the caller, not the user, and a secret embedded in a mobile app can be extracted.

Option B is wrong because IP allow-listing cannot identify users and mobile clients have no stable addresses. Option E is wrong because TLS 1.0 is deprecated and should be disabled; require TLS 1.2 or later.

206
MCQhard

Your organization uses Microsoft Sentinel for security operations. The SOC team wants to automatically disable a compromised user account in Microsoft Entra ID when a high-severity alert is generated. Which automation method should you use?

A.An automation rule with a playbook
B.A workbook
C.A KQL query in a hunting rule
D.An analytics rule
AnswerA

Automation rules trigger playbooks that can execute actions like disabling a user account.

Why this answer

Automation rules in Microsoft Sentinel can trigger a playbook (an Azure Logic Apps workflow) when an incident or alert that meets the rule's conditions, such as high severity, is created. The playbook then disables the account in Microsoft Entra ID, typically through the Entra ID connector or an HTTP action against Microsoft Graph that sets accountEnabled to false. The playbook runs under its own identity (preferably a managed identity), which must be granted the least Graph permission or Entra role that allows updating users, and Sentinel needs the Microsoft Sentinel Automation Contributor role on the playbook's resource group to run it. This is the correct method because it connects Sentinel detections to Entra ID remediation.

Exam trap

The trap here is that candidates often confuse analytics rules (which detect and alert) with automation rules (which respond), leading them to select an analytics rule thinking it can directly perform remediation actions.

How to eliminate wrong answers

Option B is wrong because a workbook is a visualization and reporting tool, not an automation mechanism; it cannot execute actions like disabling a user account. Option C is wrong because a KQL query in a hunting rule is used for proactive threat hunting and manual investigation, not for automated response to alerts. Option D is wrong because an analytics rule generates alerts based on detection logic but does not itself perform remediation actions; it requires an automation rule or playbook to act on the alert.

207
Multi-Selectmedium

You are designing a security solution for Azure resources using Azure Policy. You need to ensure that all storage accounts enforce HTTPS traffic and that only certain virtual networks can access them. Which THREE policy effects can you use to achieve this?

Select 3 answers
A.DeployIfNotExists
B.Append
C.Modify
D.Deny
E.Audit
AnswersA, D, E

DeployIfNotExists can deploy network rules to storage accounts.

Why this answer

Options A, D, and E are correct. Deny rejects requests that create or update a storage account without HTTPS-only transfer or with network rules outside the allowed set; Audit flags existing non-compliant storage accounts without blocking them; DeployIfNotExists runs a remediation deployment that adds the required network rules to existing accounts. Option B is wrong because Append only adds fields or array elements to the request (historically used to add IP or virtual network rules) and cannot deny or remediate.

Option C is not in the key; note as a practitioner that Modify can in fact add or replace a property such as supportsHttpsTrafficOnly on create or update, so it is a viable alternative to DeployIfNotExists for that one setting, but like Append it neither denies nor audits.
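A minimal evaluator for Azure Policy if/then rules, added here as an example (not the exhibit from question 197 and not Microsoft's evaluator) to show concretely what the deny rule in question 197 does to a VM request and how the same condition in question 207 behaves under deny versus audit. The two rules use real Azure Policy property aliases, but the resource documents and the evaluator are simplified: only equals, notEquals, allOf, anyOf and not are supported, string comparison is case-insensitive as in Azure Policy, and a missing field evaluates as null.

```python
"""Simplified evaluator for Azure Policy 'if/then' rules (added example, not
the page's exhibit). The alias strings are real Azure Policy aliases; the
resource bodies and the evaluation logic are simplified assumptions."""


# Question 197: deny VMs whose OS disk is not Premium_LRS.
VM_OS_DISK_PREMIUM_DENY = {
    "if": {
        "allOf": [
            {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
            {"field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.managedDisk.storageAccountType",
             "notEquals": "Premium_LRS"},
        ]
    },
    "then": {"effect": "deny"},
}


def storage_https_rule(effect):
    """Question 207: storage accounts must require secure transfer (HTTPS only).
    Same condition, different effect: deny blocks the request, audit only reports."""
    return {
        "if": {
            "allOf": [
                {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
                {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                 "notEquals": "true"},
            ]
        },
        "then": {"effect": effect},
    }


def _field_value(resource, field):
    """Resolve 'type' or an alias of the form '<resourceType>/<dotted.path>'."""
    if field.lower() == "type":
        return resource.get("type")
    prefix = resource.get("type", "") + "/"
    if not field.lower().startswith(prefix.lower()):
        return None  # alias belongs to a different resource type
    node = resource.get("properties", {})
    for part in field[len(prefix):].split("."):
        if not isinstance(node, dict):
            return None
        node = node.get(part)
    return node


def _norm(value):
    # Azure Policy compares strings case-insensitively; booleans become "true"/"false".
    return None if value is None else str(value).lower()


def _matches(condition, resource):
    if "allOf" in condition:
        return all(_matches(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(_matches(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not _matches(condition["not"], resource)
    actual = _norm(_field_value(resource, condition["field"]))
    if "equals" in condition:
        return actual == _norm(condition["equals"])
    if "notEquals" in condition:
        return actual != _norm(condition["notEquals"])
    raise ValueError(f"unsupported condition: {condition}")


def evaluate(policy, resource):
    """Return the effect the rule would apply ('deny', 'audit', ...) or 'none'."""
    return policy["then"]["effect"].lower() if _matches(policy["if"], resource) else "none"


def vm(os_disk_type, data_disk_type="Standard_LRS"):
    """Constructed VM request body (simplified); data disks are present so the
    evaluation shows the rule ignores them."""
    return {
        "type": "Microsoft.Compute/virtualMachines",
        "properties": {"storageProfile": {
            "osDisk": {"managedDisk": {"storageAccountType": os_disk_type}},
            "dataDisks": [{"managedDisk": {"storageAccountType": data_disk_type}}],
        }},
    }


def storage_account(https_only):
    """Constructed storage account request body (simplified)."""
    return {"type": "Microsoft.Storage/storageAccounts",
            "properties": {"supportsHttpsTrafficOnly": https_only}}


if __name__ == "__main__":
    print(evaluate(VM_OS_DISK_PREMIUM_DENY, vm("Premium_LRS")))          # none
    print(evaluate(VM_OS_DISK_PREMIUM_DENY, vm("StandardSSD_LRS")))      # deny
    print(evaluate(storage_https_rule("deny"), storage_account(False)))  # deny
    print(evaluate(storage_https_rule("audit"), storage_account(False))) # audit
```

Two points the runs make visible: a VM with a Premium_LRS OS disk and a Standard_LRS data disk is not denied, because the alias names the OS disk only (question 197, option C), and swapping the effect from deny to audit leaves the match unchanged and only changes what happens to the matching resource (question 207).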

208
Drag & Dropmedium

Order the steps to deploy Azure Firewall with forced tunneling in a hub virtual network.


Why this order

Forced tunneling changes where the firewall's own traffic goes, so the routing must exist before the firewall does: the hub virtual network needs both AzureFirewallSubnet and a dedicated AzureFirewallManagementSubnet (management traffic must keep a direct Internet route), a route table on AzureFirewallSubnet sends 0.0.0.0/0 to the on-premises next hop via the virtual network gateway, the firewall is then deployed with forced tunneling enabled, and only afterwards are the rule collections configured and the spoke route tables pointed at the firewall's private IP.

209
Multi-Selecthard

A company has a Microsoft Sentinel workspace that ingests data from multiple sources. The SOC team wants to improve the efficiency of investigating incidents by using UEBA capabilities. Which two actions should the team take to enable and configure UEBA in Sentinel?

Select 2 answers
A.Install the UEBA data connector from the Sentinel content hub.
B.Create an analytics rule that uses the UEBA template.
C.Define a time range for entity behavior baselines.
D.Set the entity behavior analytics to 'Active' in the Sentinel configuration.
E.Navigate to Sentinel Settings, select Entity behavior analytics, and enable the feature per workspace.
AnswersD, E

Setting it to 'Active' enables UEBA for the workspace.

Why this answer

Options D and E are correct. UEBA is enabled per workspace from Microsoft Sentinel settings under Entity behavior analytics (E), where you turn the feature on (D) and select the data sources, such as Microsoft Entra ID sign-in and audit logs, Azure activity and Windows security events, that feed the behavior baselines.

Option A is incorrect because UEBA is a workspace feature, not a content hub data connector. Option B is incorrect because no dedicated analytics rule is needed to enable UEBA; once it is on, entity pages, anomalies and the BehaviorAnalytics table are available to any rule or hunt. Option C is incorrect because baselines are computed by the service; choosing a time range belongs to querying or analytics rule scheduling, not to enabling the feature.

210
MCQmedium

A company uses Microsoft Intune to manage devices. They want to ensure that all devices accessing corporate email are compliant with security policies before they can connect. Which feature should they enable?

A.Microsoft Entra Conditional Access
B.Microsoft Defender for Endpoint
C.Microsoft Intune App Protection Policies
D.Mobile Device Management (MDM) enrollment
AnswerA

Conditional Access can require device compliance from Intune.

Why this answer

Microsoft Entra Conditional Access is the correct feature because it enforces compliance-based access control at the authentication layer. By integrating with Intune compliance policies, Conditional Access can block or allow device access to corporate email (e.g., Exchange Online) based on real-time compliance status, ensuring only compliant devices can connect.

Exam trap

The trap here is that candidates often confuse Intune compliance policies themselves with the enforcement mechanism, not realizing that compliance policies only mark a device as compliant or non-compliant—they do not block access; Conditional Access is the gate that enforces the block.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Endpoint is a threat protection and response solution, not an access control mechanism; it does not enforce pre-connection compliance checks for email. Option C is wrong because Intune App Protection Policies (MAM) manage data protection within apps without requiring device enrollment, but they do not block device-level access to email based on device compliance. Option D is wrong because MDM enrollment alone only registers the device; it does not enforce conditional access—compliance policies must be combined with Conditional Access to gate access.

211
MCQmedium

Your company is developing a mobile application that uses Microsoft Authenticator to sign in users. The app needs to call a web API that is protected by Microsoft Entra ID. You need to ensure that the app uses the OAuth 2.0 authorization code flow with PKCE. Which Microsoft authentication library should you recommend?

A.Microsoft Graph API
B.Microsoft Authentication Library (MSAL)
C.Active Directory Authentication Library (ADAL)
D.Azure AD Graph API
AnswerB

MSAL supports the OAuth 2.0 authorization code flow with PKCE for mobile apps.

Why this answer

Option B is correct: Microsoft Authentication Library (MSAL) implements the OAuth 2.0 authorization code flow with PKCE for public clients such as mobile apps, can broker sign-in through Microsoft Authenticator on iOS and Android, and acquires the access token for the protected web API. Option C is wrong: Active Directory Authentication Library (ADAL) is deprecated and out of support. Option D is wrong: Azure AD Graph API is a deprecated directory API being retired, not an authentication library.

Option A is wrong: Microsoft Graph API is a resource you call with a token; it does not obtain one.
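What PKCE adds to the authorization code flow, as an added example (not MSAL's code and not from the original page): the app keeps a random code_verifier, sends only its SHA-256 hash as code_challenge on the /authorize request, and must present the verifier when redeeming the code, so a code intercepted on the way back to a public client is useless on its own. The PkceAuthorizationServer class is a toy stand-in for the Entra ID token endpoint, and the client ID, redirect URI and scope strings are placeholders; MSAL performs the client side of this for you.

```python
"""PKCE (RFC 7636) as used by MSAL for the authorization code flow on public clients.

Added example, not MSAL's code. PkceAuthorizationServer is a toy stand-in for
the real token endpoint (assumption); the identifiers in run_flow are placeholders.
"""
import base64
import hashlib
import hmac
import secrets


def _b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """RFC 7636 wants 43..128 unreserved characters; 32 random bytes encode to 43."""
    return _b64url(secrets.token_bytes(n_bytes))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorize_params(client_id, redirect_uri, scope, state, verifier) -> dict:
    """Query parameters the client adds to /authorize; only the hash leaves the device."""
    return {
        "client_id": client_id, "response_type": "code", "redirect_uri": redirect_uri,
        "scope": scope, "state": state,
        "code_challenge": code_challenge_s256(verifier), "code_challenge_method": "S256",
    }


class PkceAuthorizationServer:
    """Toy token endpoint: stores the challenge with each code and checks the verifier."""

    def __init__(self):
        self._codes = {}

    def issue_code(self, challenge: str, method: str = "S256") -> str:
        code = secrets.token_urlsafe(24)
        self._codes[code] = (challenge, method)
        return code

    def redeem(self, code: str, verifier: str):
        """Return a token, or None if the code is unknown/already used or the verifier is wrong."""
        entry = self._codes.pop(code, None)  # single use, also on a failed attempt
        if entry is None:
            return None
        challenge, method = entry
        if method == "S256":
            ok = hmac.compare_digest(code_challenge_s256(verifier), challenge)
        elif method == "plain":
            ok = hmac.compare_digest(verifier, challenge)
        else:
            ok = False
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"} if ok else None


def run_flow(server: PkceAuthorizationServer):
    """Full exchange for the legitimate client; returns (token, result of replaying the code)."""
    verifier = make_code_verifier()
    params = authorize_params(
        "00000000-0000-0000-0000-000000000000",        # placeholder client ID
        "msauth://com.example.app/callback",            # placeholder redirect URI
        "api://example-api/.default",                   # placeholder scope
        secrets.token_urlsafe(8), verifier)
    code = server.issue_code(params["code_challenge"], params["code_challenge_method"])
    token = server.redeem(code, verifier)   # app proves it holds the verifier
    replay = server.redeem(code, verifier)  # same code again: rejected, codes are single use
    return token, replay


def intercepted_code_is_useless(server: PkceAuthorizationServer) -> bool:
    """An attacker who captured the code but not the verifier cannot redeem it."""
    verifier = make_code_verifier()
    code = server.issue_code(code_challenge_s256(verifier))
    return server.redeem(code, make_code_verifier()) is None


if __name__ == "__main__":
    token, replay = run_flow(PkceAuthorizationServer())
    print("token issued:", token is not None, "| replay accepted:", replay is not None)
    print("intercepted code useless:", intercepted_code_is_useless(PkceAuthorizationServer()))
```

The S256 method is the one to require; the plain method only exists for clients that cannot hash, and sending the verifier itself as the challenge defeats the purpose if the authorization request can be observed.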

212
MCQmedium

A company plans to implement a Zero Trust architecture using Microsoft security solutions. They want to ensure that all access to corporate resources is verified explicitly, uses least privilege, and assumes breach. Which Microsoft service should be the central policy engine for enforcing conditional access decisions?

A.Microsoft Entra ID Conditional Access
B.Microsoft Defender for Cloud
C.Microsoft Sentinel
D.Microsoft Intune
AnswerA

Conditional Access is the core policy engine for Zero Trust.

Why this answer

Microsoft Entra ID Conditional Access is the correct central policy engine because it directly enforces Zero Trust principles by evaluating signals (user, device, location, risk) in real time to grant or block access. It acts as the policy decision point (PDP) that enforces explicit verification, least privilege, and assumes breach by requiring continuous authentication and authorization for every access request.

Exam trap

The trap here is that candidates confuse Microsoft Defender for Cloud's security policy (which governs cloud resource configurations) with Entra ID's conditional access policy (which governs user access decisions), leading them to select Defender for Cloud as the central policy engine.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Cloud is a cloud security posture management (CSPM) and workload protection platform, not a policy engine for conditional access decisions. Option C is wrong because Microsoft Sentinel is a SIEM/SOAR solution for threat detection and response, not a real-time access policy enforcer. Option D is wrong because Microsoft Intune is a mobile device management (MDM) and mobile application management (MAM) service that manages devices and apps but does not make conditional access policy decisions.

213
MCQhard

Your organization has a multi-region Azure deployment with ExpressRoute connections to on-premises. You need to design a solution that ensures all traffic between on-premises and Azure is inspected by a firewall for both inbound and outbound connections. The solution must minimize latency and avoid a single point of failure. What design should you recommend?

A.Deploy Azure Firewall in each region with forced tunneling enabled
B.Deploy Azure Firewall in one central hub region and route all traffic through it
C.Use Network Security Groups (NSGs) on subnets to filter traffic
D.Deploy a third-party NVA in a hub-and-spoke topology with a single hub
AnswerA

Regional firewalls avoid single point of failure and minimize latency with forced tunneling for inspection.

Why this answer

Option A is correct because a firewall per region keeps on-premises-to-Azure traffic inspected close to its destination, and regional firewalls fail independently; within each region Azure Firewall can also be deployed across availability zones. With forced tunneling and user-defined routes on the spoke subnets and the GatewaySubnet, both directions of the ExpressRoute traffic pass through the local firewall. Option B is wrong because a single central hub adds cross-region latency to every flow and is a single point of failure for all regions. Option C is wrong because NSGs filter on addresses, ports and protocols only; they do not perform stateful or application-layer inspection.

Option D is wrong because a single-hub NVA design has the same single point of failure and cross-region latency, plus licensing and scaling overhead.

214
MCQhard

Refer to the exhibit. You run the PowerShell script to check compliance of the 'RequireSQLEncryption' policy assignment. The script returns no output. What is the most likely reason?

A.The Get-AzPolicyState cmdlet is not a valid Azure PowerShell cmdlet; it should be Get-AzPolicyStateSummary.
B.The policy assignment is scoped to a management group, not a resource group.
C.All resources are compliant, so the Where-Object filter returns empty.
D.There are no resources in the resource group InfrastructureRG.
AnswerA

The answer key attributes the empty output to the cmdlet name. Caveat: Get-AzPolicyState is a valid cmdlet in the Az.PolicyInsights module (it returns per-resource compliance records; Get-AzPolicyStateSummary returns the aggregated summary), so check the exhibit before relying on this reasoning.

Why this answer

The answer key's reasoning is that the script returns nothing because the cmdlet name is wrong. Before relying on that, note that Get-AzPolicyState is a real cmdlet in the Az.PolicyInsights module: it returns the latest compliance record per resource for the scope you pass, optionally narrowed with -PolicyAssignmentName or -Filter, while Get-AzPolicyStateSummary returns aggregated counts; neither requires a PolicyState parameter. A misspelled cmdlet normally produces a red error rather than silent empty output, unless errors are suppressed.

In practice, an empty result from a Where-Object on ComplianceState most often means nothing matched the filter, that is every evaluated resource is compliant (option C), or that the scope holds no evaluated resources (option D). A management-group-scoped assignment (option B) is still queryable and does not by itself produce empty output.

Check the exhibit's cmdlet spelling, the scope passed to it, and whether the assignment has been evaluated yet (a new assignment can take up to about 30 minutes before its first compliance results exist) before concluding which explanation applies.

215
MCQmedium

Your company has a Microsoft 365 E5 subscription and uses Microsoft Defender for Office 365. You need to protect users from phishing attacks that use malicious links in email messages. The solution should allow users to report suspicious emails to the security team for analysis. You also want to automatically block repeated phishing attempts from the same sender. What should you configure?

A.Configure anti-spam policies and enable the Report Message add-in.
B.Configure Safe Links policies and enable the Report Message add-in for user reporting.
C.Configure Safe Attachments policies and enable the Report Message add-in.
D.Enable the Report Message add-in for Outlook and configure a mailbox for submissions.
AnswerB

Safe Links protects against malicious links, and reporting allows analysis.

Why this answer

Option B is correct because Safe Links rewrites and scans URLs at click time, blocking malicious links even if they were weaponised after delivery, and the Report Message (or Report Phishing) add-in lets users submit suspicious messages to the security team for triage. Option D is wrong because the reporting add-in and a submissions mailbox alone do nothing to block links.

Option C is wrong because Safe Attachments detonates attachments, not links. Option A is wrong because anti-spam policies handle spam and bulk classification, not time-of-click URL protection. Blocking repeated attempts from the same sender is handled separately, after the reported messages are analysed, by adding the sender to the Tenant Allow/Block List or by an anti-phishing or mail flow rule.

216
MCQmedium

A company uses Azure Front Door to publish a web application globally. They need to protect against DDoS attacks and web application attacks (SQL injection, XSS). Which two services should they enable in combination?

A.Azure DDoS Protection Standard and Azure Firewall
B.Azure WAF on Application Gateway and Network Security Groups
C.Azure Firewall and Azure DDoS Protection Basic
D.Azure DDoS Protection Standard and Azure WAF policy on Front Door
AnswerD

DDoS Protection absorbs volumetric and protocol attacks; the WAF policy on Front Door blocks application-layer attacks such as SQL injection and XSS.

Why this answer

Azure DDoS Protection Standard (now sold as Azure DDoS Network Protection) defends the public IPs in your virtual networks against volumetric and protocol attacks; the Front Door edge itself is covered by Microsoft's infrastructure-level protection, so the Standard tier matters for the origin side. An Azure Web Application Firewall policy attached to the Front Door profile inspects requests at the edge with managed rule sets (OWASP core rules, bot protection) and blocks SQL injection, XSS and similar application-layer attacks before they reach the origin.

Azure Firewall is a network-layer filter, not a WAF. Network Security Groups filter only on addresses, ports and protocols at the subnet or NIC level. DDoS Protection Basic (the free infrastructure-level tier) offers no tuning, telemetry or cost protection, which is why the Standard tier is the correct choice.

217
MCQhard

Your organization uses Microsoft Sentinel for SIEM. You need to ensure that security incidents are automatically responded to without human intervention for known false positives. What should you implement?

A.An analytics rule with alert suppression
B.A playbook that runs on incident creation
C.An entity behavior analytics rule
D.An automation rule with incident closure action
AnswerD

Automation rules can auto-close incidents based on conditions.

Why this answer

Option D is correct because automation rules in Microsoft Sentinel can be configured to automatically close incidents when specific conditions are met, such as when an incident is identified as a known false positive. This eliminates the need for human intervention by triggering an incident closure action based on predefined criteria, directly addressing the requirement for automated response to false positives.

Exam trap

The trap here is that candidates often confuse alert suppression (which prevents duplicate alerts) with incident closure automation, or they assume a playbook is always required for automation, when in fact a simple automation rule with a closure action is the direct and correct solution for automatically handling known false positives.

How to eliminate wrong answers

Option A is wrong because analytics rules with alert suppression only prevent the creation of duplicate alerts for the same event within a specified time window; they do not automatically respond to or close incidents that have already been created. Option B is wrong because a playbook that runs on incident creation can automate responses, but it requires a separate automation rule to trigger it and is typically used for complex orchestration, not simply for closing known false positives without human intervention. Option C is wrong because entity behavior analytics rules are designed to detect anomalous behavior based on historical patterns, not to automatically respond to or close incidents identified as false positives.

218
MCQmedium

Your organization uses Microsoft Purview to manage data governance. You need to design a solution that allows data owners to classify sensitive data in their Microsoft SharePoint Online sites and generate a data catalog. Which Purview tool should you use?

A.Microsoft Purview Information Protection
B.Microsoft Purview Audit
C.Microsoft Purview Data Loss Prevention
D.Microsoft Purview Data Map
AnswerD

Data Map scans and catalogs data, enabling classification and discovery.

Why this answer

Option D is correct because Microsoft Purview Data Map scans registered data sources, classifies sensitive information, and builds the searchable catalog that data owners and stewards curate. Option C (Data Loss Prevention) enforces policy on sensitive content in use; it does not build a catalog. Option A (Information Protection) applies sensitivity labels and protection to items.

Option B (Audit) records user and admin activity.

219
MCQmedium

Your organization uses Microsoft Defender for Cloud to assess the security posture of Azure resources. The security team wants to prioritize remediation of high-severity findings based on the greatest potential business impact. Which security policy or framework should you configure to align remediation with business priorities?

A.Use the Azure Security Benchmark initiative
B.Enable the Regulatory Compliance dashboard
C.Set up workflow automation for high-severity findings
D.Configure the Secure Score dashboard
AnswerB

Regulatory Compliance maps findings to compliance standards that reflect business priorities.

Why this answer

The Regulatory Compliance dashboard in Microsoft Defender for Cloud allows you to map security controls to specific regulatory standards (e.g., SOC 2, ISO 27001, PCI DSS) and track compliance posture. By selecting a framework that aligns with your organization's business obligations (e.g., a standard required by customers or regulators), you can prioritize remediation of high-severity findings based on the greatest potential business impact, such as fines or loss of certification.

Exam trap

The trap here is that candidates often confuse the Secure Score dashboard (which measures overall security posture) with the Regulatory Compliance dashboard (which aligns remediation to specific business-impacting standards), leading them to select D instead of B.

How to eliminate wrong answers

Option A is wrong because the Azure Security Benchmark initiative is a Microsoft-defined set of best practices for Azure security, but it does not inherently map to business-specific regulatory or compliance priorities; it focuses on technical security posture rather than business impact. Option C is wrong because workflow automation (e.g., sending emails or creating tickets) is a response mechanism for findings, not a framework for prioritizing which findings to remediate based on business impact. Option D is wrong because the Secure Score dashboard provides a numerical score based on security recommendations, but it does not allow you to configure or align remediation with specific business or regulatory frameworks; it is a general health indicator, not a prioritization tool.

220
MCQhard

Refer to the exhibit. You are analyzing a KQL query in Microsoft Sentinel. What is the primary purpose of this query?

A.To summarize Mimikatz alerts by account.
B.To create an automation rule based on the query.
C.To enrich Mimikatz alerts with user account names.
D.To detect lateral movement after a Mimikatz alert.
AnswerC

Joins alert with identity to get account name.

Why this answer

Option C is correct because the query joins SecurityAlert rows for Mimikatz detections with identity information to attach the account name to each alert, which is enrichment. Option D is wrong because the query does not look for subsequent logons or remote execution, so it does not detect lateral movement. Option B is wrong because a query cannot create an automation rule; automation rules are configured separately.

Option A is wrong because the query does not aggregate alerts per account.

221
MCQeasy

A company wants to implement a governance strategy for their Azure environment. They need to enforce tagging standards and restrict deployment to approved regions. Which combination of Azure services should they use?

A.Azure Management Groups and subscriptions
B.Azure RBAC and Azure AD
C.Azure Resource Graph and Azure Monitor
D.Azure Policy and Azure Blueprints
AnswerD

Policy enforces rules; Blueprints package policies, RBAC, and resources.

Why this answer

Azure Policy is the correct service for enforcing tagging standards and restricting deployments to approved regions because it applies rules and effects to resources during creation and existing resources. Azure Blueprints complements this by orchestrating the deployment of policy definitions, role assignments, and resource groups into a single, repeatable package, ensuring consistent governance across subscriptions.

Exam trap

The trap here is that candidates confuse Azure Policy (which enforces rules) with Azure RBAC (which controls permissions), or they assume Management Groups alone can enforce compliance, when in fact Policy is the only service that can block non-compliant resource creation at the API level.

How to eliminate wrong answers

Option A is wrong because Azure Management Groups and subscriptions provide hierarchical organization and management boundaries but do not enforce tagging or region restrictions themselves. Option B is wrong because Azure RBAC controls who can perform actions on resources (authorization) and Azure AD manages identities, neither of which enforces resource-level compliance rules like tags or allowed regions. Option C is wrong because Azure Resource Graph is a query service for exploring resources and Azure Monitor collects telemetry and alerts; neither can enforce or prevent deployment of non-compliant resources.
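As an added example (not from the original page), the following Azure Policy definition combines the two controls the question asks for: it denies any resource created outside an allowed-locations list and any resource created without a required tag. The region values and the tag name CostCenter are assumptions; the resource-group and global-location exclusions follow the pattern of the built-in "Allowed locations" policy, since resource groups and global resources have no meaningful region to check.

```json
{
  "properties": {
    "displayName": "Deny resources outside allowed regions or missing the CostCenter tag",
    "mode": "Indexed",
    "parameters": {
      "allowedLocations": {
        "type": "Array",
        "metadata": { "displayName": "Allowed locations" },
        "defaultValue": [ "westeurope", "northeurope" ]
      },
      "tagName": {
        "type": "String",
        "metadata": { "displayName": "Required tag name" },
        "defaultValue": "CostCenter"
      }
    },
    "policyRule": {
      "if": {
        "anyOf": [
          {
            "allOf": [
              { "field": "location", "notIn": "[parameters('allowedLocations')]" },
              { "field": "location", "notEquals": "global" },
              { "field": "type", "notEquals": "Microsoft.Resources/subscriptions/resourceGroups" }
            ]
          },
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "exists": "false"
          }
        ]
      },
      "then": { "effect": "deny" }
    }
  }
}
```

The definition does nothing until it is assigned; assign it at a management group so every subscription beneath inherits it, and run a compliance scan first (or assign with the audit effect) to see what existing resources would be flagged before switching to deny. One caveat for practice rather than the exam: Microsoft has announced that Azure Blueprints will be deprecated in July 2026, with template specs and deployment stacks as the recommended replacement for packaging policy assignments, role assignments and resources together.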

222
Multi-Selectmedium

Your company uses Microsoft Defender for Cloud Apps to protect its SaaS environment. You need to configure settings to detect and block risky user activities. Which TWO actions should you take? (Choose TWO.)

Select 2 answers
A.Block all third-party app access.
B.Define IP address ranges for trusted locations.
C.Configure anomaly detection policies.
D.Configure app discovery policies.
E.Enable session monitoring for critical applications.
AnswersC, E

Detects risky behaviors.

Why this answer

Options C and E are correct. Anomaly detection policies (impossible travel, unusual download volume, activity from infrequent countries and so on) are the built-in behavioral detections for risky user activity, and session monitoring through Conditional Access App Control lets you watch, and block, risky actions in real time for the applications that matter most. Option A is incorrect because blocking all third-party apps is a blunt control that does not detect risky behavior and would break legitimate use.

Option D is incorrect because app discovery policies surface shadow IT from firewall and proxy logs; they do not detect risky user activity inside sanctioned apps. Option B is incorrect because defining trusted IP ranges tunes location-based policies and reduces anomaly-detection false positives, but it is a supporting setting, not a detection or blocking control in itself.

223
MCQeasy

Your organization is planning to migrate from on-premises Active Directory to Microsoft Entra ID. You need to ensure that users can use the same passwords for both on-premises and cloud resources without having to change them. What should you implement?

A.Microsoft Entra Cloud Sync.
B.Federation with on-premises AD FS.
C.Microsoft Entra Connect password hash synchronization.
D.Microsoft Entra Connect pass-through authentication.
AnswerC

PHS syncs password hashes, enabling same password use.

Why this answer

Option C is correct because password hash synchronization (PHS) through Microsoft Entra Connect copies a hash of each user's on-premises password hash to Entra ID, so users sign in to cloud resources with the same password and no on-premises component has to be reachable at sign-in time, which also fits an organization that is moving away from on-premises AD. Option D is wrong because pass-through authentication validates each sign-in against an on-premises domain controller through an agent and does not synchronize password hashes. Option B is wrong because federation with AD FS redirects authentication to the on-premises federation service rather than synchronizing passwords, and it keeps the cloud sign-in dependent on AD FS availability.

Option A is wrong as the answer the question wants: Microsoft Entra Cloud Sync is an alternative, lighter-weight provisioning agent (it can also synchronize password hashes), but the capability that satisfies the requirement is password hash synchronization itself, which option C names directly.

224
MCQhard

Your organization uses Microsoft Sentinel as a SIEM. You need to reduce the cost of data ingestion while ensuring that security-relevant events are retained. You have identified that Windows Event ID 4624 (successful logon) produces a high volume of logs. What should you do?

A.Reduce the retention period for all logs to 30 days
B.Ingest the events into a separate Log Analytics workspace with a shorter retention
C.Filter out Event ID 4624 at the source using Windows Event Forwarding
D.Configure the analytics connector to ingest these events as basic logs
AnswerD

Basic logs cost less than analytics logs.

Why this answer

Option D is correct because Microsoft Sentinel supports the Basic logs table plan, a lower-cost ingestion tier intended for high-volume, verbose data such as Windows Event ID 4624. The plan is set per table rather than by creating a separate table: a Basic table keeps 30 days of interactive retention (longer retention is available as long-term retention) and its data can still be queried for investigations, so the events are retained rather than dropped. The trade-offs a practitioner should know are that Basic tables support a reduced set of KQL operators, searches against them carry a per-query charge, and they cannot be used in scheduled analytics rules, so this tier suits events you need for investigation and hunting rather than for real-time alerting.

Exam trap

The trap here is that candidates often confuse 'reducing retention' with 'reducing ingestion cost,' not realizing that ingestion cost is based on data volume, not retention length, and that basic logs provide a separate, cheaper ingestion tier specifically for high-volume, low-value logs.

How to eliminate wrong answers

Option A is wrong because reducing the retention period for all logs to 30 days would indiscriminately delete security-critical logs (e.g., Event ID 4625 for failed logons) that may be needed for longer investigations or compliance. Option B is wrong because ingesting events into a separate Log Analytics workspace with a shorter retention does not reduce ingestion costs; it only shifts storage costs and still incurs the same per-GB ingestion charges for the high-volume Event ID 4624 data. Option C is wrong because filtering out Event ID 4624 at the source using Windows Event Forwarding would permanently discard the events, preventing any future analysis of successful logon patterns, which are essential for detecting lateral movement or brute-force attacks.

225
MCQeasy

A startup, Alpine Ski House, is developing a mobile app that allows users to book ski lessons. The app communicates with an Azure Function App backend via REST APIs. The function app stores data in Azure Cosmos DB. The company wants to secure the API endpoints using OAuth 2.0 with Microsoft Entra ID and ensure that only authenticated users can invoke the functions. The function app should also use a managed identity to access Cosmos DB. Which of the following configurations should you implement?

A.Configure the function app to require authentication with Microsoft Entra ID, enforce HTTPS only, and use a system-assigned managed identity to access Cosmos DB.
B.Configure the function app to use function-level authorization keys, enforce HTTPS only, and use a connection string with a read-write key to access Cosmos DB.
C.Configure the function app to require client certificates, enforce HTTPS only, and use a managed identity to access Cosmos DB.
D.Configure the function app to use IP whitelisting, enforce HTTPS only, and use a managed identity to access Cosmos DB.
AnswerA

Entra ID provides OAuth 2.0, managed identity provides secure database access, and HTTPS ensures encryption in transit.

Why this answer

Option A is correct because it uses OAuth 2.0 with Microsoft Entra ID for user authentication, a system-assigned managed identity (no stored credential) for access to Cosmos DB, and enforces HTTPS for encryption in transit. Option B is wrong because function keys are shared secrets that identify a caller, not a user, and a read-write Cosmos DB key in a connection string is a long-lived secret that the managed identity is meant to replace. Option C is wrong because client certificates authenticate a device or client application, not the individual user the requirement is about.

Option D is wrong because IP allowlisting restricts where requests may come from; it is not a substitute for authenticating who is making them.
