Microsoft Cybersecurity Architect (SC-100) — Questions 226–300

969 questions total · 13 pages · All types, answers revealed

Page 4 of 13
226
MCQ · easy

Refer to the exhibit. You are analyzing a KQL query in Microsoft Sentinel. What is the purpose of this query?

A. Count the number of 'Suspicious process execution' alerts in the last hour
B. Retrieve details of security alerts named 'Suspicious process execution' from the last hour
C. Join the SecurityAlert table with another table to enrich the results
D. Create an analytics rule to detect 'Suspicious process execution'
Answer: B

The query filters by alert name and time, then projects columns.

Why this answer

Option B is correct because the query filters alerts with a specific name and time range, then projects selected fields. Option A is wrong because the query does not aggregate. Option C is wrong because it does not join tables.

Option D is wrong because it does not create a new rule.

227
MCQ · hard

You are designing a zero-trust network architecture for a hybrid environment using Azure Virtual WAN. You need to secure all traffic between on-premises sites and Azure virtual networks using Microsoft's security services. The solution should include next-generation firewall capabilities and TLS inspection. What should you deploy?

A. Deploy a third-party NVA in a spoke virtual network and route traffic through it.
B. Deploy Azure Firewall Standard as the secured hub in Virtual WAN.
C. Deploy Azure Application Gateway with WAF in each virtual network.
D. Deploy Azure Firewall Premium as the secured hub in Virtual WAN.
Answer: D

Azure Firewall Premium offers TLS inspection, IDPS, and integrates natively with Virtual WAN.

Why this answer

Option D is correct because Azure Firewall Premium provides next-generation firewall features including TLS inspection and IDPS, and it can be integrated with Azure Virtual WAN as a secured hub. Option B is wrong because Azure Firewall Standard lacks TLS inspection. Option A is wrong because third-party NVAs require manual routing and do not integrate natively with Virtual WAN.

Option C is wrong because Application Gateway is for web traffic, not for general network traffic inspection.

228
MCQ · medium

Refer to the exhibit. You are reviewing a conditional access policy JSON in Microsoft Entra ID. What does this policy accomplish?

A. Requires MFA for high-risk sign-ins.
B. Blocks external users from high-risk sign-ins.
C. Blocks all users when sign-in risk is high.
D. Blocks sign-ins from specific applications.
Answer: C

Correct interpretation.

Why this answer

Option C is correct because the policy blocks all users when sign-in risk is high. Option A is wrong because the policy does not require MFA. Option D is wrong because it does not target specific apps.

Option B is wrong because the policy blocks all users, not just external users.

229
MCQ · easy

Your organization is adopting a Zero Trust security model. You need to design a solution that ensures continuous verification of user identity and device health before granting access to resources. Which Microsoft Entra ID feature should you prioritize?

A. Microsoft Entra ID Domain Services
B. Microsoft Entra ID Identity Protection
C. Microsoft Entra ID Conditional Access
D. Microsoft Entra ID Privileged Identity Management (PIM)
Answer: C

Conditional Access enforces access policies based on real-time signals, aligning with Zero Trust.

Why this answer

Option C is correct because Conditional Access is the primary Microsoft Entra ID feature that enforces continuous verification by evaluating user identity, device health (via compliance policies or Microsoft Defender for Endpoint signals), location, and risk in real-time before granting access. It directly supports the Zero Trust principle of 'never trust, always verify' by requiring authentication and authorization at every access attempt, not just at the perimeter.

Exam trap

The trap here is that candidates confuse Identity Protection's risk detection capabilities with the enforcement mechanism, but Identity Protection alone cannot block access based on device health or enforce conditional policies—it only provides signals that must be consumed by Conditional Access to make a decision.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Domain Services provides managed domain services like LDAP, Kerberos, and NTLM for legacy applications, not continuous identity or device health verification. Option B is wrong because Identity Protection focuses on detecting and responding to identity-based risks (e.g., leaked credentials, anomalous sign-ins) but does not enforce access decisions based on device health or real-time verification; it feeds risk signals into Conditional Access. Option D is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation and approval workflows, not continuous verification of all user identities or device health for general resource access.

230
Multi-Select · hard

Your organization is implementing Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data. You need to design a policy that prevents users from sharing credit card numbers via email. Which THREE components are required to build this DLP policy?

Select 3 answers
A. A policy tip to warn users before sending
B. A rule that includes a sensitive info type for credit card numbers
C. A trainable classifier for financial data
D. A policy scope that includes Exchange Online
E. An action to block the email and send a notification
Answers: B, D, E

Sensitive info types detect credit card patterns.

Why this answer

Option B is correct because a DLP policy must include a rule that defines the sensitive data to detect. For credit card numbers, Microsoft Purview provides a built-in sensitive info type (SIT) that uses pattern matching, checksum validation, and keyword proximity to accurately identify credit card numbers. Without this rule, the policy would have no criteria to trigger actions.

Exam trap

The trap here is that candidates often confuse optional enhancements (like policy tips or trainable classifiers) with mandatory components, but the core requirement is a rule with a sensitive info type, a scope (Exchange Online), and an action to block and notify.

231
MCQ · hard

Refer to the exhibit. You are reviewing an Azure Policy definition in JSON. What does this policy do?

A. Denies SQL servers from using Azure AD authentication
B. Allows SQL servers to use Azure AD authentication
C. Denies SQL servers that do not have a firewall rule
D. Enforces that all SQL servers must have an Azure AD admin
Answer: A

The policy denies if the administrator type is ActiveDirectory.

Why this answer

The policy checks whether the SQL server administrator type is 'ActiveDirectory' and applies the deny effect if it is. This means it blocks the use of Azure AD authentication for SQL servers. Option A is correct.

Option B is incorrect because the policy denies, not allows. Option C is incorrect because it checks the administrator type, not firewall rules. Option D is incorrect because it does not enforce an AD admin; it denies if an AD admin is set.

232
MCQ · medium

Your organization uses Microsoft Defender for Cloud to assess security posture. You need to design a solution that automatically applies a security baseline to new Azure VMs. Which feature should you use?

A. Microsoft Defender for Cloud regulatory compliance dashboard
B. Azure Update Management
C. Azure Automation State Configuration (DSC)
D. Azure Policy with Guest Configuration
Answer: D

Azure Policy can enforce guest configuration baselines automatically on VMs.

Why this answer

Option D is correct because Azure Policy with Guest Configuration can apply security baselines to VMs at scale. Option A is wrong because Defender for Cloud provides recommendations but does not automatically apply baselines. Option C is wrong because Azure Automation State Configuration (DSC) can apply configurations, but Azure Policy is more integrated.

Option B is wrong because Azure Update Management handles patching, not baselines.

233
MCQ · easy

Your company uses Microsoft 365 Defender (XDR) for endpoint detection and response. You need to design a solution to automatically remediate malware infections on Windows 10 devices. The solution should isolate the device from the network, run a full antivirus scan, and reset the device if the infection cannot be cleaned. What should you configure?

A. Create a manual incident response process where analysts remotely connect and run scripts.
B. Enable automated investigation and remediation in Microsoft Defender for Endpoint with action settings: isolate, run AV, and reset.
C. Deploy a third-party EDR tool that integrates with Microsoft Sentinel.
D. Configure Intune compliance policies to mark infected devices as non-compliant and require user action.
Answer: B

Automated investigation can isolate, run scan, and reset devices automatically.

Why this answer

Option B is correct because it uses automated investigation and remediation in Defender for Endpoint. Option A is manual; Option D uses Intune for compliance, not remediation; Option C uses a third-party tool.

234
Multi-Select · hard

Which TWO Azure services can you use to implement a zero-trust network architecture that verifies identity and device compliance before granting access to on-premises applications? (Choose two.)

Select 2 answers
A. Microsoft Entra Application Proxy
B. Microsoft Entra Conditional Access
C. Azure VPN Gateway
D. Azure Firewall
E. Azure Bastion
Answers: A, B

It provides pre-authentication and conditional access for on-premises applications.

Why this answer

Option A is correct because Microsoft Entra Application Proxy provides pre-authentication and conditional access for on-premises apps. Option B is correct because Microsoft Entra Conditional Access evaluates user identity and device compliance before granting access. Option E is wrong because Azure Bastion provides secure RDP/SSH access to VMs, not to applications.

Option D is wrong because Azure Firewall is a network firewall, not an identity-aware access control. Option C is wrong because VPN Gateway provides network-level connectivity without identity verification.

235
MCQ · easy

A company uses Microsoft Defender for Identity (MDI) to monitor on-premises Active Directory. They want to integrate MDI alerts into Microsoft Sentinel. Which data connector should they use?

A. Syslog connector
B. Azure Active Directory connector
C. Microsoft Defender for Identity connector
D. Windows Security Events via AMA
Answer: C

This connector specifically ingests MDI alerts.

Why this answer

Option C is correct because the Microsoft Defender for Identity connector ingests MDI alerts into Sentinel. Option D is incorrect because the Windows Security Events connector ingests raw events, not MDI alerts. Option B is incorrect because the Azure AD connector is for cloud identity logs.

Option A is incorrect because Syslog is for non-Microsoft devices.

236
MCQ · hard

You are designing a microservices application running on Azure Kubernetes Service (AKS). You need to ensure that secrets (e.g., API keys, connection strings) are securely stored and automatically rotated without application downtime. What is the recommended approach?

A. Store secrets in Azure App Configuration with key vault references.
B. Store secrets as Kubernetes Secrets and use a controller to rotate them.
C. Use Azure Key Vault with the Secrets Store CSI driver to mount secrets as volumes and enable rotation.
D. Inject secrets as environment variables from Azure Key Vault using a pod identity.
Answer: C

CSI driver mounts secrets and supports rotation without downtime.

Why this answer

Option C is correct because using Azure Key Vault with the Secrets Store CSI driver allows pods to mount secrets as volumes, and rotation is handled by the driver. Option B is wrong because Kubernetes Secrets are base64-encoded, not encrypted by default. Option D is wrong because storing secrets in environment variables is less secure and harder to rotate.

Option A is wrong because Azure App Configuration is for configuration, not secrets management.

237
Multi-Select · medium

Your company is deploying Microsoft Sentinel in a government agency that requires strict data residency. You need to ensure that all Sentinel data is stored within the United States. Which THREE actions must you take to meet this requirement?

Select 3 answers
A. Disable cross-region replication in the Log Analytics workspace settings.
B. Create the Log Analytics workspace in an Azure region in the United States (e.g., East US).
C. Configure data export to a storage account in a different region for redundancy.
D. Enable customer-managed keys (CMK) using Azure Key Vault in the same region.
E. Use Azure Policy to audit workspace region for compliance.
Answers: A, B, D

By default, workspaces do not replicate across regions, but disabling any built-in replication ensures data stays in the US.

Why this answer

Option B (create the workspace in a US region) is critical because data is stored in the region where the Log Analytics workspace is created. Option D (enable customer-managed keys) is required for compliance in many government scenarios. Option A (disable cross-region data replication) ensures data does not replicate outside the US.

Option C (Enable data export) would send data elsewhere. Option E (Use Azure Policy) can enforce, but it's not a direct data residency action.

238
Drag & Drop · medium

Order the steps to configure Azure DDoS Protection Standard for a virtual network.

Why this order

DDoS Protection requires a plan, association, enablement, then monitoring setup.

239
MCQ · medium

Refer to the exhibit. You are investigating a security incident in Microsoft Sentinel. The KQL query above is used to identify potential brute-force attacks. What does the query return?

A. A list of computers with more than 5 failed logins from any account.
B. A list of user accounts with more than 5 failed logins across all computers.
C. A list of user accounts and computers where the account has more than 5 failed logins in the last 24 hours.
D. A list of user accounts with more than 5 successful logins in the last 24 hours.
Answer: C

Returns Account and Computer with FailedLogins > 5.

Why this answer

Option C is correct. The query filters SecurityEvent for user accounts (AccountType == 'User') in the last 24 hours, groups by Account and Computer, counts the number of events (FailedLogins), and then filters to only those accounts with more than 5 failed logins. Option A is wrong because the query counts per account and computer, not just per computer.

Option B is wrong because the query returns both Account and Computer, not accounts across all computers. Option D is wrong because the query counts failed logins, not successful ones.

240
MCQ · medium

Your organization wants to implement a zero-trust security model for on-premises and cloud resources. As part of this strategy, you need to ensure that all access requests are authenticated and authorized based on dynamic risk signals. Which Microsoft security solution should you use to enforce conditional access policies based on real-time risk?

A. Microsoft Entra ID Conditional Access
B. Microsoft Intune
C. Microsoft Sentinel
D. Microsoft Defender for Cloud
Answer: A

Entra ID Conditional Access enforces access policies based on user, device, location, and risk signals, supporting zero-trust.

Why this answer

Microsoft Entra ID Conditional Access enables you to enforce access controls based on conditions such as user risk, sign-in risk, device compliance, and location. This aligns with zero-trust principles of verifying explicitly and using least privilege. Microsoft Defender for Cloud is for cloud security posture management, not conditional access.

Microsoft Intune manages devices, and Microsoft Sentinel is a SIEM.

241
MCQ · medium

You are designing a security solution for containers in Azure Kubernetes Service (AKS). The solution must scan container images for vulnerabilities before deployment and enforce runtime security. Which combination of Microsoft Defender for Cloud features should you enable?

A. Microsoft Defender for Containers
B. Microsoft Defender for App Service
C. Microsoft Defender for Cloud regulatory compliance dashboard
D. Microsoft Defender for Servers
Answer: A

Defender for Containers provides image scanning and runtime protection for AKS.

Why this answer

Option A is correct because Defender for Containers provides vulnerability assessment for images and runtime threat detection for AKS clusters. Option D is wrong because Defender for Servers is for VMs, not containers. Option B is wrong because Defender for App Service protects web apps, not containers.

Option C is wrong because Defender for Cloud's regulatory compliance dashboard does not provide vulnerability scanning or runtime protection.

242
MCQ · easy

Your organization uses Microsoft Sentinel and wants to automatically respond to high-severity incidents without human intervention. Which feature should you configure?

A. Automation rule
B. Analytics rule
C. Workbook
D. Watchlist
Answer: A

Automation rules can automatically respond to incidents by triggering playbooks or other actions.

Why this answer

Automation rules in Microsoft Sentinel allow you to automatically respond to incidents based on criteria such as severity. Option A is correct because automation rules can trigger playbooks. Option B is wrong because analytics rules create alerts, not automated responses.

Option C is wrong because workbooks are for visualization. Option D is wrong because watchlists are for correlation.

243
MCQ · hard

Your organization plans to use Microsoft Purview to protect sensitive data in Microsoft 365. The compliance team needs to detect when users share credit card numbers via email and automatically apply encryption. Which solution should you implement?

A. Microsoft Purview Audit
B. Microsoft Purview eDiscovery
C. Microsoft Purview Information Protection
D. Microsoft Purview Data Loss Prevention (DLP)
Answer: D

DLP policies can detect sensitive information and automatically apply encryption via transport rules.

Why this answer

Microsoft Purview Data Loss Prevention (DLP) is the correct solution because it is specifically designed to detect sensitive data types—such as credit card numbers—in email messages and automatically apply protective actions like encryption. DLP policies can inspect email content in transit via Exchange Online, match patterns against predefined sensitive info types (e.g., credit card number regex), and trigger actions such as 'Encrypt the message' using Azure Rights Management. This directly meets the requirement to detect sharing of credit card numbers and enforce encryption automatically.

Exam trap

Microsoft often tests the distinction between Information Protection (labeling/classification) and Data Loss Prevention (content inspection and automated enforcement), leading candidates to pick Information Protection because they confuse 'protecting data' with 'detecting and acting on sensitive content.'

How to eliminate wrong answers

Option A is wrong because Microsoft Purview Audit only logs user and admin activities for forensic review; it cannot inspect email content for sensitive data or apply encryption. Option B is wrong because Microsoft Purview eDiscovery is used for searching and exporting content in legal or compliance investigations, not for real-time detection and automated protection of sensitive data in transit. Option C is wrong because Microsoft Purview Information Protection focuses on classifying and labeling documents and emails (e.g., sensitivity labels), but it does not natively scan for specific sensitive data patterns like credit card numbers or enforce automatic encryption based on content detection—that requires DLP policies to trigger the label or encryption action.

244
MCQ · hard

Refer to the exhibit. Your organization is required to comply with PCI DSS. You need to prioritize remediation efforts to meet PCI DSS requirements. Based on the exhibit, which recommendation should you address first?

A. Enable MFA on accounts with owner permissions
B. Migrate VMs from classic to ARM
C. Enable vulnerability assessment on SQL databases
D. Enable diagnostic logs in Key Vault
Answer: A

PCI DSS requirement 8.3.1 requires multi-factor authentication for all administrative access.

Why this answer

PCI DSS requires strong access control, including multi-factor authentication for remote access and for all accounts with administrative access. The recommendation 'MFA should be enabled on accounts with owner permissions' directly impacts PCI DSS requirements for authentication. While vulnerability assessment is important, MFA is a key control for PCI DSS.

The other recommendations are less directly related to PCI DSS.

245
MCQ · easy

Your company uses Microsoft Sentinel for security operations. You need to detect brute-force attacks against Azure VMs by correlating failed sign-in events from multiple sources. Which data connector should you enable?

A. Azure Active Directory (now Microsoft Entra ID) sign-in logs connector.
B. Syslog connector.
C. Windows Security Events via AMA (Azure Monitor Agent) connector.
D. Azure Activity log connector.
Answer: C

This connector collects Windows security events including failed logins from VMs.

Why this answer

Option C is correct because Windows Security Events via AMA can collect failed sign-in events (Event ID 4625) from Azure VMs. Option D is wrong because Azure Activity logs do not contain VM sign-in events. Option A is wrong because Azure AD sign-in logs are for cloud applications, not VM sign-ins.

Option B is wrong because Syslog is for Linux VMs, but the question does not specify the OS.

246
MCQ · hard

Refer to the exhibit. You run this KQL query in Microsoft Sentinel. What is the primary purpose?

A. Correlate alerts across different data sources
B. Identify new high-severity alerts in the last 7 days
C. Detect entities that have been repeatedly targeted by high-severity alerts
D. Find entities with fewer than 5 high-severity alerts
Answer: C

The query groups by CompromisedEntity and counts alerts, then filters for more than 5, indicating repeated targeting.

Why this answer

The KQL query uses the `make_set` function to aggregate distinct alert names per entity (e.g., host or user) and then filters for entities that have been hit by more than 5 distinct high-severity alerts. This directly identifies entities repeatedly targeted by high-severity alerts, which is the primary purpose.

Exam trap

Microsoft often tests the distinction between counting total alerts versus counting distinct alert types, so candidates may mistakenly think the query counts all alerts (including duplicates) and pick option D, when in fact `make_set` deduplicates by alert name.

How to eliminate wrong answers

Option A is wrong because the query does not join or correlate alerts from different data sources; it only filters alerts by severity and aggregates by entity. Option B is wrong because the query does not identify new alerts; it counts distinct alert names over the last 7 days, not the recency of individual alerts. Option D is wrong because the query uses `array_length(make_set(...)) > 5`, which finds entities with more than 5 distinct high-severity alerts, not fewer than 5.

247
MCQ · hard

You are a cybersecurity architect for a multinational corporation that is migrating its on-premises workloads to Azure. The environment includes 500 virtual machines across multiple subscriptions, managed through Azure Policy and Azure Blueprints. The security team has reported that some VMs are not receiving the latest security updates despite being configured for automatic updates via the Azure Update Management solution. Additionally, you have noticed that some VMs are missing the Azure Monitor agent, which is required for security monitoring. The company uses Azure Security Center (now Defender for Cloud) with the standard tier enabled. You need to ensure that all VMs are compliant with the company's security baseline, which requires: (1) all VMs must have the Azure Monitor agent installed, (2) all VMs must be enrolled in the Update Management solution, and (3) all VMs must be protected by Microsoft Defender for Cloud. What should you do to enforce compliance and remediate non-compliant VMs?

A. Use Azure Policy with built-in initiatives such as 'Enable Azure Monitor for VMs' and 'Configure machines to automatically install updates' and assign them to all subscriptions
B. Create a new Azure Blueprint that includes the required configurations and assign it to all subscriptions
C. Use Azure Automation to run scripts that install the agent and enable updates on all VMs
D. Configure Microsoft Defender for Cloud to automatically install the Azure Monitor agent and enable updates
Answer: A

Azure Policy can audit and automatically remediate non-compliant VMs using DeployIfNotExists effects.

Why this answer

Option A is correct because Azure Policy with built-in initiatives like 'Enable Azure Monitor for VMs' and 'Configure machines to automatically install updates' provides a declarative, scalable, and continuous compliance enforcement mechanism. These initiatives automatically remediate non-compliant VMs by deploying the required agents and configurations across all subscriptions, ensuring all three security baseline requirements are met without manual intervention.

Exam trap

The trap here is that candidates confuse Azure Blueprints (which only apply at deployment) with Azure Policy (which provides continuous compliance enforcement and auto-remediation), leading them to choose Blueprints as a one-time fix instead of the ongoing policy-based solution.

How to eliminate wrong answers

Option B is wrong because Azure Blueprints are used for creating a repeatable set of Azure resources and policies at deployment time, but they do not continuously remediate existing non-compliant VMs; once assigned, they lack the ongoing compliance enforcement and auto-remediation capabilities of Azure Policy. Option C is wrong because using Azure Automation to run scripts is a reactive, manual approach that does not provide continuous compliance monitoring or automatic remediation for new or existing VMs, and it cannot enforce the security baseline at scale across multiple subscriptions. Option D is wrong because Microsoft Defender for Cloud can detect missing agents and updates but does not automatically install the Azure Monitor agent or enable Update Management; it relies on Azure Policy for deployment and remediation of these configurations.

248
MCQ · hard

Your company uses Microsoft Purview Compliance Manager to track compliance with regulatory standards. You need to generate a report that shows the percentage of controls that are not yet implemented for the PCI DSS standard. What should you do?

A. In Compliance Manager, open the PCI DSS assessment and view the control status.
B. Create a Data Lifecycle Management policy for PCI DSS.
C. Create a custom risk assessment in Compliance Manager for PCI DSS.
D. Configure a Communication Compliance policy to monitor PCI DSS compliance.
Answer: A

Compliance Manager includes pre-built assessments with control status tracking.

Why this answer

Option A is correct because Compliance Manager provides pre-built assessments for standards like PCI DSS, and you can view the control status. Option B is incorrect because Data Lifecycle Management is for retention policies. Option D is incorrect because Communication Compliance is for internal risk detection.

Option C is incorrect because risk assessments in Compliance Manager are built in, not created manually for this purpose.

249
MCQ · medium

You are designing a secure access solution for a manufacturing company's IoT devices that send telemetry to Azure IoT Hub. The devices run on a private network with no internet access except through a firewall. You need to ensure that device-to-cloud communication is authenticated and encrypted, and that device credentials are rotated regularly. What should you include in the design?

A. Configure Azure Firewall to authenticate and encrypt device traffic.
B. Use X.509 certificates with Azure Device Provisioning Service (DPS) for automatic enrollment and certificate rotation.
C. Use shared access signature (SAS) tokens with a central key management system.
D. Assign managed identities to each IoT device.
Answer: B

X.509 certificates meet authentication, encryption, and rotation requirements.

Why this answer

Option B is correct because X.509 certificates with auto-enrollment via DPS provide strong authentication, encryption (TLS), and automated certificate rotation. Option C is incorrect because SAS tokens require manual rotation and are less secure. Option D is incorrect because managed identities are for Azure resources, not IoT devices.

Option A is incorrect because Azure Firewall is a network security component, not an authentication mechanism.

250
MCQ · easy

Your organization uses Microsoft Intune for mobile device management. Employees report they cannot access corporate email on their personal iOS devices. The helpdesk confirms devices are enrolled and compliant. What should you check first?

A. Confirm the device configuration profile includes email settings.
B. Verify the conditional access policy for Exchange Online includes iOS devices.
C. Review the app protection policy for Outlook.
D. Ensure the compliance policy allows iOS devices.
Answer: B

Conditional access policies control access to cloud apps based on device state.

Why this answer

Option B is correct because conditional access policies in Entra ID enforce access rules for cloud apps like Exchange Online. Option D is wrong because compliance policies define device requirements, not access. Option C is wrong because app protection policies manage data within apps.

Option A is wrong because device configuration profiles set device settings, not access.

251
MCQ · easy

Your company is deploying Microsoft Sentinel to centralize security logs from Azure, on-premises, and other clouds. You need to ensure logs are ingested cost-effectively while maintaining search performance for the last 30 days. What should you configure?

A. Store logs in Azure Blob Storage and use Azure Data Explorer for queries.
B. Use Log Analytics workspace with 30-day interactive retention and set long-term retention for older data.
C. Use Sentinel's free tier for 30 days and then move to paid tier.
D. Ingest logs into Azure Event Hubs and then into Sentinel.
Answer: B

This provides fast query for recent data and cheaper storage for older data.

Why this answer

Option B is correct because Sentinel uses Log Analytics workspaces; you can set interactive retention to 30 days and long-term retention to lower-cost archival. Option A is wrong because Azure Storage is not optimized for log analytics queries. Option C is wrong because Sentinel cost is based on data ingestion, not separate tiers.

Option D is wrong because Azure Event Hubs is for real-time streaming, not cost-effective storage.

252
MCQ · medium

Refer to the exhibit. You are reviewing a PowerShell script that configures network security. What is the effect of the NSG rule created in this script?

A. It blocks all outbound traffic to the internet from the subnet.
B. It blocks inbound traffic only from specific IP ranges.
C. It blocks all inbound traffic from the internet to the subnet.
D. It allows inbound traffic from the internet, then denies it.
Answer: C

The rule denies inbound from the Internet service tag to the entire subnet.

Why this answer

The rule denies all inbound traffic from the 'Internet' service tag to all ports and protocols. 'Internet' includes traffic from outside Azure. The rule is applied at the subnet level. It does not affect outbound traffic, nor traffic from other Azure services unless they originate from the internet.

253
MCQ · hard

Refer to the exhibit. You are reviewing an ARM template for an Azure App Service configuration. What is the effect of the ipSecurityRestrictions array?

A.It allows all traffic because the deny rule has a higher priority number.
B.It denies traffic from 192.168.0.0/24 and allows all other traffic.
C.It denies all traffic because the deny rule covers any IP.
D.It allows traffic from 192.168.0.0/24 and denies all other traffic.
AnswerD

The first rule allows the corporate subnet, the second denies everything else.

Why this answer

The rules are evaluated in priority order. The first rule allows traffic from 192.168.0.0/24. The second rule denies all other traffic (Any).

This effectively restricts access to the specified corporate range only. App Service evaluates access restriction rules in ascending priority order (lower number first), so order matters: if the deny rule carried the lower priority number it would be evaluated first, match any source, and block the corporate range as well.
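As an added illustration (not part of the original question or its exhibit), the following Python models how App Service walks an ipSecurityRestrictions array: rules are sorted by priority number, the first match wins, and the default unmatched-rule action is deny. Both rule sets are constructed for the example; the second one swaps the two priorities to show the failure mode described above.

```python
import ipaddress

# Constructed rules in the shape of an App Service ipSecurityRestrictions
# array. Lower priority number = evaluated first.
CORRECT_RULES = [
    {"ipAddress": "192.168.0.0/24", "action": "Allow", "priority": 100, "name": "corp"},
    {"ipAddress": "Any",            "action": "Deny",  "priority": 200, "name": "deny-all"},
]

# Same rules with the priorities swapped: the catch-all deny is now evaluated
# first and shadows the corporate allow rule.
SWAPPED_RULES = [
    {"ipAddress": "192.168.0.0/24", "action": "Allow", "priority": 200, "name": "corp"},
    {"ipAddress": "Any",            "action": "Deny",  "priority": 100, "name": "deny-all"},
]


def _matches(rule, client_ip):
    """True if the client address falls inside the rule's CIDR (or the rule is 'Any')."""
    if rule["ipAddress"] == "Any":
        return True
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(rule["ipAddress"], strict=False)


def evaluate(rules, client_ip):
    """Return (action, rule_name) for the first matching rule in priority order.

    App Service's default unmatched-rule action is Deny once any rule exists,
    which the final return models.
    """
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if _matches(rule, client_ip):
            return rule["action"], rule["name"]
    return "Deny", "implicit-deny"


if __name__ == "__main__":
    for label, rules in (("correct", CORRECT_RULES), ("swapped", SWAPPED_RULES)):
        for ip in ("192.168.0.10", "203.0.113.5"):
            print(label, ip, evaluate(rules, ip))
```

With the correct ordering the corporate client is allowed and everything else is denied; with the swapped priorities even 192.168.0.10 is denied by the catch-all rule, which is exactly the misordering the question warns about.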

254
MCQhard

Your organization uses Microsoft Sentinel. You need to design a solution to detect and automatically respond to a potential brute-force attack against an on-premises application that is published via Azure AD Application Proxy. The solution should block the attacker's IP address in Azure AD Conditional Access for one hour after detecting more than 10 failed login attempts within 5 minutes. What should you implement?

A.Create a Microsoft Purview Data Loss Prevention policy to block the IP address based on the login pattern.
B.Create a Microsoft Sentinel analytics rule that triggers on a KQL query detecting the failed logins, then use a playbook to add the IP to a Conditional Access block list via the Azure AD API.
C.Deploy a web application firewall (WAF) in front of the application and configure rate limiting to block the IP.
D.Configure a Microsoft Entra ID Protection sign-in risk policy to automatically block the user's sign-in after detecting anomalous activity.
AnswerB

This custom approach allows specific thresholds and automated blocking via Conditional Access.

Why this answer

Option B is correct because a Microsoft Sentinel analytics rule can run a KQL query against the App Proxy and sign-in logs on a schedule, count failures per source IP over a 5-minute window, and raise an incident when the count exceeds 10; an automation rule then runs a playbook that calls Microsoft Graph to add the IP address to a named location referenced by a Conditional Access block policy, and removes it again after one hour. Option D is incorrect because Entra ID Protection applies Microsoft's own risk model and cannot be tuned to a custom threshold or a timed IP block for an App Proxy application. Option A is incorrect because a DLP policy governs data handling, not authentication.

Option C is incorrect because WAF rate limiting throttles requests at the web layer and does not integrate with Conditional Access, which is where the requirement places the block.
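The detection half of that design, as an added example that is not part of the original question: in production this logic would be a KQL analytics rule over SigninLogs and the block would be applied by a playbook calling Microsoft Graph named locations, neither of which is shown here. The Python below models the rule's threshold semantics (more than 10 failures within a sliding 5-minute window, per source IP) and the one-hour block expiry over constructed sign-in events.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 10                   # more than 10 failures ...
WINDOW = timedelta(minutes=5)    # ... within a sliding 5-minute window
BLOCK_DURATION = timedelta(hours=1)

# Constructed sign-in events (timestamp, client IP, result) standing in for
# SigninLogs rows; this is not real telemetry. 203.0.113.7 fails 11 times in
# 200 seconds; 198.51.100.3 fails once and then succeeds.
BASE = datetime(2024, 1, 1, 9, 0, 0)
EVENTS = (
    [(BASE + timedelta(seconds=20 * i), "203.0.113.7", "failure") for i in range(11)]
    + [(BASE + timedelta(seconds=30), "198.51.100.3", "failure"),
       (BASE + timedelta(seconds=60), "198.51.100.3", "success")]
)


def detect_brute_force(events):
    """Return {ip: block_until} for each IP exceeding THRESHOLD failures inside WINDOW.

    Failures are kept per IP in a deque; timestamps older than WINDOW relative
    to the newest failure are evicted before the count is compared.
    """
    recent = defaultdict(deque)
    blocks = {}
    for ts, ip, result in sorted(events):
        if result != "failure":
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > WINDOW:
            q.popleft()
        if len(q) > THRESHOLD and ip not in blocks:
            blocks[ip] = ts + BLOCK_DURATION
    return blocks


def is_blocked(blocks, ip, now):
    """True while the IP's block has not yet expired."""
    until = blocks.get(ip)
    return until is not None and now < until


def demo():
    """Run the detection over the constructed events and report the outcome."""
    blocks = detect_brute_force(EVENTS)
    return {
        "blocked": {ip: until.isoformat() for ip, until in blocks.items()},
        "attacker_blocked_after_30min": is_blocked(blocks, "203.0.113.7", BASE + timedelta(minutes=30)),
        "attacker_blocked_at_expiry": is_blocked(blocks, "203.0.113.7", BASE + timedelta(hours=1, seconds=200)),
        "other_ip_blocked": is_blocked(blocks, "198.51.100.3", BASE + timedelta(minutes=30)),
    }


if __name__ == "__main__":
    print(demo())
```

The block timer starts at the 11th failure (09:03:20) and lapses one hour later; the IP with a single failure followed by a success never crosses the threshold. In Sentinel the same window logic is expressed with `summarize count() by IPAddress, bin(TimeGenerated, 5m)` and the rule's own query period, and the expiry is a scheduled second playbook that removes the IP from the named location.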

255
MCQmedium

Your company plans to use Microsoft Sentinel to detect threats across multiple Azure subscriptions. You need to design a cost-effective solution that ingests logs from all subscriptions. What should you use?

A.Use Azure Lighthouse to manage cross-subscription connectivity
B.Deploy a single Sentinel workspace and configure data collection rules to collect logs from all subscriptions
C.Create a separate Sentinel workspace for each subscription
D.Use Azure Policy to assign a Log Analytics workspace to each subscription
AnswerB

Centralized workspace with DCRs is cost-effective.

Why this answer

Option B is correct because a single workspace with data collection rules (and diagnostic settings) pointed at it receives logs from every subscription, avoiding per-workspace overheads and duplicated analytics rules. Option A is wrong because Azure Lighthouse delegates cross-tenant management; it does not ingest logs. Option C is wrong because one workspace per subscription multiplies cost and fragments hunting and correlation.

Option D is wrong because, although Azure Policy is a good way to push diagnostic settings at scale, assigning a separate workspace to each subscription does not centralize ingestion.

256
Multi-Selecthard

A hospital, Contoso Health, is deploying an Azure API Management (APIM) instance to expose healthcare APIs that comply with HIPAA. The APIs are hosted on Azure Functions and Azure Logic Apps. You need to design a security solution that includes: (1) authentication and authorization using Microsoft Entra ID, (2) protection against OWASP top 10 threats, (3) encryption of sensitive data in transit and at rest, and (4) logging and monitoring of all API calls. Which THREE of the following should you implement?

Select 3 answers
A.Configure IP whitelisting on APIM to restrict access to known IP addresses.
B.Configure OAuth 2.0 authorization with Microsoft Entra ID in APIM.
C.Configure mutual TLS (mTLS) authentication with client certificates.
D.Deploy Azure Web Application Firewall (WAF) policy on Azure Front Door or Application Gateway in front of APIM.
E.Enable Azure Monitor and Log Analytics to collect and analyze APIM logs.
AnswersB, D, E

OAuth 2.0 with Entra ID provides secure authentication and fine-grained authorization.

Why this answer

Option B is correct because OAuth 2.0 with Entra ID (for example the validate-jwt policy in APIM) provides authentication and scope-based authorization. Option D is correct because a WAF policy in front of APIM covers the OWASP Top 10 threat class. Option E is correct because Azure Monitor with Log Analytics collects and analyzes the APIM gateway logs.

Option C is wrong because client certificates authenticate the calling system, not the user, and alone do not give per-user authorization (mTLS is a useful complement, not a replacement). Option A is wrong because IP allow-listing is not a substitute for authentication.

257
MCQmedium

Your organization uses Microsoft Purview. You need to design a solution that automatically detects and classifies sensitive data such as passport numbers stored in Microsoft OneDrive. The solution should apply a 'Highly Confidential' sensitivity label without user intervention. What should you configure?

A.Create an auto-labeling policy in Microsoft Purview that targets OneDrive and includes the 'Passport Number' sensitive info type.
B.Create a Data Loss Prevention (DLP) policy that blocks sharing of files with passport numbers.
C.Enable auditing in Microsoft Purview to track where passport numbers are stored.
D.Configure a manual sensitivity label and train users to apply it.
AnswerA

Auto-labeling policies automatically apply labels based on content inspection.

Why this answer

Option A is correct because an auto-labeling policy scans OneDrive content for the 'Passport Number' sensitive information type and applies the 'Highly Confidential' label with no user action. Option D (manual labeling) requires user action. Option B (DLP) blocks sharing but does not label.

Option C (audit) only logs where the data is.

258
MCQhard

Refer to the exhibit. You are analyzing an Azure PowerShell script that checks a blob property. The output of the last command returns 'False'. What does this indicate about the blob storage configuration?

A.Diagnostic logging is not configured for the container.
B.Access time tracking is disabled for the storage account.
C.The blob has an immutability policy applied.
D.Server-side encryption is disabled for the blob.
AnswerB

The property being false indicates access time tracking is not enabled.

Why this answer

The property 'IsAccessTimeTrackingEnabled' reports whether last-access-time tracking is enabled on the storage account's blob service; when enabled, each blob's last access time is recorded so lifecycle management rules can tier or delete blobs based on when they were last read. A value of 'False' means the feature is off. Option A is wrong because the property is not a diagnostic-logging setting.

Option C is wrong because it does not describe an immutability policy. Option D is wrong because it has nothing to do with server-side encryption, which is always on for Azure Storage and cannot be disabled.

259
Drag & Dropmedium

Order the steps to respond to a Microsoft Defender for Cloud security alert.


Why this order

Alert response involves reviewing, assessing, remediating, and then closing the alert.

260
MCQhard

Your organization uses Microsoft Sentinel as its SIEM. You need to design a solution to automatically respond to detected threats in Azure resources. The response must include isolating the affected virtual machine and creating a support ticket. Which approach should you use?

A.Create a Microsoft Sentinel automation rule that triggers a playbook when an incident is generated. The playbook uses Azure Logic Apps to isolate the VM and create a ticket in your IT service management tool.
B.Create an Azure Policy initiative that automatically remediates non-compliant resources
C.Create a Microsoft Sentinel analytics rule that runs a KQL query and automatically sends an email to the security team
D.Create an Azure Automation runbook that runs on a schedule to check for threats and isolate VMs
AnswerA

Automation rules and playbooks provide event-driven, orchestrated response.

Why this answer

Option A is correct because a Sentinel automation rule can run a playbook (an Azure Logic App) when an incident is created, and the playbook can isolate the VM (for example through a Defender for Endpoint isolation action or an NSG change) and open a ticket in the ITSM tool through its connector. Option B is wrong because Azure Policy remediates configuration drift, not live incidents. Option C is wrong because an analytics rule that only emails the team surfaces the threat without acting on it.

Option D is wrong because a scheduled runbook polls rather than reacting to the incident and is not driven by Sentinel's detection.

261
MCQhard

A company is planning to use Azure Logic Apps to integrate multiple SaaS applications. The workflow will process sensitive customer data and must comply with data residency requirements, ensuring that data does not leave a specific Azure region. The solution must minimize latency. What is the recommended deployment strategy?

A.Use Azure API Management to route traffic to Logic Apps in the required region.
B.Deploy Logic Apps using the Standard plan in the required region.
C.Deploy Logic Apps using the Consumption plan in the required region.
D.Provision an Integration Service Environment (ISE) in the required region and deploy Logic Apps into it.
AnswerD

ISE provides dedicated storage and compute, ensuring data stays within the region.

Why this answer

Option D is correct because an Integration Service Environment (ISE) is a dedicated, isolated instance of the Azure Logic Apps runtime that runs in your own virtual network, ensuring data never leaves the specified Azure region. This meets strict data residency requirements while minimizing latency by keeping all processing within the same regional boundary. The ISE also provides dedicated compute resources, avoiding multi-tenant contention and reducing network hops.

Exam trap

Microsoft often tests the misconception that any Logic Apps plan deployed in a region automatically guarantees data residency. The multi-tenant Consumption plan shares infrastructure with other tenants; a single-tenant runtime inside your own virtual network is what this question is after, which the ISE provided (and which the Standard plan provides today).

How to eliminate wrong answers

Option A is wrong because Azure API Management is a gateway for API routing; it does not enforce data residency or provide isolated compute for Logic Apps, and it adds an extra hop that increases latency. Option C is wrong because the Consumption plan is multi-tenant and serverless: compute is shared, there is no virtual network isolation, and cold starts add latency. Option B is the one to read carefully: the original reasoning that the Standard plan is multi-tenant is incorrect. Logic Apps Standard is a single-tenant runtime on a dedicated App Service-based plan with virtual network integration, and it is Microsoft's designated successor to ISE, which was retired on 31 August 2024. This key reflects the ISE era; on a current exam, Standard in the required region is the expected answer for the same requirement.

262
Matchingmedium

Match each security operations tool to its primary function.


Security information and event management

Extended detection and response (XDR)

Cloud security posture management

Identity risk detection and remediation

Data governance and compliance

Why these pairings

These tools form the Microsoft security operations stack: SIEM is Microsoft Sentinel; XDR is Microsoft Defender XDR; cloud security posture management is Microsoft Defender for Cloud; identity risk detection and remediation is Microsoft Entra ID Protection; data governance and compliance is Microsoft Purview.

263
MCQmedium

A global organization uses Microsoft Entra ID with Conditional Access policies. They want to enforce multifactor authentication (MFA) for all users accessing sensitive apps from outside the corporate network, but allow access without MFA from trusted IPs. What should they configure?

A.Create a Conditional Access policy that grants access, requiring MFA for all locations.
B.Create a Conditional Access policy that requires MFA for all users and all locations.
C.Create a Conditional Access policy that blocks access from all locations except trusted IPs.
D.Create a Conditional Access policy that targets all users and the sensitive cloud apps, with the location condition set to include 'Any location' and exclude 'All trusted locations' (the named locations marked as trusted IPs), and a grant control that requires MFA.
AnswerD

Correct: Include 'Any location' and exclude 'Trusted IPs', then require MFA.

Why this answer

Option D is correct because it configures a Conditional Access policy that includes 'All locations' as a condition and excludes 'Trusted IPs' (defined as named locations in Entra ID), then requires MFA as a grant control. This enforces MFA for all access attempts from outside the corporate network while allowing access without MFA from trusted IPs, precisely matching the requirement.

Exam trap

The trap here is that candidates often confuse 'include all locations and exclude trusted IPs' with 'include only trusted IPs' or 'block untrusted locations', leading them to pick options that either block all untrusted access or fail to exclude trusted IPs from the MFA requirement.

How to eliminate wrong answers

Option A is wrong because it requires MFA for all locations, including trusted IPs, which does not allow access without MFA from trusted IPs. Option B is wrong because it applies to all users and all locations without any location-based exclusion, forcing MFA even from trusted IPs. Option C is wrong because it blocks access from all locations except trusted IPs, which would prevent any access from untrusted locations entirely rather than allowing it with MFA.

264
MCQhard

Refer to the exhibit. A company creates this Azure Policy definition and assigns it to a subscription. A developer attempts to create a storage account with blob encryption enabled. The creation fails. What is the most likely reason?

A.The policy effect is set to 'deny' but should be 'audit'
B.The field path for blob encryption is case-sensitive and may not match the actual property
C.The policy uses 'allOf' incorrectly; it should use 'anyOf'
D.The field path is not a valid Azure Resource Manager path
AnswerB

Azure Policy field paths are case-sensitive; the correct path is 'Microsoft.Storage/storageAccounts/encryption.services.blob.enabled' with proper casing.

Why this answer

The policy checks blob encryption through the alias `Microsoft.Storage/storageAccounts/encryption.services.blob.enabled` (lowercase 'blob'). If the path in the exhibit differs in casing from this documented alias (for example 'Blob' with a capital B), the policy engine cannot resolve the property on the incoming request. A notEquals-style condition then evaluates as true for every storage account, because a missing field never equals the expected value, and the deny effect blocks the compliant, encryption-enabled request as well.

Exam trap

Microsoft often tests the nuance that Azure Policy field paths are case-sensitive, tricking candidates who assume ARM properties are case-insensitive or who focus on the effect type rather than the path syntax.

How to eliminate wrong answers

Option A is wrong because changing the effect from 'deny' to 'audit' would only log non-compliance without blocking creation, but the question states the creation fails due to a policy mismatch, not the effect type. Option C is wrong because 'allOf' is used correctly to require all conditions to be true (e.g., type matches and encryption disabled), which is appropriate for denying unencrypted storage; 'anyOf' would allow creation if any single condition is met, which is not the intended logic. Option D is wrong because the field path `Microsoft.Storage/storageAccounts/encryption.services.blob.enabled` is a valid Azure Resource Manager path; the issue is case sensitivity, not path validity.
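To make the failure mechanism concrete, here is an added example (not from the original question) of a deliberately simplified policy evaluator. It is a model, not the Azure Policy engine: field paths are written relative to the resource body rather than as full aliases, only `equals` and `notEquals` are supported, and the missing-field behaviour follows the documented rule that `notEquals` evaluates true when the referenced field is absent. The storage account request is constructed for the example.

```python
def get_field(resource, path):
    """Resolve a dotted property path case-sensitively; return (found, value)."""
    node = resource
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return False, None
        node = node[part]
    return True, node


def evaluate_condition(resource, cond):
    """Evaluate one condition of the form {"field": ..., "equals"|"notEquals": ...}."""
    found, value = get_field(resource, cond["field"])
    if "equals" in cond:
        return found and value == cond["equals"]
    if "notEquals" in cond:
        # A missing field never equals the target, so notEquals is true.
        # This is what turns a mistyped path into a blanket deny.
        return (not found) or value != cond["notEquals"]
    raise ValueError("unsupported operator")


def evaluate_policy(resource, policy):
    """Return the effect ('deny' or 'allow') of a policy with a single allOf block."""
    if all(evaluate_condition(resource, c) for c in policy["if"]["allOf"]):
        return policy["then"]["effect"]
    return "allow"


def make_policy(field_path):
    """Deny storage accounts whose blob encryption flag is not true."""
    return {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"field": field_path, "notEquals": True},
        ]},
        "then": {"effect": "deny"},
    }


# Constructed request bodies: one compliant, one not.
ENCRYPTED_ACCOUNT = {
    "type": "Microsoft.Storage/storageAccounts",
    "encryption": {"services": {"blob": {"enabled": True}}},
}
UNENCRYPTED_ACCOUNT = {
    "type": "Microsoft.Storage/storageAccounts",
    "encryption": {"services": {"blob": {"enabled": False}}},
}

GOOD_PATH = "encryption.services.blob.enabled"
BAD_PATH = "encryption.services.Blob.enabled"    # capital B never resolves


if __name__ == "__main__":
    for name, path in (("good", GOOD_PATH), ("bad", BAD_PATH)):
        print(name, evaluate_policy(ENCRYPTED_ACCOUNT, make_policy(path)),
              evaluate_policy(UNENCRYPTED_ACCOUNT, make_policy(path)))
```

With the correct path the encrypted account is allowed and the unencrypted one is denied; with the mis-cased path both are denied, which is the developer's symptom in the question. The practical defence is to pair the value check with an `exists` condition so a path typo shows up as non-compliance you can see rather than as silent denial.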

265
MCQeasy

Your company uses Azure Virtual Machines (VMs) running Windows Server. You need to ensure that only approved applications can run on the VMs. Which Azure security feature should you use?

A.Azure Firewall
B.Azure Policy with application control
C.Microsoft Defender for Cloud
D.Just-in-Time VM access
AnswerB

Enforces allowed applications on VMs.

Why this answer

Option B is the keyed answer: the question treats Azure Policy with application control as the mechanism that enforces the approved-application list. A practitioner should note the caveat: Azure Policy governs and audits resource configuration and does not itself block executables inside a VM; the Microsoft feature that builds an application allow list for Azure VMs is adaptive application controls in Microsoft Defender for Cloud, with Windows Defender Application Control or AppLocker performing the enforcement in the guest. Option A is wrong because Azure Firewall is a network firewall. Option C is marked wrong on this key as providing threat detection only; see the caveat above.

Option D is wrong because Just-in-Time VM access controls inbound management ports, not which applications run.

266
MCQhard

You are designing a security solution for an Azure Kubernetes Service (AKS) cluster that runs containerized workloads. The cluster must be integrated with Microsoft Defender for Cloud for threat detection, and you need to ensure that container images are scanned for vulnerabilities before deployment. What should you configure?

A.Enable Microsoft Defender for Cloud Apps to discover and assess container vulnerabilities.
B.Deploy Azure Policy for Kubernetes with built-in policies to enforce image scanning.
C.Enable Azure Defender for Containers in Microsoft Defender for Cloud and integrate with Azure Container Registry for image scanning.
D.Configure Microsoft Sentinel to collect container logs and detect vulnerabilities.
AnswerC

Azure Defender for Containers includes vulnerability assessment for images in ACR.

Why this answer

Option C is correct because Defender for Containers (the current name for Azure Defender for Containers) provides vulnerability assessment for images in Azure Container Registry together with runtime threat detection for AKS. Option B is wrong because Azure Policy for Kubernetes enforces admission controls and does not scan images. Option D is wrong because Microsoft Sentinel analyzes logs; it does not assess image vulnerabilities.

Option A is wrong because Microsoft Defender for Cloud Apps is a CASB for SaaS applications, not a container scanner.

267
Matchingmedium

Match each Azure network security feature to its description.


Stateful packet filtering at subnet or NIC

Managed, cloud-native firewall with threat intelligence

Protects web apps from common exploits

Always-on traffic monitoring and mitigation

Access PaaS services over private endpoint

Why these pairings

These are key network security controls in Azure: stateful packet filtering at subnet or NIC is the network security group (NSG); the managed, cloud-native firewall with threat intelligence is Azure Firewall; protecting web apps from common exploits is Azure Web Application Firewall; always-on traffic monitoring and mitigation is Azure DDoS Protection; access to PaaS services over a private endpoint is Azure Private Link.

268
Multi-Selecteasy

Your company is using Microsoft Entra ID and wants to implement passwordless authentication to improve security. Which THREE authentication methods should you consider?

Select 3 answers
A.Microsoft Authenticator app with phone sign-in
B.Windows Hello for Business
C.FIDO2 security keys
D.SMS one-time passcode
E.App passwords
AnswersA, B, C

Phone sign-in is a passwordless authentication method.

Why this answer

Microsoft Authenticator app with phone sign-in is a passwordless authentication method because it uses a cryptographic key pair stored on the user's device to sign authentication requests, eliminating the need for a password. When the user approves a notification on their phone, the app signs a challenge from Microsoft Entra ID using the private key, and the service verifies it with the public key. This aligns with the passwordless goal by replacing the password with a possession-based factor (the phone) and a biometric or PIN gesture. Windows Hello for Business and FIDO2 security keys work on the same principle: a private key bound to the device's TPM or to the security key is unlocked by a biometric or PIN, and only a signature, never a shared secret, crosses the network.

Exam trap

The trap here is that candidates confuse 'something you have' (like a phone or SMS) with passwordless, but SMS OTP still requires a password as the first factor in most Entra ID configurations, making it a multi-factor method, not a passwordless one.

269
MCQeasy

Refer to the exhibit. You are configuring a Microsoft Purview sensitivity label. When a user applies this label to an email, what happens?

A.The email is encrypted and cannot be forwarded, printed, or copied
B.The email is encrypted but can be forwarded
C.The email is not encrypted but cannot be forwarded
D.The email is encrypted and the recipient cannot reply
AnswerA

Do Not Forward restricts these actions.

Why this answer

Option A is correct because the sensitivity label is configured with encryption that includes the 'Do Not Forward' option. This applies Azure Rights Management (Azure RMS) protection, which encrypts the email and restricts the recipient from forwarding, printing, or copying the content. The label enforces these restrictions at the message level, regardless of the email client used.

Exam trap

The trap here is that candidates often assume encryption alone prevents forwarding, but encryption only protects confidentiality; the 'Do Not Forward' template is a separate usage restriction that must be explicitly configured in the sensitivity label.

How to eliminate wrong answers

Option B is wrong because a label with encryption and 'Do Not Forward' explicitly prevents forwarding, not just encryption. Option C is wrong because the label applies encryption, so the email is encrypted, and the 'Do Not Forward' restriction also blocks forwarding. Option D is wrong because the 'Do Not Forward' option does not prevent the recipient from replying; it only blocks forwarding, printing, and copying.

270
Multi-Selectmedium

Which TWO actions should you take to meet a compliance requirement that all emails containing credit card numbers must be encrypted before delivery?

Select 2 answers
A.Create a sensitivity label with encryption and apply it via auto-labeling.
B.Create a Microsoft Purview Data Loss Prevention (DLP) policy that detects credit card numbers and applies encryption.
C.Enable Microsoft Purview Information Protection auto-labeling for credit card data.
D.Create a mail flow rule in Exchange Online to encrypt emails with credit card numbers.
E.Configure Microsoft Purview Message Encryption as part of the DLP policy.
AnswersB, E

DLP can automatically protect sensitive data in transit.

Why this answer

Option B is correct because a Microsoft Purview Data Loss Prevention (DLP) policy scoped to Exchange can detect the credit card number sensitive information type and apply encryption as a policy action, so every matching outbound message is encrypted before delivery. Option E is correct because the encryption that action applies is Microsoft Purview Message Encryption (formerly Office 365 Message Encryption); the two options together describe one enforced control.

Exam trap

The trap here is that candidates often treat auto-labeling and DLP as interchangeable. A sensitivity label encrypts mail only if the label itself is configured with encryption and the auto-labeling policy is scoped to Exchange, which options A and C do not state; the question frames the requirement as a compliance control on outbound mail, which is the DLP policy's job.

271
Multi-Selecthard

A company wants to automate incident response in Microsoft 365 Defender. Which THREE actions can be automated using automated investigation and response (AIR) capabilities? (Choose three.)

Select 3 answers
A.Block a file hash across the organization.
B.Reset a user's password.
C.Isolate a device from the network.
D.Create a new user account.
E.Delete a malicious email from all mailboxes.
AnswersA, C, E

AIR can block indicators of compromise.

Why this answer

Option C is correct because AIR can isolate devices automatically. Option E is correct because AIR can soft-delete malicious emails from all affected mailboxes. Option A is correct because AIR can block a file hash as an indicator across the organization.

Option B is wrong because resetting passwords is not an AIR remediation action; it requires a playbook or a manual step. Option D is wrong because creating users is not a security response action.

272
MCQhard

Your organization is designing a secure network infrastructure for a multi-cloud environment that includes Azure, AWS, and on-premises datacenters. The security team requires that all traffic between these environments be inspected for threats and that any malicious traffic be automatically blocked. The solution must minimize complexity and use a single pane of glass for policy management. Which Azure service should you use as the central hub?

A.Azure Front Door
B.Network Security Groups (NSGs)
C.Azure DDoS Protection
D.Azure Firewall
AnswerD

Azure Firewall provides centralized network traffic inspection, threat intelligence, and policy management across hybrid and multi-cloud environments.

Why this answer

Option D is correct because Azure Firewall can be deployed as the central hub in a hub-and-spoke or Virtual WAN topology, inspecting traffic between Azure, on-premises (via ExpressRoute or VPN), and AWS (via site-to-site VPN into the hub). It offers integrated threat intelligence filtering, IDPS in the Premium tier, and centralized rule management through Azure Firewall Manager. Option C is wrong because Azure DDoS Protection mitigates volumetric attacks and does not inspect traffic.

Option B is wrong because Network Security Groups provide basic 5-tuple filtering but lack threat inspection and centralized multi-cloud policy. Option A is wrong because Azure Front Door is a global HTTP(S) load balancer with WAF, not a network firewall for east-west or multi-cloud traffic.

273
Multi-Selecteasy

Which TWO of the following are features of Microsoft Defender for Cloud that help secure infrastructure? (Choose two.)

Select 2 answers
A.Secure Score
B.Incident investigation
C.Just-in-time VM access
D.Privileged Identity Management
E.User and Entity Behavior Analytics (UEBA)
AnswersA, C

Secure Score is a core feature of Defender for Cloud.

Why this answer

Secure Score (A) is a feature of Microsoft Defender for Cloud that aggregates security findings across your Azure subscriptions and provides a numerical score based on the implementation of security controls. It helps prioritize remediation actions by showing the potential score improvement for each recommendation, directly enabling infrastructure hardening. Just-in-time VM access (C) is also a Defender for Cloud feature: it keeps management ports such as RDP and SSH closed in the NSG and opens them only for an approved requester, for a limited time and from a stated source address.

Exam trap

The trap here is that candidates confuse Defender for Cloud's posture management features (Secure Score, JIT) with Microsoft Sentinel's investigation and analytics capabilities (Incident investigation, UEBA), or with Azure AD's identity governance features (PIM), because all are part of the Microsoft security portfolio but serve distinct roles.

274
Multi-Selecthard

You are designing a solution to protect sensitive data in Azure Blob Storage. The data must be encrypted at rest using customer-managed keys (CMK) stored in Azure Key Vault. Additionally, you need to ensure that only specific virtual networks can access the storage account, and all access must be logged. Which three configurations should you implement? (Choose three.)

Select 3 answers
A.Enable Azure Storage logging for read and write requests
B.Enable Azure Storage encryption with customer-managed keys in Key Vault
C.Configure a firewall and virtual network service endpoint for the storage account
D.Enable Azure Files encryption at rest
E.Enable soft delete for blobs
AnswersA, B, C

Logging captures all access requests.

Why this answer

Options A, B, and C are correct. Option B provides encryption at rest with a customer-managed key held in Key Vault. Option C restricts network access to the selected virtual networks through the storage firewall and service endpoints. Option A enables logging of read and write requests (today via Azure Monitor resource logs in a diagnostic setting) so that all access is recorded.

Option D is wrong because Azure Files is a different service; Blob Storage encryption is configured at the storage account level. Option E is wrong because soft delete is for data recovery, not encryption or access control.

275
MCQhard

An organization is implementing a Zero Trust identity strategy. They have a mix of on-premises Active Directory and Azure AD. They want to enforce conditional access policies that require device compliance for accessing sensitive apps. However, some users report that their devices are not being evaluated for compliance even though they are enrolled in Microsoft Intune. What should the organization check first?

A.Ensure Intune compliance policies are assigned to the correct user groups
B.Confirm that devices are Azure AD Joined
C.Check if users have enabled multi-factor authentication
D.Verify that devices are registered in Azure AD
AnswerD

Device registration in Azure AD is required for conditional access to evaluate device compliance.

Why this answer

Device compliance evaluation in a hybrid identity environment requires that devices are registered in Azure AD (Azure AD Registration) so that Azure AD can associate the device identity with Intune compliance data. Even if a device is enrolled in Intune, without Azure AD registration, Conditional Access policies cannot evaluate its compliance status because the device identity is not recognized by Azure AD during authentication.

Exam trap

The trap here is that candidates assume Intune enrollment alone is sufficient for device compliance evaluation, but Azure AD registration is the prerequisite that links the device identity to Azure AD for Conditional Access to enforce compliance policies.

How to eliminate wrong answers

Option A is wrong because Intune compliance policies must be assigned to the correct user groups, but this does not affect whether a device is evaluated for compliance; it only determines which users' devices receive the policy. Option B is wrong because devices do not need to be Azure AD Joined; they can be Azure AD Registered (workplace-joined) or Hybrid Azure AD Joined, and Azure AD Joined is not a prerequisite for compliance evaluation. Option C is wrong because multi-factor authentication is an authentication requirement, not a device compliance requirement; enabling MFA does not cause a device to be evaluated for compliance.

276
MCQeasy

Your organization is implementing a Zero Trust security model. Which Microsoft security solution should you use to enforce conditional access policies based on user, device, location, and real-time risk signals?

A.Microsoft Entra ID Conditional Access
B.Microsoft Defender for Cloud Apps
C.Microsoft Intune
D.Microsoft Purview
AnswerA

Microsoft Entra ID Conditional Access enforces access control decisions based on conditions and signals.

Why this answer

Microsoft Entra ID Conditional Access is the correct solution because it is the native policy engine in Azure AD that evaluates signals from user identity, device compliance, location (IP ranges or countries), and real-time risk from Microsoft Entra ID Protection to enforce access decisions. It directly implements the 'explicit verification' and 'assume breach' principles of Zero Trust by blocking or requiring step-up authentication based on these dynamic conditions.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud Apps as the primary policy enforcement point because of its session monitoring capabilities, but it is actually a downstream consumer of Conditional Access decisions, not the engine that evaluates user, device, location, and risk signals in real time.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that provides shadow IT discovery, session controls, and data protection, but it does not natively enforce conditional access policies based on user, device, location, and risk signals—it integrates with Conditional Access for those decisions. Option C is wrong because Microsoft Intune is a Mobile Device Management (MDM) and Mobile Application Management (MAM) solution that manages device compliance and app protection policies, but it does not evaluate real-time risk signals or enforce access policies at the authentication layer. Option D is wrong because Microsoft Purview is a data governance, compliance, and information protection solution focused on data classification, labeling, and eDiscovery, not on enforcing authentication-time conditional access based on user, device, location, or risk.

277
MCQeasy

A company is developing a web API that will be consumed by partner applications. They need to secure the API using OAuth 2.0 and issue access tokens that expire after 1 hour. Which Microsoft Entra ID feature should they use?

A.Managed Identity
B.App registration
C.Conditional Access
D.Azure AD B2C
AnswerB

App registration in Entra ID enables OAuth 2.0 token issuance for APIs and applications.

Why this answer

Microsoft Entra ID (formerly Azure AD) issues OAuth 2.0 tokens to applications that are registered in the tenant, so the API is represented by an app registration that exposes its scopes, and each partner client is registered to request them. By default Entra ID issues access tokens that expire after roughly 60 to 90 minutes, and a token lifetime policy can pin the value. Option B is correct. Option C is wrong because Conditional Access governs access policy, not token issuance.

Option A is wrong because Managed Identity authenticates Azure resources, not partner apps. Option D is wrong because Azure AD B2C is for customer identities.

278
MCQhard

Your organization uses Azure SQL Database for a sensitive financial application. You need to implement a defense-in-depth strategy to protect the database. The requirements are: (1) All connections to the database must be encrypted in transit. (2) Only specific Azure services and on-premises IP ranges should be allowed to connect. (3) Database administrators should be able to view the database schema but not the actual data. (4) Auditing must be enabled for all data access. What combination of features should you implement?

A.Enable VNet service endpoints and firewall rules, and require Azure AD authentication.
B.Enforce TLS 1.2, configure firewall rules, enable Dynamic Data Masking, and enable auditing.
C.Configure firewall rules, enable Azure AD authentication, and enable auditing.
D.Enable Always Encrypted, configure firewall rules, and enable auditing.
AnswerB

All requirements are met.

Why this answer

Option B is correct because: (1) enforcing a minimum TLS version of 1.2 on the logical server rejects unencrypted or downgraded connections; (2) firewall rules (IP rules and virtual-network rules) restrict which addresses may reach the server; (3) Dynamic Data Masking returns masked values to principals that lack the UNMASK permission while leaving the schema fully visible; (4) auditing records data access to a storage account, Log Analytics workspace or Event Hubs. Option A is wrong because VNet service endpoints and Azure AD authentication restrict where and from whom connections come, but neither enforces TLS nor masks data. Option C is wrong because Azure AD authentication does not restrict network access or mask data. Option D is wrong because Always Encrypted keeps the keys on the client so the database engine never sees plaintext at all; that is a stronger control than requirement (3) asks for, and the option still omits the explicit TLS requirement.

A practitioner caveat on requirement (3): Dynamic Data Masking is an obfuscation convenience, not a security boundary. Anyone holding UNMASK, membership of db_owner or the server admin login sees plaintext, and a user with only SELECT can often infer masked values with WHERE predicates. If administrators genuinely must never see the data, Always Encrypted (column encryption with client-held keys) is the control that enforces it.
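The four controls from the correct answer, applied to an existing Azure SQL logical server with the Az.Sql PowerShell module. This is an added example, not part of the question bank; every name, IP range and resource ID in it is a hypothetical placeholder, and the masked column names are assumed.

```powershell
# Added example (not from the question bank): apply the four controls from
# option B with the Az.Sql module. Names, ranges and resource IDs are hypothetical.
$rg        = 'rg-finance'
$server    = 'sql-finance-prod'        # logical server name, without .database.windows.net
$db        = 'finapp'
$sub       = '00000000-0000-0000-0000-000000000000'
$auditSa   = "/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.Storage/storageAccounts/stfinaudit"
$appSubnet = "/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.Network/virtualNetworks/vnet-app/subnets/snet-app"

# (1) Encryption in transit: the server refuses anything below TLS 1.2.
Set-AzSqlServer -ResourceGroupName $rg -ServerName $server -MinimalTlsVersion '1.2'

# (2) Network allow-list: one IP rule per on-premises egress range and one
#     virtual-network rule for the app tier's subnet (which must have the
#     Microsoft.Sql service endpoint). The catch-all 'Allow Azure services'
#     rule (0.0.0.0-0.0.0.0) is deliberately NOT created: it would admit
#     resources from any Azure tenant, not the "specific Azure services" required.
New-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $server `
    -FirewallRuleName 'onprem-hq' -StartIpAddress '203.0.113.0' -EndIpAddress '203.0.113.255'
New-AzSqlServerVirtualNetworkRule -ResourceGroupName $rg -ServerName $server `
    -VirtualNetworkRuleName 'app-tier' -VirtualNetworkSubnetId $appSubnet

# (3) Dynamic Data Masking: schema stays visible, values come back masked for
#     principals without UNMASK. Table and column names are assumed.
Set-AzSqlDatabaseDataMaskingPolicy -ResourceGroupName $rg -ServerName $server -DatabaseName $db `
    -DataMaskingState Enabled
New-AzSqlDatabaseDataMaskingRule -ResourceGroupName $rg -ServerName $server -DatabaseName $db `
    -SchemaName 'dbo' -TableName 'Customers' -ColumnName 'CardNumber' -MaskingFunction 'CreditCardNumber'
New-AzSqlDatabaseDataMaskingRule -ResourceGroupName $rg -ServerName $server -DatabaseName $db `
    -SchemaName 'dbo' -TableName 'Customers' -ColumnName 'Email' -MaskingFunction 'Email'

# (4) Auditing at server level, so every database on the server inherits it.
Set-AzSqlServerAudit -ResourceGroupName $rg -ServerName $server `
    -BlobStorageTargetState Enabled -StorageAccountResourceId $auditSa -RetentionInDays 365

# Verify the resulting posture.
(Get-AzSqlServer -ResourceGroupName $rg -ServerName $server).MinimalTlsVersion
Get-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $server |
    Select-Object FirewallRuleName, StartIpAddress, EndIpAddress
Get-AzSqlDatabaseDataMaskingRule -ResourceGroupName $rg -ServerName $server -DatabaseName $db |
    Select-Object TableName, ColumnName, MaskingFunction
(Get-AzSqlServerAudit -ResourceGroupName $rg -ServerName $server).BlobStorageTargetState
```

Two things to check after running it: confirm that no rule named AllowAllWindowsAzureIps remains in the firewall listing (that is the 'Allow Azure services' toggle), and remember that the masking rules do nothing for logins that hold UNMASK or CONTROL on the database, so review who sits in db_owner before treating requirement (3) as met.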

279
MCQhard

Your organization uses Microsoft Entra ID with external identities. You need to design a solution that allows partners to self-service sign up using their existing Azure AD or Microsoft account credentials, while preventing them from accessing other resources. What should you use?

A.Microsoft Entra B2C
B.Microsoft Entra Identity Protection
C.Microsoft Entra B2B collaboration
D.Direct federation with partner's IdP
AnswerC

B2B allows self-service sign-up with existing credentials.

Why this answer

Option C is correct because B2B collaboration lets external users sign in with their own Microsoft Entra ID or Microsoft account credentials, supports self-service sign-up user flows, and the resulting guest accounts can be confined with Conditional Access, entitlement management access packages and guest-restricted directory permissions. Option A is wrong because B2C is a separate tenant type built for customer-facing applications, not for partners collaborating inside your tenant. Option B is wrong because Identity Protection detects and remediates risk; it does not onboard users.

Option D is wrong because direct (SAML/WS-Fed) federation is an add-on to B2B for partners whose identity provider is not Microsoft Entra ID; it is unnecessary when partners already hold Entra or Microsoft accounts.

280
Multi-Selecthard

Which THREE components are required to implement a zero-trust network architecture in Azure using Microsoft security solutions?

Select 3 answers
A.Microsoft Sentinel
B.Azure Bastion
C.Microsoft Defender for Cloud Apps
D.Microsoft Entra ID Conditional Access
E.Azure Policy
AnswersC, D, E

Correct: Provides visibility and control over cloud apps as a CASB.

Why this answer

Microsoft Entra ID Conditional Access enforces identity- and context-based access policies. Microsoft Defender for Cloud Apps provides cloud access security broker (CASB) functionality, including session control over sanctioned apps. Azure Policy enforces and audits resource configuration so that workloads stay compliant with the architecture's guardrails.

Azure Bastion provides secure RDP/SSH connectivity to VMs and Microsoft Sentinel is a SIEM/SOAR; both support a Zero Trust program, but neither is a policy-enforcement component of the architecture itself.

281
MCQmedium

A company is deploying Microsoft Defender for Cloud to protect a multi-cloud environment that includes Azure and AWS. The security team wants to prioritize the highest-risk recommendations. Which feature should they use to identify and focus on the most critical security issues?

A.Use Secure Score and its recommendations
B.Regulatory Compliance dashboard
C.Enable Defender for Cloud's enhanced security features
D.Review attack path analysis
AnswerA

Secure Score quantifies risk and prioritizes recommendations.

Why this answer

Secure Score in Microsoft Defender for Cloud aggregates all security recommendations and assigns a score based on their relative risk and impact. By focusing on recommendations that most improve the Secure Score, the security team can systematically prioritize the highest-risk issues across both Azure and AWS resources. This directly aligns with the goal of identifying and focusing on the most critical security issues.

Exam trap

The trap here is that candidates often confuse 'enhanced security features' (which enable advanced detections) with 'prioritization features' (which rank recommendations by risk), leading them to select Option C instead of recognizing that Secure Score is the dedicated prioritization mechanism.

How to eliminate wrong answers

Option B is wrong because the Regulatory Compliance dashboard is designed to track adherence to specific compliance standards (e.g., SOC 2, ISO 27001) and does not inherently prioritize recommendations by risk; it focuses on compliance gaps rather than overall security risk. Option C is wrong because enabling enhanced security features (e.g., Defender for Servers, Defender for SQL) expands the scope of monitoring and threat detection but does not itself provide a prioritization mechanism; it is a prerequisite for advanced protections, not a prioritization tool. Option D is wrong because attack path analysis is a visual tool that maps potential attack vectors but is used for deep investigation of specific threats, not for broad prioritization of all recommendations; it is reactive and scenario-specific, not a holistic risk-ranking feature.

282
MCQeasy

Your company uses Microsoft Purview to classify and protect sensitive data. You need to automatically detect and protect credit card numbers in documents stored in SharePoint Online. Which solution should you implement?

A.Configure Azure Information Protection to automatically apply protection.
B.Apply a sensitivity label that encrypts documents with credit card numbers.
C.Create a Data Loss Prevention (DLP) policy to detect credit card numbers and block sharing.
D.Use Microsoft Defender for Cloud Apps to scan documents for credit card numbers.
AnswerC

DLP policies detect sensitive data and enforce actions.

Why this answer

Option C is correct because a Microsoft Purview DLP policy scoped to SharePoint Online can match the built-in Credit Card Number sensitive information type and apply actions such as blocking external sharing, notifying the user and raising an incident report. Option B is wrong because a sensitivity label encrypts content only once it has been applied; on its own it does not detect credit card numbers, and the requirement to block sharing is a DLP action. Option D is wrong because Microsoft Defender for Cloud Apps is a CASB for app and session governance, not the primary control for content stored in SharePoint.

Option A is wrong because Azure Information Protection's labeling is now part of Purview and, like sensitivity labels, addresses classification rather than detect-and-block enforcement on specific data patterns.

283
Drag & Dropmedium

Order the steps to implement Azure AD Privileged Identity Management (PIM) for a role.


Why this order

PIM setup involves selecting role, assigning with eligibility, and activation process.

284
Multi-Selectmedium

Your organization is implementing a privileged access strategy using Microsoft Entra ID. You need to provide just-in-time (JIT) access to Azure resources for administrators. Which TWO features should you use?

Select 2 answers
A.Identity Protection user risk policy
B.Privileged Identity Management (PIM) for Azure AD roles
C.Azure RBAC roles
D.Access reviews
E.Privileged Access Groups (PAG)
AnswersB, E

PIM provides JIT and time-bound access for Azure AD roles.

Why this answer

Privileged Identity Management (PIM) for Azure AD roles enables just-in-time (JIT) activation of Microsoft Entra roles, with time-bound, approval-based elevation. Privileged Access Groups (now called PIM for Groups) extend JIT to group membership: Entra roles and Azure RBAC roles are assigned to a role-assignable group, and members activate their membership just in time to inherit granular resource access. Note that PIM also manages Azure resource roles directly (PIM for Azure resources), which is the more direct path when only Azure RBAC elevation is needed.

Exam trap

The trap here is that candidates often confuse Azure RBAC roles (which are static permission definitions) with the JIT activation mechanism provided by PIM, or they overlook that Privileged Access Groups can bridge Azure AD roles and Azure RBAC roles for JIT access.

285
MCQhard

Refer to the exhibit. You run the PowerShell command shown in the exhibit. The command returns the secret value in plain text. The Key Vault has soft-delete and purge protection enabled. What is the most likely reason that the command succeeded?

A.The Key Vault access policy allows the user to list secrets
B.The user has the 'Key Vault Secrets User' role assigned via RBAC
C.The user has the 'Key Vault Secret Management' role in Azure RBAC
D.The command was executed using the Key Vault managed identity
AnswerB

This role grants read access to secrets.

Why this answer

Option B is correct because the vault uses the Azure RBAC permission model and the user holds 'Key Vault Secrets User', whose data actions Microsoft.KeyVault/vaults/secrets/getSecret/action and Microsoft.KeyVault/vaults/secrets/readMetadata/action allow retrieving secret values. Option A is wrong because in the access-policy model 'list' returns only secret names and metadata; reading a value requires the separate 'get' permission. Option C is wrong because no built-in role named 'Key Vault Secret Management' exists (the built-in role that can write secrets is 'Key Vault Secrets Officer').

Option D is wrong because the exhibit shows an interactive session running under the caller's identity; a user cannot run commands as the vault's managed identity. Soft-delete and purge protection are a distraction: they govern recovery of deleted objects, not who may read them.
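Reproducing the situation in the question with the Az.KeyVault and Az.Resources modules: confirm the vault's permission model, grant 'Key Vault Secrets User' at the narrowest scope that still lets the cmdlet succeed, and list who else can read values. This is an added example, not part of the question bank; the vault, secret and user names are hypothetical.

```powershell
# Added example (not from the question bank). Vault, secret and user are hypothetical.
$vaultName  = 'kv-finance-prod'
$secretName = 'db-connection-string'
$userUpn    = 'alice@contoso.com'

# Precondition the question leaves implicit: RBAC roles only take effect on a
# vault that uses the Azure RBAC permission model. On an access-policy vault a
# 'Key Vault Secrets User' assignment is silently ignored.
$kv = Get-AzKeyVault -VaultName $vaultName
if (-not $kv.EnableRbacAuthorization) {
    throw "$vaultName uses vault access policies; grant 'get' on secrets with Set-AzKeyVaultAccessPolicy instead."
}

# Show what the role actually carries: data-plane actions, not control-plane reads.
(Get-AzRoleDefinition -Name 'Key Vault Secrets User').DataActions

# Least privilege: scope the assignment to the single secret, not the whole vault.
$alice = Get-AzADUser -UserPrincipalName $userUpn
New-AzRoleAssignment -ObjectId $alice.Id `
    -RoleDefinitionName 'Key Vault Secrets User' `
    -Scope "$($kv.ResourceId)/secrets/$secretName"

# Review: every principal that can read secret values anywhere in this vault.
Get-AzRoleAssignment -Scope $kv.ResourceId |
    Where-Object { $_.RoleDefinitionName -match 'Key Vault (Secrets User|Secrets Officer|Administrator)' } |
    Select-Object DisplayName, RoleDefinitionName, Scope

# Running as alice, this is the call from the exhibit that returns plaintext.
Get-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -AsPlainText
```

Every successful retrieval is written to the vault's AuditEvent diagnostic log as a SecretGet operation, so if the question's scenario turns up in an investigation, that log (forwarded to Log Analytics or Sentinel) is where to confirm which identity read the value and from which IP.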

286
MCQeasy

Your organization is adopting a Zero Trust network strategy. Which Microsoft solution should you use to implement micro-segmentation and enforce identity-based access controls for on-premises and cloud resources?

A.Microsoft Entra ID Conditional Access
B.Microsoft Defender for Cloud Apps
C.Microsoft Intune
D.Microsoft Sentinel
AnswerA

Conditional Access enforces access policies based on identity and context, supporting Zero Trust.

Why this answer

Microsoft Entra ID Conditional Access enforces identity-based access policies, which is a core component of Zero Trust. Option B is wrong because Microsoft Defender for Cloud Apps is a CASB. Option C is wrong because Microsoft Intune manages devices.

Option D is wrong because Microsoft Sentinel is a SIEM.

287
MCQhard

A company deploys Azure Bastion in a VNet. They want to allow a security engineer to connect to a Windows VM in a peered VNet using Azure Bastion. The engineer can see the VM in the portal but cannot connect. Which configuration is most likely missing?

A.The Azure Bastion subnet size is /28.
B.The peered VNet does not have 'Allow Azure Bastion Communication' enabled on the peering connection.
C.The VM's subnet does not have an inbound NSG rule allowing RDP (3389) from the Azure Bastion subnet.
D.The VM does not have Azure AD authentication enabled.
AnswerB

Bastion reaches a VM in a peered VNet across the peering link, so the peering must allow traffic between the two virtual networks in both directions.

Why this answer

Azure Bastion in a hub VNet can connect to VMs in peered VNets without a second Bastion host, but only if the peering is configured to pass traffic between the two networks (the peering's 'Allow virtual network access' / traffic-to-remote-virtual-network setting, enabled on both sides). Without it the Bastion host cannot reach the VM's private IP, even though the portal still lists the VM and offers the Bastion Connect option, because listing the VM is a control-plane query and the connection is a data-plane RDP session from the AzureBastionSubnet.

Exam trap

The trap here is that candidates assume NSG rules on the VM subnet are the primary blocker, but Azure Bastion's peering requirement is a distinct, often-missed setting that controls cross-VNet connectivity.

How to eliminate wrong answers

Option A is wrong because the size of AzureBastionSubnet (a /26 or larger is required for new deployments) determines whether Bastion can be deployed or scaled, not whether it can reach a VM that the existing host already lists. Option C is less likely because Bastion connects from private IPs in AzureBastionSubnet and the default AllowVnetInBound NSG rule already permits that traffic from peered VNets; NSGs on the target subnet are enforced, though, so a custom rule denying 3389 from the Bastion subnet would also break the connection. Option D is wrong because Azure AD authentication is optional; Bastion also supports local username/password and SSH key authentication.

288
MCQmedium

Your organization uses Microsoft Intune for mobile device management. You need to ensure that users can access corporate email on their personal iOS devices only if the device is enrolled in Intune and compliant with security policies. What should you configure?

A.Configure a device configuration policy to enforce passcode and encryption.
B.Create an app protection policy for iOS requiring managed apps to be enrolled and compliant.
C.Configure a conditional access policy in Microsoft Entra ID requiring compliant device.
D.Create a device compliance policy for iOS and assign it to all users.
AnswerB

App protection policies can require device enrollment and compliance.

Why this answer

Option B is correct, in the question's framing, because an app protection policy with conditional launch settings gates access inside the managed app. Option C is treated as wrong because a Conditional Access policy requiring a compliant device does not, by itself, apply app-level protection. Option D is wrong because a compliance policy only evaluates and reports; it blocks nothing on its own.

Option A is wrong because a device configuration policy pushes settings and does not enforce access.

Practitioner caveat: in production the 'enrolled and compliant' gate is enforced at sign-in by a Conditional Access policy with the 'Require device to be marked as compliant' grant, using the Intune compliance policy as its signal. App protection policies add app-layer controls (PIN, jailbreak detection, data transfer restrictions) and are required through the separate 'Require app protection policy' grant; the two are normally combined rather than substituted for one another.

289
MCQmedium

You are a security architect for a healthcare organization that is deploying a new application on Azure. The application consists of a web frontend (Azure App Service), an API layer (Azure Functions), and a database (Azure SQL Database). The organization requires that all data be encrypted at rest and in transit. Additionally, they need to ensure that only authenticated and authorized users can access the API, and that the database is accessible only from the API layer. The organization also wants to use managed identities to avoid storing credentials. You have deployed the resources. Now you need to configure the security settings. What should you do to meet the requirements?

A.Enable App Service Authentication with Azure AD, configure the API to use API keys, and enable Always Encrypted on SQL
B.Enable HTTPS-only on App Service, enable Azure SQL Database transparent data encryption, configure Azure AD authentication for SQL, and set the SQL firewall to allow Azure services
C.Enable HTTPS-only on App Service, enable Azure SQL Database firewall to allow the API's public IP, and use SQL authentication
D.Use Azure Front Door with WAF, store connection strings in Azure Key Vault, and enable Azure SQL Database auditing
AnswerB

HTTPS encrypts in transit, TDE encrypts at rest, Azure AD auth provides authorization, and firewall restricts access.

Why this answer

Option B is correct because it meets all requirements: HTTPS-only ensures encryption in transit for the web frontend; Azure SQL Database TDE provides encryption at rest by default; configuring Azure AD authentication for SQL eliminates stored credentials and supports managed identities; and setting the SQL firewall to 'Allow Azure services' restricts database access to Azure resources, including the API layer, without exposing a public IP.

Exam trap

The trap here is that candidates read 'Allow Azure services' as allowing all internet traffic. It does not: it only admits connections from Azure public IP ranges. The opposite mistake matters more in practice: that rule also admits every other tenant's Azure resources, so on its own it does not satisfy 'accessible only from the API layer'. In a real deployment, tighten it with a virtual-network rule or private endpoint for the Functions app's VNet-integrated subnet and remove the 0.0.0.0 rule; Azure AD authentication with the Function's managed identity is what removes stored credentials.

How to eliminate wrong answers

Option A is wrong because API keys are not a secure authentication method for APIs (they can be easily compromised and lack identity binding), and Always Encrypted on SQL is not necessary when TDE meets the encryption-at-rest requirement and adds complexity. Option C is wrong because allowing the API's public IP in the SQL firewall exposes the database to potential external attacks, and using SQL authentication with stored credentials violates the requirement to avoid storing credentials. Option D is wrong because Azure Front Door with WAF is a web application firewall and does not directly address encryption at rest or in transit for the database, and SQL auditing is a logging feature, not a security control for access or encryption.

290
MCQeasy

You are designing a secure access solution for an Azure Kubernetes Service (AKS) cluster that hosts a critical application. You need to ensure that only authorized users can access the Kubernetes API server. Which authentication method should you use?

A.Use Kubernetes service account tokens.
B.Use AKS managed identities for each user.
C.Use Azure RBAC for Kubernetes authorization.
D.Integrate AKS with Microsoft Entra ID for authentication.
AnswerD

Provides secure, managed authentication.

Why this answer

Option D is correct because integrating AKS with Microsoft Entra ID makes the API server authenticate users through Entra (OpenID Connect tokens obtained with kubelogin), so cluster sign-in is governed by the tenant's identity controls, including Conditional Access and MFA. Option A is wrong because service account tokens are meant for workloads inside the cluster; handing them to humans means long-lived bearer secrets outside any identity lifecycle. Option C is wrong because Azure RBAC for Kubernetes is an authorization layer; it needs Entra authentication underneath it.

Option B is wrong because managed identities are identities for Azure resources (the cluster itself, or pods via workload identity), not for users. In practice, also disable the cluster's local accounts so the static cluster-admin client certificate cannot bypass Entra.

291
MCQhard

Refer to the exhibit. You are reviewing a Conditional Access policy in Microsoft Entra ID. The policy is enabled but users who are detected as high risk are still able to sign in. What is the most likely reason?

A.No users or groups are assigned to the policy
B.The policy state is set to 'enabled' but not 'enforced'
C.The user risk level is set to 'high' but sign-in risk is 'medium'
D.The grant control is set to 'block' but should be 'require MFA'
AnswerA

The exhibit does not show user assignment; if none, the policy won't apply.

Why this answer

Option A is correct: a Conditional Access policy is only evaluated for the users, groups or roles in its assignment, and the exhibit shows none, so it never applies regardless of its risk condition or grant control. Option B is wrong because Conditional Access has no 'enforced' state; the states are On, Off and Report-only, and a policy left in Report-only mode is the other common reason an enabled-looking policy blocks nobody. Option C is wrong because user risk and sign-in risk are independent conditions; a policy targeting high user risk fires for high-risk users whatever the sign-in risk setting.

Option D is wrong because Block is a valid, stricter grant for high user risk than Require MFA; it would stop the sign-ins, not allow them.
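An audit script for the failure modes behind this question, written with the Microsoft Graph PowerShell SDK: it finds every risk-based Conditional Access policy that cannot fire because it is disabled, in report-only mode, or has no users, groups or roles in its assignment. This is an added example, not part of the question bank; it assumes the Policy.Read.All delegated permission, and the finding object's field names are the author's own.

```powershell
# Added example (not from the question bank). Requires Microsoft.Graph.Identity.SignIns
# and Policy.Read.All. Field names on the finding objects are this script's own.
Connect-MgGraph -Scopes 'Policy.Read.All'

function Get-CaRiskPolicyGaps {
    # Emits one finding per policy that targets user or sign-in risk but can never enforce.
    foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
        $c = $p.Conditions
        # Non-empty arrays are truthy in PowerShell; null or empty means no risk condition.
        if (-not ($c.UserRiskLevels -or $c.SignInRiskLevels)) { continue }

        # Flatten the three include lists; 'None' is the portal's "no users selected" value.
        $include = foreach ($list in $c.Users.IncludeUsers, $c.Users.IncludeGroups, $c.Users.IncludeRoles) { $list }
        $include = @($include | Where-Object { $_ -and $_ -ne 'None' })

        $reason = $null
        if ($p.State -eq 'disabled') {
            $reason = 'policy is disabled'
        } elseif ($p.State -eq 'enabledForReportingButNotEnforced') {
            $reason = 'report-only mode: evaluated and logged, never enforced'
        } elseif ($include.Count -eq 0) {
            $reason = 'no users, groups or roles are included, so the policy never applies'
        }

        if ($reason) {
            [pscustomobject]@{
                Policy     = $p.DisplayName
                State      = $p.State
                UserRisk   = ($c.UserRiskLevels -join ',')
                SignInRisk = ($c.SignInRiskLevels -join ',')
                Grant      = ($p.GrantControls.BuiltInControls -join ',')
                Reason     = $reason
            }
        }
    }
}

Get-CaRiskPolicyGaps | Format-Table -AutoSize
```

A policy with an empty assignment shows up in the portal with its risk condition and Block grant fully configured, which is exactly why the exhibit looks healthy at a glance; the Reason column is what an on-call engineer needs. Extend the exclusion check to the ExcludeUsers and ExcludeGroups lists if break-glass exclusions in your tenant are broad enough to swallow the population you meant to protect.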

292
Multi-Selecteasy

Which TWO Microsoft Purview features can be used to classify and label data in Microsoft 365?

Select 2 answers
A.Retention policies
B.eDiscovery
C.Auto-labeling policies
D.Audit logs
E.Sensitive info types
AnswersC, E

Auto-labeling policies automatically apply sensitivity labels based on classification.

Why this answer

Options C and E are correct. Sensitive information types define the patterns (regular expressions, keywords, checksums and confidence levels) that classify content, and auto-labeling policies apply sensitivity labels automatically when those types match. Option B is wrong because eDiscovery searches for and holds content in legal cases.

Option D is wrong because audit logs record user and admin activity. Option A is wrong because retention policies govern how long data is kept, not how it is classified.

293
MCQmedium

Refer to the exhibit. You run the PowerShell cmdlet and see that EnabledForDiskEncryption is false. You need to ensure that this key vault can be used for Azure Disk Encryption. What should you do?

A.Re-create the key vault with -EnabledForDiskEncryption parameter
B.Run Set-AzKeyVaultAccessPolicy with the -EnabledForDiskEncryption parameter
C.Run Set-AzKeyVaultAccessPolicy with the -EnabledForDeployment parameter
D.Run Set-AzKeyVaultAccessPolicy with the -EnabledForTemplateDeployment parameter
AnswerB

Set-AzKeyVaultAccessPolicy -EnabledForDiskEncryption enables the vault for disk encryption.

Why this answer

Azure Disk Encryption requires the key vault's EnabledForDiskEncryption property to be true so the Compute platform can retrieve disk encryption secrets and keys from it. Option B is correct: Set-AzKeyVaultAccessPolicy -VaultName <name> -EnabledForDiskEncryption flips that property on the existing vault. Option C is incorrect because -EnabledForDeployment lets Azure VMs retrieve certificates stored as secrets.

Option D is incorrect because -EnabledForTemplateDeployment lets Resource Manager templates read secrets during deployment. Option A is incorrect because the property can be set on an existing vault, so re-creating it (and losing its keys, versions and soft-deleted objects) is unnecessary.

294
MCQmedium

Your company uses Microsoft Sentinel as its SIEM. You need to design a solution that automatically responds to high-severity incidents by creating a ticket in ServiceNow and notifying the security team via Teams. Which Sentinel feature should you configure?

A.Workbooks
B.Automation rules
C.Analytics rules
D.Hunting queries
AnswerB

Automation rules trigger playbooks for response actions.

Why this answer

Automation rules in Microsoft Sentinel are designed to trigger automated responses to incidents based on conditions like severity. They can integrate with external systems via playbooks (Azure Logic Apps) to create ServiceNow tickets and send Teams notifications, making them the correct choice for this requirement.

Exam trap

The trap here is that candidates often confuse Analytics rules (which generate alerts) with Automation rules (which respond to incidents), failing to recognize that incident response orchestration requires the latter's trigger-and-action pipeline.

How to eliminate wrong answers

Option A is wrong because Workbooks are visualization tools for querying and displaying data, not for automated response actions. Option C is wrong because Analytics rules generate alerts from log data but do not directly orchestrate multi-step responses like ticket creation or Teams notifications. Option D is wrong because Hunting queries are proactive, ad-hoc searches for threats and do not provide automated incident response capabilities.

295
Multi-Selecthard

Which THREE Microsoft security solutions can be used to detect and respond to threats across hybrid cloud environments? (Choose three.)

Select 3 answers
A.Microsoft Defender for Cloud
B.Microsoft Sentinel
C.Microsoft Defender for Office 365
D.Microsoft Intune
E.Microsoft Defender for Identity
AnswersA, B, E

Provides threat detection for workloads across clouds and on-premises.

Why this answer

Microsoft Defender for Cloud is correct because it provides unified security posture management and threat protection across hybrid workloads, covering Azure, on-premises servers connected through Azure Arc, and AWS and GCP, with Defender plans for servers, SQL, storage and containers supplying the detections and response actions. Microsoft Sentinel is correct because it is the cloud-native SIEM/SOAR that ingests signals from on-premises sources (Azure Monitor Agent, syslog and CEF), Azure and other clouds, correlates them with analytics rules and automates response through playbooks. Microsoft Defender for Identity is correct because its sensors run on on-premises Active Directory domain controllers and AD FS servers to detect identity attacks such as lateral movement, credential theft and domain dominance, and it forwards those detections to Defender XDR and Sentinel. Microsoft Intune is wrong because it configures and manages devices; it is not a threat detection and response tool.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Office 365 with a broader hybrid cloud security solution, but it is limited to the Microsoft 365 suite and does not cover compute, network, or identity threats across hybrid cloud workloads.

296
MCQhard

A financial services company is designing a secure infrastructure for their Azure SQL Database. They need to encrypt data at rest using customer-managed keys (CMK) stored in a key vault with soft-delete and purge protection enabled. The encryption must be transparent to applications. What should they configure?

A.Azure Information Protection
B.Dynamic Data Masking
C.Always Encrypted
D.Transparent Data Encryption (TDE) with Azure Key Vault
AnswerD

Correct: TDE with CMK provides transparent encryption at rest.

Why this answer

Azure SQL Database supports Transparent Data Encryption (TDE) with CMK in Azure Key Vault. Always Encrypted is for column-level encryption. Dynamic Data Masking is for masking, not encryption.

Azure Information Protection is for classification.

297
Multi-Selecthard

Your organization uses Azure Cosmos DB with SQL API. You need to implement data encryption at rest and control access to the encryption keys. Which two actions should you take? (Choose two.)

Select 2 answers
A.Implement client-side encryption using the .NET SDK.
B.Enable Azure Disk Encryption on the VMs that access Cosmos DB.
C.Configure a customer-managed key in Azure Key Vault for encryption.
D.Turn off automatic encryption and use a custom encryption algorithm.
E.Enable server-side encryption (SSE) on the Cosmos DB account.
AnswersC, E

CMK provides key control for at-rest encryption.

Why this answer

Options C and E are correct. Option E: encryption at rest (service-side encryption) is always on for every Cosmos DB account and uses Microsoft-managed keys by default, so there is nothing to switch on; the action is to confirm it and document it. Option C: configuring a customer-managed key in Azure Key Vault (referenced by the account's key URI, with soft-delete and purge protection enabled on the vault) puts key control, rotation and revocation in your hands.

Option A is wrong because client-side encryption protects fields before they leave the application; it is an additional layer, not how at-rest encryption or control of its keys is delivered. Option B is wrong because Azure Disk Encryption protects VM disks, not the Cosmos DB service. Option D is wrong because at-rest encryption in Cosmos DB cannot be disabled, and a custom encryption algorithm is an anti-pattern.

298
MCQhard

Your company is deploying a new AI-powered customer service chatbot using Azure OpenAI Service. The chatbot will access customer data stored in Azure Cosmos DB. The security team requires that all data in transit is encrypted, and that the chatbot only accesses data necessary for its function. Additionally, the chatbot must use managed identities to authenticate to Cosmos DB. You need to design the security architecture. Which combination of controls should you implement?

A.Restrict network access to the chatbot's IP address. Use a system-assigned managed identity and assign the Cosmos DB Account Reader role.
B.Use a connection string with the Cosmos DB account key and enforce TLS 1.2. Grant the chatbot's managed identity contributor role.
C.Enable TLS enforcement on Cosmos DB. Use a managed identity for the chatbot and assign the Cosmos DB Built-in Data Reader role. Configure the chatbot to authenticate using the managed identity.
D.Use Azure AD authentication with a service principal and assign the Cosmos DB Built-in Data Contributor role. Enforce TLS 1.2.
AnswerC

This meets all requirements: TLS encryption, managed identity, and least privilege with Data Reader role.

Why this answer

Option C is correct because it contains all three required controls: TLS for data in transit (Cosmos DB accepts only TLS connections, and the account's minimum TLS version can be pinned to 1.2), a managed identity for authentication so no secret is stored with the chatbot, and least privilege through the Cosmos DB Built-in Data Reader data-plane role. Option A is wrong because an IP restriction is not authentication, and 'Cosmos DB Account Reader' is an Azure RBAC control-plane role that grants no data-plane access at all. Option B is wrong because an account-key connection string is a shared secret with full read/write power over the whole account, and Contributor is far more than the chatbot needs.

Option D is wrong because a service principal needs a client secret or certificate to be stored and rotated, which is exactly what managed identities avoid, and Data Contributor is over-privileged for a read-only function.
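Granting the chatbot's managed identity read-only data-plane access to only the container it needs, using the Az.CosmosDB module. This is an added example, not part of the question bank; the resource group, account, App Service and container path are hypothetical, and it assumes the chatbot runs on an App Service with a system-assigned identity.

```powershell
# Added example (not from the question bank). Names and the container path are
# hypothetical; the chatbot is assumed to run on an App Service with a
# system-assigned managed identity.
$rg      = 'rg-custsvc'
$account = 'cosmos-custsvc'
$botApp  = 'app-custsvc-bot'
$scope   = '/dbs/customers/colls/profiles'   # one container, not the account root '/'

# Principal ID of the system-assigned identity: nothing to store or rotate.
$principalId = (Get-AzWebApp -ResourceGroupName $rg -Name $botApp).Identity.PrincipalId

# Built-in data-plane roles: ...0001 is Built-in Data Reader, ...0002 is Built-in
# Data Contributor. Listing them shows the difference in permitted data actions.
Get-AzCosmosDBSqlRoleDefinition -ResourceGroupName $rg -AccountName $account |
    Select-Object RoleName, Id, @{ n = 'DataActions'; e = { $_.Permissions.DataActions -join '; ' } }

# Least privilege: reader role, container scope.
$dataReader = '00000000-0000-0000-0000-000000000001'
New-AzCosmosDBSqlRoleAssignment -ResourceGroupName $rg -AccountName $account `
    -RoleDefinitionId $dataReader -PrincipalId $principalId -Scope $scope

# Review: every data-plane assignment on the account, with its scope.
Get-AzCosmosDBSqlRoleAssignment -ResourceGroupName $rg -AccountName $account |
    Select-Object PrincipalId, RoleDefinitionId, Scope
```

The role assignment does not by itself retire the account keys: anyone who still holds the primary key bypasses RBAC entirely. Finish the design by setting the account's disableLocalAuth property to true (so only Entra identities can authenticate) and by pinning its minimum TLS version to 1.2, which is the control behind "TLS enforcement" in the correct option.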

299
MCQmedium

Your company uses Microsoft Defender XDR to protect endpoints. The security team wants to implement automated response actions when a malicious file is detected on a device. Which Microsoft security feature should you configure to automatically isolate the affected device from the network?

A.Automated investigation and response (AIR) capabilities
B.Microsoft Sentinel automation rules
C.Attack surface reduction rules
D.Microsoft Intune compliance policies
AnswerA

AIR in Microsoft Defender XDR can automatically isolate devices upon detection of malicious activity.

Why this answer

Automated investigation and response (AIR) in Microsoft Defender XDR is the correct feature because it runs built-in investigation playbooks when an alert fires and can execute response actions such as isolating the device from the network without manual intervention. One prerequisite a practitioner will want to check: the device group's automation level must be set to 'Full - remediate threats automatically'; at the semi-automated levels the isolation is queued in the Action center as a pending approval rather than applied on its own. This directly meets the requirement for automated response upon file detection.

Exam trap

The trap here is that candidates often confuse the proactive prevention capabilities of Attack surface reduction rules with the automated response capabilities of AIR, or they overestimate the real-time response abilities of Intune compliance policies, which are designed for configuration enforcement rather than incident response actions like network isolation.

How to eliminate wrong answers

Option B is wrong because Microsoft Sentinel automation rules are designed for cloud-scale SIEM and SOAR across multiple data sources, not for endpoint-specific automated isolation triggered by Defender XDR detections; they require custom analytics and playbooks to achieve similar behavior, making them less direct for this use case. Option C is wrong because Attack surface reduction rules are proactive policies that block or audit specific behaviors (e.g., Office apps creating child processes) to prevent infection, but they do not perform automated response actions like device isolation after a file is already detected as malicious. Option D is wrong because Microsoft Intune compliance policies enforce device configuration and health requirements (e.g., requiring encryption or a minimum OS version) and can trigger conditional access blocks, but they cannot automatically isolate a device from the network in real time based on a malicious file detection; that action is outside Intune's scope.

300
MCQhard

A company needs to design a secure DevOps pipeline using GitHub Actions and Microsoft Defender for Cloud. They want to scan infrastructure-as-code (IaC) templates for misconfigurations before deployment. What should they integrate?

A.Microsoft Defender for Cloud Infrastructure as Code scanning
B.Microsoft Purview Compliance Manager
C.Microsoft Sentinel
D.Microsoft Defender for Cloud Apps
AnswerA

Defender for Cloud can scan IaC templates for misconfigurations.

Why this answer

Microsoft Defender for Cloud includes Infrastructure as Code (IaC) scanning that integrates directly with GitHub Actions through the Microsoft Security DevOps (MSDO) action, which wraps open-source analyzers such as Template Analyzer for ARM and Bicep and Checkov for Terraform and CloudFormation. The scan runs in the CI/CD pipeline before deployment, publishes SARIF results to the repository's code scanning alerts and to Defender for Cloud's DevOps security view, and can fail the pipeline on critical findings so only compliant infrastructure is deployed, in line with the secure DevOps principle of shifting security left.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud's IaC scanning with Microsoft Sentinel's threat detection capabilities, mistakenly thinking Sentinel can scan code before deployment, when in fact Sentinel only analyzes logs and alerts from already-deployed resources.

How to eliminate wrong answers

Option B (Microsoft Purview Compliance Manager) is wrong because it focuses on regulatory compliance posture management and risk assessments, not on scanning IaC templates for misconfigurations in a DevOps pipeline. Option C (Microsoft Sentinel) is wrong because it is a SIEM and SOAR solution for threat detection and incident response after deployment, not a pre-deployment IaC scanning tool. Option D (Microsoft Defender for Cloud Apps) is wrong because it is a CASB (Cloud Access Security Broker) for controlling user access and data protection in SaaS applications, not for scanning infrastructure code.
