Microsoft Cybersecurity Architect (SC-100) — Questions 301–375

969 questions total · 13 pages · All types, answers revealed


Page 5 of 13

301 · Multi-Select · medium

Which TWO of the following are valid methods to secure Azure Kubernetes Service (AKS) workloads?

Select 2 answers
A. Integrate Azure AD for cluster authentication
B. Apply Network Security Groups to pod subnets
C. Deploy Azure Firewall in front of the AKS cluster
D. Use Azure Front Door to protect API endpoints
E. Use Azure Policy with Azure Policy for AKS (Gatekeeper)
Answers: A, E

Enables identity-based access control.

Why this answer

Option A is correct because Azure AD integration enables authentication for AKS clusters. Option E is correct because Azure Policy with Gatekeeper can enforce security policies on AKS. Option B is wrong because Network Security Groups apply to VMs, not AKS pods.

Option C is wrong because Azure Firewall is for network-level filtering, not workload security. Option D is wrong because Azure Front Door is for global load balancing, not AKS workload security.

302 · Multi-Select · easy

A company wants to implement a Zero Trust security model. Which TWO principles are fundamental to Zero Trust? (Choose two.)

Select 2 answers
A. Verify explicitly.
B. Use perimeter-based security.
C. Trust internal network.
D. Trust but verify.
E. Assume breach.
Answers: A, E

Core Zero Trust principle.

Why this answer

Option A is correct because Zero Trust mandates that every access request must be authenticated and authorized based on all available data points, including user identity, location, device health, and data sensitivity, regardless of the network location. This 'verify explicitly' principle eliminates implicit trust and enforces continuous validation for every transaction, aligning with Microsoft's Zero Trust deployment guidance for identity and access management.

Exam trap

The trap here is that candidates often confuse 'trust but verify' (Option D) with Zero Trust, but Microsoft explicitly defines Zero Trust as 'never trust, always verify,' making 'trust but verify' a legacy approach that still assumes initial trust.

303 · MCQ · hard

Your organization uses Microsoft Defender for Cloud to protect Azure SQL databases. You notice that a particular database is flagged with a high-severity recommendation to enable 'Advanced Data Security'. What does enabling Advanced Data Security provide?

A. It restricts access to the database to specific IP addresses.
B. It encrypts the database at rest using TDE.
C. It provides vulnerability assessments and threat detection.
D. It enables automatic backup encryption.
Answer: C

ADS includes these security capabilities.

Why this answer

Option C is correct because Advanced Data Security (ADS) includes vulnerability assessments, threat detection, and data discovery/classification. Option B is wrong because transparent data encryption (TDE) is a separate feature. Option A is wrong because ADS does not restrict network access; that is handled by firewall or VNet rules.

Option D is wrong because backup encryption is handled by Azure Storage encryption.

304 · MCQ · medium

Your organization uses Microsoft Sentinel for security information and event management (SIEM). You need to create an analytics rule that detects when a user account is created outside of business hours from an unusual IP address. Which type of rule should you use?

A. Anomaly rule
B. Scheduled query rule
C. ML Behavior Analytics rule
D. Fusion rule
Answer: B

Scheduled rules run KQL queries at defined intervals to detect specific patterns.

Why this answer

Option B is correct: Scheduled query rules run at regular intervals to detect suspicious activity based on KQL queries. Option D is wrong: Fusion is for multistage attacks. Option C is wrong: ML Behavior Analytics uses machine learning, not custom queries.

Option A is wrong: Anomaly rules are for detecting anomalies, not specific conditions.

305 · Multi-Select · medium

Which TWO Azure services can be used to protect a virtual network from inbound DDoS attacks at the network layer?

Select 2 answers
A. Azure DDoS Protection Standard
B. Azure Web Application Firewall (WAF)
C. Azure Traffic Manager
D. Network Security Groups (NSGs)
E. Azure Firewall
Answers: A, E

Correct: Specifically designed for DDoS mitigation at network layer.

Why this answer

Azure DDoS Protection Standard provides defense against volumetric DDoS attacks. Azure Firewall can filter traffic at the network layer, but its DDoS capabilities are limited; Azure DDoS Protection is the primary service. WAF is for application layer.

NSGs can filter traffic but not mitigate DDoS. Traffic Manager is for load balancing.

306 · MCQ · easy

A company is planning to deploy a multi-tier application in Azure. The web tier must be accessible from the internet, while the database tier must be accessible only from the web tier and management jump boxes. The solution should minimize exposure to the internet. Which Azure architecture should you recommend?

A. Use Azure Bastion for management and VNet peering between web and database subnets.
B. Place web and database tiers in the same virtual network and use Network Security Groups (NSGs) to restrict access.
C. Use Azure Application Gateway to expose the web tier and place the database tier in a separate subnet with a deny-all NSG.
D. Deploy Azure Firewall in a hub virtual network and peer spoke virtual networks for each tier, routing traffic through the firewall.
Answer: D

Hub-spoke with Azure Firewall provides centralized security and forced tunneling.

Why this answer

Azure Firewall in a hub virtual network with forced tunneling through a firewall provides centralized control and minimizes exposure. NSGs cannot inspect traffic, and Application Gateway alone does not restrict database access. VNet peering without firewall does not enforce inspection.

307 · Drag & Drop · medium

Order the steps to configure Azure Key Vault firewall and virtual network service endpoints.



Why this order

Key Vault network restrictions require adding allowed networks and saving.

308 · MCQ · easy

A company plans to migrate their on-premises Active Directory to Microsoft Entra ID. They need to ensure that legacy applications using NTLM authentication continue to work during the transition. What should they configure?

A. Microsoft Entra Connect with PTA and enable NTLM support for on-premises applications
B. Microsoft Entra Connect with password hash synchronization (PHS) and seamless single sign-on (SSO)
C. Microsoft Entra Connect with Active Directory Federation Services (AD FS)
D. Microsoft Entra Connect with pass-through authentication (PTA)
Answer: A

Correct: PTA can be configured to allow NTLM authentication for hybrid users.

Why this answer

Microsoft Entra Connect syncs identities and can be configured to allow NTLM authentication for hybrid identities. PTA or AD FS are for authentication, but not specifically for NTLM support. PHS alone doesn't handle NTLM.

Cloud Kerberos trust is for Kerberos, not NTLM.

309 · Multi-Select · medium

Your organization uses Microsoft Entra ID and Microsoft Intune. You need to design a solution that allows only hybrid Azure AD joined devices to access a sensitive application. The solution must also require that the device is compliant with company policies. Which two components should you configure? (Choose TWO.)

Select 2 answers
A. Intune app protection policy
B. Conditional Access policy with 'Require multifactor authentication'
C. Conditional Access policy with 'Require hybrid Azure AD joined device'
D. Intune device enrollment
E. Intune device compliance policy
Answers: C, E

This ensures only hybrid Azure AD joined devices can access the application.

Why this answer

Options C and E are correct because Conditional Access policies can require hybrid Azure AD join as a grant control, and Intune compliance policies define the compliance rules. Option B (MFA) is not required by the scenario. Option A (app protection) is for app-level protection.

Option D (device enrollment) is a prerequisite but not an access control.

310 · MCQ · hard

Your company is migrating to a cloud-native security operations center (SOC) using Microsoft Sentinel. You need to design a solution that automatically investigates and remediates common incidents like brute-force attacks on Azure VMs. The solution should use playbooks triggered by analytics rules. Which Microsoft service should you use to create the playbooks, and what is the recommended authentication method?

A. Power Automate with user account
B. Azure Automation with service principal
C. Azure Logic Apps with managed identity
D. Azure Functions with API key
Answer: C

Logic Apps supports managed identity for secure, credential-free authentication to Azure resources.

Why this answer

Azure Logic Apps is the recommended platform for Sentinel playbooks. Managed identity is the preferred authentication method because it avoids credential management and supports automation. Azure Automation is for runbooks, not playbooks.

Service principal is possible but not recommended due to credential management.

311 · MCQ · medium

Wide World Importers uses Azure Active Directory (now Microsoft Entra ID) and Microsoft 365. They have a hybrid identity with password hash sync. They want to implement a passwordless authentication strategy to improve security and user experience. They have a mix of Windows 10/11 devices and mobile devices (iOS/Android). They also have some shared computers in kiosk mode. The solution must support all user scenarios and align with Microsoft's authentication best practices. What should you recommend?

A. Use SMS-based authentication for all users. Deploy OATH tokens for shared computers. Implement Azure AD Conditional Access to require passwordless for admins only.
B. Implement Windows Hello for Business for all Windows devices. Use smart cards for mobile devices. Use FIDO2 keys for shared computers.
C. Implement Windows Hello for Business for Windows 10/11 devices. Deploy Microsoft Authenticator for mobile devices for passwordless sign-in. Use FIDO2 security keys for shared computers and kiosk scenarios. Enable combined registration for self-service password reset and Microsoft Authenticator.
D. Use the Microsoft Authenticator app for all users. Configure passwordless sign-in with the app. Use QR codes for kiosk computers.
Answer: C

Comprehensive passwordless approach covering all device types.

Why this answer

Option C is correct because it covers all user scenarios: Windows Hello for Business for Windows devices, Microsoft Authenticator for mobile, and FIDO2 security keys for shared computers. Option A is wrong because SMS and OATH tokens are not passwordless (SMS is not truly passwordless). Option D is wrong because it relies on Microsoft Authenticator only, missing Windows devices.

Option B is wrong because it excludes mobile devices.

312 · Multi-Select · medium

Your organization is designing a privileged access strategy using Microsoft Entra ID. Which TWO configurations should be part of the design to protect privileged accounts?

Select 2 answers
A. Require multi-factor authentication for all administrative roles via Conditional Access
B. Enable security defaults
C. Implement Privileged Identity Management (PIM) for just-in-time access
D. Enable self-service password reset for admins
E. Disable multi-factor authentication for emergency admin accounts
Answers: A, C

MFA adds a strong layer of security for privileged accounts.

Why this answer

Options A and C are correct. Option A: Conditional Access with MFA for admin roles reduces risk of credential theft. Option C: Privileged Identity Management (PIM) provides just-in-time access and approval workflows.

Option B is wrong because security defaults enforce MFA for all users but lack granularity for privileged roles. Option D is wrong because self-service password reset is not specific to privileged accounts and does not protect against misuse. Option E is wrong because disabling MFA would weaken security.

313 · MCQ · medium

Refer to the exhibit. You are reviewing an Azure Policy definition. What does this policy accomplish?

A. Requires that all network security rules have destination port range between 22 and 3389
B. Denies all inbound traffic except SSH and RDP
C. Allows only SSH and RDP inbound traffic
D. Denies creation of network security rules that allow traffic to ports other than 22 and 3389
Answer: D

The policy uses 'deny' effect on security rules where destinationPortRange is not in [22,3389].

Why this answer

Option D is correct because the policy denies security rules that allow ports other than 22 (SSH) and 3389 (RDP) as destination ports. Option C is wrong because it allows only specific ports. Option B is wrong because it allows those ports.

Option A is wrong because it doesn't enforce a specific range.

314 · Multi-Select · medium

You are designing a solution to protect Microsoft 365 data from insider threats. Which TWO Microsoft Purview features should you use?

Select 2 answers
A. Microsoft Purview Insider Risk Management
B. Microsoft Purview Data Loss Prevention (DLP)
C. Microsoft Purview Communication Compliance
D. Microsoft Purview Audit (Premium)
E. Microsoft Purview eDiscovery (Premium)
Answers: A, B

Detects and investigates risky user activities.

Why this answer

Microsoft Purview Insider Risk Management is correct because it is specifically designed to detect, investigate, and act on malicious and accidental insider risks by correlating signals from Microsoft 365 and Azure services, such as unusual file downloads or data exfiltration patterns. It uses predefined risk indicators and machine learning models to identify risky user activities that could lead to data breaches, making it a primary tool for protecting data from insider threats.

Exam trap

The trap here is that candidates often confuse Data Loss Prevention (DLP) as the primary insider threat tool, but DLP is a content-aware policy enforcement mechanism that blocks or alerts on data sharing based on rules, whereas Insider Risk Management focuses on behavioral analytics and user risk scoring to detect threats that DLP might miss, such as slow data exfiltration or credential misuse.

315 · MCQ · hard

Contoso Ltd. is a multinational organization with a hybrid environment consisting of on-premises Active Directory and Azure AD (now Microsoft Entra ID). They use Microsoft Defender for Cloud Apps, Microsoft Sentinel, and Microsoft 365 Defender. The security operations team has noticed that several high-severity alerts from Microsoft 365 Defender are not being forwarded to Microsoft Sentinel, causing delayed response. The team has confirmed that the data connector between Microsoft 365 Defender and Sentinel is enabled and appears healthy. However, only low-severity alerts appear in Sentinel. Further investigation reveals that the Microsoft 365 Defender portal has a configured rule set that suppresses high-severity alerts for certain users deemed low risk. The security operations manager wants to ensure all high-severity alerts are sent to Sentinel without changing the suppression rules in Microsoft 365 Defender, as those rules are required for operational efficiency. What should the team do to ensure high-severity alerts are ingested into Sentinel?

A. Modify the suppression rules in Microsoft 365 Defender to not suppress high-severity alerts.
B. In the Microsoft 365 Defender data connector in Sentinel, enable the option to include suppressed alerts.
C. Use the Microsoft Graph Security API connector in Sentinel to ingest alerts instead.
D. Create a separate Logic App to fetch high-severity alerts from the Microsoft 365 Defender API and send them to Sentinel.
Answer: B

The connector has a setting to include suppressed alerts, which will forward all alerts regardless of suppression status.

Why this answer

Option B is correct because the Microsoft 365 Defender data connector in Microsoft Sentinel includes a configuration setting to 'Include suppressed alerts.' Enabling this option forces Sentinel to ingest all alerts from Microsoft 365 Defender, including those that are suppressed by rule sets in the Defender portal. This satisfies the requirement to forward high-severity alerts without modifying the suppression rules that the operations team relies on for operational efficiency.

Exam trap

The trap here is that candidates assume suppressed alerts are permanently hidden and cannot be ingested, leading them to choose either modifying the suppression rules (Option A) or building a custom workaround (Option D), when in fact the Sentinel connector has a specific toggle to include suppressed alerts.

How to eliminate wrong answers

Option A is wrong because it directly contradicts the requirement to keep the suppression rules unchanged; modifying the rules would break operational efficiency. Option C is wrong because the Microsoft Graph Security API connector ingests alerts from various Microsoft security products but does not bypass the suppression logic applied within Microsoft 365 Defender; suppressed alerts would still be omitted unless the API is specifically configured to include them, which is not a standard option. Option D is wrong because creating a separate Logic App to fetch high-severity alerts via the Microsoft 365 Defender API would be a complex, custom workaround that duplicates functionality already built into the Sentinel connector, and it would still need to handle the suppression flag to retrieve suppressed alerts, making it less efficient and more error-prone than the native connector option.

316 · Multi-Select · medium

A company is implementing a Zero Trust identity strategy. They want to ensure that only compliant and managed devices can access corporate resources. Which THREE components should they include in their solution? (Choose three.)

Select 3 answers
A. Microsoft Intune for device management and compliance policies
B. Azure AD device registration
C. Azure AD Conditional Access policies
D. Azure AD Application Proxy
E. Azure AD B2B collaboration
Answers: A, B, C

Intune manages device compliance and enforces policies.

Why this answer

A is correct because Microsoft Intune provides device management and compliance policies that define the security posture required for managed devices, such as requiring encryption, a minimum OS version, or a specific patch level. These compliance policies are evaluated by Azure AD during authentication, ensuring only devices that meet the organization's security standards can access corporate resources.

Exam trap

The trap here is that candidates may confuse Azure AD Application Proxy (a publishing tool) with a device compliance mechanism, or assume Azure AD B2B collaboration can enforce device management for external users, when in fact neither component evaluates device health or management status.

317 · MCQ · easy

You need to design a security operations strategy for a hybrid environment using Microsoft Sentinel. Your environment includes on-premises servers and Azure VMs. Which data connector should you use to collect security events from both sources?

A. Azure Activity log connector
B. Windows Security Events via AMA connector
C. Office 365 connector
D. Syslog connector
Answer: B

AMA can collect from both on-prem and Azure VMs.

Why this answer

Option B is correct because the Windows Security Events via AMA connector works for both on-prem and Azure VMs. Option A is wrong because the Azure Activity log covers Azure resource operations, not security events. Option D is wrong because Syslog is for Linux.

Option C is wrong because Office 365 is for cloud apps.

318 · Multi-Select · medium

Which THREE of the following are key components of a defense-in-depth strategy?

Select 3 answers
A. Physical security
B. Flat network topology
C. Single sign-on (SSO)
D. Identity and access management
E. Network segmentation
Answers: A, D, E

Physical security is the first layer of defense.

Why this answer

Physical security is a foundational layer in defense-in-depth, protecting hardware assets from unauthorized physical access, theft, or tampering. It includes measures like biometric locks, surveillance cameras, and secure server rooms, which prevent attackers from bypassing logical controls by directly interacting with systems.

Exam trap

The trap here is that candidates often confuse convenience features like SSO with security controls, or assume a flat network is simpler and thus more secure, failing to recognize that defense-in-depth requires multiple independent barriers, not a single authentication mechanism.

319 · MCQ · hard

A security architect is designing a solution to protect sensitive data stored in SharePoint Online from being shared with unauthorized users. The solution must block sharing of files containing credit card numbers when shared externally. What should they use?

A. Configure a conditional access policy to block access from untrusted networks when credit card numbers are detected
B. Create a Microsoft Purview sensitivity label that automatically applies encryption and blocks external sharing when credit card numbers are detected
C. Create a Microsoft Purview Data Loss Prevention (DLP) policy that blocks external sharing when credit card numbers are detected
D. Use Azure Information Protection to label and protect files with credit card numbers
Answer: B

Sensitivity labels can automatically classify and protect data, and enforce restrictions like blocking external sharing.

Why this answer

Option B is correct because Microsoft Purview sensitivity labels can be configured with automatic classification for sensitive data types (e.g., credit card numbers) and enforce encryption while blocking external sharing. This directly meets the requirement to prevent unauthorized external sharing of files containing credit card numbers in SharePoint Online.

Exam trap

The trap here is that candidates often confuse DLP policies (which block sharing based on content) with sensitivity labels (which can both block sharing and apply encryption), leading them to select Option C without considering the need for encryption.

How to eliminate wrong answers

Option A is wrong because Conditional Access policies control access based on conditions like network location, not content inspection or sharing restrictions; they cannot detect credit card numbers within files. Option C is wrong because a DLP policy can block external sharing when credit card numbers are detected, but it does not automatically apply encryption to the files, which is a key part of the solution requirement to protect data at rest. Option D is wrong because Azure Information Protection (AIP) is a legacy labeling solution that has been largely replaced by Microsoft Purview Information Protection; while it can label and protect files, it lacks the integrated automatic classification and sharing control capabilities of Purview sensitivity labels in SharePoint Online.

320 · MCQ · hard

Refer to the exhibit. A security architect is reviewing a Microsoft Purview sensitivity label configuration for a financial services company. The compliance team requires that employees must provide justification when downgrading a document labeled 'Confidential - Financial' to 'General'. Which configuration is missing?

A. Create a new sublabel under 'General' to match the hierarchy
B. Configure auto-labeling for the sublabel
C. Configure the sublabel's protection settings to require justification for downgrade
D. Enable label analytics in Purview
Answer: C

Protection settings on the label include an option to require justification when lowering the label.

Why this answer

The exhibit shows a sensitivity label hierarchy but does not include any marking or protection settings. To require justification for downgrading, the label must have a conditional access policy or auto-labeling policy configured, specifically a 'justification on downgrade' setting. Option C is correct because justification is configured as part of the label's protection settings.

Option B is wrong because auto-labeling is for automatic application, not downgrade control. Option D is wrong because label analytics is for reporting, not enforcement. Option A is wrong because the sublabel itself does not enforce justification.

321 · MCQ · easy

Your company uses Azure DevOps to manage CI/CD pipelines. You need to ensure that secrets such as API keys are securely stored and automatically injected into pipeline tasks without being exposed in logs. What should you use?

A. Azure DevOps variable groups
B. Azure Key Vault linked to Azure DevOps
C. Azure App Configuration
D. Azure Policy
Answer: B

Provides secure secret storage and injection.

Why this answer

Option B is correct because Azure Key Vault securely stores secrets and Azure DevOps can retrieve them without exposing them in logs. Option C is wrong because Azure App Configuration is for application configuration, not secrets. Option A is wrong because variable groups can store secrets, but they are not as secure as Key Vault.

Option D is wrong because Azure Policy is for governance, not secret management.

322 · MCQ · easy

The exhibit shows a conditional access policy from Microsoft Entra ID Identity Protection. When will this policy require MFA?

A. When user risk is medium or high AND sign-in risk is high
B. When either user risk is medium or sign-in risk is high
C. When user risk is medium or high, regardless of sign-in risk
D. When sign-in risk is high, regardless of user risk
Answer: A

Both conditions are required.

Why this answer

Option A is correct because the conditional access policy shown in the exhibit uses the 'Require MFA' grant control with conditions set for user risk (medium or high) AND sign-in risk (high). In Microsoft Entra ID Identity Protection, when both risk levels are evaluated together with an AND operator, MFA is only triggered when both conditions are met simultaneously. This ensures that MFA is enforced only when the user account itself is compromised (medium/high user risk) and the current sign-in session is also risky (high sign-in risk), providing a layered security response.

Exam trap

The trap here is that candidates often confuse the AND operator with OR, assuming that either risk condition alone would trigger MFA, but the exhibit explicitly shows both conditions must be satisfied simultaneously.

How to eliminate wrong answers

Option B is wrong because it describes an OR condition (either user risk medium OR sign-in risk high), but the policy uses an AND operator, meaning both conditions must be true. Option C is wrong because it ignores the sign-in risk condition entirely, suggesting MFA is required regardless of sign-in risk, which contradicts the policy's explicit requirement for high sign-in risk. Option D is wrong because it ignores the user risk condition, stating MFA is required when sign-in risk is high regardless of user risk, but the policy requires user risk to be medium or high as well.

323 · MCQ · hard

A government agency, Northwind, is deploying a sensitive application on Azure App Service Environment (ASE) v3. The application handles classified data and must meet FedRAMP High requirements. You need to design a security solution that includes: (1) encryption at rest for the app's content and configuration, (2) encryption in transit with TLS 1.2 or higher, (3) network isolation using VNet integration and private endpoints, (4) identity-based access to Azure SQL Database using managed identity, and (5) certificate management for custom domains using Azure Key Vault. Which of the following designs meets all requirements?

A. Deploy the app on a multi-tenant App Service plan, enforce HTTPS only with TLS 1.2, use a system-assigned managed identity to access Azure SQL Database, and configure TLS/SSL certificates from Azure Key Vault.
B. Deploy the app on an ASE v3 in a VNet, enforce HTTPS only with TLS 1.2, use a system-assigned managed identity to access Azure SQL Database, and configure TLS/SSL certificates from Azure Key Vault.
C. Deploy the app on an ASE v3 in a VNet, enforce HTTPS only with TLS 1.2, use a user-assigned managed identity to access Azure SQL Database, and configure TLS/SSL certificates from App Service certificates.
D. Deploy the app on an ASE v3 in a VNet, enforce HTTPS only with TLS 1.2, use a service principal to access Azure SQL Database, and configure TLS/SSL certificates from Azure Key Vault.
Answer: B

ASE v3 provides network isolation, managed identity provides secure database access, and Key Vault handles certificates.

Why this answer

Option B is correct because ASE v3 is deployed in a VNet, providing network isolation. App Service can use managed identity for database access. TLS can be enforced in the app settings.

Certificates can be imported from Key Vault. Option A is wrong because App Service on a public plan is not network isolated. Option C is wrong because VNet integration does not provide inbound isolation; a private endpoint is needed.

Option D is wrong because a service principal is less secure than managed identity.

324 · MCQ · medium

You are designing a hybrid identity solution for an organization that uses Microsoft Entra ID and an on-premises Active Directory. The organization requires that users who are located in a remote office without a direct VPN connection to the main office can authenticate against on-premises resources using their Entra ID credentials. The solution must minimize latency and support passwordless authentication. Which feature should you implement?

A. Configure Microsoft Entra Application Proxy
B. Implement Microsoft Entra Kerberos authentication
C. Enable Microsoft Entra Conditional Access policies
D. Deploy Microsoft Entra Connect Sync with password hash synchronization
Answer: B

Entra Kerberos authentication allows users to authenticate to on-premises resources using their Entra ID identity, supporting passwordless methods and reducing latency.

Why this answer

Option B is correct because Microsoft Entra Kerberos authentication enables users to access on-premises resources using their Entra ID credentials without requiring a VPN, and it supports passwordless methods like FIDO2 and Windows Hello for Business. Option A is wrong because Entra ID Application Proxy is for publishing on-premises web apps, not general authentication. Option D is wrong because Entra Connect Sync synchronizes identities but does not provide real-time authentication without VPN.

Option C is wrong because Entra ID Conditional Access policies control access but do not enable passwordless authentication.

325 · MCQ · easy

Your organization uses Microsoft Sentinel for security operations. You need to ensure that all incidents are automatically assigned to the appropriate analyst team based on the type of threat. What should you configure?

A. Use a watchlist to map threat types to teams and trigger a logic app.
B. Modify the analytics rule to include a custom field for the assigned team.
C. Create a playbook that assigns ownership based on incident properties.
D. Configure an automation rule to set the incident owner based on custom conditions.
Answer: D

Automation rules can set the owner of an incident based on conditions like incident tags or properties.

Why this answer

Option D is correct because automation rules in Microsoft Sentinel can automatically assign incidents to specific teams based on conditions such as threat type. Option C is incorrect because playbooks require manual or automated triggers but do not directly assign ownership. Option B is incorrect because analytics rules create incidents but do not assign them.

Option A is incorrect because watchlists are for correlation, not assignment.

326 · MCQ · medium

A multinational company is implementing a Zero Trust security model. The security team needs to ensure that all access requests to critical applications are evaluated based on user identity, device health, and real-time risk signals. Which Microsoft solution should they use to centralize policy enforcement?

A.Microsoft Defender for Cloud Apps
B.Microsoft Entra Conditional Access
C.Azure AD Identity Protection
D.Microsoft Purview Compliance Manager
AnswerB

Centralizes policy evaluation based on user, device, and risk signals.

Why this answer

The correct answer is B: Microsoft Entra Conditional Access. It evaluates signals like user, device, and location to enforce access policies. Option A (Microsoft Defender for Cloud Apps) is a CASB, not a policy enforcement point for authentication.

Option D (Microsoft Purview Compliance Manager) is for compliance scores. Option C (Azure AD Identity Protection) identifies risks but does not enforce access policies directly.

327
MCQeasy

A small business uses Microsoft 365 Business Premium and wants to secure their Windows 10 devices with Microsoft Intune. They need to ensure that only devices compliant with the company's security policies can access corporate email. What should they configure?

A.Azure AD Application Proxy
B.Windows Defender Firewall rules
C.Microsoft Defender for Cloud Apps session policy
D.Conditional Access policy requiring compliant device
AnswerD

Correct: Blocks non-compliant devices from accessing email.

Why this answer

Conditional Access in Microsoft Entra ID can require device compliance before granting access to Exchange Online. Device compliance policies in Intune define the security requirements. Azure AD Application Proxy is for on-prem apps.

Microsoft Defender for Cloud Apps is for cloud app security. Windows Defender Firewall is for network security.

328
MCQmedium

Your company uses Microsoft Sentinel as a SIEM. You need to create an analytics rule that detects when a user account is created outside of business hours. The rule should trigger an incident for investigation. Which type of analytics rule should you use?

A.Anomaly rule
B.Fusion rule
C.Scheduled query rule
D.NRT query rule
AnswerC

Scheduled query rules run periodically and can trigger incidents based on query results.

Why this answer

A scheduled query rule is the correct choice because it allows you to define a KQL query that checks for user account creation events (e.g., from the SecurityEvent or AuditLogs table) and then use the query scheduling settings to run the query at a specific interval. You can then add a condition in the rule logic to filter for events occurring outside business hours (e.g., using the `datetime_part` function to check the hour of the event). When the query returns results, Sentinel automatically generates an incident for investigation.

Exam trap

The trap here is that candidates often confuse scheduled query rules with NRT query rules, assuming that 'near-real-time' is always better for time-sensitive detections, but NRT rules cannot apply complex time-based filters like 'outside business hours' because they only support a 1-minute lookback and no custom scheduling logic.

How to eliminate wrong answers

Option A is wrong because anomaly rules use machine learning to detect unusual patterns over time without a predefined query, and they cannot be configured with a specific KQL query to filter for account creation outside business hours. Option B is wrong because Fusion rules correlate alerts from multiple products to detect multistage attacks, and they do not allow you to define a custom query for a single event type like user account creation. Option D is wrong because NRT (near-real-time) query rules run queries every minute with a 1-minute lookback, which is not suitable for checking events against a static time window like 'outside business hours' and does not support the same flexible scheduling and incident creation logic as scheduled query rules.

329
Multi-Selecteasy

Which TWO of the following are valid methods to secure traffic between on-premises and Azure?

Select 2 answers
A.Azure Front Door
B.ExpressRoute with MACsec
C.Azure Traffic Manager
D.Azure CDN
E.Site-to-Site VPN
AnswersB, E

MACsec provides encryption on ExpressRoute.

Why this answer

ExpressRoute with MACsec provides encryption at Layer 2 using the IEEE 802.1AE standard, securing traffic between on-premises and Azure over a private connection without traversing the public internet. Site-to-Site VPN uses IPsec (IKEv1/IKEv2) to encrypt traffic over the public internet, establishing a secure tunnel between the on-premises VPN device and Azure VPN Gateway. Both are valid methods for securing traffic, with ExpressRoute+MACsec offering lower latency and higher throughput for private connectivity.

Exam trap

The trap here is that candidates often confuse Azure Front Door or Traffic Manager as security solutions because they offer TLS termination or DDoS protection, but neither provides encrypted site-to-site connectivity between on-premises and Azure; they are traffic routing and acceleration services, not VPN or private connection methods.

330
MCQmedium

Your organization is migrating on-premises Active Directory to Microsoft Entra ID. You need to design the authentication method to support hybrid identities with seamless single sign-on (SSO) for legacy applications that require Kerberos authentication. What should you implement?

A.Federate Microsoft Entra ID with on-premises Active Directory using ADFS.
B.Use password hash synchronization (PHS) only.
C.Deploy pass-through authentication (PTA).
D.Enable Microsoft Entra Seamless SSO via Microsoft Entra Connect.
AnswerD

This provides Kerberos-based SSO for hybrid users.

Why this answer

Option D is correct because Microsoft Entra Connect with Seamless SSO enables Kerberos-based authentication for hybrid users. Option A is wrong because federation with ADFS is not required for Kerberos. Option B is wrong because PHS does not support Kerberos delegation.

Option C is wrong because PTA does not support Kerberos.

331
MCQeasy

A company uses Azure Policy to enforce that all storage accounts must have HTTPS traffic only. They assign a built-in policy to audit this setting. A developer creates a new storage account with HTTP enabled, and the policy reports it as non-compliant. What should the company do to automatically remediate this violation?

A.Enable Azure Security Center's just-in-time access for storage accounts.
B.Change the policy effect to 'Deny' to prevent creation of non-compliant storage accounts.
C.Ask the developer to manually enable HTTPS-only on the storage account.
D.Create a new policy assignment with a 'deployIfNotExists' effect that enables HTTPS-only.
AnswerD

This automatically remediates non-compliant accounts.

Why this answer

Option D is correct because the 'deployIfNotExists' effect in Azure Policy can automatically remediate non-compliant resources by deploying a configuration (such as enabling HTTPS-only) when the policy detects a violation. This effect runs a remediation task that modifies the resource to meet the policy requirement, eliminating the need for manual intervention. In this scenario, it would automatically enable HTTPS traffic on the storage account, bringing it into compliance.

Exam trap

The trap here is that candidates often confuse the 'Deny' effect (which only blocks new non-compliant resources) with 'deployIfNotExists' (which remediates existing non-compliant resources), leading them to choose Option B instead of D.

How to eliminate wrong answers

Option A is wrong because Azure Security Center's just-in-time (JIT) access is a feature for managing virtual machine access, not for enforcing storage account HTTPS settings. Option B is wrong because changing the policy effect to 'Deny' would prevent creation of new non-compliant storage accounts but would not remediate the already existing non-compliant account; it only blocks future violations. Option C is wrong because asking the developer to manually enable HTTPS-only is a manual workaround that does not leverage Azure Policy's automated remediation capabilities, and it does not scale or enforce consistency across the environment.

332
Multi-Selecthard

You are designing a network security strategy for a multicloud environment that includes Azure and Amazon Web Services (AWS). The company requires that all traffic between the two clouds be encrypted and inspected for threats. You need to recommend a solution that meets the following requirements:

- Minimize latency.
- Use Microsoft-provided security services where possible.
- Ensure traffic is inspected at Layers 3-7.

Which TWO options should you include in your design?

Select 2 answers
A.Azure Virtual WAN with a secured hub that includes Azure Firewall and Firewall Manager.
B.Azure Firewall with forced tunneling to an on-premises inspection appliance.
C.Azure Policy with built-in network security policies.
D.Azure Front Door Premium with Web Application Firewall (WAF) policy.
E.AWS Transit Gateway with AWS Network Firewall for inspection.
AnswersA, E

Virtual WAN provides global transit and Azure Firewall provides L3-7 inspection.

Why this answer

Azure Virtual WAN with a secured hub integrates Azure Firewall and Firewall Manager to provide a centralized, Microsoft-managed inspection point for traffic between Azure and AWS. This design minimizes latency by routing inter-cloud traffic through Microsoft's global backbone rather than over the public internet, and it supports Layer 3-7 inspection via Azure Firewall's application and network rules, meeting all requirements.

Exam trap

The trap here is that candidates may confuse Azure Front Door (a global load balancer and WAF for web traffic) with a general-purpose inter-cloud inspection solution, overlooking that it only handles HTTP/HTTPS and cannot inspect non-web protocols or traffic between cloud networks.

333
Multi-Selectmedium

Your organization has deployed Microsoft Defender for Cloud with the CSPM (Cloud Security Posture Management) plan enabled. You need to ensure that all Azure subscriptions are covered and that security recommendations are automatically remediated for critical findings. Which two actions should you take? (Choose two.)

Select 2 answers
A.Enable Microsoft Defender for Cloud on all subscriptions.
B.Configure security contact details for each subscription.
C.Configure automatic provisioning of the Log Analytics agent.
D.Set the 'Auto Remediate' toggle to 'On' for all security recommendations.
E.Create Azure Policy assignments with 'deployIfNotExists' effect to auto-remediate critical findings.
AnswersA, C

Required to assess resources across all subscriptions.

Why this answer

Enabling Defender for Cloud on all subscriptions ensures coverage. Configuring automatic provisioning of the Log Analytics agent ensures data collection. To auto-remediate, you need to use Azure Policy with 'deployIfNotExists' or 'modify' effects, not just enable Defender.

The 'Auto Remediate' setting in Defender for Cloud applies only to certain recommendations, but for custom remediation, Azure Policy is needed. The security contacts are for notifications, not remediation.

334
MCQhard

Refer to the exhibit. You are deploying an ARM template for a Windows VM. The adminPassword parameter references a secret in Key Vault. However, the deployment fails with an access denied error. What is the most likely cause?

A.The secret value contains special characters that need to be escaped.
B.The template should use the secret's URI directly instead of a parameter reference.
C.The deployment principal lacks 'Get' and 'List' permissions on the Key Vault secret.
D.The Key Vault is in a different resource group than the deployment.
AnswerC

The deployment principal must have these permissions to retrieve the secret.

Why this answer

Option C is correct because when referencing a Key Vault secret in an ARM template parameter, the user or service principal deploying the template must have 'Get' and 'List' permissions on the secret. If the deployment principal does not have those permissions, access is denied. Option A is wrong because secrets can be used as strings.

Option D is wrong because the resource group is specified, and if the Key Vault is in a different resource group, it's fine as long as permissions are granted. Option B is wrong because the template uses a parameter reference, not a direct secret value.

335
Multi-Selecthard

A company is deploying a new application that uses Azure Cosmos DB. The security requirements include: data encryption at rest, data encryption in transit, and the ability to audit all data access. Which THREE of the following should you implement?

Select 3 answers
A.Use Azure SQL Database instead of Cosmos DB
B.Require TLS for all connections to Cosmos DB
C.Use Azure Active Directory authentication for Cosmos DB
D.Enable encryption at rest with customer-managed keys
E.Enable diagnostic logging for Cosmos DB
AnswersB, D, E

TLS encrypts data in transit between clients and Cosmos DB.

Why this answer

Options B, D, and E are correct. Option B: Cosmos DB requires TLS for all client connections by default, ensuring encryption in transit. Option D: Encryption at rest is enabled by default; using customer-managed keys provides additional control.

Option E: Diagnostic logging enables auditing of data access. Option A is wrong because Azure SQL Database is a different service. Option C is wrong because Azure Active Directory (now Entra ID) authentication is supported but does not by itself encrypt data.

336
MCQhard

Your organization uses Microsoft Defender for Cloud to secure a hybrid environment. You need to ensure that security recommendations are automatically remediated for virtual machines. The solution must use Azure Policy and must be deployed at scale. What should you configure?

A.Create a custom Azure Policy definition with deployIfNotExists effect
B.Create a remediation task for the policy that needs auto-remediation
C.Assign a built-in policy initiative to the management group
D.Enable auto-provisioning for the Log Analytics agent
AnswerB

Remediation tasks automatically fix non-compliant resources.

Why this answer

Option B is correct because creating a remediation task via Azure Policy can automatically remediate non-compliant resources. Defender for Cloud integrates with Azure Policy to allow automatic remediation. Option C is wrong because just assigning a policy initiative does not enable automatic remediation; a remediation task is needed.

Option D is wrong because enabling auto-provisioning for Log Analytics deploys the agent but does not remediate security configurations. Option A is wrong because custom Azure Policy definitions require manual assignment and remediation setup.

337
MCQmedium

A security architect needs to design a solution that provides a unified view of security alerts from multiple clouds (Azure, AWS, GCP) and on-premises systems. The solution must also support automated response using playbooks. Which Microsoft service should they use?

A.Microsoft Defender XDR
B.Microsoft Defender for Cloud
C.Microsoft Purview
D.Microsoft Sentinel
AnswerD

Sentinel is a SIEM/SOAR that supports multi-cloud and on-premises with automated playbooks.

Why this answer

Microsoft Sentinel is the correct choice because it is a cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) solution that ingests security alerts from multiple clouds (Azure, AWS, GCP) and on-premises systems via connectors. It supports automated response through playbooks built on Azure Logic Apps, enabling unified alert management and remediation workflows.

Exam trap

The trap here is confusing Microsoft Defender for Cloud (a CSPM tool) with Microsoft Sentinel (a SIEM/SOAR), as both appear in the Azure portal and deal with security alerts, but only Sentinel provides native multi-cloud SIEM ingestion and automated playbook orchestration for cross-cloud incident response.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender XDR is an extended detection and response solution focused on correlating signals across Microsoft 365, endpoints, and identities, but it does not natively ingest alerts from AWS, GCP, or on-premises systems for a unified multi-cloud SIEM view. Option B is wrong because Microsoft Defender for Cloud is a cloud security posture management (CSPM) and workload protection platform that provides security recommendations and alerts primarily for Azure and hybrid environments, but it lacks the native multi-cloud SIEM ingestion and SOAR playbook automation of Sentinel. Option C is wrong because Microsoft Purview is a data governance, risk, and compliance solution (e.g., data classification, eDiscovery, insider risk management) and does not provide SIEM alert correlation or automated response playbooks for security incidents.

338
MCQmedium

A company is using Azure Active Directory (Azure AD) for identity management. They want to implement a policy that requires all users to use multi-factor authentication (MFA) when accessing Office 365 from outside the corporate network. Which conditional access policy setting should they configure?

A.Assignments > Conditions > Client apps
B.Assignments > Conditions > Locations
C.Assignments > Conditions > Device platforms
D.Assignments > Conditions > Sign-in risk
AnswerB

Location condition can be used to enforce MFA for external networks.

Why this answer

Option B is correct because the Locations condition in Azure AD Conditional Access allows administrators to define named locations (such as corporate IP ranges) and then require MFA when access originates from any location that is not trusted. By configuring a policy that targets 'All users' and 'All cloud apps' (or specifically Office 365), and setting the Locations condition to 'Any location' with the exclusion of the corporate network, the policy enforces MFA for all external access attempts. This directly meets the requirement to require MFA when accessing Office 365 from outside the corporate network.

Exam trap

The trap here is that candidates often confuse the Locations condition with the Sign-in risk condition, thinking that external access is inherently risky, but the question specifically asks for a policy based on network location, not risk level.

How to eliminate wrong answers

Option A is wrong because the Client apps condition controls which types of applications (browser, mobile app, legacy authentication) trigger the policy, not the network location of the user. Option C is wrong because the Device platforms condition filters based on the operating system (e.g., Windows, iOS, Android) and does not consider whether the request originates from inside or outside the corporate network. Option D is wrong because the Sign-in risk condition uses Azure AD Identity Protection to detect risky sign-in behavior (e.g., anonymous IP, leaked credentials) and is not designed to enforce MFA based purely on network location.

339
MCQeasy

Your company is developing a Microsoft Teams app that accesses user profiles. You need to ensure the app only accesses minimal required data. What should you implement?

A.Admin consent for all scopes
B.Application permissions for Microsoft Graph
C.Delegated permissions with User.Read
D.Delegated permissions with User.Read.All
AnswerC

User.Read grants read of the signed-in user's profile only, following least privilege.

Why this answer

Option C is correct because Microsoft Graph delegated permissions with least privilege (User.Read) ensure the app only accesses the minimum required data. Option A is wrong because admin consent for all scopes grants full access.

Option B is wrong because application (app-only) permissions grant broad access and are intended for background services, not user context.

340
MCQhard

Your organization uses Microsoft Intune to manage devices. You need to ensure that corporate data on personally owned devices is removed when a user leaves the company, but personal data remains intact. What should you use?

A.Selective wipe (retire)
B.Conditional Access policy
C.Full wipe
D.Device compliance policy
AnswerA

Selective wipe removes only corporate data.

Why this answer

Selective wipe (retire) is the correct choice because it removes only corporate data from a personally owned device enrolled in Microsoft Intune, while preserving the user's personal data. This is achieved by targeting managed app data and corporate profiles, leaving personal apps, photos, and settings intact. It aligns with the requirement to protect corporate information upon employee departure without affecting the user's personal property.

Exam trap

The trap here is that candidates often confuse 'selective wipe' with 'full wipe' or assume that a Conditional Access policy can enforce data removal, when in fact only selective wipe provides granular corporate data removal while preserving personal data.

How to eliminate wrong answers

Option B is wrong because Conditional Access policies control access to resources based on conditions like device compliance or location, but they do not perform data removal or wipe operations. Option C is wrong because a full wipe resets the device to factory defaults, erasing both corporate and personal data, which violates the requirement to keep personal data intact. Option D is wrong because device compliance policies enforce security settings (e.g., requiring encryption or a minimum OS version) but do not remove data; they only mark devices as compliant or non-compliant.

341
MCQmedium

Your organization uses Microsoft Defender XDR for incident response. You need to design a process to automatically isolate a compromised device when a high-severity incident is triggered. Which automation approach should you use?

A.Create a compliance policy in Microsoft Intune that marks the device as noncompliant
B.Configure an Azure Automation runbook to poll Defender alerts and isolate devices
C.Set up a Power Automate flow triggered by email notifications from Defender
D.Use automation rules in Microsoft Sentinel with a playbook that runs a Defender for Endpoint isolation action
AnswerD

Sentinel automation rules can trigger playbooks that invoke Defender APIs to isolate devices.

Why this answer

Option D is correct because Microsoft Sentinel's automation rules can directly trigger a playbook (Azure Logic App) that executes the Microsoft Defender for Endpoint 'Isolate device' action. This provides near-real-time, event-driven isolation without polling, aligning with the requirement to automatically isolate a compromised device when a high-severity incident is triggered in Defender XDR.

Exam trap

The trap here is that candidates confuse 'marking a device as noncompliant' (Option A) with actual network isolation, or assume that any automation (Options B and C) is sufficient, overlooking the requirement for event-driven, low-latency integration with Defender for Endpoint's native isolation capability.

How to eliminate wrong answers

Option A is wrong because a compliance policy in Microsoft Intune marks a device as noncompliant but does not perform device isolation; it can trigger conditional access or wipe actions, not the network-level isolation needed for incident response. Option B is wrong because polling Defender alerts via an Azure Automation runbook introduces latency and inefficiency, and it bypasses the native event-driven automation capabilities of Microsoft Sentinel and Defender XDR. Option C is wrong because email notifications are unreliable and introduce delay; Power Automate flows triggered by email cannot guarantee timely, automated isolation and lack direct integration with Defender for Endpoint's isolation API.

342
MCQhard

You are designing a security solution for Azure API Management. The requirements include: protecting APIs from abuse, throttling requests, and validating JSON payloads. Which combination of features should you use?

A.Managed Identities and Azure AD authentication
B.Azure Web Application Firewall (WAF) on Application Gateway
C.Rate limiting policies, validate-json policy, and OAuth 2.0
D.Azure Firewall and Network Security Groups
AnswerC

Rate limiting throttles, validate-json validates payloads, OAuth secures access.

Why this answer

Option C is correct: rate limiting policies throttle requests, the validate-json policy validates payloads, and OAuth 2.0 secures access. Option D is wrong because Azure Firewall does not integrate with API Management for payload validation. Option B is wrong because WAF protects at the network edge, not per-API.

Option A is wrong because Managed Identity is for authentication, not throttling or validation.

343
MCQmedium

A company uses Microsoft Defender XDR and wants to ensure that all devices are reporting to the service. They notice that some devices are not appearing in the device inventory. Which log source should they check first to troubleshoot?

A.Microsoft Defender for Endpoint deployment log (MDEClientAnalyzer)
B.Microsoft Intune enrollment logs
C.Windows Event Log - Microsoft-Windows-Windows Defender/Operational
D.Syslog from the device
AnswerA

This log contains onboarding status and connectivity issues.

Why this answer

Option A is correct because the Microsoft Defender for Endpoint deployment log shows onboarding status and errors. Option C is incorrect because the Windows Event Log may not be enabled. Option B is incorrect because Intune enrollment is for MDM, not Defender.

Option D is incorrect because Syslog is for non-Microsoft devices.

344
Multi-Selecteasy

Your company uses Microsoft Defender for Endpoint and Microsoft Intune to manage endpoints. You need to ensure that devices are healthy before they can access corporate resources. Which TWO settings should you configure in Microsoft Intune compliance policies to enforce device health?

Select 2 answers
A.Require device encryption (BitLocker) on Windows devices
B.Require a minimum password length of 8 characters
C.Require that the device is not jailbroken or rooted
D.Require the device to be on a specific OS version
E.Require that Windows Defender Antivirus is active and up to date
AnswersA, E

Encryption protects data if the device is lost or stolen.

Why this answer

Requiring antivirus (Windows Defender) to be active ensures protection against malware. Requiring encryption (BitLocker) protects data at rest on lost devices. Password length and OS version are important but not the most direct health checks for threat protection.

Jailbreak detection is for mobile devices.

345
MCQeasy

Your organization is implementing a zero-trust security model and needs to ensure that all access to cloud resources is verified in real-time. You plan to use Microsoft Entra ID Conditional Access. Which policy component enforces real-time verification of user identity and device compliance before granting access?

A.Enable Microsoft Secure Score
B.Use Azure AD Application Proxy
C.Conditional Access policy with conditions and grant controls
D.Assign users and groups to the policy
AnswerC

Conditions evaluate signals and grant controls enforce real-time access decisions.

Why this answer

Conditional Access policies with conditions and grant controls enforce real-time verification by evaluating signals such as user identity, device compliance (via Microsoft Intune), and location before allowing access to cloud resources. The grant controls block or require multi-factor authentication (MFA) or device compliance, ensuring zero-trust principles of explicit verification and least privilege.

Exam trap

The trap here is that candidates confuse policy assignment (users/groups) with the enforcement mechanism (conditions and grant controls), thinking that merely assigning a policy to a user group enforces real-time verification, when in fact the conditions and grant controls are the components that perform the actual evaluation and access decision.

How to eliminate wrong answers

Option A is wrong because Microsoft Secure Score is a security posture measurement tool, not a policy component that enforces real-time access verification. Option B is wrong because Azure AD Application Proxy provides secure remote access to on-premises web applications, not real-time identity and device compliance checks for cloud resources. Option D is wrong because assigning users and groups to a policy defines scope but does not enforce real-time verification; the conditions and grant controls are the components that perform the actual evaluation and enforcement.

346
MCQmedium

Refer to the exhibit. The NSG is applied to a subnet containing a web server. The web server is not receiving HTTP traffic. What is the most likely cause?

A.The DenyAllOther rule has a lower priority than AllowHTTP
B.The rule direction is Inbound, but the traffic is outbound
C.The sourceAddressPrefix 'Internet' does not include all source IPs
D.The priority of the AllowHTTP rule is too low (100)
AnswerC

'Internet' service tag may not cover all public IPs.

Why this answer

Option C is correct because the rule uses 'Internet' as sourceAddressPrefix, which is a service tag that does not include all public IPs. The actual source IPs may not be covered. Option D is wrong because priority 100 is high enough (lower number = higher priority).

Option B is wrong because the rules are correct for inbound traffic. Option A is wrong because the DenyAllOther rule has a higher priority number (1000) than AllowHTTP (100), so it is evaluated after AllowHTTP.

347
MCQhard

A global enterprise uses Azure Firewall and Azure Virtual Network Manager (AVNM) to manage network security. They want to deploy a new spoke virtual network that must be isolated from all other spokes except one specific shared services hub. The hub uses Azure Firewall to inspect traffic. What is the most secure and scalable way to enforce this isolation?

A.Apply a custom Azure Policy definition that denies VNet peering between the new spoke and any VNet other than the hub.
B.Configure direct VNet peering between the new spoke and the hub, and use route tables to block traffic to other spokes.
C.Deploy a network virtual appliance (NVA) in the new spoke and route all traffic through it.
D.Use AVNM to create a network group for the new spoke and apply security admin rules to block inter-spoke traffic except to the hub.
AnswerD

Correct: AVNM provides scalable, centrally managed isolation.

Why this answer

Using AVNM connectivity and security admin rules allows central management of network groups and firewall policies, ensuring isolation while scaling. Direct peering with route tables is less scalable and lacks central management. NSG on the subnet is not scalable and can be overridden.

Enforcing via Azure Policy with deny is possible but less integrated for network topology.

348
MCQhard

A company is deploying a new application that will store sensitive customer data in Azure SQL Database. The security team requires that all data at rest be encrypted using a customer-managed key stored in Azure Key Vault. Additionally, they need to ensure that the database can be restored to a point in time and that the encryption key is rotated every 90 days. Which combination of features should you configure?

A.Enable TDE with service-managed keys and use Azure Policy to enforce rotation.
B.Use Always Encrypted with column master key in Azure Key Vault and manual rotation.
C.Use Azure Storage Service Encryption with customer-managed keys and enable soft delete.
D.Enable TDE with customer-managed keys in Azure Key Vault and configure automatic key rotation.
AnswerD

TDE with CMK encrypts data at rest; automatic rotation handles periodic rotation.

Why this answer

Transparent Data Encryption (TDE) with customer-managed keys in Azure Key Vault meets the encryption requirement. Automatic key rotation via Key Vault ensures rotation every 90 days. Point-in-time restore (PITR) is built into Azure SQL.

Always Encrypted is column-level and not required. Option D correctly combines TDE with customer-managed keys and automatic rotation.

349
MCQ · hard

You are designing a privileged access solution for your Azure infrastructure. You need to ensure that just-in-time (JIT) access is required for all administrative actions on Azure VMs. What should you configure?

A. Microsoft Entra Privileged Identity Management (PIM) for Azure VM roles
B. Just-in-time VM access in Microsoft Defender for Cloud
C. Network security groups with service tags
D. Azure Bastion with Conditional Access
Answer: B

JIT VM access locks down inbound traffic and requests temporary access.

Why this answer

Option B is correct because Microsoft Defender for Cloud's JIT VM access provides time-bound access to VMs. Option A is incorrect because PIM is for role-based access, not VM access. Option D is incorrect because Azure Bastion provides secure RDP/SSH but not JIT.

Option C is incorrect because NSGs alone do not enforce JIT.

350
MCQ · easy

A company uses Microsoft Defender for Cloud Apps to discover and control Shadow IT. They want to block the use of a newly discovered unsanctioned app. What should they do?

A. Create a Conditional Access policy to block the app
B. Use Microsoft Purview Data Loss Prevention to block the app
C. Mark the app as unsanctioned in Defender for Cloud Apps
D. Block the app's domain in Microsoft Intune
Answer: C

Unsanctioning blocks the app's usage.

Why this answer

Option C is correct because marking an app as unsanctioned in Microsoft Defender for Cloud Apps is the direct mechanism to block access to a discovered Shadow IT app. When an app is marked unsanctioned, Defender for Cloud Apps automatically enforces a block by integrating with Conditional Access to prevent users from accessing the app, and it can also generate alerts and session controls. This action is specifically designed for the discovered app governance workflow within Defender for Cloud Apps.

Exam trap

The trap here is that candidates often assume creating a Conditional Access policy directly is the correct action, but the SC-100 exam tests the understanding that marking the app as unsanctioned in Defender for Cloud Apps is the prerequisite step that triggers the automatic Conditional Access policy enforcement.

How to eliminate wrong answers

Option A is wrong because creating a Conditional Access policy to block the app is not the first step; the app must first be marked as unsanctioned in Defender for Cloud Apps, which then automatically creates the necessary Conditional Access policy via the app governance integration. Option B is wrong because Microsoft Purview Data Loss Prevention (DLP) is designed to prevent data exfiltration and sensitive data sharing, not to block access to an entire unsanctioned app. Option D is wrong because blocking the app's domain in Microsoft Intune would only affect managed devices and does not address the broader Shadow IT discovery and control workflow that Defender for Cloud Apps provides.

351
Matching · medium

Match each identity security concept to its definition.

Concepts
Matches

Policy engine to enforce access controls

Just-in-time privileged role activation

Detect and remediate identity risks

Azure AD identity for Azure resources

Identity for applications in Azure AD

Why these pairings

These are fundamental identity concepts in Azure AD.

352
MCQ · medium

Trey Research, a biotech firm, is developing a machine learning model on Azure Machine Learning that uses sensitive genomic data. The data is stored in Azure Blob Storage. The company requires that all data be encrypted at rest using customer-managed keys stored in Azure Key Vault, and that access to the storage account be restricted to the Azure Machine Learning workspace and specific data scientists via Azure AD authentication. Additionally, the storage account must be accessible only from the company's virtual network. Which of the following configurations should you implement?

A. Enable encryption at rest with a customer-managed key, configure a firewall to allow the Machine Learning workspace's IP range, and grant data scientists access via storage account access keys.
B. Enable encryption at rest with a service-managed key, configure a private endpoint, and grant data scientists access using Azure RBAC with the Storage Blob Data Reader role.
C. Enable encryption at rest with a customer-managed key, configure a private endpoint for the storage account, and grant the Machine Learning workspace and data scientists access using Azure RBAC with the Storage Blob Data Contributor role.
D. Enable encryption at rest with a customer-managed key, configure a service endpoint for the storage account, and grant the Machine Learning workspace access using a SAS token.
Answer: C

Private endpoint provides VNet isolation, RBAC provides fine-grained access, and CMK provides encryption control.

Why this answer

Option C is correct because it provides encryption at rest with CMK, a private endpoint for VNet isolation, and RBAC for access control. Option A is wrong because firewall rules are less secure than private endpoints and storage account access keys bypass Azure AD authentication. Option D is wrong because SAS tokens are less secure than managed identities.

Option B is wrong because service-managed keys do not meet the CMK requirement.

353
Multi-Select · hard

Your organization uses Microsoft Purview and Microsoft Sentinel. You need to design a solution that alerts the security team when a user tries to share a file labeled 'Highly Confidential' with an external email address. The alert should include the file name, user, and external recipient. Which two components should you use? (Choose TWO.)

Select 2 answers
A. Microsoft Purview Information Protection
B. Microsoft Sentinel analytics rule that queries DLP audit logs
C. Microsoft Purview Audit
D. Microsoft Purview auto-labeling policy
E. Microsoft Purview Data Loss Prevention (DLP) policy
Answers: B, E

Sentinel can ingest DLP logs and create alerts for investigation.

Why this answer

Options B and E are correct because Microsoft Purview DLP can detect and alert on sharing of sensitive files, and Microsoft Sentinel can ingest those DLP alerts and provide a central interface for investigation. Option D (auto-labeling) applies labels but does not generate alerts. Option A (Information Protection) is for labeling, not monitoring.

Option C (Audit) logs events but does not generate proactive alerts.

354
MCQ · hard

Your organization uses Microsoft Sentinel as a SIEM. The security team wants to use Microsoft Copilot for Security to assist in incident investigation. You need to ensure that Copilot can access Sentinel data while meeting compliance requirements. Which integration should you configure?

A. Deploy a playbook to query Sentinel data
B. Enable Microsoft Copilot for Security plugin for Sentinel
C. Enable Sentinel's Threat Intelligence connectors
D. Use Microsoft Defender for Cloud
Answer: B

The plugin allows Copilot to query Sentinel data securely.

Why this answer

The Microsoft Copilot for Security plugin for Sentinel is the correct integration because it enables Copilot to directly query and analyze Sentinel data through a native, compliant connection. This plugin uses Sentinel's API and role-based access control (RBAC) to ensure that Copilot only accesses data the user is authorized to see, meeting compliance requirements without additional data movement.

Exam trap

The trap here is that candidates often confuse enabling Threat Intelligence connectors (Option C) with granting data access, but those connectors only import external threat data and do not provide Copilot with read access to Sentinel's internal logs or incidents.

How to eliminate wrong answers

Option A is wrong because deploying a playbook to query Sentinel data introduces unnecessary complexity and latency; playbooks are designed for automated response workflows, not for providing real-time, compliant data access to Copilot. Option C is wrong because enabling Sentinel's Threat Intelligence connectors only ingests external threat intelligence feeds into Sentinel; it does not grant Copilot access to Sentinel's existing security data or logs. Option D is wrong because Microsoft Defender for Cloud is a separate cloud security posture management (CSPM) tool that does not natively integrate with Copilot for Security to access Sentinel data; it focuses on workload protection, not SIEM data access.

355
Matching · medium

Match each encryption type to its use case in Azure.

Concepts
Matches

At-rest encryption for blobs and files

BitLocker-based encryption for VMs

Real-time encryption for SQL databases

Centralized key management service

Encryption in use via TEEs

Why these pairings

These encryption mechanisms protect data at different states.

356
MCQ · easy

A SOC analyst needs to investigate a potential privilege escalation using Azure AD roles. Which Microsoft 365 Defender data source would be most useful to review?

A. Microsoft 365 Defender identity logs
B. Azure Active Directory audit logs
C. Microsoft Defender for Cloud Apps logs
D. Microsoft 365 audit logs
Answer: B

Azure AD audit logs track role assignments and privilege changes.

Why this answer

Azure AD audit logs (now part of the Azure Monitor / Microsoft Entra audit logs) are the authoritative source for tracking changes to Azure AD roles, including role assignments, activations of Privileged Identity Management (PIM) roles, and modifications to directory roles. Since the question specifically involves privilege escalation using Azure AD roles, these logs contain the necessary details such as who assigned a role, when, and from which IP address, making them the most directly relevant data source.

Exam trap

Microsoft often tests the distinction between Azure AD audit logs (which track directory configuration changes like role assignments) and Microsoft 365 audit logs (which track user activity across workloads), leading candidates to mistakenly choose the broader Microsoft 365 audit logs when the question specifically targets Azure AD role changes.

How to eliminate wrong answers

Option A is wrong because Microsoft 365 Defender identity logs (derived from Microsoft Defender for Identity) focus on on-premises Active Directory security events and lateral movement detection, not Azure AD role assignments or changes. Option C is wrong because Microsoft Defender for Cloud Apps logs primarily track user activities within cloud applications (e.g., file downloads, app permissions) and do not natively capture Azure AD role assignment events. Option D is wrong because Microsoft 365 audit logs cover a broad range of user and admin activities across Exchange, SharePoint, and Teams, but they do not include the granular Azure AD role assignment and activation events that are specifically recorded in Azure AD audit logs.

357
MCQ · easy

Your organization uses Microsoft Intune for mobile device management. You need to ensure that only compliant devices can access corporate email. What should you configure?

A. Configure an app protection policy in Intune.
B. Create a device configuration policy in Intune.
C. Create a Conditional Access policy in Microsoft Entra ID that requires compliant device.
D. Create a device compliance policy in Intune.
Answer: C

Conditional Access evaluates compliance and blocks non-compliant devices.

Why this answer

Option C is correct because Conditional Access in Microsoft Entra ID can enforce device compliance for access. Option B is incorrect because configuration policies set settings but don't control access. Option D is incorrect because compliance policies define compliance, but Conditional Access enforces it.

Option A is incorrect because app protection policies protect data within apps, not device access.

358
MCQ · hard

Refer to the exhibit. A security architect is reviewing an ARM template that deploys an Azure Storage container. They want to ensure the container is not publicly accessible. What is the security implication of this template?

A. The container allows public access
B. The template creates a container with versioning enabled
C. The template enables encryption at rest
D. The template does not configure network rules, so the container may be accessible from the internet, but only to authenticated users
Answer: D

Without network restrictions, authenticated users from anywhere can access the container.

Why this answer

The template sets 'publicAccess' to 'None', which means no anonymous access. However, the container inherits default network rules from the storage account. If the storage account firewall is not configured, the container may still be accessible over the internet by authenticated users.

Option D is correct. Option A is wrong because public access is set to None. Option B is wrong because nothing in the template enables versioning.

Option C is wrong because the template does not mention encryption.

359
MCQ · easy

Your company uses Microsoft 365 E5 licenses and has deployed Microsoft Defender for Office 365. The security team wants to be alerted when a user reports a phishing email using the built-in report message button in Outlook. The alert should be sent to the security team's email address. You need to configure this in the Microsoft 365 Defender portal. What should you do?

A. Create an anti-phishing policy that notifies users about phishing.
B. Configure the User reported messages settings to send alerts to the security team.
C. Create a Safe Attachments policy to detect phishing attachments.
D. Create a Safe Links policy that alerts on phishing URLs.
Answer: B

User reported messages settings allow you to specify where reports are sent.

Why this answer

Option B is correct because user-reported messages can be configured in the Microsoft 365 Defender portal under Policies & rules > Threat policies > User reported messages settings. Option D is incorrect because Safe Links policies are for URL protection. Option C is incorrect because Safe Attachments policies are for attachments.

Option A is incorrect because anti-phishing policies handle detection, not user submissions.

360
MCQ · easy

Your organization uses Microsoft Entra ID. You need to enforce multi-factor authentication (MFA) for all users accessing the Azure portal. What is the simplest way to configure this?

A. Enable per-user MFA for all users.
B. Enable security defaults.
C. Create a conditional access policy targeting the Azure portal app requiring MFA.
D. Configure Microsoft Entra ID MFA registration policy.
Answer: C

Conditional access allows granular enforcement.

Why this answer

Option C is correct because a conditional access policy can be targeted to the Azure portal app and require MFA. Option A is wrong because per-user MFA is legacy and less flexible. Option D is wrong because the MFA registration policy ensures registration but does not enforce MFA.

Option B is wrong because security defaults apply to all apps, not just the Azure portal, and may be too broad.

361
Multi-Select · medium

Your company is implementing Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data in Microsoft 365. The compliance team needs to monitor and block the sharing of credit card numbers in emails. Which THREE actions should they configure in a DLP policy?

Select 3 answers
A. Encrypt the email automatically
B. Notify the user with a policy tip
C. Block sharing of emails containing the sensitive data
D. Detect sensitive information type (credit card number)
E. Apply a sensitivity label automatically
Answers: B, C, D

Policy tips educate users about policy violations.

Why this answer

Correct answers: B, C, D. DLP policies can detect sensitive info types (credit card numbers), block sharing, and notify users. Option A is wrong because encryption is a separate feature, not a DLP action.

Option E is wrong because auto-labeling is a classification action, not a DLP enforcement action.

362
MCQ · hard

Your organization uses Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data in Microsoft Teams. You need to prevent users from sharing credit card numbers in Teams chat messages. However, the policy should allow sharing with external vendors if they are in your organization's approved list. What should you configure?

A. Configure a DLP policy with a condition to block sharing of credit card numbers to external users except those from approved domains.
B. Create a DLP policy that blocks credit card numbers and set the action to 'Block external sharing' for all external users.
C. Use Microsoft Purview Information Protection to automatically apply a 'Confidential' label to messages containing credit card numbers and block forwarding.
D. Create a sensitivity label for credit card data and publish it to Teams, then configure auto-labeling.
Answer: A

Allows approved external vendors while blocking others.

Why this answer

Option A is correct because DLP policies for Teams can use conditions to restrict sharing to specific domains or approved external organizations. Option B is wrong because blocking all external sharing is too restrictive. Option D is wrong because sensitivity labels are separate from DLP and not designed for this granular condition.

Option C is wrong because labels can't directly control sharing in Teams chat based on external party approval.

363
Multi-Select · hard

A company is implementing a Zero Trust security model using Microsoft 365 Defender. Which THREE of the following are key principles they should follow?

Select 3 answers
A. Trust all traffic originating from within the corporate network.
B. Use least privilege access by limiting user permissions with Just-In-Time and Just-Enough-Access.
C. Provide implicit trust to known users and devices.
D. Assume breach and segment access to minimize blast radius.
E. Verify explicitly based on all available data points (user, device, location, etc.).
Answers: B, D, E

Minimizes the blast radius of a breach.

Why this answer

Option B is correct because Zero Trust mandates least privilege access, and Microsoft 365 Defender integrates with Azure AD Privileged Identity Management (PIM) to enforce Just-In-Time (JIT) and Just-Enough-Access (JEA) policies. This ensures users receive only the permissions necessary for a specific task, for a limited duration, reducing the risk of lateral movement and privilege escalation.

Exam trap

The trap here is that candidates often confuse Zero Trust with traditional perimeter-based security, mistakenly believing that internal network origin or known user status should be trusted implicitly, when in fact Zero Trust requires explicit verification for every access request regardless of source.

364
MCQ · easy

You are designing an incident response plan for a company using Microsoft Defender XDR. The team needs to automatically notify the SOC via email when an incident of high severity is created. What should you use?

A. Modify the analytics rule to send an email when an alert fires.
B. Create a playbook that sends an email when an incident is created.
C. Configure an automation rule with an action to send an email notification.
D. Use advanced hunting to query high severity incidents and send email.
Answer: C

Automation rules can trigger actions like email notifications when incidents meet criteria.

Why this answer

Option C is correct because an automation rule can be configured to send an email notification when an incident matching the criteria (such as high severity) is created. Option B is wrong because playbooks are run manually or via automation rules. Option A is wrong because analytics rules generate alerts.

Option D is wrong because hunting queries are for proactive threat hunting.

365
Multi-Select · easy

A company wants to improve their security posture by using Microsoft Defender for Cloud. Which TWO of the following are features of Defender for Cloud that help with governance and compliance?

Select 2 answers
A. Azure Blueprints
B. Azure Policy
C. Microsoft Sentinel
D. Regulatory compliance dashboard
E. Secure Score
Answers: D, E

Tracks compliance with standards like SOC 2, ISO 27001.

Why this answer

The Regulatory compliance dashboard in Defender for Cloud provides continuous monitoring of your Azure and hybrid workloads against industry standards like SOC 2, ISO 27001, PCI DSS, and Azure CIS. It dynamically tracks compliance posture over time, highlights non-compliant resources, and maps controls to specific assessments, directly supporting governance and compliance workflows.

Exam trap

The trap here is that candidates confuse Azure Policy or Azure Blueprints as features of Defender for Cloud, when they are separate Azure services that Defender for Cloud can integrate with but are not part of its feature set.

366
MCQ · hard

Your organization is deploying Microsoft Copilot for Security (Microsoft 365 Copilot). You need to design a solution that ensures Copilot queries are audited and that access to Copilot is restricted to authorized users based on their role. Which Microsoft Purview capabilities should you use together?

A. Data Lifecycle Management and Records Management
B. Audit (Standard) and Communication Compliance
C. Data Loss Prevention (DLP) and Insider Risk Management
D. eDiscovery and Compliance Manager
Answer: B

Audit logs all Copilot interactions; Communication Compliance monitors for inappropriate use.

Why this answer

Audit (Standard) captures and logs all Copilot for Security queries, providing a record of who asked what and when. Communication Compliance then allows you to define policies to review those queries for policy violations, such as unauthorized data sharing or inappropriate content, and restrict access based on user roles. Together, they fulfill both the auditing and role-based access control requirements.

Exam trap

The trap here is that candidates often confuse 'auditing' with 'data loss prevention' or 'insider risk management', but the question specifically requires both query auditing and role-based access restriction, which only Audit and Communication Compliance provide together.

How to eliminate wrong answers

Option A is wrong because Data Lifecycle Management and Records Management focus on retention, deletion, and preservation of data, not on auditing queries or restricting access based on role. Option C is wrong because Data Loss Prevention (DLP) prevents data exfiltration and Insider Risk Management detects risky user behavior, but neither provides the granular query-level auditing or role-based access control needed for Copilot queries. Option D is wrong because eDiscovery is for searching and exporting content for legal cases, and Compliance Manager is for managing compliance scores and controls, not for auditing or restricting access to Copilot queries.

367
MCQ · easy

Your organization uses Microsoft 365 and wants to prevent users from sharing sensitive documents externally via email. The solution must be able to detect credit card numbers and automatically block the email. Which technology should you use?

A. Microsoft Purview Sensitivity labels with auto-classification
B. Microsoft Defender for Office 365 Safe Attachments
C. Microsoft Purview Data Loss Prevention (DLP) policy for Exchange Online
D. Azure Information Protection (AIP) unified labeling client
Answer: C

DLP policies can detect sensitive data and block emails containing that data.

Why this answer

Option C is correct because Microsoft Purview DLP policies can automatically detect sensitive information types like credit card numbers and block emails. Option A is wrong because sensitivity labels are for classification, not for blocking. Option D is wrong because AIP (now part of Purview) is for labeling, not for blocking.

Option B is wrong because Microsoft Defender for Office 365 focuses on phishing and malware, not on DLP.

368
MCQ · medium

A company uses Microsoft Defender for Cloud Apps to enforce session policies. The security team needs to block downloads of sensitive files from Microsoft 365 when accessed from unmanaged devices. Which type of policy should they configure?

A. File policy
B. Data Loss Prevention (DLP) policy in Microsoft 365
C. Session policy
D. Access policy
Answer: C

Session policies monitor and control user activities in real-time based on device compliance.

Why this answer

Session policies in Defender for Cloud Apps allow real-time monitoring and control of user activities based on device state. Option C is correct. Option A is wrong because file policies are post-hoc, not real-time.

Option D is wrong because access policies govern access at the app level, not session-level controls. Option B is wrong because DLP policies in Microsoft 365 are broader and not tied to session enforcement.

369
MCQ · easy

Your organization needs to meet regulatory requirements that mandate keeping security audit logs for at least seven years. Which Microsoft Sentinel feature should you configure to comply with this requirement?

A. Configure data connectors to collect logs from all sources.
B. Adjust the data retention settings in the Log Analytics workspace used by Microsoft Sentinel.
C. Develop a playbook to export logs to Azure Blob Storage.
D. Create a workbook to archive logs to a storage account.
Answer: B

Retention settings control how long data is stored.

Why this answer

Option B is correct because retention settings in the Log Analytics workspace allow you to specify how long data is kept, up to seven years (or longer with archive). Option A (data connectors) is for ingestion, not retention. Option D (workbooks) is for visualization.

Option C (playbooks) is for automation.

370
Multi-Select · hard

Which THREE of the following are key components of a security operations strategy according to Microsoft's best practices?

Select 3 answers
A. Detection and analysis
B. Preparation including playbooks and training
C. Microsoft Sentinel deployment
D. Post-incident activity (containment, eradication, recovery)
E. Policy and standards development
Answers: A, B, D

Detection and analysis is the core of security operations, identifying and investigating threats.

Why this answer

Detection and analysis is a core component of a security operations strategy because it defines how security events are identified, triaged, and investigated. Microsoft's NIST-based SOC maturity model emphasizes continuous monitoring and analytics (e.g., using Microsoft Sentinel analytics rules, UEBA, and threat intelligence) to reduce mean time to detect (MTTD). Without robust detection and analysis, an organization cannot effectively respond to threats.

Exam trap

The trap here is confusing a specific Microsoft product (Sentinel) with a strategic component of the security operations lifecycle, leading candidates to select a tool name instead of the process phase it supports.

371
MCQ · medium

You are designing a security strategy for a hybrid identity infrastructure that uses Microsoft Entra ID. The company requires that all administrative access to on-premises servers be secured using least-privilege principles and just-in-time (JIT) access. You plan to implement Microsoft Entra Privileged Identity Management (PIM) for Azure resources, but on-premises servers are not Azure resources. Which solution should you use to provide JIT access to on-premises servers?

A. Install Azure Arc agents on the on-premises servers and use Azure Policy to enforce JIT access.
B. Deploy Windows Admin Center and integrate with Microsoft Entra ID for authentication.
C. Configure Azure Bastion to connect to on-premises servers via a site-to-site VPN.
D. Use Microsoft Entra Privileged Identity Management (PIM) for Groups to manage membership of an on-premises Active Directory group that has administrative privileges on the servers.
Answer: D

PIM for Groups can be used to manage on-premises AD group membership, enabling JIT access to on-premises servers.

Why this answer

Option D is correct because Microsoft Entra PIM for Groups allows you to manage just-in-time membership of an on-premises Active Directory group that is synced via Microsoft Entra Connect. When a user activates their membership in PIM, the group membership change is written back to on-premises AD via group writeback, granting temporary administrative privileges on the target servers. This extends PIM's JIT capabilities to non-Azure resources without requiring the servers to be Azure Arc-enabled.

Exam trap

The trap here is that candidates assume JIT access requires the target resource to be an Azure resource, overlooking that PIM for Groups with group writeback can extend JIT to on-premises Active Directory groups, which then control access to on-premises servers.

How to eliminate wrong answers

Option A is wrong because Azure Arc agents enable Azure Policy and guest configuration, but Azure Policy cannot enforce JIT access to on-premises servers—JIT is a PIM feature for Azure resources, not a policy effect. Option B is wrong because Windows Admin Center provides a management interface but does not natively support JIT or PIM-based activation; it relies on existing credentials and does not enforce time-bound, approved access. Option C is wrong because Azure Bastion is a PaaS service for secure RDP/SSH connectivity to Azure VMs only; it cannot be used to connect to on-premises servers even with a site-to-site VPN, as Bastion does not support hybrid network targets.

372
Multi-Select · medium

Your organization is implementing a Zero Trust architecture for access to cloud applications. Which TWO of the following are core components of the Microsoft Zero Trust model?

Select 2 answers
A. Microsoft Purview Data Loss Prevention policies to protect sensitive data
B. Conditional Access policies that enforce access decisions based on user, device, location, and risk
C. Microsoft Entra ID as the centralized identity provider for authentication and authorization
D. Microsoft Intune for mobile device management and application management
E. Microsoft Defender for Cloud to assess the security posture of cloud workloads
Answers: B, C

Conditional Access is a key pillar of Zero Trust, enforcing explicit verification.

Why this answer

Option B is correct because Conditional Access policies are the core policy engine in Microsoft's Zero Trust model, enforcing access decisions dynamically based on signals such as user identity, device health, location, and real-time risk. This aligns with the Zero Trust principle of 'never trust, always verify' by continuously evaluating each access request.

Exam trap

The trap here is that candidates often confuse supporting security tools (like Purview, Intune, or Defender for Cloud) with the core Zero Trust components, which are specifically the identity provider (Entra ID) and the policy enforcement engine (Conditional Access).

373
MCQ · hard

A company uses Microsoft Defender for Cloud to protect their hybrid environment. They have on-premises servers that are monitored by Microsoft Defender for Servers. The security team notices that some servers are missing critical security updates. They want to automatically remediate missing updates on these servers. Which feature should they enable?

A. Adaptive Application Controls
B. Azure Automation Update Management
C. Azure Update Manager
D. Just-in-Time (JIT) VM access
Answer: C

Integrated with Defender for Cloud to assess and remediate missing updates on servers.

Why this answer

Defender for Cloud can integrate with Azure Update Manager (formerly Update Management) to remediate missing updates. Option C is correct. Option B is wrong because Azure Automation Update Management is the legacy solution; the current recommendation is Azure Update Manager.

Option D is wrong because Just-in-Time access is for VM access control. Option A is wrong because Adaptive Application Controls are for allowing specific applications.

374
MCQhard

You are a security architect for a global financial services company. The company is adopting Microsoft Sentinel as its primary SIEM and Microsoft Defender XDR for endpoint, email, and identity protection. The company has a hybrid environment with on-premises Active Directory and Microsoft Entra ID. The SOC team needs to be able to investigate incidents that involve lateral movement between on-premises and cloud resources. Additionally, the company must comply with GDPR, requiring that personal data be protected and that data residency requirements are met: all security logs for EU users must remain within the EU. The company already has a Microsoft Sentinel workspace in the West Europe region. You need to design a solution that meets these requirements while minimizing administrative overhead. What should you do?

A.Deploy Azure Arc on on-premises servers and use Azure Policy to enforce log collection to the West Europe workspace.
B.Use the existing West Europe Sentinel workspace and ensure that all EU user logs are sent to that workspace via diagnostic settings.
C.Create a new Sentinel workspace in the EU region for EU logs and a separate workspace for non-EU logs.
D.Deploy a separate Sentinel workspace in each region where you have users.
AnswerB

A single workspace can collect logs from all regions; data residency is achieved by storing logs in the EU region.

Why this answer

Option B is correct because a single Sentinel workspace can collect logs from multiple regions, and using one workspace across regions is simpler to administer. For GDPR data residency, the logs are stored in the existing West Europe workspace, so diagnostic settings can route EU user logs there without creating separate workspaces. Option D is incorrect because multiple workspaces increase administrative overhead.

Option A is incorrect because Azure Arc onboards on-premises servers but does not change where log data resides. Option C is incorrect because a separate workspace for EU data adds complexity.

375
MCQhard

You are designing a network security solution for a multi-tier application in Azure that must meet PCI DSS compliance. You need to restrict traffic between tiers to only necessary ports and protocols. You also need to log all denied traffic for auditing. What is the most efficient design?

A.Deploy Azure Application Gateway in front of each tier. Use WAF policies to filter traffic.
B.Use network security groups (NSGs) on each subnet to allow/deny traffic by IP and port. Enable NSG flow logs for auditing.
C.Deploy Azure Firewall in a hub virtual network. Use application rules to allow specific FQDNs between tiers. Enable diagnostic logs and send them to a Log Analytics workspace.
D.Deploy a third-party NVA (e.g., Palo Alto) in the hub. Configure inter-tier routing through the NVA.
AnswerC

Provides L7 filtering and logging.

Why this answer

Option C is correct because Azure Firewall with application rules provides L7 (FQDN-based) filtering between tiers, and its diagnostic logs sent to a Log Analytics workspace capture denied traffic for auditing. Option B is wrong because NSGs lack L7 filtering, and NSG flow logs give less comprehensive visibility into denied traffic. Option A is wrong because Application Gateway is a load balancer with WAF, not a firewall for inter-tier traffic.

Option D is wrong because a third-party NVA adds complexity and cost without a clear benefit over Azure Firewall for this use case.
