Microsoft Cybersecurity Architect (SC-100) — Questions 376450

969 questions total · 13 pages · All types, answers revealed


Page 6 of 13

376
MCQ · hard

Refer to the exhibit. You run the PowerShell command against an Azure SQL Database. The command returns a baseline object for rule VA2108. What does this indicate about the database's vulnerability assessment configuration?

A. The vulnerability assessment scan is automatically remediating findings for rule VA2108
B. The security team has approved the current state of rule VA2108 as acceptable
C. Vulnerability assessment is disabled for this database
D. The database has no vulnerability findings
Answer: B

Setting a baseline indicates acceptance of the current state.

Why this answer

Option B is correct. The presence of a baseline for rule VA2108 means that previous findings for that rule have been approved, so the rule will not be flagged as a vulnerability in future scans. Option A is wrong because a baseline does not mean automatic remediation.

Option D is wrong because a baseline is set for specific rules, not all, so it does not mean there are no findings. Option C is wrong because vulnerability assessment is still enabled.

377
Multi-Select · medium

Your organization uses Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data in Microsoft 365. You need to create a DLP policy that detects and blocks sharing of credit card numbers in Exchange Online emails. Which TWO components must you configure?

Select 2 answers
A. Retention label for financial data
B. Auto-labeling policy
C. Action to block sharing
D. Sensitive info type for credit card number
E. Trainable classifier for credit card numbers
Answers: C, D

The DLP policy must have an action to block the email containing credit card data.

Why this answer

Option D is correct because a sensitive info type for credit card number is required to identify the data. Option C is correct because the action 'Block' must be set to prevent sharing. Option A is wrong because a retention label is for data retention, not DLP.

Option E is wrong because trainable classifiers are for complex patterns, but credit card numbers are a predefined sensitive info type. Option B is wrong because auto-labeling is separate from DLP.

378
MCQ · medium

A company uses Microsoft 365 and wants to protect sensitive documents from being shared externally. They need a solution that automatically classifies documents containing personally identifiable information (PII) and applies appropriate protection. Which two services should they combine?

A. Microsoft Defender for Cloud Apps and Microsoft Intune
B. Microsoft Purview Compliance Manager and Microsoft Sentinel
C. Azure Information Protection and Microsoft Entra ID
D. Microsoft Purview Information Protection and Data Loss Prevention (DLP)
Answer: D

Purview Information Protection classifies and labels documents, and DLP enforces policies to prevent external sharing.

Why this answer

Microsoft Purview Information Protection provides classification and labeling, while Data Loss Prevention (DLP) enforces protection actions. Option D is correct because these two services work together to automatically classify and protect documents. Option A is wrong because Microsoft Defender for Cloud Apps is for SaaS app security, not primarily for document classification.

Option C is wrong because Azure Information Protection is the predecessor, now part of Purview, and Microsoft Entra ID is for identity, not document classification.

379
MCQ · hard

Contoso, a healthcare provider, is deploying a new patient portal on Azure App Service that stores electronic health records (EHR) in Azure Cosmos DB for NoSQL. The solution must comply with HIPAA and HITRUST. You need to ensure that data is encrypted at rest and in transit, and that access is restricted based on user roles. Cosmos DB must be configured with a private endpoint to prevent public internet access. You plan to use Azure Key Vault to manage encryption keys. Additionally, the application will access Cosmos DB using a system-assigned managed identity. Which of the following is the most complete and secure design?

A. Enable encryption at rest using service-managed keys, enforce TLS 1.2, configure a service endpoint for Cosmos DB, and grant the managed identity access using Cosmos DB built-in roles (e.g., Cosmos DB Built-in Data Contributor).
B. Disable encryption at rest to improve performance, enforce TLS 1.2, configure a private endpoint, and use the managed identity with a read-write key in Azure Key Vault.
C. Enable encryption at rest using service-managed keys, enforce TLS 1.2, configure a firewall to allow only the App Service outbound IP, and use read-write keys in application settings.
D. Enable encryption at rest using a customer-managed key in Azure Key Vault, enforce TLS 1.2, configure a private endpoint for Cosmos DB, and grant the managed identity access via Azure RBAC with a custom role that allows read/write to specific containers.
Answer: D

CMK provides key control, private endpoint isolates network, managed identity eliminates key management, and RBAC provides fine-grained access.

Why this answer

Option D is correct because it enables both encryption at rest (with CMK) and encryption in transit (TLS 1.2), uses private endpoints for network isolation, and implements Azure RBAC for granular access control. Option C is wrong because service-managed keys do not meet HIPAA requirements for key control, and firewall rules are less secure than private endpoints. Option A is wrong because RBAC with Cosmos DB built-in roles does not support custom role-based access for patient data.

Option B is wrong because disabling encryption at rest is a security risk.

380
MCQ · hard

A large enterprise is designing a secure infrastructure for a multi-region application deployment. They have a hub-spoke topology in two Azure regions (East US and West US) with VNet peering between the hubs. Each region has a shared services spoke containing Azure AD Domain Services (AAD DS) and management jump boxes. Application spokes in each region host VMs that need to authenticate to the local AAD DS. The company mandates that all traffic between regions must traverse a network virtual appliance (NVA) for inspection, except for Azure management traffic. They also require that all outbound internet traffic from application VMs goes through a single Azure Firewall in the East US hub. They have deployed ExpressRoute to on-premises. Currently, application VMs in West US cannot authenticate to the local AAD DS. What is the most likely cause?

A. The Azure Firewall in East US is not configured to allow traffic from West US to AAD DS.
B. The VNet peering between East and West US hubs is not properly configured with 'Allow forwarded traffic' enabled.
C. The ExpressRoute circuit is down, causing traffic to be routed over the internet.
D. The route table for the West US application spoke has a default route (0.0.0.0/0) pointing to the NVA, causing traffic to AAD DS to be sent across regions.
Answer: D

This forces traffic to the NVA, which may route it out of region or cause asymmetric routing.

Why this answer

The most likely cause is that the route table for the West US application spoke has a default route (0.0.0.0/0) pointing to the NVA. This forces all outbound traffic, including traffic destined for the local AAD DS (which resides in the same region's shared services spoke), to be routed through the NVA and potentially across regions via the hub peering, rather than staying within the local VNet. Since AAD DS requires low-latency, direct connectivity within the same region, this misrouting prevents authentication.

Exam trap

The trap here is that candidates often assume the Azure Firewall or VNet peering is misconfigured, but the real issue is a routing override that forces local traffic through a non-local path, a classic 'asymmetric routing' or 'forced tunneling' pitfall in multi-region hub-spoke topologies.

How to eliminate wrong answers

Option A is wrong because the Azure Firewall in East US only inspects outbound internet traffic from application VMs; it does not handle intra-region traffic between West US application VMs and West US AAD DS, so its configuration is irrelevant to this issue. Option B is wrong because VNet peering between hubs is used for inter-region traffic, but the problem is that traffic is being forced across regions unnecessarily; the peering itself is likely functional, but the routing misdirects traffic. Option C is wrong because ExpressRoute is used for on-premises connectivity, not for Azure-to-Azure traffic between regions or within a region; its status does not affect local AAD DS authentication.

381
MCQ · hard

Your company uses Microsoft Azure to host a critical application that processes credit card payments. The application must comply with PCI DSS. You need to ensure that all access to cardholder data is logged and monitored, and that any unauthorized access attempts trigger an alert. Which combination of services should you use?

A. Azure Policy and Microsoft Defender for Cloud Apps
B. Azure Policy and Microsoft Defender for Cloud
C. Azure Key Vault and Microsoft Defender for Cloud
D. Azure Monitor and Microsoft Sentinel
Answer: D

Azure Monitor collects logs, and Sentinel provides alerting on suspicious activity.

Why this answer

Option D is correct: Azure Monitor logs access, and Microsoft Sentinel provides alerting. Options A and B are wrong: Azure Policy enforces compliance but does not log or alert, and Defender for Cloud provides security posture but not logging.

Option C is wrong: Key Vault is for secrets, not logging.

382
MCQ · medium

Your organization uses Microsoft Entra ID. You need to design a solution that requires users to perform multifactor authentication when accessing a critical application from an untrusted network. The solution should not require additional licensing beyond Microsoft Entra ID P1. What should you use?

A. Create a Conditional Access policy in Microsoft Entra ID.
B. Configure a risk-based policy in Microsoft Entra ID Protection.
C. Enable per-user MFA in Microsoft Entra ID.
D. Deploy a device compliance policy in Microsoft Intune.
Answer: A

Conditional Access policies can enforce MFA based on location and are included in P1.

Why this answer

Option A is correct because Conditional Access policies are included with Microsoft Entra ID P1 and can enforce MFA based on network location. Option B (ID Protection) requires P2 licensing. Option D (Intune) is for device management.

Option C (per-user MFA) is legacy and less flexible.

383
MCQ · hard

Your organization uses Microsoft Defender XDR for detection and response. You need to create a custom detection rule that alerts when a user performs more than 10 failed sign-ins from different countries within 5 minutes. Which component should you use?

A. Automation rule in Microsoft Sentinel
B. Custom detection rule in Microsoft 365 Defender
C. Analytics rule in Microsoft Sentinel
D. Attack simulation training
Answer: B

Custom detection rules in Microsoft 365 Defender use advanced hunting queries to create alerts.

Why this answer

Custom detection rules in Microsoft 365 Defender allow you to define advanced hunting queries that trigger alerts based on specific event patterns, such as more than 10 failed sign-ins from different countries within 5 minutes. This is the correct component because it operates directly on data within the Defender XDR ecosystem (e.g., AADSignInEventsBeta) without requiring data ingestion into Sentinel.

Exam trap

The trap here is that candidates confuse Microsoft Sentinel analytics rules (which require data ingestion) with Microsoft 365 Defender custom detection rules (which operate natively on Defender XDR data), leading them to choose Sentinel options when the question explicitly states 'Microsoft Defender XDR' as the platform.

How to eliminate wrong answers

Option A is wrong because automation rules in Microsoft Sentinel are used to automate incident response actions (e.g., assigning ownership or running playbooks), not to define detection logic based on raw event patterns. Option C is wrong because analytics rules in Microsoft Sentinel require data to be ingested into the Sentinel workspace first, whereas the question specifies using Microsoft Defender XDR directly for detection and response. Option D is wrong because attack simulation training is a phishing simulation and security awareness tool, not a detection mechanism for sign-in anomalies.

384
MCQ · medium

You are designing a security solution for containers running on Azure Kubernetes Service (AKS). The requirements include: scanning container images for vulnerabilities, enforcing runtime security, and generating alerts for suspicious activities. Which combination of services should you use?

A. Azure Security Center and Azure Policy
B. Azure Container Registry and Azure Monitor
C. Azure Policy and Azure Firewall
D. Microsoft Defender for Cloud with Defender for Containers plan
Answer: D

Provides image scanning, runtime security, and alerts.

Why this answer

Option D is correct because Microsoft Defender for Containers provides image scanning and runtime threat detection integrated with AKS. Option A is wrong because Azure Security Center is now part of Defender for Cloud, but the specific plan required is Defender for Containers. Option C is wrong because Azure Policy can enforce configurations but not runtime security.

Option B is wrong because Azure Container Registry provides image storage, not scanning.

385
MCQ · hard

An organization uses Microsoft Purview to enforce data loss prevention (DLP) policies. They need to prevent users from pasting sensitive data into AI-powered tools like Microsoft Copilot. Which DLP rule condition should they configure?

A. Cloud app includes Microsoft Copilot
B. Content is shared with external users
C. Access from unmanaged devices
D. File extension is .docx or .pdf
Answer: A

This condition allows targeting specific apps.

Why this answer

To prevent users from pasting sensitive data into AI-powered tools like Microsoft Copilot, you need to configure a DLP rule condition that targets the specific application. The 'Cloud app includes Microsoft Copilot' condition allows the DLP policy to inspect and block sensitive content when it is being pasted into Copilot, as Copilot is a cloud app that can be monitored via Microsoft Purview's endpoint DLP and cloud app discovery capabilities.

Exam trap

The trap here is that candidates may think DLP only applies to file sharing or external sharing, but Microsoft Purview DLP can also monitor and block clipboard-based paste actions into specific cloud apps like Copilot using the 'Cloud app includes' condition.

How to eliminate wrong answers

Option B is wrong because 'Content is shared with external users' controls data sharing outside the organization, but does not target the specific action of pasting into an AI tool like Copilot, which may be an internal app. Option C is wrong because 'Access from unmanaged devices' restricts data access based on device compliance, not the destination application or the paste action. Option D is wrong because 'File extension is .docx or .pdf' filters by file type, which is irrelevant to the action of pasting data into an AI tool; DLP policies for paste actions require app-based conditions, not file extension conditions.

386
MCQ · hard

A company uses Azure Policy to enforce compliance. They want to automatically remediate non-compliant resources by deploying a custom template. Which effect should they use in the policy definition?

A. DeployIfNotExists
B. Audit
C. Disabled
D. Deny
Answer: A

DeployIfNotExists triggers deployment of a template when a resource is non-compliant.

Why this answer

The DeployIfNotExists effect is correct because it allows Azure Policy to automatically remediate non-compliant resources by deploying a custom ARM template when the resource is found to be non-compliant. This effect is specifically designed for automatic remediation scenarios, as it triggers a deployment to bring the resource into compliance without manual intervention.

Exam trap

The trap here is that candidates often confuse DeployIfNotExists with Deny, thinking that blocking non-compliant resources is sufficient for remediation, but Deny only prevents future non-compliance and does not fix existing resources.

How to eliminate wrong answers

Option B (Audit) is wrong because it only logs non-compliance events without any remediation action, so it cannot automatically fix resources. Option C (Disabled) is wrong because it disables the policy entirely, preventing any evaluation or remediation. Option D (Deny) is wrong because it blocks the creation or update of non-compliant resources but does not remediate already existing non-compliant resources, which is required for automatic remediation.

387
MCQ · hard

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. You need to design a solution that automatically creates an incident in Sentinel when a high-severity alert is generated in Defender for Cloud. What should you configure?

A. Enable the Microsoft Defender for Cloud data connector and create an analytics rule
B. Create a workbook to track alerts
C. Create a playbook in Microsoft Sentinel
D. Use a watchlist to import alerts
Answer: A

Data connector ingests alerts; analytics rule creates incidents.

Why this answer

The Microsoft Defender for Cloud data connector ingests security alerts from Defender for Cloud into Microsoft Sentinel. Once ingested, you create an analytics rule with a rule query that triggers on high-severity alerts and configures the rule to automatically create an incident. This is the standard method to convert a Defender for Cloud alert into a Sentinel incident without manual intervention.

Exam trap

The trap here is that candidates often confuse a playbook (which automates responses) with the analytics rule that actually creates the incident, or they think a workbook or watchlist can trigger incident creation, but only an analytics rule with the proper data connector can automatically generate incidents from ingested alerts.

How to eliminate wrong answers

Option B is wrong because a workbook is a visualization tool for dashboards and reports, not a mechanism to create incidents from alerts. Option C is wrong because a playbook automates response actions (e.g., sending emails or blocking IPs) after an incident is created, but it does not itself generate the incident from a Defender for Cloud alert. Option D is wrong because a watchlist is a collection of static data (e.g., IP addresses or hostnames) used for correlation or enrichment in analytics rules, not a method to import live alerts and create incidents.

388
MCQ · easy

A company uses Azure DevOps for CI/CD. The security team wants to ensure that secrets like API keys and connection strings are never stored in code repositories. Which best practice should they recommend?

A. Use environment variables in the pipeline YAML
B. Use Azure Key Vault references in Azure DevOps variable groups
C. Encrypt secrets using Git-secret and commit to repo
D. Store secrets in Azure App Configuration with encryption
Answer: B

Key Vault references securely fetch secrets at pipeline runtime.

Why this answer

Option B is correct because Azure Key Vault references in Azure DevOps variable groups allow secrets to be securely linked to pipelines without ever storing them in code repositories. At pipeline runtime, the agent retrieves the secret value directly from Azure Key Vault using a managed identity or service principal, ensuring secrets are never exposed in YAML files, logs, or build artifacts.

Exam trap

The trap here is that candidates confuse Azure App Configuration (which is for app-level settings) with Azure Key Vault (which is the correct service for secret management in CI/CD pipelines), or they assume that encrypting secrets before committing them is acceptable, when the best practice is to never store secrets in repositories at all.

How to eliminate wrong answers

Option A is wrong because environment variables in pipeline YAML still require the secret value to be defined somewhere in the pipeline definition or as a plain-text variable, which can be exposed in logs or repository history. Option C is wrong because committing encrypted secrets to a repo using Git-secret still stores the encrypted blob in the repository, violating the principle of never storing secrets in code; decryption keys must also be managed, increasing risk. Option D is wrong because Azure App Configuration with encryption is designed for application configuration settings, not for CI/CD pipeline secrets; it lacks native integration with Azure DevOps variable groups and does not support dynamic secret retrieval during pipeline execution.

389
MCQ · easy

Your company is designing a solution to store sensitive documents in Azure Files. The files must be encrypted at rest and in transit. Which two configurations are required? (Each correct answer presents part of the solution.)

A. Enable Azure Disk Encryption on the VMs that mount the share.
B. Configure the storage account to use HTTPS only.
C. Enable Azure Storage Service Encryption (SSE) for the storage account.
D. Configure the Azure file share to require SMB 3.0 with encryption.
E. Use Azure File Sync to sync files to on-premises servers.
Answers: C, D

SSE encrypts data at rest automatically.

Why this answer

Options C and D are correct. Encryption at rest is provided by Azure Storage Service Encryption (SSE). Encryption in transit is provided by SMB 3.0 with encryption.

Option E is wrong because Azure File Sync does not provide encryption at rest or in transit for the file share itself. Option A is wrong because Azure Disk Encryption is for VMs, not Azure Files. Option B is wrong because TLS is for HTTPS, not SMB.

390
MCQ · hard

Your organization uses Microsoft Intune to manage devices. You need to deploy a line-of-business (LOB) app to iOS devices that is not available in the public App Store. The app is signed with an enterprise certificate. Which app deployment method should you use?

A. Android Enterprise managed Google Play
B. Volume Purchase Program (VPP) token
C. Microsoft Store for Business
D. iOS line-of-business app deployment in Intune
Answer: D

Supports enterprise-signed LOB apps.

Why this answer

Option D is correct because Intune can deploy LOB apps to iOS devices using enterprise certificate signing and MDM distribution. Option B is wrong because the VPP store only contains public apps. Option A is wrong because Android Enterprise is not for iOS.

Option C is wrong because Microsoft Store for Business is for Windows apps.

391
MCQ · easy

A company is implementing a zero-trust network for their Azure environment. They want to ensure that only authenticated and authorized users can access specific VMs, regardless of network location. Which Azure service should they use?

A. Just-in-Time (JIT) VM Access
B. Azure Bastion
C. Site-to-Site VPN
D. Network Security Groups (NSGs)
Answer: B

Provides secure, identity-based access to VMs without exposing public IPs.

Why this answer

Option B is correct because Azure Bastion provides secure RDP/SSH access to VMs without public IPs, and integrates with Entra ID for authentication. Option C is wrong because site-to-site VPN requires network connectivity, not zero-trust. Option A is wrong because Just-in-Time (JIT) VM access reduces exposure but still requires a public IP.

Option D is wrong because NSGs filter by IP, not user identity.

392
MCQ · hard

Refer to the exhibit. You are reviewing an Azure Policy definition for storage accounts. You assign this policy with effect set to 'Deny' on a resource group. Which of the following scenarios will be blocked by this policy?

A. Creating a storage account with a firewall set to deny all public access
B. Creating a storage account with TLS 1.0 enabled
C. Creating a storage account with blob service encryption disabled
D. Creating a storage account with infrastructure encryption disabled
Answer: C

The policy denies if blob service encryption is not enabled.

Why this answer

Option C is correct because the policy denies storage accounts that do not have blob service encryption enabled. Option D is wrong because the policy checks blob service encryption, not infrastructure encryption. Option B is wrong because the policy does not check TLS version.

Option A is wrong because the policy does not check network access.

393
MCQ · medium

Your organization is migrating on-premises Active Directory to Microsoft Entra ID. You need to design a solution that aligns with the Zero Trust principle of 'verify explicitly'. Which approach should you recommend for user authentication?

A. Deploy passwordless authentication using Microsoft Authenticator with phone sign-in for all users
B. Enable users to sign in with Windows Hello for Business and allow password recovery via self-service
C. Implement password hash synchronization and enforce MFA only for privileged users
D. Deploy passwordless authentication using FIDO2 security keys for all users
Answer: D

FIDO2 security keys provide strong, phishing-resistant authentication without passwords, aligning with Zero Trust verify explicitly.

Why this answer

D is correct because FIDO2 security keys provide phishing-resistant, passwordless authentication that aligns with the Zero Trust 'verify explicitly' principle by requiring a hardware-bound cryptographic proof of identity at every sign-in. This eliminates reliance on shared secrets (passwords) and ensures that authentication is explicitly verified through a physical device, meeting the strictest security requirements for user authentication.

Exam trap

The trap here is that candidates often confuse 'passwordless' with 'phishing-resistant,' assuming any passwordless method (like Authenticator) meets Zero Trust requirements, but only FIDO2 keys provide the hardware-backed, explicit verification that fully satisfies the 'verify explicitly' principle.

How to eliminate wrong answers

Option A is wrong because Microsoft Authenticator with phone sign-in, while passwordless, relies on a mobile device that can be compromised via phishing or device theft, and does not provide the same hardware-backed, phishing-resistant assurance as FIDO2 keys. Option B is wrong because Windows Hello for Business, though strong, still allows password recovery via self-service, which reintroduces a password-based fallback that violates the 'verify explicitly' principle by not requiring explicit verification at every step. Option C is wrong because password hash synchronization retains the use of passwords, which are inherently vulnerable to replay and phishing, and enforcing MFA only for privileged users leaves non-privileged users without explicit verification, contradicting the Zero Trust mandate to verify every access request.

394
MCQ · medium

Refer to the exhibit. You are analyzing a KQL query in Microsoft Sentinel that detects machines with more than two malware alerts in a day. The query returns no results even though you know there are machines with multiple malware alerts. What is the most likely reason?

A. The 'summarize' function is incorrectly used and creates duplicate counts.
B. The query filters out alerts with severity less than 'High'.
C. The query does not include a time range filter, so it returns data from all time.
D. The alert name in the environment is not exactly 'Malware detected'; it might include a suffix like 'on endpoint'.
Answer: D

The exact string match is too restrictive.

Why this answer

Option D is correct because the KQL query likely uses a hardcoded string 'Malware detected' in a where clause to filter alerts. If the actual alert names in the environment include a suffix like 'on endpoint' (e.g., 'Malware detected on endpoint'), the exact string match fails, causing the query to return no results. This is a common issue when alert naming conventions vary across Microsoft Defender for Endpoint or other data sources ingested into Sentinel.

Exam trap

The trap here is that candidates assume the query logic is correct and focus on aggregation or time range issues, overlooking the exact string match requirement in KQL, which is a frequent cause of false negatives in detection queries.

How to eliminate wrong answers

Option A is wrong because the 'summarize' function, when used with 'dcount' or 'count', does not create duplicate counts; it aggregates correctly. If duplicates existed, the query would return results, not zero. Option B is wrong because the query does not filter on severity; the question states it detects 'more than two malware alerts in a day' without any severity filter, so excluding high severity would not cause zero results if lower severity alerts exist.

Option C is wrong because omitting a time range filter would cause the query to return data from all time, which would likely return more results, not zero; the issue is the opposite—no results despite known alerts.

395
MCQ · hard

You are designing a secure hybrid network architecture that connects an on-premises data center to Azure. The requirements include: encrypted traffic, high availability across two Azure regions, and automatic failover. You need to recommend a connectivity solution that meets these requirements. What should you use?

A. Azure Point-to-Site VPN
B. Azure ExpressRoute with VPN gateway failover
C. Azure Site-to-Site VPN with active-passive configuration
D. Azure ExpressRoute with Microsoft Peering
Answer: B

Provides encrypted, highly available connectivity with automatic failover.

Why this answer

Option B is correct because ExpressRoute with VPN gateway failover provides encrypted connectivity with high availability and automatic failover across regions. Option C is wrong because Site-to-Site VPN alone may not meet high availability requirements. Option D is wrong because ExpressRoute alone does not encrypt traffic by default.

Option A is wrong because Point-to-Site VPN is for individual clients, not site-to-site.

396
Multi-Select · medium

Which TWO actions should you take to implement a Zero Trust security strategy for identity and access? (Choose two.)

Select 2 answers
A. Require Multi-Factor Authentication for all users.
B. Use VPN for remote access to the corporate network.
C. Implement Conditional Access policies that evaluate user, device, and location.
D. Rely on strong passwords only.
E. Create shared accounts for temporary workers.
Answers: A, C

MFA is a key Zero Trust control.

Why this answer

Options A and C are correct. Option A is correct because Multi-Factor Authentication is a fundamental Zero Trust control. Option C is correct because Conditional Access enforces policies based on signals such as user, device, and location.

Option B is incorrect because VPN is a perimeter-based approach, not Zero Trust. Option E is incorrect because shared accounts violate the principle of least privilege. Option D is incorrect because passwords alone are not sufficient.

397
MCQ · medium

Refer to the exhibit. You create this conditional access policy in Microsoft Entra ID. What is the result?

A. Requires MFA for medium and high risk users for all applications
B. Blocks sign-ins from medium and high risk users for all applications
C. Blocks sign-ins from low risk users for all applications
D. Blocks sign-ins from medium and high risk users only for selected applications
Answer: B

The policy applies to all applications and blocks sign-ins for medium or high user risk levels.

Why this answer

The conditional access policy shown assigns the 'Block access' control to the 'Medium and High' risk levels for 'All cloud apps'. This means any sign-in from a user or session detected as medium or high risk will be blocked, regardless of the application. Option B correctly identifies this outcome.

Exam trap

The trap here is that candidates often confuse 'Block access' with 'Require MFA' when they see risk levels, assuming the policy will prompt for MFA instead of outright blocking the sign-in.

How to eliminate wrong answers

Option A is wrong because the policy uses 'Block access', not 'Grant access' with MFA, so it does not require MFA. Option C is wrong because the policy targets 'Medium and High' risk levels, not 'Low' risk. Option D is wrong because the policy applies to 'All cloud apps', not only selected applications.

398
MCQeasy

Your organization uses Microsoft Purview to classify and protect sensitive data. You need to prevent users from accidentally sharing files that contain credit card numbers via email. What should you configure in Microsoft Purview?

A.Enable Microsoft Defender for Cloud Apps session policy to monitor file downloads.
B.Configure a retention policy for files containing credit card numbers.
C.Implement a data loss prevention (DLP) policy that detects credit card numbers and blocks email sharing.
D.Create a sensitivity label that automatically classifies credit card numbers.
AnswerC

DLP policies can detect sensitive data and enforce actions like block or warn.

Why this answer

Data Loss Prevention (DLP) policies in Microsoft Purview can detect sensitive information types like credit card numbers and block sharing via email. Sensitivity labels can be applied automatically but do not block sharing by themselves. The correct answer is DLP policy.

399
MCQhard

A global enterprise uses Microsoft Entra ID with Privileged Identity Management (PIM) and Conditional Access. They need to ensure that all privileged role activations require an approval workflow, and that the approval process is documented for compliance. What configuration should they implement?

A.Create a Conditional Access policy requiring an Authentication Strength
B.In PIM, edit the role settings to require approval for activation
C.Configure an access review for the privileged roles
D.Create a role-assignable group and assign the privileged role to the group
AnswerB

This enforces approval each time a role is activated.

Why this answer

Option B is correct because PIM approvals require configuring the role settings with approval required. Option D is incorrect because role-assignable groups are for group-based assignments, not approval workflows. Option C is incorrect because access reviews are for periodic review, not per-activation approval.

Option A is incorrect because Authentication Strengths control MFA, not approval.

400
MCQhard

A financial services organization is designing a zero-trust architecture for its Azure environment. They need to ensure that all administrative access to critical systems uses just-in-time (JIT) access and that privileged role assignments are time-bound. Which combination of Microsoft security best practices should they implement?

A.Azure AD Conditional Access and Azure AD Identity Protection
B.Azure Policy and Azure Blueprints
C.Azure Sentinel and Azure Workbook
D.Azure AD Privileged Identity Management (PIM) and Azure Bastion
AnswerD

PIM provides time-bound privileges; Bastion provides JIT VM access.

Why this answer

Azure AD Privileged Identity Management (PIM) provides just-in-time (JIT) activation and time-bound role assignments for privileged roles, directly meeting the requirement for time-bound administrative access. Azure Bastion enables secure, audited RDP/SSH access to Azure VMs without exposing public IP addresses, ensuring that administrative sessions are isolated and monitored. Together, they enforce zero-trust principles by granting ephemeral, scoped access to critical systems.

Exam trap

The trap here is that candidates confuse Azure AD Conditional Access (which controls sign-in conditions) with PIM’s JIT role activation, or they assume Azure Bastion is only a connectivity tool rather than a critical component of zero-trust administrative access.

How to eliminate wrong answers

Option A is wrong because Azure AD Conditional Access and Identity Protection focus on user sign-in risk and session controls, not on time-bound role assignments or JIT access to Azure resources. Option B is wrong because Azure Policy and Blueprints enforce compliance and resource governance (e.g., tagging, allowed locations), but they do not provide JIT activation or time-bound privileged role management. Option C is wrong because Azure Sentinel and Workbooks are for security information and event management (SIEM) and visualization, not for controlling privileged access or session isolation.

401
MCQmedium

You are designing a security solution for Azure Kubernetes Service (AKS). You need to ensure that only authorized container images from a private container registry can run in the cluster. What should you configure?

A.Use Azure Policy to enforce that containers run only from allowed registries.
B.Implement Azure Container Registry tasks to scan images.
C.Configure network policies in AKS to block outbound traffic to public registries.
D.Enable Microsoft Defender for Containers to block unauthorized images.
AnswerA

Azure Policy for Kubernetes has a built-in policy to restrict container images.

Why this answer

Option A is correct because Azure Policy for Kubernetes can enforce using only images from specific registries via the built-in policy 'Ensure only allowed container images'. Option C is wrong because AKS network policies control traffic, not image source. Option B is wrong because Azure Container Registry tasks build images; they do not enforce usage.

Option D is wrong because Microsoft Defender for Containers provides threat detection, not image authorization.

402
Multi-Selecthard

Which THREE components are required to implement a Zero Trust network architecture using Microsoft Entra Internet Access (formerly Microsoft 365 Network Connectivity)?

Select 3 answers
A.Conditional Access policies
B.Azure AD Application Proxy
C.Site-to-site VPN
D.Microsoft Intune device compliance policies
E.Microsoft Entra Internet Access (Microsoft Global Secure Access)
AnswersA, D, E

Enforces access controls based on user, device, and location.

Why this answer

Options A, D, and E are correct because Entra Internet Access, Conditional Access, and Intune compliance are core Zero Trust components. Option C is wrong because VPN is traditional perimeter security. Option B is wrong because Azure AD Application Proxy (now Entra Application Proxy) is for legacy app publishing.

403
Multi-Selectmedium

Your organization uses Microsoft 365 and wants to protect against phishing attacks. Which TWO configurations should you recommend?

Select 2 answers
A.Enable anti-spoofing protection in Exchange Online Protection.
B.Configure DMARC policy to reject spoofed emails.
C.Enable Safe Links and Safe Attachments in Microsoft Defender for Office 365.
D.Require MFA for all external email access.
E.Configure DLP policies to detect sensitive data in email.
AnswersA, C

Anti-spoofing helps detect phishing emails.

Why this answer

Option C is correct because Safe Links and Safe Attachments in Defender for Office 365 protect against malicious links and attachments. Option A is correct because anti-spoofing protection in Exchange Online Protection helps prevent phishing. Option B is wrong because DMARC is for email authentication, not phishing protection.

Option D is wrong because MFA is for authentication, not phishing. Option E is wrong because DLP is for data protection.

404
MCQhard

Your company uses Microsoft Defender for Cloud Apps (MDA). You need to create a policy that automatically suspends a user's access to a cloud app if the user is confirmed as compromised by Microsoft Entra ID Protection. Which policy type should you use?

A.Session policy
B.Access policy
C.App permissions policy
D.Anomaly detection policy
AnswerA

Session policies can use risk from Microsoft Entra ID Protection to block access.

Why this answer

A session policy in Microsoft Defender for Cloud Apps can be configured to take real-time actions based on risk signals from Microsoft Entra ID Protection. When a user is confirmed as compromised, a session policy can enforce automatic suspension of access to cloud apps by blocking the session or requiring reauthentication, directly addressing the requirement.

Exam trap

The trap here is that candidates often confuse session policies with access policies, assuming access policies handle user risk-based suspension, but access policies lack the real-time session control and direct Entra ID Protection integration that session policies provide.

How to eliminate wrong answers

Option B (Access policy) is wrong because access policies in Defender for Cloud Apps control access based on device, location, or app permissions, but they do not natively integrate with Entra ID Protection's user risk signals to trigger automatic suspension upon compromise confirmation. Option C (App permissions policy) is wrong because it governs OAuth app permissions (e.g., revoking app consent) rather than user-level access suspension based on identity risk. Option D (Anomaly detection policy) is wrong because it detects unusual behavior patterns (e.g., impossible travel) but does not directly respond to a confirmed compromise signal from Entra ID Protection; it generates alerts rather than enforcing automatic access suspension.

405
MCQmedium

You are designing a data classification strategy for a Microsoft 365 tenant. You need to automatically classify documents that contain personally identifiable information (PII) and apply a retention label. Which Microsoft Purview feature should you use?

A.Auto-labeling policies
B.Trainable classifiers
C.Manual labeling
D.Data Loss Prevention (DLP) policies
AnswerA

Auto-labeling policies can automatically apply labels based on sensitive info types.

Why this answer

Option A is correct: auto-labeling policies in Purview can automatically classify and apply labels based on sensitive information types. Option B is wrong: trainable classifiers require training and are for more complex classification, not automatic for PII. Option C is wrong: manual labeling is not automatic.

Option D is wrong: DLP policies are for enforcement, not automatic labeling.

406
MCQhard

Refer to the exhibit. You are evaluating an Azure Policy definition that checks whether a web app redirects HTTP to HTTPS. The policy uses 'auditIfNotExists' effect. After assigning this policy to a subscription, you notice that a web app that does not redirect HTTP to HTTPS is marked as 'Healthy'. What is the most likely cause?

A.The policy assignment is scoped to a management group that does not include the web app's subscription.
B.The custom assessment referenced in the policy does not exist in Microsoft Defender for Cloud.
C.The policy definition has a syntax error in the 'existenceCondition' field.
D.The web app is not running and therefore not assessed.
AnswerB

If the custom assessment does not exist, the policy cannot evaluate it and defaults to compliant.

Why this answer

The 'auditIfNotExists' effect in Azure Policy requires a linked assessment in Microsoft Defender for Cloud to evaluate the existence condition. If the custom assessment referenced in the policy does not exist in Defender for Cloud, the policy cannot detect the missing HTTP-to-HTTPS redirect, causing non-compliant resources to be incorrectly marked as 'Healthy'.

Exam trap

The trap here is that candidates assume 'auditIfNotExists' works independently like 'audit' or 'deny', but it requires a pre-existing Defender for Cloud assessment to function, and a missing assessment silently produces a 'Healthy' result.

How to eliminate wrong answers

Option A is wrong because if the policy assignment scope (management group) did not include the web app's subscription, the web app would not be evaluated at all, not marked as 'Healthy'. Option C is wrong because a syntax error in the 'existenceCondition' field would cause the policy to fail during evaluation or return an error, not silently mark resources as 'Healthy'. Option D is wrong because Azure Policy evaluates the configuration of the web app resource itself, not its runtime state; a stopped web app is still assessed for compliance.

407
Multi-Selectmedium

A company uses Microsoft Defender for Cloud to assess compliance with Azure Security Benchmark (ASB). The security team wants to ensure that all recommendations are being followed. Which three actions should the team take to manage and remediate recommendations effectively?

Select 3 answers
A.Enable continuous export of compliance data to Log Analytics or Event Hubs.
B.Manually remediate all high-severity recommendations each month.
C.Create exemption rules for resources that are compliant by other means.
D.Enable automatic provisioning of the Log Analytics agent for all supported VMs.
E.Disable recommendations that are not applicable to the environment.
AnswersA, C, D

Continuous export allows for long-term retention and analysis of compliance data.

Why this answer

Option A is correct because enabling continuous export of compliance data to Log Analytics or Event Hubs allows the security team to centralize, query, and monitor compliance data over time. This is essential for tracking the status of all Azure Security Benchmark recommendations, creating custom alerts, and integrating with SIEM or automation workflows, rather than relying on manual checks.

Exam trap

The trap here is that candidates may think manual monthly remediation (Option B) is sufficient for compliance, but the SC-100 exam emphasizes continuous, automated monitoring and remediation as a core principle of a secure operations strategy.

408
MCQhard

Your organization uses Microsoft Sentinel to detect threats. You need to design a solution that automatically remediates a detected threat on an Azure VM by isolating the VM from the network. What should you use?

A.Create a Microsoft Sentinel automation rule that triggers a playbook to run an Azure Automation runbook to modify the NSG.
B.Configure a Log Analytics workspace query to run on a schedule and automatically block the VM.
C.Use Azure Policy to audit and automatically remediate non-compliant VMs.
D.Enable Microsoft Defender for Cloud's 'Just-in-time VM access' policy.
AnswerA

Sentinel playbooks can automate remediation via Azure Automation.

Why this answer

Option A is correct because Microsoft Sentinel can trigger a playbook (automation rule) that runs an Azure Automation runbook to modify the NSG and isolate the VM. Option B is wrong because Log Analytics workspace doesn't have remediation actions. Option C is wrong because Azure Policy is for compliance, not incident response.

Option D is wrong because Defender for Cloud has some automation, but Sentinel playbook is the designed method for automated response.

409
MCQhard

Your company is designing a Zero Trust network for a hybrid workforce. Remote users connect via VPN to on-premises resources, while cloud apps use Microsoft Entra ID. You need to enforce conditional access based on device compliance and user risk. Which Microsoft security solution should you integrate with Entra ID to provide real-time device posture signals?

A.Microsoft Purview
B.Microsoft Intune
C.Microsoft Defender for Cloud Apps
D.Microsoft Sentinel
AnswerB

Intune manages device compliance and provides signals to Entra ID for conditional access.

Why this answer

Option B is correct because Microsoft Intune provides device compliance policies that integrate with Entra ID Conditional Access. Option C is wrong because Microsoft Defender for Cloud Apps is a CASB, not a device management solution. Option A is wrong because Microsoft Purview focuses on data governance.

Option D is wrong because Microsoft Sentinel is a SIEM/SOAR, not a device management tool.

410
MCQhard

Your organization uses Microsoft Purview Information Protection to classify and protect sensitive data. The compliance team wants to automatically apply a 'Highly Confidential' sensitivity label to emails that contain credit card numbers. Which solution should you configure?

A.Microsoft Purview auto-labeling policy
B.Microsoft Defender for Office 365 Safe Attachments policy
C.Microsoft 365 Data Loss Prevention (DLP) policy
D.Microsoft Endpoint DLP
AnswerA

Auto-labeling can apply labels based on sensitive info types in emails.

Why this answer

Option A is correct because Microsoft Purview auto-labeling policies can automatically apply sensitivity labels based on sensitive information types like credit card numbers. Option C is wrong because Microsoft 365 DLP policies block or warn; they do not apply labels. Option D is wrong because Endpoint DLP protects data on devices, not email.

Option B is wrong because Microsoft Defender for Office 365 protects against threats, not data classification.

411
Multi-Selecthard

Your company is designing a zero-trust security posture for a new application in Azure. The application uses Azure Functions, Azure SQL Database, and Azure Blob Storage. You need to ensure that data in transit is encrypted and that the application can authenticate without storing secrets in code. Which THREE actions should you take?

Select 3 answers
A.Enable 'Enforce minimum TLS version' on the Blob Storage account
B.Configure the application to use TLS 1.2 or higher for all connections
C.Use managed identity for Azure Functions to access Azure SQL Database
D.Enable customer-managed keys (CMK) for Azure SQL Database
E.Configure the Azure SQL firewall to allow only the Functions IP range
AnswersA, B, C

Ensures clients use TLS 1.2+ for encrypted connections.

Why this answer

Options A, B, and C are correct. Enforcing TLS 1.2 encrypts data in transit, managed identity for Azure Functions provides secretless authentication to Azure SQL, and enforcing a minimum TLS version on Blob Storage ensures encrypted connections. Option E is wrong because firewall rules do not encrypt data.

Option D is wrong because CMK is for encryption at rest, not in transit.

412
MCQhard

Refer to the exhibit. You are analyzing a KQL query in Microsoft Sentinel. What is the purpose of this query?

A.Correlate malware alerts with device OS version
B.List all malware alerts in the last 7 days
C.Identify malware alerts on unmanaged devices
D.Show device inventory for unmanaged devices
AnswerC

The query filters on `IsManaged == false`.

Why this answer

The query uses the `DeviceInfo` table to filter for devices where `IsManaged` is `false`, then joins with `SecurityAlert` to find alerts where `AlertName` contains 'Malware'. This specifically identifies malware alerts generated on unmanaged devices, not all malware alerts or a general device inventory.

Exam trap

The trap here is that candidates may confuse the purpose of the query as simply listing all malware alerts (Option B) or showing device inventory (Option D), overlooking the critical `IsManaged == false` filter that narrows the scope to unmanaged devices.

How to eliminate wrong answers

Option A is wrong because the query does not correlate malware alerts with device OS version; it only filters on `IsManaged` and `AlertName`, with no reference to OS version fields. Option B is wrong because the query does not list all malware alerts in the last 7 days; it restricts results to alerts on unmanaged devices (IsManaged == false) and does not include a time filter for the last 7 days. Option D is wrong because the query returns alerts, not a device inventory; the output includes alert details (e.g., AlertName, TimeGenerated) rather than a list of devices.

413
MCQmedium

Refer to the exhibit. You receive an alert from Microsoft Defender for Cloud Apps. You need to investigate this alert in Microsoft Sentinel. Which Microsoft Sentinel feature should you use to visualize the relationship between the user account and the IP address?

A.Configure an automation rule to trigger a playbook.
B.Run a hunting query to search for similar alerts.
C.Use the Investigation graph to explore the entities involved.
D.Create a new workbook to display the alert details.
AnswerC

The investigation graph visually maps entities and their connections.

Why this answer

Option C is correct because the investigation graph in Microsoft Sentinel provides a visual representation of entities and their relationships, which is ideal for understanding connections between a user and an IP address. Option D (workbook) is for dashboards. Option B (hunting query) is for proactive threat hunting.

Option A (automation rule) is for automated responses.

414
MCQeasy

You are designing a secure DevOps pipeline using GitHub Actions and Azure. The security team requires that all container images pushed to Azure Container Registry (ACR) are scanned for vulnerabilities before deployment. If critical vulnerabilities are found, the pipeline must fail. What should you integrate into the pipeline?

A.Configure Azure Policy to require image scanning before deployment
B.Integrate Microsoft Defender for Cloud with Azure Container Registry scanning and configure a GitHub Actions step to check scan results
C.Deploy Azure Bastion to scan images during build
D.Use Azure Security Center (legacy) to scan images on push
AnswerB

Defender for Cloud provides vulnerability scanning for ACR images and can be queried via API.

Why this answer

Option B is correct because Microsoft Defender for Cloud can scan container images in ACR for vulnerabilities and integrate with GitHub Actions to fail the pipeline on critical findings. Option D is wrong because Azure Security Center is now part of Defender for Cloud. Option A is wrong because Azure Policy can enforce compliance but cannot scan images.

Option C is wrong because Azure Bastion is for secure remote access.

415
MCQhard

You are designing a secure access strategy for a manufacturing plant using Azure IoT Hub and Azure Defender for IoT. The plant has unpatched legacy PLCs that cannot be updated. What is the best approach to prevent these devices from being compromised and used as an entry point into the corporate network?

A.Use Azure VPN Gateway to connect PLCs to the virtual network.
B.Implement network micro-segmentation using Azure Firewall and NSGs to isolate the PLCs from the corporate network.
C.Install the Microsoft Defender for IoT micro-agent on each PLC.
D.Enforce TLS 1.2 for all PLC communications.
AnswerB

Isolation limits the blast radius if a device is compromised.

Why this answer

Option B is correct because micro-segmentation with network security groups (NSGs) and Azure Firewall isolates the legacy devices, limiting lateral movement. Option C is wrong because unpatched devices cannot be hardened with Defender for IoT agents. Option D is wrong because TLS is often not supported on legacy PLCs.

Option A is wrong because VPN would expose the devices to more traffic.

416
Multi-Selectmedium

A company is designing a security solution for a new application that will be deployed on Azure Kubernetes Service (AKS). They need to protect secrets and ensure that only authorized pods can access them. Which TWO actions should they take? (Choose two.)

Select 2 answers
A.Enable pod identity to assign managed identities to pods for Key Vault access
B.Configure network policies to restrict pod-to-pod traffic
C.Store secrets in Kubernetes ConfigMaps
D.Enable Azure Disk Encryption for AKS nodes
E.Use Azure Key Vault Provider for Secrets Store CSI Driver to mount secrets as volumes
AnswersA, E

Pod identity allows pods to authenticate to Key Vault using managed identities.

Why this answer

Using the Azure Key Vault Provider for Secrets Store CSI Driver (Option E) allows pods to mount secrets from Key Vault. Enabling pod identity with managed identity (Option A) ensures that only authorized pods can access Key Vault. Option C is wrong because storing secrets in ConfigMaps is not secure.

Option D is wrong because Azure Disk Encryption does not apply to secrets. Option B is wrong because network policies control traffic, not secrets access.

417
MCQeasy

Your organization uses Microsoft Sentinel to detect threats. You need to ensure that sensitive data stored in Azure SQL Database is protected from unauthorized access by Sentinel playbooks. What should you implement?

A.Enable dynamic data masking on the SQL database
B.Use customer-managed keys (CMK) for SQL Transparent Data Encryption
C.Configure Azure SQL firewall rules to allow only Sentinel IP addresses
D.Use a managed identity assigned to the playbook to authenticate to Azure SQL
AnswerD

Managed identities provide secure, credential-free authentication for Azure resources.

Why this answer

Option D is correct because managed identities provide secure, identity-based authentication for playbooks to access Azure SQL without storing credentials. Option C is wrong because firewall rules are network-level, not identity-based. Option A is wrong because data masking applies to query results, not access control.

Option B is wrong because CMK is for encryption at rest, not access control.

418
MCQhard

Refer to the exhibit. You are an Azure security engineer reviewing a custom Azure Policy definition. The policy is intended to audit virtual machines to ensure they have the Azure Security extension installed. However, the policy is not triggering on any resources. What is the most likely reason?

A.The policy condition requires a managed disk, but the VMs might have unmanaged disks.
B.The 'existenceCondition' field path is incorrect; it should be 'Microsoft.Compute/virtualMachines/extensions/publisher'.
C.The policy is assigned to a management group, but the VMs are in a subscription under a different management group.
D.The policy effect should be 'Deny' instead of 'auditIfNotExists'.
AnswerA

If the VM does not have a managed disk, the 'if' condition is false, and the policy does not evaluate the audit effect.

Why this answer

Option A is correct because the policy condition uses `field` to check for `Microsoft.Compute/virtualMachines/storageProfile.osDisk.managedDisk.id`, which requires the VM to have a managed disk. If the VMs use unmanaged disks (i.e., the `managedDisk` property is absent), the condition evaluates to false, and the `auditIfNotExists` effect never triggers the existence check for the Azure Security extension.

Exam trap

The trap here is that candidates focus on the `existenceCondition` or effect syntax, overlooking that the parent `field` condition silently fails on VMs without managed disks, preventing the entire policy from evaluating.

How to eliminate wrong answers

Option B is wrong because the `existenceCondition` field path `Microsoft.Compute/virtualMachines/extensions/publisher` is syntactically valid for checking the extension's publisher property; the issue is not with the path but with the parent condition failing. Option C is wrong because policy assignment inheritance works correctly across management group hierarchies—if the policy is assigned to a management group, it applies to all descendant subscriptions, so VMs in a child subscription would still be evaluated. Option D is wrong because changing the effect to `Deny` would not fix the triggering issue; the policy is not evaluating resources at all due to the condition, not because of the effect type.

419
MCQmedium

Your organization uses Microsoft Sentinel for security operations. You need to ensure that an attacker cannot disable data collection by deleting the diagnostic settings on the Sentinel workspace. What should you configure?

A.Enable Sentinel's workspace deletion protection.
B.Assign the Log Analytics Contributor role only to specific users.
C.Apply a CanNotDelete resource lock on the Log Analytics workspace.
D.Create an Azure Policy to audit diagnostic settings.
AnswerC

Resource locks block deletion of the workspace and its diagnostic settings.

Why this answer

Option C is correct because applying a CanNotDelete resource lock on the Log Analytics workspace prevents any user or process, including an attacker, from deleting the workspace or its diagnostic settings. This lock overrides all role-based permissions, ensuring that even if an attacker gains high-privileged access, they cannot remove the diagnostic settings that stream telemetry to Microsoft Sentinel. Sentinel's data collection relies entirely on these diagnostic settings, so protecting them with a resource lock is the most direct and effective defense against deletion attacks.

Exam trap

The trap here is that candidates confuse workspace deletion protection (which only prevents workspace deletion) with diagnostic settings deletion protection, or they assume that RBAC alone (Option B) is sufficient to block a privileged attacker, when in fact a resource lock is the only control that enforces a hard deny on deletion regardless of permissions.

How to eliminate wrong answers

Option A is wrong because Sentinel's workspace deletion protection only prevents the accidental deletion of the Sentinel workspace itself, not the deletion of diagnostic settings on that workspace; an attacker could still remove the diagnostic settings and stop data ingestion without deleting the workspace. Option B is wrong because assigning the Log Analytics Contributor role only to specific users limits who can modify the workspace, but it does not prevent an attacker with compromised credentials or a privileged user from deleting diagnostic settings; role-based access control (RBAC) alone is insufficient against a determined attacker with elevated permissions. Option D is wrong because creating an Azure Policy to audit diagnostic settings only reports on compliance (e.g., whether settings exist) but does not block deletion; it provides no preventive control and cannot stop an attacker from removing the settings in real time.

420
Multi-Selecthard

A company is designing a Zero Trust security posture for their Azure environment. They need to assess and improve their security posture. Which TWO actions should they take? (Choose two.)

Select 2 answers
A.Enable Azure Update Management for all VMs
B.Use Azure Policy to enforce security configurations
C.Deploy Microsoft Entra Permissions Management
D.Review and implement recommendations from Microsoft Defender for Cloud Secure Score
E.Use Microsoft Security Copilot to generate security policies
AnswersB, D

Azure Policy can enforce compliance and security baselines.

Why this answer

Azure Policy enforces organizational standards and assesses compliance at scale, which is a core Zero Trust principle of continuous verification and policy-driven access control. By applying policies that enforce security configurations (e.g., requiring HTTPS, restricting public network access), the company can proactively prevent misconfigurations and maintain a consistent security baseline across their Azure environment.

Exam trap

The trap here is that candidates confuse operational tools (like Update Management) or AI assistants (like Security Copilot) with core Zero Trust assessment and enforcement mechanisms, when the exam specifically tests understanding that Azure Policy and Secure Score are the primary built-in tools for continuous posture evaluation and improvement.

421
Multi-Selectmedium

Which TWO of the following are true about Azure DDoS Protection?

Select 2 answers
A.It automatically blocks all traffic during an attack
B.It protects VMs from internal traffic attacks
C.It can be used to protect against application-layer attacks when combined with WAF
D.It provides cost protection through service credits
E.It provides a monthly allowance of attacks
AnswersC, D

Together with WAF, it can mitigate application-layer DDoS.

Why this answer

Option C is correct because Azure DDoS Protection operates at Layers 3 and 4 of the OSI model, but when combined with Azure Application Gateway WAF (Web Application Firewall), it can also mitigate application-layer (Layer 7) attacks such as SQL injection or cross-site scripting. The WAF inspects HTTP/HTTPS traffic and blocks malicious payloads, while Azure DDoS Protection handles volumetric attacks, providing a layered defense.

Exam trap

The trap here is that candidates often assume Azure DDoS Protection alone handles all layers, including Layer 7, but it only covers Layers 3 and 4 natively, requiring WAF integration for application-layer protection.

422
Multi-Select · medium

An organization uses Microsoft Purview to classify and protect sensitive data. Which THREE capabilities can be used to discover sensitive data? (Choose three.)

Select 3 answers
A. Trainable classifiers
B. Data loss prevention policies
C. Retention labels
D. Data classification rules
E. Sensitive information types
Answers: A, D, E

Machine learning models to identify content.

Why this answer

Trainable classifiers use machine learning to identify content based on patterns and context, not just exact matches. They can be trained on sample data to recognize custom sensitive information, such as specific contract clauses or internal project codes, enabling discovery of sensitive data that predefined sensitive information types might miss.

Exam trap

Microsoft often tests the distinction between discovery capabilities (which identify sensitive data) and enforcement or lifecycle management capabilities (which act on already-discovered data), causing candidates to mistakenly select DLP policies or retention labels as discovery tools.

423
MCQ · hard

Your organization uses Microsoft Sentinel with the Microsoft 365 Defender connector. You need to create an analytics rule that generates an incident when a user is reported as compromised by Microsoft Defender for Identity. The rule should use the most efficient method to get this data. What should you use as the data source?

A. The SecurityAlert table with a filter for Defender for Identity.
B. The DeviceEvents table from Advanced Hunting.
C. The OfficeActivity table.
D. The IdentityInfo table.
Answer: A

Defender for Identity alerts are stored in the SecurityAlert table.

Why this answer

Option A is correct because Defender for Identity alerts are ingested via the Microsoft 365 Defender connector and can be queried using the SecurityAlert table. Option D is incorrect because IdentityInfo does not contain alerts. Option B is incorrect because the Advanced Hunting schema is not directly available in Sentinel tables.

Option C is incorrect because the OfficeActivity table is for audit logs, not security alerts.

424
MCQ · medium

Your organization uses Microsoft Defender for Cloud to secure a multi-cloud environment including Azure, AWS, and GCP. You need to design a solution that centralizes security alerts and automates remediation across all clouds. Which security operations capability should you prioritize?

A. Configure Microsoft Purview Compliance Manager for regulatory assessments
B. Enable Microsoft Defender for Cloud's multi-cloud connector to aggregate alerts
C. Use Microsoft Sentinel as a single SIEM and SOAR platform with connectors for AWS and GCP
D. Deploy Microsoft Defender for Identity to monitor hybrid identities
Answer: C

Sentinel ingests alerts from multiple clouds and can automate remediation via playbooks.

Why this answer

Option C is correct because Microsoft Sentinel provides a centralized SIEM and SOAR solution that ingests security alerts from multiple clouds and can automate remediation. Option B is wrong because Defender for Cloud does not natively ingest alerts from AWS/GCP into a single SIEM. Option D is wrong because Defender for Identity is focused on on-premises identity threats.

Option A is wrong because Microsoft Purview is for data governance, not security operations.

425
Multi-Select · medium

Which THREE capabilities are provided by Microsoft Defender for Cloud Apps (MDA) when integrated with Microsoft Defender XDR?

Select 3 answers
A. Email protection against phishing and malware.
B. Discovery of shadow IT cloud apps.
C. App permissions and OAuth app governance.
D. Endpoint detection and response (EDR) for devices.
E. Conditional access session controls for cloud apps.
Answers: B, C, E

MDA discovers apps used in the organization.

Why this answer

Microsoft Defender for Cloud Apps (MDA) integrates with Microsoft Defender XDR to provide shadow IT discovery by analyzing traffic logs from network devices and cloud app catalogs, identifying unsanctioned cloud applications used in the organization. This capability is core to MDA's Cloud Discovery feature, which uses log parsing and machine learning to detect and classify shadow IT.

Exam trap

The trap here is that candidates often confuse the capabilities of Microsoft Defender for Cloud Apps with those of other Microsoft Defender XDR components, such as Defender for Office 365 (email security) or Defender for Endpoint (EDR), leading them to select options that are valid security features but not provided by MDA.

426
MCQ · easy

Your company is deploying Microsoft Entra ID for application authentication. You need to register a new web application that uses OAuth 2.0 for user sign-in. Which authentication flow should you use?

A. Device code flow
B. Authorization code flow
C. Implicit flow
D. Client credentials flow
Answer: B

Standard flow for web apps with a backend.

Why this answer

Option B is correct because the Authorization Code Flow is the recommended flow for web applications that have a backend server. Option C is wrong because the Implicit Flow is deprecated for user sign-in. Option D is wrong because the Client Credentials Flow is for server-to-server scenarios without a user.

Option A is wrong because the Device Code Flow is for input-constrained devices.

427
MCQ · hard

A company uses Microsoft Entra ID with P2 licenses and wants to implement a zero-trust identity security model. They need to require multi-factor authentication (MFA) for all external users accessing internal applications. The solution should not require external users to have Entra ID licenses. What should you configure?

A. Configure Privileged Identity Management (PIM) for external users.
B. Create a conditional access policy for external users requiring MFA.
C. Enable identity protection for external users.
D. Use Entra ID B2B collaboration and configure MFA enforcement.
Answer: B

Conditional access policies can target external users and require MFA without additional licenses for the external user.

Why this answer

Option C is correct because Entra ID B2B collaboration allows external users to use their own identities and MFA can be enforced via conditional access. Option A is wrong because external identities feature includes B2B collaboration. Option B is wrong because identity protection is for risk detection.

Option D is wrong because PIM manages privileged access, not external user authentication.

428
MCQ · medium

An organization is planning to use Microsoft Defender for Cloud's regulatory compliance dashboard to track adherence to PCI DSS. The security team wants to ensure that all Azure resources are covered by the compliance assessment. What is the first step?

A. Enable Microsoft Defender for Cloud on all subscriptions and ensure resources are covered.
B. Configure the compliance dashboard to show PCI DSS controls.
C. Create a custom regulatory compliance standard for PCI DSS.
D. Enable the built-in PCI DSS policy initiative in Azure Policy.
Answer: A

Resources must be onboarded to Defender for Cloud to be assessed against the regulatory compliance standard.

Why this answer

Option A is correct because to assess compliance, the resources must first be onboarded to Defender for Cloud (enabling enhanced security features). Option D is incorrect because the built-in initiative does not apply automatically without enabling Defender for Cloud coverage. Option C is incorrect because while you can assign a custom initiative, the first step is still to ensure resources are covered.

Option B is incorrect because the compliance dashboard shows results only after assessment.

429
Multi-Select · hard

You are designing a solution to protect Azure SQL Database from SQL injection attacks. The solution must use a web application firewall (WAF) and also ensure that queries from the application are parameterized. Which two components should you include? (Choose two. Each correct answer presents part of the solution.)

Select 2 answers
A. Azure SQL Database firewall rules
B. Transparent Data Encryption (TDE)
C. Azure Application Gateway with WAF
D. Parameterized queries in the application code
Answers: C, D

WAF can detect and block SQL injection attempts.

Why this answer

Options C and D are correct because Azure Application Gateway with WAF can block SQL injection at the network edge, and using parameterized queries in the application code prevents SQL injection at the application layer. Option B is wrong because TDE encrypts data at rest. Option A is wrong because the Azure SQL Database firewall controls IP access.

430
MCQ · medium

Your company is implementing Microsoft Purview Information Protection to protect sensitive data. The compliance team requires that when a user applies a 'Highly Confidential' sensitivity label to a document, the document is automatically encrypted and watermarked. Which configuration should you use?

A. Create a DLP policy that encrypts and watermarks the document when it is shared externally
B. Create an auto-labeling policy that detects sensitive content and applies the label automatically
C. Create a Conditional Access policy that requires the label to be applied to all documents
D. Configure the sensitivity label to apply encryption and dynamic watermarking. Publish the label to users.
Answer: D

Encryption and watermarking are configured in the label settings; the user applies the label manually.

Why this answer

Option D is correct because encryption and dynamic watermarking are built-in label settings. Option B is wrong because auto-labeling policies apply labels based on conditions, not user action. Option C is wrong because Conditional Access policies control access but do not add watermarks.

Option A is wrong because DLP policies apply actions like block, not encryption or watermarking.

431
MCQ · hard

Your organization uses Microsoft Defender XDR to correlate alerts across endpoints, email, and identities. You need to create a custom detection rule that triggers when a user receives a phishing email and then attempts to log in from a new location. Which approach should you use?

A. Use Advanced Hunting to create a custom detection rule
B. Create a custom detection rule in Microsoft Defender for Endpoint
C. Use an automation rule in Microsoft Defender XDR
D. Create an analytics rule in Microsoft Sentinel
Answer: A

Advanced Hunting allows cross-domain queries in Defender XDR.

Why this answer

Option A is correct because Advanced Hunting in Microsoft Defender XDR allows you to write Kusto Query Language (KQL) queries that correlate events across multiple data tables (e.g., EmailEvents, IdentityLogonEvents). You can then create a custom detection rule from that query, which will trigger an alert when a user receives a phishing email and subsequently logs in from a new location, enabling cross-domain correlation within Defender XDR.

Exam trap

The trap here is that candidates often confuse the scope of custom detection rules in Defender for Endpoint (endpoint-only) with the cross-domain capability of Advanced Hunting in Defender XDR, or they mistakenly think automation rules can create new detection logic rather than just automate responses to existing alerts.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Endpoint custom detection rules are limited to endpoint data (e.g., DeviceEvents, DeviceProcessEvents) and cannot query email or identity events, so they cannot correlate a phishing email with a login from a new location. Option C is wrong because automation rules in Microsoft Defender XDR are designed to automate responses (e.g., isolate a device, block an IP) based on existing alerts, not to create new detection logic that correlates raw events across different data sources. Option D is wrong because analytics rules in Microsoft Sentinel are used for SIEM-style detection across multiple data sources ingested into Sentinel, but the question specifies using Microsoft Defender XDR (not Sentinel) to correlate alerts, and Sentinel requires separate licensing and data ingestion pipelines.

432
Multi-Select · hard

Your organization is implementing Microsoft Defender for Identity to protect on-premises Active Directory. Which THREE activities does Defender for Identity monitor?

Select 3 answers
A. Privilege escalation attempts
B. Lateral movement paths using Pass-the-Hash
C. File integrity changes on domain controllers
D. Reconnaissance attacks using LDAP queries
E. Network traffic to external IP addresses
Answers: A, B, D

Defender for Identity monitors for privilege escalation.

Why this answer

Options A, B, and D are correct. Defender for Identity monitors lateral movement paths, reconnaissance attacks, and privilege escalation. Option C is wrong because file integrity monitoring is a feature of Defender for Servers or Azure Policy.

Option E is wrong because network traffic to the internet is monitored by Defender for Network or network security groups.

433
MCQ · easy

Your organization is deploying a new application on Azure Kubernetes Service (AKS). You need to ensure that only authorized containers can run in the cluster and that any unauthorized containers are automatically blocked. What should you configure?

A. Implement network policies to restrict communication between pods.
B. Apply an Azure Policy that restricts container images to only those from approved registries.
C. Enable Azure AD integration for the AKS cluster.
D. Configure Azure RBAC roles to limit who can deploy containers.
Answer: B

Azure Policy for AKS can enforce allowed container images.

Why this answer

Option B is correct because Azure Policy for AKS, using the built-in 'Kubernetes cluster containers should only use allowed images' policy, ensures that only images from approved registries can run. Option D is wrong because Azure RBAC controls who can manage the cluster, not which containers run. Option A is wrong because network policies control traffic, not container authorization.

Option C is wrong because Azure AD integration controls authentication, not container image approval.

434
Multi-Select · easy

Which TWO features of Microsoft Defender for Cloud help you identify and remediate misconfigurations in your Azure environment? (Choose two.)

Select 2 answers
A. File integrity monitoring (FIM).
B. Security recommendations.
C. Just-in-time (JIT) VM access.
D. Adaptive application controls.
E. Secure score.
Answers: B, E

Recommendations identify misconfigurations and suggest fixes.

Why this answer

Options B and E are correct. B: Security recommendations provide actionable steps to fix misconfigurations. E: Secure score measures overall security posture and guides prioritization.

Option C is wrong because JIT is for VM access. Option A is wrong because FIM is for file integrity. Option D is wrong because adaptive application controls are for allowed apps.

435
MCQ · easy

You are designing a security solution for a small business that uses Azure App Services to host a web application. The business has the following requirements:

- The web application must be protected against common web vulnerabilities like SQL injection and cross-site scripting (XSS).
- All traffic to the application must be encrypted.
- The solution should be cost-effective and require minimal management overhead.
- The application must be able to scale automatically based on demand.

Which Azure service should you use to meet these requirements?

A. Use Azure Firewall to inspect traffic to the App Service.
B. Use Azure CDN with custom domain and HTTPS.
C. Deploy Azure Front Door with WAF policies.
D. Deploy Azure Application Gateway with Web Application Firewall (WAF) in front of the App Service.
Answer: D

WAF protects against common web attacks, provides TLS, and autoscales.

Why this answer

Option D is correct: Azure Web Application Firewall (WAF) on Application Gateway protects against web vulnerabilities, provides TLS termination, and supports autoscaling. Option C is incorrect: Azure Front Door also provides WAF but is more expensive and suited for global scenarios. Option B is incorrect: Azure CDN does not include WAF.

Option A is incorrect: Azure Firewall is a network firewall, not a web application firewall.

436
MCQ · easy

Refer to the exhibit. You are analyzing sign-in failures in Microsoft Sentinel using a KQL query. What does this query identify?

A. Accounts that have been locked out due to multiple failures.
B. Computers with more than 10 login attempts from the same IP address.
C. Accounts that had more than 10 failed logon attempts in the last 7 days.
D. Accounts that successfully logged in more than 10 times.
Answer: C

The query sums failed logons per account per computer.

Why this answer

Option C is correct because the query filters EventID 4625 (failed logon) and groups by Account and Computer, then filters accounts with more than 10 failures in the last 7 days. Option D is wrong because the query does not show success events. Option B is wrong because it does not group by IP address.

Option A is wrong because it does not include locked accounts.

437
Multi-Select · hard

A company is implementing Microsoft Purview to protect sensitive data in Microsoft 365. They need to prevent users from sharing credit card numbers via email. Which THREE components must be configured? (Choose three.)

Select 3 answers
A. Create an auto-labeling policy for credit card data
B. Create a retention label for credit card data
C. Create a sensitive info type for credit card numbers
D. Create a Data Loss Prevention (DLP) policy that blocks sharing
E. Configure policy tips to notify users of policy violations
Answers: C, D, E

Sensitive info types are used to detect credit card numbers in content.

Why this answer

A sensitive info type for credit card numbers (Option C) is needed to detect the data. A DLP policy (Option D) enforces the rule. A policy tip (Option E) notifies users about the policy.

Option B is wrong because retention labels are for retention, not prevention. Option A is wrong because auto-labeling applies labels, but DLP policies are needed to block sharing.

438
MCQ · easy

Your company uses Microsoft Intune for mobile device management. You need to ensure that corporate data on iOS devices is protected by requiring a PIN and encrypting the device. What configuration should you create?

A. Create a device configuration profile to enforce PIN and encryption.
B. Create a Conditional Access policy that requires compliant devices.
C. Create a compliance policy that requires a device PIN and encryption.
D. Create an app protection policy for Microsoft apps.
Answer: C

Compliance policies enforce device security requirements.

Why this answer

Option C is correct because a compliance policy in Intune defines device requirements like PIN and encryption. Option D is wrong because app protection policies target apps, not device-level settings. Option A is wrong because device configuration profiles can enforce settings, but a compliance policy is the standard way to require PIN and encryption for compliance.

Option B is wrong because Conditional Access policies control access based on compliance; they do not enforce settings directly.

439
Multi-Select · easy

Which TWO Azure services should you use to implement a defense-in-depth strategy for protecting Azure virtual machines?

Select 2 answers
A. Network Security Groups (NSGs)
B. Azure Logic Apps
C. Azure Backup
D. Azure Automation
E. Azure Front Door
Answers: A, C

NSGs filter traffic at the network layer.

Why this answer

Options A and C are correct because NSGs provide network segmentation and Azure Backup provides data protection. Option E is wrong because Azure Front Door is for global load balancing. Option B is wrong because Azure Logic Apps is an integration service.

Option D is wrong because Azure Automation is for process automation.

440
MCQ · hard

You are a security architect for a large financial services company. The company has a hybrid identity environment with on-premises Active Directory synchronized to Microsoft Entra ID using Microsoft Entra Connect. They use Microsoft 365 E5 licenses and have deployed Microsoft Defender for Cloud, Microsoft Defender for Identity, Microsoft Sentinel, and Microsoft Purview. The company has recently suffered a ransomware attack where an attacker gained access via a compromised service account that had permanent Global Administrator privileges. The attacker then used the account to create a backdoor user and exfiltrate sensitive data from SharePoint Online. After the incident, the CISO mandates a Zero Trust security transformation with the following requirements:

1. Eliminate standing privileged access for all cloud admins.
2. Require phishing-resistant authentication for all privileged roles.
3. Ensure that all sensitive data in SharePoint Online is automatically classified and protected.
4. Enable detection of lateral movement using anomalous behavior analytics.

Which combination of actions should you recommend?

A. Implement Privileged Identity Management (PIM) for Global Administrator roles, configure Authentication Strengths to require FIDO2, create auto-labeling policies for credit card numbers, and enable Defender for Identity lateral movement path detection.
B. Deploy Microsoft Entra Identity Protection for all users, configure Azure AD Conditional Access with MFA, use Microsoft Purview Information Protection with manual labeling, and enable Microsoft Sentinel analytics for lateral movement.
C. Configure Conditional Access to require MFA for admins, enable Microsoft Purview DLP for SharePoint, deploy Defender for Cloud Apps, and use Identity Protection for user risk.
D. Remove all permanent admin roles and use just-in-time access via PIM, enforce MFA via Conditional Access, apply sensitivity labels via Microsoft Purview Data Map, and use Microsoft Defender for Cloud for network security groups.
Answer: A

Meets all requirements: PIM eliminates standing access, Authentication Strengths enforces phishing-resistant MFA, auto-labeling protects data, Defender for Identity detects lateral movement.

Why this answer

Option A is correct because it directly addresses all four CISO requirements: Privileged Identity Management (PIM) eliminates standing Global Administrator privileges by requiring just-in-time activation; Authentication Strengths with FIDO2 enforces phishing-resistant authentication for privileged roles; auto-labeling policies in Microsoft Purview automatically classify and protect sensitive data like credit card numbers in SharePoint Online; and Defender for Identity lateral movement path detection uses behavioral analytics to detect anomalous lateral movement, fulfilling the detection requirement.

Exam trap

The trap here is that candidates often confuse MFA (which can be phishable) with phishing-resistant authentication (e.g., FIDO2 or certificate-based), and they may overlook that automatic classification requires auto-labeling policies, not manual labeling or data discovery tools like Data Map.

How to eliminate wrong answers

Option B is wrong because it relies on manual labeling instead of automatic classification, which fails to meet the requirement for automatic protection of sensitive data in SharePoint Online; additionally, Identity Protection does not provide lateral movement detection. Option C is wrong because it only enforces MFA via Conditional Access, which is not phishing-resistant (e.g., it allows TOTP or phone call verification), and it lacks automatic data classification and lateral movement detection. Option D is wrong because it enforces MFA via Conditional Access instead of phishing-resistant authentication (e.g., FIDO2), and it uses Microsoft Defender for Cloud for network security groups, which does not address lateral movement detection; Purview Data Map is for data discovery, not automatic classification and protection.

441
MCQ · easy

Your organization uses Microsoft Defender for Office 365 and wants to block malicious links in email messages in real time. Which policy should you configure?

A. Anti-phishing policy
B. Safe Attachments policy
C. Safe Links policy
D. Anti-spam policy
Answer: C

Safe Links provides real-time scanning and blocking of malicious URLs in email.

Why this answer

Safe Links policy in Microsoft Defender for Office 365 provides real-time URL scanning and rewriting at the time of click, enabling the blocking of malicious links in email messages. This policy wraps URLs to route clicks through Microsoft's threat intelligence service, which checks the link against current threat data and blocks access if malicious content is detected.

Exam trap

The trap here is that candidates often confuse Safe Links with Safe Attachments, mistakenly thinking that attachment scanning covers embedded links, but Safe Attachments only handles file payloads, not URLs.

How to eliminate wrong answers

Option A is wrong because Anti-phishing policy is designed to protect against impersonation attacks and phishing attempts by analyzing sender identity and message content, not by scanning or blocking individual URLs in real time. Option B is wrong because Safe Attachments policy focuses on scanning email attachments for malware using detonation in a sandbox environment, not on inspecting links within the message body. Option D is wrong because Anti-spam policy filters messages based on bulk mail, spam, and spoofing criteria, and does not perform real-time URL blocking or rewriting.

442
MCQ · medium

Refer to the exhibit. You are reviewing an Azure Policy definition that is assigned to a subscription containing several virtual machines. After the assignment, users report that they cannot create new VMs. What is the most likely reason?

A. The policy denies creation of VMs with a specific size.
B. The policy denies creation of VMs that do not use managed disks.
C. The policy denies creation of VMs that use managed disks.
D. The policy denies creation of VMs that do not use premium SSDs.
Answer: B

The policy rule denies the request if no managed disk exists for the OS disk.

Why this answer

Option B is correct because the policy denies creation of VMs that do not use managed disks. The condition checks whether the osDisk.managedDisk field does not exist and, if so, denies the request. Therefore, any attempt to create a VM with unmanaged disks is denied.

The policy only denies creation; it does not affect existing VMs. Option A is wrong because the policy denies all VMs without managed disks, not just those with a specific size. Option D is wrong because the policy does not require premium SSDs; it only requires managed disks.

443
MCQ · medium

A company uses Microsoft Entra ID for identity management. They want to ensure that only managed devices can access corporate email. Which Conditional Access policy setting should be configured?

A. Require multifactor authentication
B. Block legacy authentication
C. Require approved client app
D. Require device to be marked as compliant
Answer: D

This ensures only managed and compliant devices can access.

Why this answer

To ensure only managed devices can access corporate email, you need to enforce device compliance. The Conditional Access policy setting 'Require device to be marked as compliant' checks that the device is enrolled in Microsoft Intune and meets all compliance policies (e.g., encryption, OS version, jailbreak detection) before granting access. This directly restricts access to managed devices only.

Exam trap

The trap here is that candidates often confuse 'Require device to be marked as compliant' with 'Require approved client app' or 'Require multifactor authentication,' thinking that MFA or app approval alone ensures device management, but only compliance enforcement ties directly to Intune-managed device policies.

How to eliminate wrong answers

Option A is wrong because requiring multifactor authentication (MFA) verifies the user's identity but does not enforce any device management or compliance; a personal device with MFA could still access email. Option B is wrong because blocking legacy authentication prevents protocols like POP3, IMAP, or SMTP that don't support modern authentication, but it does not ensure the device is managed or compliant; a managed device using legacy auth would still be blocked, but an unmanaged device using modern auth would not be blocked. Option C is wrong because requiring an approved client app (e.g., Outlook mobile) ensures the app is from a trusted source but does not enforce device management; an unmanaged device with the approved app could still access email.

444
MCQ · medium

Your organization uses Microsoft Defender for Cloud to protect its Azure workloads. You have an application that runs on Azure Virtual Machines and uses a storage account to store sensitive data. The security team wants to detect when the storage account access keys are used from an unexpected location. What should you configure?

A. Configure adaptive application controls on the storage account.
B. Create an Azure Monitor alert based on the 'Storage Account List Keys' operation.
C. Enable just-in-time VM access in Microsoft Defender for Cloud.
D. Enable Microsoft Defender for Storage and configure anomaly detection alerts.
Answer: D

Defender for Storage detects unusual patterns, including access from unexpected locations.

Why this answer

Microsoft Defender for Cloud provides adaptive application controls, file integrity monitoring, and just-in-time access, but not specifically for detecting storage key usage from unexpected locations. Microsoft Defender for Storage (part of Defender for Cloud) provides anomaly detection, including unusual access patterns. You can also use Azure Monitor with alerts on storage metrics, but the most direct is Defender for Storage.

Option D is correct.

445
MCQ · hard

Your organization is planning to use Microsoft Sentinel for security information and event management (SIEM). The security team wants to ensure that Sentinel can ingest logs from on-premises servers that are not connected to the internet. The solution must use Azure Arc for management. Which data connector should you use?

A. Azure Monitor Agent
B. Common Event Format (CEF) via AMA
C. Syslog via AMA
D. Log Analytics agent (MMA)
Answer: A

AMA can be installed on Arc-enabled servers and send logs to Log Analytics, which Sentinel uses.

Why this answer

Option A is correct because the Azure Monitor Agent (AMA) can be deployed via Azure Arc to on-premises servers, collecting logs and forwarding them to Sentinel via a Log Analytics workspace. Option D is wrong because the Log Analytics agent (MMA) is being deprecated. Option C is wrong because the Syslog connector typically requires direct connectivity or a forwarder.

Option B is wrong because the Common Event Format (CEF) connector also requires a forwarder with internet access.

446
MCQ · medium

A company uses Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data. They want to prevent users from sharing credit card numbers in email but allow sharing via encrypted email. What should they configure?

A. Assign a sensitivity label that encrypts the email automatically
B. Create a Microsoft Purview Message Encryption policy
C. Configure a DLP rule that blocks sharing unless the email is encrypted, with user override
D. Use Exchange mail flow rules to block unencrypted credit card data
Answer: C

DLP can allow encrypted emails as an exception.

Why this answer

Option C is correct because the DLP rule can be set to block with an override that allows encrypted email. Option B is wrong because encryption policies don't block unencrypted sharing. Option A is wrong because sensitivity labels are for classification, not DLP enforcement.

Option D is wrong because mail flow rules are separate from DLP.

447
MCQeasy

Your company runs a critical application on Azure VMs. You need to ensure that only authorized applications can run on the VMs to prevent malware. Which Azure security feature should you enable?

A. Azure Security Center adaptive application controls
B. Just-In-Time VM access
C. Azure Antimalware
D. Windows Defender Application Control (WDAC)
Answer: D

WDAC allows you to control which applications can run on the VM.

Why this answer

Option D is correct: Windows Defender Application Control (WDAC) lets you specify which applications are allowed to run. Option C is wrong: Antimalware detects and removes malware but does not control which apps can run. Option B is wrong: Just-In-Time VM access controls network access, not application execution.

Option A is wrong: Azure Security Center (now Defender for Cloud) provides recommendations but not direct app control.

448
Multi-Select, hard

Which THREE of the following are valid ways to protect sensitive data in Microsoft 365 using Microsoft Purview? (Choose three.)

Select 3 answers
A. Sensitivity labels
B. Data Loss Prevention (DLP) policies
C. Data Lifecycle Management (retention policies)
D. Conditional Access policies
E. Microsoft Defender for Endpoint
Answers: A, B, C

Labels classify and protect data with encryption and markings.

Why this answer

Sensitivity labels are a core Microsoft Purview Information Protection capability that allows you to classify and protect data at the item level. They can apply encryption, visual markings (headers/footers/watermarks), and enforce rights management (Azure RMS) directly on documents and emails, ensuring protection persists even when data leaves Microsoft 365.

Exam trap

The trap here is that candidates often confuse Conditional Access policies (which control access) or Defender for Endpoint (which protects endpoints) with Purview's data protection capabilities, but neither directly classifies, encrypts, or prevents data loss at the content level.

449
MCQ, easy

A company deploys Azure App Service with a custom domain and SSL certificate. They want to enforce HTTPS only. Which configuration setting should they enable?

A. HTTPS Only
B. Client Certificates
C. Minimum TLS Version
D. Custom Domain
Answer: A

Enforces redirection of all HTTP requests to HTTPS.

Why this answer

The 'HTTPS Only' setting in Azure App Service enforces that all incoming requests are redirected from HTTP to HTTPS, ensuring encrypted communication. This is achieved by returning a 301 redirect for any HTTP request, which aligns with the requirement to enforce HTTPS only.

Exam trap

The trap here is that candidates may confuse 'HTTPS Only' with 'Minimum TLS Version', thinking that setting a high TLS version also enforces HTTPS, but the latter only restricts the TLS protocol version without redirecting HTTP traffic.

How to eliminate wrong answers

Option B is wrong because 'Client Certificates' enables mutual TLS authentication, requiring clients to present a certificate, but does not enforce HTTPS-only traffic. Option C is wrong because 'Minimum TLS Version' controls the lowest TLS version allowed for incoming connections, but does not redirect HTTP to HTTPS. Option D is wrong because 'Custom Domain' is used to map a custom domain name to the app service, not to enforce HTTPS-only traffic.

450
MCQ, easy

You are designing a secure data classification strategy for documents in Microsoft 365. The compliance officer wants to automatically apply a 'Confidential' label to documents containing credit card numbers. Which Microsoft Purview feature should you use?

A. Auto-labeling policies
B. Data loss prevention policies
C. Trainable classifiers
D. Manual labeling
Answer: A

Auto-labeling policies can automatically apply sensitivity labels based on sensitive info types like credit card numbers.

Why this answer

Option A is correct because auto-labeling policies in Microsoft Purview can automatically apply sensitivity labels based on sensitive info types. Option C is wrong because trainable classifiers require training and are intended for more complex patterns. Option D is wrong because manual labeling is not automatic.

Option B is wrong because data loss prevention policies prevent sharing but do not apply labels.
