Microsoft Cybersecurity Architect (SC-100) — Questions 451–525

969 questions total · 13 pages · All types, answers revealed


Page 7 of 13

Question 451 (Multi-Select, hard)

Your company is planning to use Azure Policy to enforce security compliance across multiple subscriptions. You need to define a set of policies that will be applied to all subscriptions. Which THREE components should you include in your policy assignment?

Select 3 answers
A. Parameters.
B. Policy definition.
C. Assignment scope.
D. Initiative definition.
E. Remediation task.
Answers: A, B, C

Parameters allow customization of policies at assignment.

Why this answer

Option B is correct because policy definitions are the rules that enforce compliance. Option C is correct because the assignment scope defines where the policy applies (e.g., management group, subscription). Option A is correct because parameters allow customization of policy definitions at assignment time.

Option D is wrong because initiative definitions are groups of policies, but the question asks for components of a single policy assignment; an initiative is a separate artifact. Option E is wrong because remediation tasks are actions taken after assignment, not part of the assignment itself.

Question 452 (MCQ, easy)

You are designing a security operations strategy for a multinational organization. The SOC team needs to correlate alerts from multiple sources including Microsoft Defender for Cloud, Microsoft Sentinel, and third-party firewalls. Which solution should you use as the primary platform for correlation?

A. Microsoft Defender for Cloud
B. Microsoft 365 Defender
C. Azure Monitor
D. Microsoft Sentinel
Answer: D

Sentinel is a SIEM that can ingest and correlate data from various sources.

Why this answer

Option D is correct because Microsoft Sentinel is a SIEM that can ingest logs from multiple sources and correlate alerts. Option A is incorrect because Defender for Cloud is a CSPM, not a SIEM. Option B is incorrect because Microsoft 365 Defender is for endpoint and email, not for third-party firewalls.

Option C is incorrect because Azure Monitor is for infrastructure monitoring, not SIEM.

Question 453 (MCQ, medium)

Your organization is deploying Azure Kubernetes Service (AKS) and plans to use Azure Policy to enforce security controls on the cluster. The security team wants to automatically audit and deny the creation of privileged containers. Which Azure Policy initiative should you assign?

A. Azure RBAC roles for AKS
B. Azure Policy for Kubernetes (preview)
C. Microsoft Defender for Containers
D. AKS Pod Identity
Answer: B

This initiative includes policies to restrict privileged containers, host networking, and other security settings.

Why this answer

Option B is correct because the Azure Policy for Kubernetes initiative (preview) includes built-in policies to enforce security constraints like preventing privileged containers. Option C is wrong because Defender for Containers (Defender for Cloud's workload protection) provides monitoring but not policy enforcement. Option A is wrong because Azure RBAC roles control permissions, not container security.

Option D is wrong because AKS Pod Identity is for pod authentication to Azure resources.

Question 454 (MCQ, medium)

A company is migrating its on-premises Active Directory to Microsoft Entra ID. They need to ensure that all user authentication for cloud apps uses passwordless methods. Which security best practice should they implement?

A. Implement Microsoft Entra ID passwordless authentication
B. Configure conditional access policies to block legacy authentication
C. Enable Microsoft Entra ID Privileged Identity Management (PIM)
D. Require multifactor authentication (MFA) for all users
Answer: A

Passwordless methods such as FIDO2 keys eliminate passwords entirely, aligning with Zero Trust.

Why this answer

Option A is correct because implementing Microsoft Entra ID passwordless authentication (e.g., FIDO2 keys, Windows Hello for Business) aligns with the Zero Trust principle of eliminating passwords. Option D is wrong because MFA alone still relies on a password. Option B is wrong because conditional access policies can enforce passwordless but are not the best practice itself.

Option C is wrong because privileged identity management addresses just-in-time access, not passwordless.

Question 455 (MCQ, easy)

Your organization uses Microsoft Intune to manage endpoints. The security team wants to ensure that devices that cannot be enrolled in Intune (e.g., unmanaged BYOD devices) are still subject to security policies when accessing corporate resources. Which Microsoft Entra ID feature should you use?

A. Microsoft Entra Conditional Access policies
B. Microsoft Intune enrollment policies
C. Windows Defender Application Control
D. Microsoft Defender for Endpoint
Answer: A

Conditional Access can block or limit access from unmanaged devices, enforcing MFA or session controls.

Why this answer

Option A is correct because Microsoft Entra Conditional Access policies can enforce access controls based on device compliance, including requiring MFA or blocking access from unmanaged devices. Option B is wrong because Intune enrollment is only for managed devices. Option D is wrong because Microsoft Defender for Endpoint (now part of Defender XDR) provides threat detection but not access policy enforcement.

Option C is wrong because Windows Defender Application Control is for code integrity on managed devices.

Question 456 (MCQ, medium)

Your company uses Microsoft Intune to manage mobile devices. You need to ensure that corporate data in Microsoft 365 apps cannot be copied to personal apps on the same device. What should you configure?

A. App protection policy (MAM) with 'Restrict cut, copy, and paste'
B. Conditional Access policy requiring compliant device
C. Device configuration profile with restrictions
D. Device compliance policy for mobile devices
Answer: A

App protection policies control data transfer between managed apps and unmanaged apps.

Why this answer

Option A is correct because app protection policies (MAM) can prevent data transfer between managed and unmanaged apps. Option B is wrong because conditional access blocks access but does not control copy/paste. Option D is wrong because compliance policies enforce device health, not app-level data movement.

Option C is wrong because device configuration profiles set device settings, not app restrictions.

Question 457 (MCQ, easy)

Your organization uses Microsoft Intune to manage iOS and Android devices. You need to ensure that corporate data on these devices is protected in case the device is lost or stolen. The security policy requires that corporate data be automatically removed from the device when it is reported lost, while personal data remains intact. The devices are enrolled in Intune with user affinity. What should you configure?

A. Configure a selective wipe (retire) action that can be triggered via a Power Automate flow when a device is reported lost through a custom app.
B. Create a compliance policy that marks the device as non-compliant after 30 days of inactivity.
C. Configure a device wipe action in Intune that can be triggered manually from the console.
D. Enable conditional access to require the device to be compliant before accessing data.
Answer: A

Selective wipe removes only corporate data; automation via Power Automate allows immediate response.

Why this answer

Option A is correct because it uses a selective wipe (retire), which removes only corporate data. Option C is a full wipe; Option B is not automatic; Option D is for conditional access, not data removal.

Question 458 (MCQ, medium)

Your organization uses Microsoft Entra ID. You need to ensure that when a user's risk level is assessed as high by Identity Protection, the user is automatically blocked from signing in. The block should apply immediately. What should you configure?

A. Configure a Conditional Access policy that blocks access when sign-in risk is high.
B. Enable self-service password reset for high-risk users.
C. Create an access review to require re-certification of high-risk users.
D. Configure a user risk policy in Identity Protection to block sign-in.
Answer: A

Conditional Access policies can use sign-in risk as a condition and block access.

Why this answer

Option A is correct because a Conditional Access policy with a session control can block access based on sign-in risk. Option D is incorrect because the Identity Protection user risk policy can block sign-in, but Conditional Access is the more common method. Option C is incorrect because an access review does not block sign-ins.

Option B is incorrect because self-service password reset, like MFA registration, does not block sign-in based on risk.

Question 459 (MCQ, easy)

A company is designing a Zero Trust security strategy. They want to ensure that all access requests are authenticated, authorized, and encrypted before granting access. Which Microsoft security solution should they use as the central policy engine?

A. Microsoft Defender for Cloud
B. Microsoft Sentinel
C. Microsoft Entra ID
D. Microsoft Intune
Answer: C

Entra ID is the identity provider that enforces conditional access.

Why this answer

Microsoft Entra ID (formerly Azure AD) is the correct central policy engine because it provides identity-based conditional access policies that authenticate, authorize, and enforce encryption (e.g., via device compliance or app protection policies) before granting access. It acts as the policy decision point (PDP) in a Zero Trust architecture, evaluating signals like user risk, device state, and location to allow or deny access.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud (a security posture tool) or Microsoft Sentinel (a monitoring tool) with the identity-based policy engine required for Zero Trust access control, but only Microsoft Entra ID handles real-time authentication and authorization decisions.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud is a cloud security posture management (CSPM) and workload protection platform, not a policy engine for authentication/authorization decisions. Option B is wrong because Microsoft Sentinel is a SIEM/SOAR solution for security information and event management, not a real-time access policy engine. Option D is wrong because Microsoft Intune is a mobile device management (MDM) and mobile application management (MAM) tool, which enforces device compliance but does not serve as the central policy engine for authentication and authorization.

Question 460 (MCQ, easy)

Refer to the exhibit. You need to ensure that the storage account 'seccorpstorage' is only accessible from a specific Azure virtual network. What should you do?

A. Add a virtual network rule for the specific VNet
B. Enable the service endpoint for Microsoft.Storage on the VNet subnet
C. Enable firewall and add an IP rule for the VNet's public IP
D. Enable public network access and add a firewall rule
Answer: A

Adding a VNet rule allows traffic from that VNet while blocking all other traffic.

Why this answer

Option A is correct because you need to add a virtual network rule to allow traffic from the VNet. The current configuration has no rules, so all traffic is denied. Option D is wrong because the storage account already has public network access disabled.

Option C is wrong because enabling the firewall and adding IP rules would allow specific IPs, not a VNet. Option B is wrong because adding a service endpoint alone is incomplete without the rule.

Question 461 (MCQ, hard)

Your organization uses Microsoft Sentinel to aggregate logs from on-premises and cloud sources. You need to reduce the cost of data ingestion while ensuring security-critical logs are retained for at least one year. What should you do?

A. Archive all logs to Azure Storage after 90 days
B. Ingest security-critical logs to the Analytics logs tier with 365-day retention, and other logs to the Auxiliary logs tier with shorter retention
C. Use the Basic logs tier for all logs and set retention to 365 days
D. Set the default retention to 30 days and export logs to Log Analytics Workspace
Answer: B

Auxiliary logs tier is for verbose logs at lower cost, while Analytics logs provide full capabilities and longer retention for critical data.

Why this answer

Option B is correct because it leverages the Analytics logs tier for security-critical logs, which supports full KQL query capabilities and allows setting a 365-day retention period to meet compliance requirements. Other logs can be sent to the Auxiliary logs tier (formerly Basic logs), which offers lower ingestion costs and shorter retention, reducing overall data ingestion expenses while still retaining necessary logs for security analysis.

Exam trap

The trap here is that candidates often confuse the Basic logs tier (now Auxiliary logs) with a cost-saving measure for all logs, not realizing that security-critical logs require the Analytics tier for full functionality, and that tiered retention policies can be applied per table to balance cost and compliance.

How to eliminate wrong answers

Option A is wrong because archiving all logs to Azure Storage after 90 days would remove them from Sentinel's queryable workspace, preventing real-time security monitoring and alerting on older logs, and does not guarantee one-year retention for security-critical logs. Option C is wrong because using the Basic logs tier for all logs limits query capabilities (no full KQL support) and incurs higher costs for security-critical logs that require Analytics-tier features; setting retention to 365 days on Basic logs does not address cost optimization for non-critical logs. Option D is wrong because setting default retention to 30 days and exporting logs to Log Analytics Workspace is redundant (Log Analytics Workspace is the same as Sentinel workspace) and does not reduce ingestion costs; it also fails to ensure security-critical logs are retained for one year without additional configuration.

Question 462 (MCQ, easy)

You are designing a solution to protect an Azure App Service web application from common web attacks like SQL injection and cross-site scripting. What should you implement?

A. Azure Firewall
B. Azure DDoS Protection
C. Azure Web Application Firewall (WAF) policy on Azure Front Door
D. Network Security Groups (NSGs) on the subnet
Answer: C

WAF protects against SQL injection and XSS.

Why this answer

Option C is correct because Azure Web Application Firewall (WAF) with Application Gateway or Front Door protects against SQL injection and XSS. Option D is wrong because Network Security Groups (NSGs) filter network traffic, not the application layer. Option B is wrong because Azure DDoS Protection protects against DDoS, not web attacks.

Option A is wrong because Azure Firewall is a network firewall, not a web application firewall.

Question 463 (MCQ, medium)

A company is designing a defense-in-depth strategy for their Azure environment. They want to ensure that if a virtual machine is compromised, the attacker cannot move laterally to other VMs in the same virtual network. Which security control should they prioritize?

A. Enable Azure DDoS Protection on the virtual network
B. Implement network segmentation using NSGs and application security groups
C. Enable multi-factor authentication (MFA) for all admin accounts
D. Deploy Azure Bastion for secure remote access
Answer: B

Network segmentation restricts east-west traffic, limiting lateral movement.

Why this answer

Network segmentation using NSGs and application security groups is the correct priority because it directly controls east-west traffic between VMs within the same virtual network. By defining explicit inbound and outbound rules that restrict communication to only necessary ports and protocols (e.g., TCP 443 for HTTPS), an attacker who compromises one VM cannot initiate lateral movement to other VMs, as the NSG will drop unauthorized traffic at the subnet or NIC level.

Exam trap

The trap here is that candidates often confuse network-level controls (NSGs) with identity or access controls (MFA, Bastion) or perimeter defenses (DDoS Protection), failing to recognize that lateral movement is a network traffic problem that requires explicit east-west traffic filtering.

How to eliminate wrong answers

Option A is wrong because Azure DDoS Protection protects against volumetric attacks from the internet, not against lateral movement from a compromised VM inside the same virtual network. Option C is wrong because MFA protects authentication to the Azure portal or management plane, but does not prevent an attacker who already has a foothold on a VM from moving laterally via network traffic. Option D is wrong because Azure Bastion provides secure RDP/SSH access to VMs without exposing public IPs, but once a VM is compromised, Bastion does not restrict the attacker's ability to initiate outbound connections to other VMs in the same network.

Question 464 (MCQ, easy)

Your organization uses Microsoft Purview to govern data assets across Azure and on-premises. You need to automatically classify sensitive data such as credit card numbers in Azure SQL Database. What should you use?

A. Microsoft Purview Data Map
B. Microsoft Defender for Cloud
C. Microsoft Entra ID
D. Microsoft Sentinel
Answer: A

Purview Data Map scans and classifies sensitive data.

Why this answer

Option A is correct because Microsoft Purview Data Map can scan Azure SQL Database and apply automatic classification using built-in classifiers. Option D is wrong because Microsoft Sentinel is for SIEM, not data classification. Option B is wrong because Microsoft Defender for Cloud is for security posture, not data classification.

Option C is wrong because Microsoft Entra ID is for identity.

Question 465 (Multi-Select, medium)

A company uses Azure Storage for sensitive data. They need to ensure that data is encrypted at rest and that encryption keys are managed by the customer (Customer-Managed Keys). Which THREE actions are required?

Select 3 answers
A. Enable double encryption
B. Create an Azure Key Vault to store the customer-managed key
C. Assign RBAC role to storage account to access Key Vault
D. Enable Azure Information Protection
E. Enable Storage Service Encryption (SSE) with customer-managed keys
Answers: B, C, E

A Key Vault is required for CMK.

Why this answer

Option B is correct because customer-managed keys (CMK) for Azure Storage encryption must be stored in an Azure Key Vault, which provides a secure, centralized repository for managing cryptographic keys. Without a Key Vault, the customer cannot control or rotate the encryption keys used by Storage Service Encryption (SSE).

Exam trap

The trap here is that candidates may confuse optional features like double encryption or Azure Information Protection with mandatory prerequisites for customer-managed keys, when in fact only Key Vault creation, RBAC assignment, and enabling SSE with CMK are required.

Question 466 (Multi-Select, hard)

Which THREE actions should you take to secure a CI/CD pipeline using Azure DevOps and GitHub?

Select 3 answers
A. Enable secret scanning in GitHub to detect leaked credentials
B. Run all pipeline tasks with administrative privileges
C. Disable pull request code reviews to speed deployment
D. Store secrets in Azure Key Vault and use variable groups linked to Key Vault
E. Configure branch protection rules in GitHub to require status checks
Answers: A, D, E

Secret scanning helps prevent accidental exposure of secrets in repositories.

Why this answer

Options A, D, and E are correct. Using secure variables, branch protection rules, and secret scanning are key security measures. Option C is wrong because disabling code review reduces security.

Option B is wrong because running pipelines with admin privileges increases risk.

Question 467 (MCQ, medium)

Refer to the exhibit. You are reviewing a Conditional Access policy JSON. What is the effect of this policy?

A. Blocks sign-ins from locations with high sign-in risk
B. Blocks sign-ins from users with high user risk
C. Blocks all sign-ins from any user
D. Requires multifactor authentication for high-risk users
Answer: B

The policy targets high user risk and blocks.

Why this answer

The policy JSON specifies `"userRiskLevels": ["high"]` under the conditions block, which means it targets only users whose user risk level is assessed as high by Microsoft Entra ID Protection. The grant control is set to `"builtInControls": ["block"]`, so the policy blocks sign-ins for those high-risk users. Option B is correct because the policy explicitly blocks sign-ins from users with high user risk, not sign-in risk or all users.

Exam trap

Microsoft often tests the distinction between `userRiskLevels` and `signInRiskLevels` in Conditional Access policies, and candidates frequently confuse the two, thinking a high user risk policy blocks sign-in risk events rather than user account risk.

How to eliminate wrong answers

Option A is wrong because the policy uses `userRiskLevels`, not `signInRiskLevels`; sign-in risk levels are a separate property in Conditional Access policies that assess the risk of a specific authentication attempt, not the user account. Option C is wrong because the policy has a condition targeting only high user risk levels, not all users; a block-all policy would omit the risk level condition or use an empty conditions block. Option D is wrong because the grant control is `"block"`, not `"mfa"`; requiring multifactor authentication would use `"mfa"` in the builtInControls array, and the policy does not include any authentication requirement.

Question 468 (Multi-Select, easy)

A company is designing a secure DevOps pipeline for deploying Azure App Service applications. They need to ensure that secrets are not exposed in source code. Which TWO practices should they implement?

Select 2 answers
A. Use Azure Key Vault references in App Service application settings
B. Implement Git pre-commit hooks to scan for secrets
C. Store secrets in Azure DevOps library variable groups
D. Use Azure Policy to audit for secret exposure
E. Use Azure Key Vault variables in Azure DevOps release pipelines
Answers: A, E

Secrets are retrieved at runtime from Key Vault.

Why this answer

Option A is correct because Azure Key Vault references allow App Service to securely retrieve secrets (e.g., connection strings, API keys) at runtime without storing them in source code or configuration files. The reference syntax @Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/) is resolved by the App Service platform, ensuring secrets are never exposed in the repository or build artifacts.

Exam trap

The trap here is that candidates confuse Azure DevOps library variable groups (which can be linked to Key Vault) with the direct use of Key Vault references in App Service settings, but the question specifically asks for practices that prevent secret exposure in source code, and variable groups still store the secret reference in the pipeline definition, which can be exposed in logs or YAML files.

Question 469 (Multi-Select, hard)

Which THREE components are required to implement a secure hybrid network architecture using Azure VPN Gateway? (Choose three.)

Select 3 answers
A. A local network gateway resource in Azure.
B. A connection resource with a shared key.
C. An ExpressRoute circuit.
D. A virtual network gateway in Azure.
E. An Azure Firewall.
Answers: A, B, D

The local network gateway represents the on-premises VPN device.

Why this answer

Options A, B, and D are correct. A: the local network gateway represents the on-premises VPN device. D: the virtual network gateway (VPN Gateway) is the Azure side.

B: the connection object ties them together with a shared key. Option C is wrong because ExpressRoute is a different connectivity method. Option E is wrong because Azure Firewall is not required for VPN.

Question 470 (MCQ, medium)

A company uses Microsoft Intune and wants to ensure that devices are compliant before accessing corporate resources. They create a Conditional Access policy that requires devices to be marked as compliant. However, some users report that they are blocked even though their device shows as compliant in Intune. What is the most likely cause?

A. The user's location is blocked by a location-based policy
B. The policy also requires MFA, and users haven't registered for MFA
C. The device is not registered in Microsoft Entra ID
D. The policy requires an app protection policy, which is not applied
Answer: C

Compliance check requires device registration.

Why this answer

Option C is correct because the device must be registered in Entra ID for the Conditional Access policy to evaluate its compliance status. Option B is incorrect because the policy is for compliant devices, not MFA. Option D is incorrect because the policy is for compliance, not app protection.

Option A is incorrect because location is not mentioned.

Question 471 (MCQ, medium)

A company uses Microsoft Defender for Cloud to assess the security posture of their hybrid environment. They need to ensure that all Azure subscriptions are evaluated against the same set of regulatory compliance standards. What should they configure?

A. Assign the standard to each subscription individually
B. Create an Azure Policy initiative and assign it to the management group
C. Assign the regulatory compliance standard to the management group containing all subscriptions
D. Use Microsoft Defender for Cloud's default policy
Answer: C

Management group scope applies to all child subscriptions.

Why this answer

Option C is correct because regulatory compliance standards in Microsoft Defender for Cloud are assigned at the management group scope, which automatically applies the standard to all subscriptions within that management group. This ensures consistent evaluation across the entire hybrid environment without needing per-subscription configuration. The assignment inherits down the hierarchy, so all subscriptions under the management group are assessed against the same compliance framework.

Exam trap

The trap here is that candidates confuse Azure Policy initiatives (used for custom compliance enforcement) with Defender for Cloud's regulatory compliance standards (which are pre-built frameworks assigned directly to management groups or subscriptions), leading them to select Option B instead of C.

How to eliminate wrong answers

Option A is wrong because assigning the standard to each subscription individually is inefficient and error-prone, and does not guarantee consistent application across all subscriptions; it also violates the principle of centralized management. Option B is wrong because Azure Policy initiatives are used to enforce custom policies and compliance rules, not to assign regulatory compliance standards in Defender for Cloud; Defender for Cloud uses its own built-in compliance standards (e.g., CIS, PCI DSS) that are assigned at the management group or subscription level, not via Azure Policy initiatives. Option D is wrong because Defender for Cloud's default policy only provides basic security recommendations and does not include regulatory compliance standards; you must explicitly assign a specific compliance standard (e.g., SOC 2, ISO 27001) to meet regulatory requirements.

Question 472 (MCQ, easy)

Your organization is deploying Microsoft Intune to manage Windows 11 devices. You need to ensure that devices automatically receive security updates and that users cannot defer updates. Which configuration profile setting should you configure?

A. Create a device configuration profile to enable automatic updates.
B. Create a Windows 10/11 Update Rings policy with a deadline for quality and feature updates.
C. Create a compliance policy that requires the device to have the latest updates installed.
D. Create an endpoint security policy for Windows Defender Antivirus to enforce update installation.
Answer: B

Update rings allow setting deadlines and grace periods to enforce automatic updates.

Why this answer

Option B is correct because the Update rings policy in Intune allows configuring Windows Update settings, including setting deadlines for updates to prevent deferral. Option C is wrong because compliance policies enforce device compliance but do not control update deferral. Option A is wrong because device configuration policies are for settings like BitLocker, not update rings.

Option D is wrong because endpoint security policies include antivirus and firewall, not update rings.

Question 473 (MCQ, medium)

A company uses Microsoft Sentinel for security operations. The SOC team needs to automatically respond to a specific type of incident involving a known malicious IP address. They want to create an automated response that blocks the IP at the firewall and creates a Teams notification. Which feature should they use?

A. UEBA to detect anomalous behavior
B. Watchlist to correlate IP addresses
C. Automation rule with a playbook
D. Analytics rule with scheduled query
Answer: C

Automation rules can trigger playbooks that perform automated actions.

Why this answer

Automation rules in Microsoft Sentinel allow you to trigger automated responses when incidents are created or updated. By associating a playbook (an Azure Logic Apps workflow) with the automation rule, you can execute actions such as blocking an IP at a firewall via a connector and posting a Teams notification. This directly meets the requirement for a two-step automated response triggered by a specific incident type.

Exam trap

The trap here is that candidates confuse the role of analytics rules (which generate incidents) with automation rules (which respond to incidents), leading them to choose option D, thinking a scheduled query can directly execute actions, whereas it only creates alerts or incidents.

How to eliminate wrong answers

Option A is wrong because UEBA (User and Entity Behavior Analytics) is used to detect anomalous behavior based on historical baselines, not to trigger automated responses to known malicious IPs. Option B is wrong because a Watchlist is a static or dynamic list of data (e.g., IP addresses) used for correlation in analytics rules or queries, but it does not itself execute automated actions like blocking or notifications. Option D is wrong because an analytics rule with a scheduled query generates alerts or incidents based on log data, but it cannot directly run multi-step automated responses; it requires an automation rule or playbook to act on the incident.

Question 474 (MCQ, hard)

You are the security architect for a large financial services company. The company has a hybrid environment with on-premises Active Directory, Azure AD, and multiple Azure subscriptions. They use Microsoft Sentinel as their SIEM and have deployed Microsoft Defender for Cloud to assess their cloud security posture. Recently, the security team discovered that a critical Azure SQL database was exposed to the internet with a firewall rule allowing 'AllowAllWindowsAzureIps'. This misconfiguration was not flagged by Defender for Cloud because the corresponding recommendation was disabled in the security policy. The company wants to prevent such misconfigurations in the future and ensure that all critical resources are covered by security recommendations. They also need to ensure that any changes to security policies are reviewed and approved. Which of the following actions should you recommend as the most comprehensive solution?

A. Review and enable all relevant security recommendations in Defender for Cloud, and implement a change management process using Azure Policy and a custom workflow that requires approval before modifying security policies.
B. Deploy Azure Monitor alerts on all SQL Server firewall rule changes and instruct the security team to manually review each change.
C. Assign the Contributor role to the security team on the subscription so they can directly modify firewall rules if needed.
D. Enable the specific recommendation for SQL Server firewall rules in Defender for Cloud and set up an automation rule to send alerts when the recommendation is triggered.
Answer: A

Comprehensive approach: ensures all recommendations are active and changes are controlled.

Why this answer

Option A is correct because it addresses the root cause—disabled security recommendations—by enabling all relevant recommendations in Defender for Cloud, and it enforces a change management process using Azure Policy with a custom approval workflow. This ensures that any modifications to security policies are reviewed and approved, preventing future misconfigurations like the 'AllowAllWindowsAzureIps' rule from going unnoticed. The combination of policy enforcement and approval workflow provides a comprehensive, automated governance layer that covers both detection and prevention.

Exam trap

The trap here is that candidates often focus on a single technical fix (like enabling a recommendation or setting an alert) rather than recognizing the need for a comprehensive governance solution that combines policy enforcement with a change management approval process to prevent and detect misconfigurations across all critical resources.

How to eliminate wrong answers

Option B is wrong because Azure Monitor alerts on firewall rule changes only provide reactive notifications; they do not prevent misconfigurations or ensure that security policies are reviewed and approved, leaving the manual review process prone to human error and delays. Option C is wrong because assigning the Contributor role to the security team grants them broad permissions to modify firewall rules directly, which increases the risk of unauthorized or accidental changes without any approval gate, contradicting the requirement for reviewed and approved changes. Option D is wrong because enabling only the specific recommendation for SQL Server firewall rules and setting up automation alerts is a narrow, reactive fix that does not address the broader need to ensure all critical resources are covered by security recommendations, nor does it implement a change management process for policy modifications.

475
MCQmedium

A company uses Microsoft Entra ID and wants to enable passwordless authentication for all users to reduce phishing risks. Users are already using Microsoft Authenticator for MFA. Which passwordless method should you prioritize?

A.Windows Hello for Business
B.FIDO2 security keys
C.Certificate-based authentication
D.Microsoft Authenticator passwordless sign-in
AnswerD

Leverages existing app and is user-friendly.

Why this answer

Option D is correct because the organization already uses Microsoft Authenticator for MFA, making the transition to passwordless sign-in via Authenticator the most seamless and cost-effective path. Each user already has the app registered to a device in their Entra ID account, so enabling phone sign-in adds the passwordless credential on top of that registration and the existing push-notification flow: the user approves a number-match prompt with a biometric or PIN gesture on the phone, and no additional hardware or certificate infrastructure is needed.

Exam trap

The trap here is that candidates may choose Windows Hello for Business (A) because it is a common passwordless option, but they overlook the requirement that it only works on Windows devices, not for all users across platforms.

How to eliminate wrong answers

Option A is wrong because Windows Hello for Business requires Windows devices and is not universally applicable to all users (e.g., mobile or non-Windows users). Option B is wrong because FIDO2 security keys require purchasing and distributing physical hardware, which adds cost and logistical overhead not justified when Authenticator is already deployed. Option C is wrong because certificate-based authentication requires a public key infrastructure (PKI) and certificate enrollment, which is more complex to deploy and manage than leveraging the existing Authenticator app.

476
MCQmedium

Your organization is deploying Microsoft Defender for Cloud Apps. You need to create a policy that blocks downloads of sensitive files from sanctioned cloud apps to unmanaged devices. What type of policy should you create?

A.Session policy
B.App discovery policy
C.Anomaly detection policy
D.Access policy
AnswerA

Session policies provide real-time session control, including blocking downloads.

Why this answer

Option A is correct because session policies in Defender for Cloud Apps use Conditional Access App Control to monitor and control the user's session in real time, including blocking downloads of files that match a sensitivity label or content inspection rule when the request comes from an unmanaged device (a condition evaluated through device tags or Intune compliance). Option D is wrong because access policies only allow or block the initial sign-in to the app; they cannot act on what happens inside the session, such as a download. Option B is wrong because app discovery policies are for discovering shadow IT from firewall and proxy logs.

Option C is wrong because anomaly detection policies detect unusual behavior and raise alerts; they do not block downloads.

477
Multi-Selecthard

A security operations center (SOC) uses Microsoft Sentinel. They want to automate incident response for common alerts. Which THREE components are required to build an automated response? (Choose three.)

Select 3 answers
A.Connectors
B.Workbooks
C.Playbooks
D.Watchlists
E.Automation rules
AnswersA, C, E

Connect to external services.

Why this answer

Connectors are required to ingest security events and alerts into Microsoft Sentinel from various data sources (e.g., Microsoft 365 Defender, Azure Active Directory, third-party SIEMs). Without connectors, there would be no alerts to trigger automated responses, making them a foundational component for any automated incident response workflow. Playbooks are Azure Logic Apps workflows that carry out the response actions themselves, such as disabling an account, isolating a device, or opening a ticket. Automation rules are the glue between the two: they run when an incident or alert is created or updated, match it against conditions such as severity, analytics rule, or tactics, and then run the playbook (or change the incident's status, owner, or tags) without analyst intervention.

Exam trap

The trap here is that candidates often confuse Workbooks (visualization) or Watchlists (data enrichment) as components of automation, when in fact they are passive tools that do not execute response actions.

478
Multi-Selecteasy

Which TWO configurations are required to enable Microsoft Defender for Cloud Apps to monitor cloud app usage?

Select 2 answers
A.Add app connectors for the cloud apps you want to monitor
B.Configure Microsoft Intune device compliance policies
C.Deploy Azure Information Protection scanner
D.Synchronize with Microsoft Entra ID
E.Enable Conditional Access App Control
AnswersA, E

App connectors enable API-based monitoring.

Why this answer

A is correct because Microsoft Defender for Cloud Apps requires app connectors to establish API-based connections with cloud applications (e.g., Office 365, Salesforce, AWS). These connectors enable the service to ingest activity logs, file metadata, and user sessions for monitoring and threat detection. Without app connectors, Defender for Cloud Apps cannot access the cloud app's data plane to perform its core monitoring functions. E is correct because Conditional Access App Control routes the app through the Defender for Cloud Apps reverse proxy, which is what gives the service visibility into, and control over, user sessions in real time; API connectors on their own see activity and files only after the fact. B is wrong because Intune compliance policies feed device state to Conditional Access but do not enable cloud app monitoring. C is wrong because the Azure Information Protection scanner classifies on-premises file shares. D is wrong because Defender for Cloud Apps is already tied to the tenant's Entra ID directory; there is no separate synchronization step that turns monitoring on.

Exam trap

The trap here is that candidates often confuse prerequisites (like Microsoft Entra ID sync) with the actual enabling configurations, or they assume device compliance policies (Intune) are required for cloud app monitoring when they are only relevant for conditional access grant controls.

479
MCQeasy

A company plans to use Microsoft Defender for Cloud to secure a multi-cloud environment including Azure, AWS, and GCP. What is the first step to enable multi-cloud visibility?

A.Enable all Defender plans for subscription
B.Connect AWS and GCP accounts using the cloud connectors in Defender for Cloud
C.Create custom compliance policies
D.Deploy Azure Arc agents on all cloud VMs
AnswerB

Defender for Cloud provides native connectors to onboard AWS and GCP accounts.

Why this answer

Option B is correct because you must first onboard the AWS and GCP accounts into Defender for Cloud through the native cloud connectors (Environment settings > Add environment); this is what builds the multicloud inventory and starts producing recommendations. Option D is wrong because Azure Arc onboards individual servers, whether on-premises or in another cloud, for server-level protection; it is a later, per-machine step and does not provide account-level visibility. Option A is wrong because Defender plans are enabled per connector after onboarding.

Option C is wrong because custom compliance policies are optional and presuppose that the accounts are already connected.

480
MCQeasy

Your company uses Microsoft Sentinel as a SIEM. You need to ensure that all Azure subscription activity logs are ingested into Sentinel. What is the most efficient way to configure this?

A.Configure diagnostic settings on the subscription to send logs to a Log Analytics workspace.
B.Create an Azure Logic App to periodically pull activity logs.
C.Enable the 'Azure Activity' data connector in Sentinel.
D.Manually export activity logs to a storage account and connect to Sentinel.
AnswerC

This automatically streams activity logs.

Why this answer

Option C is correct because the Azure Activity data connector is built for this purpose: it deploys the diagnostic setting on every in-scope subscription (through an Azure Policy assignment) and streams the activity log into the AzureActivity table of the Sentinel workspace. Option D is wrong because manually exporting to a storage account is neither automated nor streaming. Option A is wrong because configuring the diagnostic setting by hand, subscription by subscription, is exactly what the connector automates; doing it manually also gives you no connector status or bundled content in Sentinel.

Option B is wrong because a Logic App that polls the activity log is unnecessary overhead.

481
MCQmedium

Your organization uses Microsoft Sentinel for security operations. You need to ensure that incident investigations automatically enrich alerts with relevant user and device information from Microsoft Defender XDR and Microsoft Entra ID. What should you configure?

A.Enable Fusion detection for multistage attacks.
B.Create watchlists for user and device information and reference them in analytics rules.
C.Configure automation rules to trigger a playbook on alert creation.
D.Enable User and Entity Behavior Analytics (UEBA) and configure entity behavior settings.
AnswerD

UEBA enriches alerts by correlating user and device activities across data sources.

Why this answer

Option D is correct because Microsoft Sentinel's UEBA builds behavioral profiles for users and devices from the data sources you select (Entra ID sign-in and audit logs, Defender XDR, Azure activity, and others) and surfaces that context on entity pages and in the BehaviorAnalytics and IdentityInfo tables, which enrich alerts and incidents automatically. Option C is wrong because automation rules handle incident orchestration (assignment, tagging, running playbooks), not enrichment; a playbook could fetch extra data, but that is not the native mechanism. Option B is wrong because watchlists hold static reference data that you upload yourself and must join in each rule.

Option A is wrong because Fusion correlates alerts into multistage attack incidents; it does not enrich alerts with user and device context.

482
MCQmedium

Refer to the exhibit. You are reviewing an Azure Policy definition that denies deployment of virtual machines without encryption at host enabled. A developer reports they cannot deploy a VM that already has encryption at host enabled. What is the most likely cause?

A.The policy applies to all VMs regardless of encryption setting.
B.The policy effect is 'audit' instead of 'deny', so it does not block deployment.
C.The policy definition uses an incorrect field path for encryptionAtHost.
D.The policy is missing an exemption for the developer's subscription.
AnswerC

Azure Policy aliases name a property as the resource type, a slash, and then a dotted path into the resource's properties, for example 'Microsoft.Compute/virtualMachines/securityProfile.encryptionAtHost'. If the rule's field path does not match that alias (a typo, or slashes where the dotted path belongs), the condition never resolves to the VM's actual setting, so the deny matches VMs that do have encryption at host enabled.

Why this answer

Option C is correct because the policy rule's field path does not match the alias for the property; the correct alias is 'Microsoft.Compute/virtualMachines/securityProfile.encryptionAtHost'. A condition such as notEquals 'true' on a field that does not resolve is satisfied for every VM, so the deny fires even when the developer's VM has the setting enabled. Option B is wrong because the effect is deny, not audit; an audit effect would never block a deployment, and this one is being blocked.

Option A is wrong because 'applies to all VMs' describes the symptom, not the cause: the rule is written to exempt VMs with encryption at host, and only the bad field path makes it hit them all. Option D is wrong because an exemption for the developer's subscription would work around the problem while leaving the broken rule in place for everyone else.
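As an added example (not the exhibit from the question, and not a Microsoft built-in definition), here is a custom policy definition that does what the question describes, with the field path written as the real alias. The display name, parameter name, and default effect are assumptions; the alias itself is the form Azure Policy expects (resource type, then a dotted property path):

```json
{
  "properties": {
    "displayName": "Deny virtual machines without encryption at host (added example)",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Blocks VM create/update unless securityProfile.encryptionAtHost is true.",
    "parameters": {
      "effect": {
        "type": "String",
        "allowedValues": [ "Audit", "Deny", "Disabled" ],
        "defaultValue": "Deny"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/securityProfile.encryptionAtHost",
            "notEquals": "true"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

Two things to check before assigning something like this. First, confirm the alias exists in your tenant rather than guessing at it: `az provider show --namespace Microsoft.Compute --expand "resourceTypes/aliases" --query "resourceTypes[?resourceType=='virtualMachines'].aliases[].name"` lists every alias for the VM resource type. Second, note that `notEquals "true"` is also satisfied when the property is absent entirely, so a deployment that never sets encryptionAtHost is denied too; that is usually what you want, but it means templates must set the property explicitly rather than rely on a default.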

483
MCQhard

A company is planning their cloud governance strategy. They have multiple business units with varying compliance requirements. They need to enforce policies consistently across subscriptions while allowing some flexibility. Which Azure governance structure should they recommend?

A.Assign RBAC roles to each subscription owner.
B.Use a management group hierarchy with Azure Policy assignments and exemptions.
C.Create separate Azure AD tenants for each business unit.
D.Use Azure Blueprints with locked permissions.
AnswerB

Management groups allow inheritance; exemptions provide flexibility.

Why this answer

B is correct because a management group hierarchy allows the company to organize subscriptions by business unit or compliance requirement, then apply Azure Policy assignments at the management group level to enforce consistent policies across all subscriptions. Exemptions can be granted at lower scopes (e.g., specific subscriptions or resource groups) to provide the required flexibility while maintaining overall governance. This structure centralizes policy enforcement without requiring separate tenants or manual RBAC assignments.

Exam trap

The trap here is that candidates often confuse RBAC (access control) with Azure Policy (compliance enforcement), or assume that separate tenants or Blueprints are needed for isolation, when in fact management groups with policy exemptions provide the exact balance of consistency and flexibility required.

How to eliminate wrong answers

Option A is wrong because assigning RBAC roles to each subscription owner delegates access control but does not enforce consistent policies across subscriptions; RBAC controls who can manage resources, not what configurations or compliance rules must be applied. Option C is wrong because creating separate Azure AD tenants for each business unit isolates identities and policies completely, preventing centralized governance and increasing administrative overhead; it also breaks cross-tenant resource access and reporting. Option D is wrong because Azure Blueprints with locked permissions can define a repeatable environment, but locked permissions prevent any flexibility for business units to deviate when needed, and Blueprints are deprecated in favor of deployment stacks; they do not support the exemption-based flexibility required.

484
MCQeasy

Your company uses Microsoft Sentinel for security information and event management (SIEM). You need to design a solution that reduces alert fatigue by correlating low-fidelity alerts from multiple sources into a single high-fidelity incident. Which Microsoft Sentinel feature should you use?

A.Workbooks
B.Analytics rules with alert grouping enabled
C.Playbooks
D.Hunting queries
AnswerB

Analytics rules can correlate alerts and group them into incidents.

Why this answer

Analytics rules with alert grouping enabled allow you to configure a rule that correlates multiple low-fidelity alerts (e.g., from different data sources or detection types) into a single high-fidelity incident. When alert grouping is enabled, the rule groups alerts that occur within a specified time window and share common entities (such as IP addresses or user accounts), reducing alert fatigue by presenting one consolidated incident instead of many individual alerts.

Exam trap

The trap here is that candidates often confuse 'alert grouping' with 'playbook automation' or 'workbook visualization', thinking that any tool that reduces noise must involve automation or dashboards, rather than understanding that the correlation logic is built directly into the analytics rule configuration.

How to eliminate wrong answers

Option A is wrong because Workbooks are visualization tools that display data from queries and logs; they do not perform correlation or grouping of alerts into incidents. Option C is wrong because Playbooks are automated response workflows (based on Azure Logic Apps) that trigger on incidents or alerts but do not correlate or group alerts into a single incident. Option D is wrong because Hunting queries are ad-hoc, interactive searches for threats in raw log data; they do not automatically create incidents or group alerts.
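An added example of the configuration the explanation describes, written as an ARM resource for a Microsoft Sentinel scheduled analytics rule; this is not content from the page. The workspace name, rule GUID, KQL query, and thresholds are assumptions; the property names under incidentConfiguration are the ones the Microsoft.SecurityInsights/alertRules resource uses for alert grouping:

```json
{
  "type": "Microsoft.SecurityInsights/alertRules",
  "apiVersion": "2023-02-01",
  "scope": "Microsoft.OperationalInsights/workspaces/contoso-sentinel",
  "name": "a7d3f0c2-4b1e-4f6a-9c8d-1e2f3a4b5c6d",
  "kind": "Scheduled",
  "properties": {
    "displayName": "Password spray followed by successful sign-in (added example)",
    "enabled": true,
    "severity": "High",
    "query": "SigninLogs | where TimeGenerated > ago(1h) | summarize Failures = countif(ResultType != \"0\"), Successes = countif(ResultType == \"0\") by UserPrincipalName, IPAddress | where Failures >= 10 and Successes > 0",
    "queryFrequency": "PT1H",
    "queryPeriod": "PT1H",
    "triggerOperator": "GreaterThan",
    "triggerThreshold": 0,
    "suppressionEnabled": false,
    "suppressionDuration": "PT1H",
    "tactics": [ "CredentialAccess", "InitialAccess" ],
    "entityMappings": [
      {
        "entityType": "Account",
        "fieldMappings": [ { "identifier": "FullName", "columnName": "UserPrincipalName" } ]
      },
      {
        "entityType": "IP",
        "fieldMappings": [ { "identifier": "Address", "columnName": "IPAddress" } ]
      }
    ],
    "incidentConfiguration": {
      "createIncident": true,
      "groupingConfiguration": {
        "enabled": true,
        "reopenClosedIncident": false,
        "lookbackDuration": "PT5H",
        "matchingMethod": "Selected",
        "groupByEntities": [ "Account" ],
        "groupByAlertDetails": [],
        "groupByCustomDetails": []
      }
    }
  }
}
```

The grouping block is what turns many alerts into one incident: every alert this rule raises within the five-hour lookback window that maps to the same Account entity is attached to the existing open incident instead of creating a new one. The entityMappings matter because grouping by entity only works for entities the rule actually maps; with matchingMethod set to "AllEntities" instead, alerts would need to share every mapped entity (account and IP) to be grouped.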

485
MCQhard

A healthcare organization uses Microsoft Purview Information Protection to classify and protect patient data. They want to automatically apply a 'High Confidentiality' label to any document containing a patient ID pattern (###-####). The label should also encrypt the document. Which configuration should they use?

A.Retention label with auto-labeling policy
B.Data Loss Prevention (DLP) policy with a block action
C.Sensitivity label with auto-labeling for sensitive info types
D.Trainable classifier with a retention policy
AnswerC

Sensitivity labels can be configured to automatically apply based on sensitive info types (like patient ID pattern) and include encryption.

Why this answer

Option C is correct because a sensitivity label with an auto-labeling policy can match a sensitive information type (a built-in one, or a custom one defined with the ###-#### pattern as a regular expression) and apply a label whose settings encrypt the document. Option A is wrong because a retention label only manages retention and deletion, not encryption. Option B is wrong because a DLP policy detects sensitive content and blocks or alerts on it; it does not apply a label or encrypt the file.

Option D is wrong because a trainable classifier learns from sample documents and does not match a fixed pattern such as a patient ID.

486
MCQmedium

Your organization is implementing Microsoft Entra ID Conditional Access. You need to require multi-factor authentication (MFA) for all users accessing financial applications, but only when the sign-in risk is medium or higher. What is the most efficient way to achieve this?

A.Create a Microsoft Entra ID Protection user risk policy to require MFA
B.Enable MFA per user for all users in the financial team
C.Create a Conditional Access policy that targets all users, includes a named location, and requires MFA
D.Create a Conditional Access policy that targets the financial applications, uses sign-in risk as a condition, and requires MFA
AnswerD

This directly meets the requirement.

Why this answer

Option D is correct because it uses a single Conditional Access policy to target the specific financial applications and sets the sign-in risk condition to medium or higher, which triggers MFA only when the risk threshold is met. This approach is efficient as it avoids per-user MFA configuration and leverages Microsoft Entra ID Protection's risk detection to dynamically enforce MFA based on real-time sign-in risk, aligning with the principle of adaptive access control.

Exam trap

The trap here is that candidates often confuse user risk policies with sign-in risk conditions, or they default to per-user MFA or location-based policies, missing the precise combination of application scoping and risk-based conditions that the question requires.

How to eliminate wrong answers

Option A is wrong because a user risk policy in Microsoft Entra ID Protection targets user-level risk (e.g., compromised credentials) rather than sign-in risk, and it cannot be scoped to specific applications like financial apps; it would apply MFA based on user risk, not sign-in risk. Option B is wrong because enabling MFA per user forces MFA on every authentication for those users, regardless of sign-in risk level, which violates the requirement to only require MFA when risk is medium or higher and is less efficient than a risk-based policy. Option C is wrong because it includes a named location condition, which is irrelevant to sign-in risk, and targets all users without application scoping, meaning it would apply MFA to all applications for all users, not just financial apps when risk is elevated.

487
MCQeasy

A company wants to monitor and respond to threats across their entire digital estate, including on-premises servers, cloud workloads, and identities. Which Microsoft solution should they use as a central security information and event management (SIEM) and extended detection and response (XDR) platform?

A.Microsoft Intune
B.Microsoft Defender for Cloud
C.Microsoft Sentinel and Microsoft Defender XDR
D.Microsoft Purview
AnswerC

Sentinel provides SIEM, Defender XDR provides XDR.

Why this answer

Option C is correct because Microsoft Sentinel is the SIEM and SOAR solution, while Microsoft Defender XDR provides XDR across endpoints, identities, email, and cloud apps; the Defender XDR connector brings its incidents into Sentinel so the two operate as one platform. Option B is wrong because Microsoft Defender for Cloud is a cloud security posture management (CSPM) and cloud workload protection (CWP) tool, not a SIEM.

Option A is wrong because Microsoft Intune is for device management. Option D is wrong because Microsoft Purview is for data governance and compliance.

488
MCQhard

The exhibit shows a conditional access policy in Microsoft Entra ID. What will be the effect of this policy?

A.Allow all applications except Office365
B.Block all applications including Office365
C.Allow all applications including Office365
D.Block all applications except Office365
AnswerD

Excluded Office365 is not blocked.

Why this answer

The exhibit shows a Conditional Access policy that includes 'All cloud apps' in the target resources and is configured with a 'Block access' grant control. The 'Exclude' list contains 'Office365', meaning the policy applies to all applications except Office365. Therefore, the effect is to block access to all applications except Office365, making option D correct.

Exam trap

The trap here is that candidates often overlook the 'Exclude' list and assume that selecting 'All cloud apps' with 'Block access' blocks everything, but the exclusion of Office365 means it is not blocked.

How to eliminate wrong answers

Option A is wrong because the policy blocks access, not allows it; 'Allow all applications except Office365' would require an 'Allow' grant control, not 'Block'. Option B is wrong because Office365 is explicitly excluded from the policy, so it is not blocked; 'Block all applications including Office365' would require no exclusion for Office365. Option C is wrong because the policy blocks access, not allows it; 'Allow all applications including Office365' would require an 'Allow' grant control and no block action.

489
MCQhard

Refer to the exhibit. You are reviewing a Conditional Access policy in Azure AD. The policy requires MFA and a compliant device for all users and all cloud apps. Some users report that they are able to access apps without being prompted for MFA even though their devices are compliant. What is the most likely reason?

A.The policy does not include all cloud apps
B.The policy is set to 'Report-only' mode
C.The policy excludes specific locations
D.The policy does not include session controls to enforce MFA re-prompt
AnswerB

In report-only mode, policies are not enforced, so users are not prompted for MFA.

Why this answer

Option B is correct because a Conditional Access policy set to 'Report-only' mode evaluates the policy and logs results but does not enforce any controls, such as requiring MFA or a compliant device. Users can access apps without MFA prompts because the policy is not actively blocking or challenging them, even if their devices are compliant. This mode is used for testing before enabling enforcement.

Exam trap

The trap here is that candidates may overlook the 'Report-only' mode setting and assume the policy is enforcing controls, focusing instead on app scope or location exclusions, which are common red herrings in Conditional Access troubleshooting questions.

How to eliminate wrong answers

Option A is wrong because the policy explicitly states it includes 'all cloud apps,' so missing apps is not the issue. Option C is wrong because excluding specific locations would only bypass MFA for users from those locations, but the question states users report access without MFA even though devices are compliant, implying the issue is not location-based. Option D is wrong because session controls for MFA re-prompt are not required for initial MFA enforcement; the policy's grant controls (requiring MFA and compliant device) are sufficient to prompt MFA on first access, and the lack of re-prompt controls does not explain why MFA is never prompted.
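The two policies in the preceding questions, as an added example expressed in the JSON the Microsoft Graph conditionalAccess/policies endpoint accepts (this is illustrative, not the page's exhibit). The display names and the break-glass group GUID are assumptions; "All" and "Office365" are the identifiers Graph accepts for all cloud apps and the Office 365 app group, and the state values are the ones the API defines:

```json
[
  {
    "displayName": "Block all cloud apps except Office 365 (added example)",
    "state": "enabled",
    "conditions": {
      "users": {
        "includeUsers": [ "All" ],
        "excludeGroups": [ "00000000-0000-0000-0000-000000000001" ]
      },
      "applications": {
        "includeApplications": [ "All" ],
        "excludeApplications": [ "Office365" ]
      },
      "clientAppTypes": [ "all" ]
    },
    "grantControls": {
      "operator": "OR",
      "builtInControls": [ "block" ]
    }
  },
  {
    "displayName": "Require MFA and compliant device - report-only pilot (added example)",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
      "users": {
        "includeUsers": [ "All" ],
        "excludeGroups": [ "00000000-0000-0000-0000-000000000001" ]
      },
      "applications": {
        "includeApplications": [ "All" ]
      },
      "clientAppTypes": [ "all" ]
    },
    "grantControls": {
      "operator": "AND",
      "builtInControls": [ "mfa", "compliantDevice" ]
    }
  }
]
```

The first object is the exhibit from the earlier question: "All" in includeApplications plus "block" in the grant controls blocks everything, and the excludeApplications entry is the only reason Office 365 still works. The second object is the scenario in this question: the grant controls are exactly what the description says, but "enabledForReportingButNotEnforced" means sign-ins are only evaluated and logged (visible under Conditional Access insights and in the sign-in log's report-only tab), so nobody is prompted until state is changed to "enabled". The excluded emergency-access group is a standard precaution for any policy that can block all users, not something the questions mention.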

490
MCQhard

A global organization uses Microsoft Sentinel for SIEM and Microsoft Defender for Cloud for cloud security posture management. The security team notices that critical alerts from Azure Active Directory Identity Protection are not triggering automated response playbooks in Sentinel. The team needs to ensure that all high-severity Identity Protection risk detections automatically create incidents in Sentinel and trigger a playbook to block the user. What should the team configure?

A.Enable the Identity Protection data connector and create a Microsoft Security incident creation rule for Identity Protection.
B.Enable the Azure Active Directory Identity Protection data connector in Sentinel.
C.Configure diagnostic settings on Azure AD to stream logs to Sentinel and create a playbook automation rule.
D.Configure the Identity Protection connector with the 'Create incidents' toggle enabled.
AnswerA

This ensures alerts are ingested and incidents are created automatically.

Why this answer

Option A is correct because to have Identity Protection risk detections automatically create incidents in Microsoft Sentinel and trigger a playbook, you must first enable the Identity Protection data connector (which brings the alerts into Sentinel) and then create a Microsoft Security incident creation rule specifically for Identity Protection. This rule ingests the alerts as security incidents, and you can attach an automation rule to run a playbook (e.g., to block the user) when a high-severity incident is created. Without the incident creation rule, the alerts would be ingested as raw events but not automatically turned into incidents.

Exam trap

The trap here is that candidates confuse simply enabling a data connector (which only ingests data) with the separate requirement of creating an incident creation rule to transform those alerts into actionable incidents, leading them to pick Option B or D.

How to eliminate wrong answers

Option B is wrong because simply enabling the Azure AD Identity Protection data connector only ingests the alerts into Sentinel as raw data; it does not automatically create incidents or trigger playbooks. Option C is wrong because configuring diagnostic settings on Azure AD streams sign-in and audit logs, not Identity Protection risk detections; Identity Protection alerts are not sent via diagnostic settings and require the dedicated connector. Option D is wrong because the Identity Protection connector does not have a 'Create incidents' toggle; incident creation is handled by a separate Microsoft Security incident creation rule, not by a toggle on the connector itself.
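An added example of the two Sentinel resources that option A implies, as ARM template resources (not content from the page): a Microsoft Security incident creation rule scoped to Identity Protection, and an automation rule that runs a playbook when a matching high-severity incident is created. The workspace name, the GUIDs, the subscription and tenant placeholders, and the playbook name Block-EntraUser are assumptions; the productFilter string and the condition property names are the values the Microsoft.SecurityInsights resource provider defines:

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.SecurityInsights/alertRules",
      "apiVersion": "2023-02-01",
      "scope": "Microsoft.OperationalInsights/workspaces/contoso-sentinel",
      "name": "b2b5f1e0-5b1a-4c4e-9a1f-0d2e7c8a1001",
      "kind": "MicrosoftSecurityIncidentCreation",
      "properties": {
        "displayName": "Create incidents from Identity Protection high-severity detections (added example)",
        "enabled": true,
        "productFilter": "Azure Active Directory Identity Protection",
        "severitiesFilter": [ "High" ]
      }
    },
    {
      "type": "Microsoft.SecurityInsights/automationRules",
      "apiVersion": "2023-02-01",
      "scope": "Microsoft.OperationalInsights/workspaces/contoso-sentinel",
      "name": "b2b5f1e0-5b1a-4c4e-9a1f-0d2e7c8a1002",
      "properties": {
        "displayName": "Run Block-EntraUser on high-severity Identity Protection incidents (added example)",
        "order": 1,
        "triggeringLogic": {
          "isEnabled": true,
          "triggersOn": "Incidents",
          "triggersWhen": "Created",
          "conditions": [
            {
              "conditionType": "Property",
              "conditionProperties": {
                "propertyName": "IncidentSeverity",
                "operator": "Equals",
                "propertyValues": [ "High" ]
              }
            },
            {
              "conditionType": "Property",
              "conditionProperties": {
                "propertyName": "IncidentProviderName",
                "operator": "Equals",
                "propertyValues": [ "Azure Active Directory Identity Protection" ]
              }
            }
          ]
        },
        "actions": [
          {
            "order": 1,
            "actionType": "RunPlaybook",
            "actionConfiguration": {
              "logicAppResourceId": "/subscriptions/<subscription-id>/resourceGroups/rg-soc/providers/Microsoft.Logic/workflows/Block-EntraUser",
              "tenantId": "<tenant-id>"
            }
          }
        ]
      }
    }
  ]
}
```

The first resource is what was missing in the scenario: without it, the connector fills the SecurityAlert table but nothing becomes an incident, so an incident-triggered automation rule never fires. For the playbook to run, the Azure Security Insights service principal also needs the Microsoft Sentinel Automation Contributor role on the playbook's resource group, and the playbook's own identity needs a Graph permission such as User.EnableDisableAccount.All to disable the user; neither is expressed in the template above.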

491
MCQhard

Refer to the exhibit. You are reviewing an ARM template snippet for an Azure Storage container. Which security best practice does this configuration enforce?

A.Disables anonymous public access to the container
B.Allows public access from the internet
C.Configures a firewall rule to restrict access to specific IPs
D.Enables encryption at rest for the container
AnswerA

Setting publicAccess to None disables anonymous access.

Why this answer

The ARM template snippet sets the `publicAccess` property of the container to `None`, which disables anonymous (unauthenticated) access to the blobs in that container. Anonymous access is only possible when the storage account permits it (`allowBlobPublicAccess`, which defaults to false on newly created accounts) and the container is set to `Blob` or `Container`; setting the container to `None` keeps it private even if the account-level setting is relaxed later, so the two settings are complementary rather than one overriding the other.

Exam trap

The trap here is that candidates may confuse the container-level `publicAccess` property with storage account-level firewall rules or encryption settings, leading them to select options that describe unrelated security features.

How to eliminate wrong answers

Option B is wrong because allowing public access from the internet is the opposite of the security best practice; the snippet disables public access, not enables it. Option C is wrong because the snippet does not include any `networkAcls` or `ipRules` properties; firewall rules are configured at the storage account level, not within a container resource definition. Option D is wrong because encryption at rest is enabled by default for Azure Storage and is not controlled by the `publicAccess` property; the snippet does not reference any encryption settings.
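Because the container setting only does part of the job, here is an added example (not the page's exhibit) of a storage account template that closes anonymous access at both levels and adds the transport hardening usually deployed alongside it. The account name, container name, and SKU are assumptions; the property names are those of the Microsoft.Storage resource provider:

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "apiVersion": "2023-01-01",
      "name": "stcontosoprivate01",
      "location": "[resourceGroup().location]",
      "sku": { "name": "Standard_LRS" },
      "kind": "StorageV2",
      "properties": {
        "allowBlobPublicAccess": false,
        "supportsHttpsTrafficOnly": true,
        "minimumTlsVersion": "TLS1_2",
        "allowSharedKeyAccess": false,
        "networkAcls": {
          "defaultAction": "Deny",
          "bypass": "AzureServices"
        }
      }
    },
    {
      "type": "Microsoft.Storage/storageAccounts/blobServices/containers",
      "apiVersion": "2023-01-01",
      "name": "stcontosoprivate01/default/reports",
      "dependsOn": [
        "[resourceId('Microsoft.Storage/storageAccounts', 'stcontosoprivate01')]"
      ],
      "properties": {
        "publicAccess": "None"
      }
    }
  ]
}
```

`allowBlobPublicAccess: false` on the account is the control that makes `publicAccess: "None"` on the container unnecessary in the strict sense, but keeping both means a later change to one of them does not silently expose data. `allowSharedKeyAccess: false` forces Entra ID authorization for data-plane calls, which breaks clients that still use account keys or key-derived SAS tokens, so confirm that before adopting it; `networkAcls` is the storage account firewall the question's option C refers to, and it lives on the account resource, not the container.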

492
MCQmedium

Your organization uses Microsoft Sentinel to centralize security logs from multiple clouds. They need to ensure that logs from Amazon Web Services (AWS) are ingested and analyzed for threats. Which connector should you implement?

A.Microsoft Defender for Cloud
B.Azure Monitor Agent
C.AWS S3 connector
D.Azure Event Hubs
AnswerC

The AWS S3 connector ingests CloudTrail logs into Sentinel.

Why this answer

The AWS S3 connector is the correct choice because it is the native Microsoft Sentinel data connector designed specifically to ingest AWS CloudTrail logs (and other AWS service logs) from an S3 bucket. It uses an AWS Simple Queue Service (SQS) to poll for new log files, then streams them into Sentinel for analysis, enabling threat detection across multi-cloud environments.

Exam trap

The trap here is that candidates may confuse Microsoft Defender for Cloud (a security posture tool) with a log ingestion connector, or assume Azure Event Hubs is the default streaming solution for all external logs, overlooking the purpose-built AWS S3 connector that handles the specific S3-to-Sentinel pipeline.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud is a cloud security posture management (CSPM) and workload protection tool, not a log ingestion connector for AWS; it does not directly pull raw logs from S3 into Sentinel. Option B is wrong because Azure Monitor Agent (AMA) is designed to collect telemetry from Azure VMs and on-premises machines via Data Collection Rules, not from external cloud storage like AWS S3. Option D is wrong because Azure Event Hubs is a data streaming platform that can receive logs from external sources, but it is not a pre-built Sentinel connector for AWS; using it would require custom configuration and additional components to replicate the S3 connector's functionality.

493
Multi-Selectmedium

Your organization is designing a data protection strategy using Microsoft Purview. You need to classify and label all sensitive data stored in Azure SQL Database. The solution must automatically detect credit card numbers and apply a sensitivity label. Which three actions should you take? (Choose three.)

Select 3 answers
A.Enable Azure SQL Database auditing
B.Create a scan in Purview to classify sensitive data types
C.Register the Azure SQL Database as a data source in Microsoft Purview
D.Create a data loss prevention (DLP) policy in Purview
E.Create a sensitivity label with auto-labeling for credit card numbers and publish it
AnswersB, C, E

Scanning discovers sensitive data.

Why this answer

Options B, C, and E are correct because to automatically classify and label data in Azure SQL Database you need to register the database as a data source in Purview, run a scan that classifies columns against sensitive information types (credit card number is a built-in type), and create and publish a sensitivity label with auto-labeling so that the classified columns receive the label. Option D is wrong because DLP policies act on data in use and in motion; they do not classify or label the database. Option A is wrong because enabling auditing records who accessed the database; it does not classify or label anything.

494
Multi-Selecthard

Your organization is deploying a new application on Azure Kubernetes Service (AKS). You need to secure container access to Azure resources using managed identities. Which THREE components are required? (Choose THREE.)

Select 3 answers
A.Pod identity (e.g., aad-pod-identity)
B.Azure AD pod-managed identity (or workload identity)
C.Azure Container Registry
D.Azure Key Vault for secret storage
E.Azure Firewall
AnswersA, B, D

Assigns identity to pods.

Why this answer

Options A, B, and D are correct. Options A and B both describe assigning an identity to the pod: the older aad-pod-identity project, which is deprecated, and its replacement, Microsoft Entra Workload ID, which federates a Kubernetes service account with a user-assigned managed identity so the pod can obtain Entra ID tokens without any stored credential. Azure Key Vault (D) holds the application secrets and certificates that the workload then reads using that identity. Option C is incorrect because Azure Container Registry stores images, not identities.

Option E is incorrect because Azure Firewall is for network security.

495
MCQmedium

A company uses Azure Firewall to inspect outbound traffic from a hub virtual network. They need to ensure that traffic from a spoke virtual network to a specific SaaS application (api.contoso.com) bypasses the firewall for performance reasons. What is the most efficient way to achieve this?

A.Configure an application rule in Azure Firewall with a 'Bypass' action for api.contoso.com.
B.Add a user-defined route (UDR) in the spoke virtual network's route table with destination api.contoso.com and next hop type 'Internet'.
C.Enable service endpoints for Microsoft.Storage in the spoke subnet.
D.Create a network rule in Azure Firewall to allow traffic to api.contoso.com and deny all other traffic.
AnswerB

This bypasses the firewall by routing traffic directly to the internet.

Why this answer

Option B is correct because adding a user-defined route (UDR) in the spoke virtual network's route table with next hop type 'Internet' for the destination of api.contoso.com sends that traffic directly to the internet instead of to the firewall, with no firewall rule changes. In practice the route's destination is an address prefix, not a name: you add a route for the IP range(s) that api.contoso.com resolves to, and because a more specific prefix wins over the 0.0.0.0/0 route that points at the firewall, only that traffic bypasses inspection. The trade-off is that the SaaS provider's address ranges must be known and kept current, and that the bypassed traffic is no longer logged by the firewall.

Exam trap

The trap here is that candidates assume Azure Firewall can be configured to 'bypass' itself via a rule action, but Azure Firewall rules only allow or deny traffic—they cannot redirect traffic away from the firewall; only UDRs can change the next hop to bypass the firewall entirely.

How to eliminate wrong answers

Option A is wrong because Azure Firewall application rules do not support a 'Bypass' action; they only support 'Allow' or 'Deny' actions, so you cannot configure a rule to selectively skip firewall inspection. Option C is wrong because service endpoints are designed for private access to Azure PaaS services (like Microsoft.Storage) over the Azure backbone, not for bypassing firewall inspection for a third-party SaaS application like api.contoso.com. Option D is wrong because creating a network rule to allow traffic to api.contoso.com still forces traffic through the firewall, which defeats the requirement to bypass it for performance reasons; network rules also cannot use FQDNs as destinations (they require IP addresses or CIDR ranges).

496
MCQ · hard

You are the security architect for a multinational corporation that uses Microsoft 365 E5 licenses. The company has deployed Microsoft Sentinel in a central Azure subscription, and all subsidiaries stream their logs to this workspace. The SOC team uses Microsoft 365 Defender to investigate incidents. Recently, the company experienced a sophisticated phishing campaign that bypassed Exchange Online Protection (EOP) and resulted in credential theft for several users. The SOC team manually created incidents in Sentinel for each compromised user. However, they want to automate the creation of Sentinel incidents from Microsoft 365 Defender alerts. Additionally, they want to ensure that when a user is confirmed compromised, a playbook automatically disables the user's account in Azure AD and resets their password. The SOC team has already deployed the Microsoft 365 Defender data connector in Sentinel and enabled streaming of alerts. However, no incidents are being created automatically from Defender alerts. You need to recommend a solution to automate incident creation and response. What should you do?

A. Configure the Microsoft 365 Defender connector to send alerts to a Logic App that creates incidents.
B. Create a Microsoft Security incident creation rule for Microsoft 365 Defender, and create an automation rule that triggers a playbook to disable the user and reset the password.
C. Enable the Microsoft 365 Defender connector by selecting the 'Create incidents' checkbox.
D. Create an analytics rule that queries Microsoft 365 Defender alerts and creates incidents.
Answer: B

This automates incident creation from Defender alerts and triggers the playbook for response.

Why this answer

Option B is correct because it uses a Microsoft Security incident creation rule, which is the proper method to automatically generate Sentinel incidents from Microsoft 365 Defender alerts. The automation rule then triggers a playbook to disable the user in Azure AD and reset their password, fulfilling the automated response requirement. This approach aligns with Sentinel's native integration for Microsoft 365 Defender, where alerts are ingested via the data connector but incidents require a dedicated rule to be created.

Exam trap

The trap here is that candidates often confuse the 'Create incidents' checkbox on the data connector with the actual incident creation rule, assuming that enabling the checkbox alone will generate incidents, when in fact it only ingests alerts and requires a separate Microsoft Security incident creation rule to transform those alerts into incidents.

How to eliminate wrong answers

Option A is wrong because configuring the Microsoft 365 Defender connector to send alerts directly to a Logic App bypasses Sentinel's incident management pipeline, requiring custom development and not leveraging Sentinel's built-in incident creation and automation capabilities. Option C is wrong because the 'Create incidents' checkbox in the Microsoft 365 Defender connector enables the ingestion of alerts into Sentinel's raw data tables (e.g., SecurityAlert), but does not automatically create Sentinel incidents; incidents require a separate incident creation rule. Option D is wrong because an analytics rule that queries Microsoft 365 Defender alerts would create incidents based on scheduled queries, which is inefficient and duplicates effort, whereas the Microsoft Security incident creation rule is specifically designed to create incidents directly from security alerts streamed via the connector.

497
MCQ · hard

Your organization is planning to use Azure Bastion for secure RDP/SSH access to Azure VMs. You need to ensure that Bastion can reach the VMs in a spoke virtual network that is connected to a hub via VNet peering. The hub has an Azure Firewall. What is the minimal configuration required?

A. Assign a public IP address to each VM. Deploy Azure Bastion in the hub VNet.
B. Deploy Azure Bastion in the hub VNet. Ensure the spoke VNet is peered to the hub VNet.
C. Deploy Azure Bastion in the spoke VNet. Configure Azure Firewall to allow traffic from Bastion to the VMs.
D. Deploy Azure Bastion in the hub VNet. Ensure the spoke VNet has a route to the Bastion subnet.
Answer: B

Bastion in hub can connect to peered spoke VMs using private IPs.

Why this answer

Option D is correct because Azure Bastion does not require public IPs on VMs nor does it need to traverse the firewall; it uses private IPs and the Bastion host in the same or peered VNet. Option A is wrong because VMs do not need public IPs with Bastion. Option B is wrong because Bastion does not need to go through the firewall; it uses direct private IP connectivity.

Option C is wrong because Bastion does not need a public IP on the VM.

498
MCQ · easy

Your company has a hybrid identity environment with Microsoft Entra ID and on-premises Active Directory. You need to ensure that user passwords are synchronized securely and that password changes on-premises are reflected in the cloud quickly. Which tool should you configure?

A. Microsoft Entra Connect
B. Azure AD Connect
C. Active Directory Federation Services (AD FS)
D. Microsoft Identity Manager
Answer: A

Entra Connect synchronizes passwords securely.

Why this answer

Option B is correct because Azure AD Connect synchronizes identities and passwords with hash synchronization. Option A is wrong because Microsoft Entra Connect is the same as Azure AD Connect. Option C is wrong because AD FS is for federation, not password synchronization.

Option D is wrong because Microsoft Identity Manager is for identity governance, not synchronization.

499
MCQ · hard

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You need to automatically create incidents in Sentinel for high-severity alerts from Defender XDR. You also want to suppress low-severity alerts to reduce noise. What should you configure?

A. Configure the Microsoft Defender XDR connector to create incidents only for high severity.
B. Configure an automation rule to create incidents for all alerts.
C. Create a playbook that triggers on alerts and creates incidents.
D. Create a scheduled analytics rule that queries Defender XDR alerts with a severity filter and creates incidents.
Answer: D

Scheduled rules can create incidents from alerts with severity filtering.

Why this answer

Option D is correct because you can create an analytics rule that filters by severity and maps alerts to incidents. Option B is wrong because automation rules can create incidents but are not the primary method for ingesting alerts. Option C is wrong because a playbook would be reactive.

Option A is wrong because the incident creation rule is not a thing.

500
MCQ · hard

Your enterprise uses Microsoft Defender for Cloud to secure a hybrid cloud environment spanning Azure and AWS. You need to design a solution that prioritizes remediation of the most critical vulnerabilities across both clouds based on Common Vulnerability Scoring System (CVSS) scores, exploitability, and business impact. Which Defender for Cloud feature should you use?

A. Security Explorer
B. Regulatory Compliance Dashboard
C. Secure Score
D. Adaptive Application Controls
Answer: A

Security Explorer enables querying and prioritizing vulnerabilities across clouds.

Why this answer

Security Explorer (now part of Microsoft Defender for Cloud's Cloud Security Explorer) provides a graph-based query interface that allows you to identify and prioritize vulnerabilities across Azure and AWS based on CVSS scores, exploitability, and business impact. It enables you to filter by multiple dimensions (e.g., internet exposure, data sensitivity, attack path) to pinpoint the most critical risks, directly addressing the requirement to prioritize remediation across both clouds.

Exam trap

The trap here is that candidates often confuse Secure Score with vulnerability prioritization, but Secure Score only measures compliance with security recommendations and does not factor in CVSS scores or exploitability to rank individual vulnerabilities.

How to eliminate wrong answers

Option B is wrong because the Regulatory Compliance Dashboard focuses on mapping your cloud environment to compliance standards (e.g., SOC 2, PCI DSS) and does not prioritize vulnerabilities by CVSS score, exploitability, or business impact. Option C is wrong because Secure Score provides an overall security posture percentage based on control recommendations, but it does not allow granular prioritization of individual vulnerabilities by CVSS or exploitability across multi-cloud environments. Option D is wrong because Adaptive Application Controls is a just-in-time and whitelisting feature for controlling which applications can run on Azure VMs, not a vulnerability prioritization tool.

501
MCQ · hard

Contoso is a financial services company migrating critical workloads to Azure. They must comply with PCI DSS and have a Security Operations Center (SOC) team that uses Microsoft Sentinel. The CISO wants to ensure that the security posture aligns with Microsoft's cybersecurity reference architecture (MCRA). You need to design a solution that includes the following requirements: 1) All Azure subscriptions must be managed under a single management group hierarchy with consistent policies. 2) The SOC must have a centralized view of security alerts across all resources, including on-premises servers and multi-cloud environments. 3) Privileged access to Azure resources must be protected using just-in-time (JIT) access and Privileged Identity Management (PIM). 4) Compliance with PCI DSS must be continuously monitored and reported. 5) The solution must minimize operational overhead. What should you include in the design?

A. Create separate management groups per business unit. Enable Microsoft Defender for Cloud on each subscription individually. Use Azure Policy to assign PCI DSS policies per subscription. Configure PIM at the tenant root management group. Use a third-party SIEM to aggregate alerts.
B. Deploy a single management group containing all subscriptions. Enable Microsoft Defender for Cloud with the 'PCI DSS v3.2.1' regulatory compliance dashboard on the management group. Configure Azure Policy to enforce security standards. Enable PIM and configure JIT VM access. Use Microsoft Sentinel as the SIEM, connecting it to Defender for Cloud and on-premises security sources.
C. Deploy a management group hierarchy with policies inherited. Use Microsoft Defender for Cloud's secure score to monitor compliance manually. Implement PIM without JIT. Use Microsoft Sentinel but only for cloud workloads.
D. Use a single management group with Azure Policy to enforce PCI DSS controls. Rely on Azure Monitor for security alerts. Do not enable Defender for Cloud to reduce costs. Use PIM for privileged roles. Connect on-premises logs to a Log Analytics workspace for the SOC.
Answer: B

Provides centralized management, continuous compliance monitoring, integrated PIM/JIT, and a single SIEM for the SOC.

Why this answer

Option B is correct because it provides a centralized management group structure for policy enforcement, uses Microsoft Defender for Cloud for continuous compliance monitoring and multicloud visibility, and integrates PIM and JIT for privileged access. Microsoft Sentinel can ingest alerts from Defender for Cloud. Option A is less effective because it lacks centralized policy management and uses separate Defender for Cloud instances.

Option D is wrong because it relies on Azure Policy alone without the compliance monitoring and threat detection capabilities of Defender for Cloud. Option C is wrong because it bypasses policy enforcement at the management group level and uses manual processes.

502
MCQ · medium

Your organization is planning to deploy Microsoft Purview Information Protection to classify and protect sensitive data. You need to design a solution that automatically applies sensitivity labels to documents containing personally identifiable information (PII) when they are uploaded to SharePoint Online. Which configuration should you use?

A. Set a default sensitivity label for the SharePoint site
B. Use trainable classifiers to identify PII and apply labels
C. Create an auto-labeling policy that uses a sensitive info type for PII
D. Configure a manual labeling policy that prompts users to classify documents
Answer: C

Auto-labeling policies can automatically apply labels based on detection of sensitive information types like PII.

Why this answer

Option C is correct because Microsoft Purview auto-labeling policies can automatically apply sensitivity labels to documents containing PII when they are uploaded to SharePoint Online. By configuring a policy with a sensitive info type (e.g., U.S. Social Security Number) as the condition, the service scans content at rest and applies the label without user intervention, meeting the requirement for automatic classification.

Exam trap

The trap here is confusing trainable classifiers with sensitive info types; candidates often pick trainable classifiers because they sound like a smart AI solution, but they are designed for broader content categories, not specific PII patterns like SSNs or credit card numbers.

How to eliminate wrong answers

Option A is wrong because setting a default sensitivity label for a SharePoint site applies a label to all new documents in that site, but it does not automatically detect and label only those containing PII; it labels everything regardless of content. Option B is wrong because trainable classifiers are used for pattern-based content categorization (e.g., contracts or resumes) and are not designed to identify specific PII data types like credit card numbers or SSNs; sensitive info types are the correct mechanism for PII detection. Option D is wrong because a manual labeling policy requires users to classify documents themselves, which does not meet the requirement for automatic labeling upon upload.

503
MCQ · easy

Your organization is migrating to Microsoft 365 and wants to implement a defense-in-depth strategy for email security. Which combination of Microsoft services should you use?

A. Microsoft Defender for Office 365 and Exchange Online Protection
B. Microsoft Purview Compliance Manager and Microsoft Defender for Cloud Apps
C. Microsoft Intune and Microsoft Entra ID
D. Microsoft Sentinel and Microsoft Defender for Identity
Answer: A

Defender for Office 365 provides advanced threat protection, and EOP provides baseline filtering.

Why this answer

Defense-in-depth for email security requires layered protection at the transport, filtering, and post-delivery stages. Exchange Online Protection (EOP) provides baseline anti-malware, anti-spam, and transport rules, while Microsoft Defender for Office 365 adds advanced threat protection like Safe Attachments, Safe Links, and anti-phishing policies that inspect URLs and attachments in real time. Together, they cover the full email threat chain from ingress to user interaction.

Exam trap

The trap here is that candidates confuse compliance or identity services with email security layers, forgetting that defense-in-depth for email specifically requires both transport-level (EOP) and post-delivery (Defender for Office 365) protections.

How to eliminate wrong answers

Option B is wrong because Microsoft Purview Compliance Manager focuses on compliance posture and risk assessments, not on email security filtering or threat detection. Option C is wrong because Microsoft Intune manages device compliance and application policies, and Microsoft Entra ID handles identity and access management; neither provides email transport or content inspection. Option D is wrong because Microsoft Sentinel is a SIEM for centralized security analytics and Microsoft Defender for Identity detects on-premises Active Directory attacks; they do not directly protect email transport or attachments.

504
MCQ · easy

Your organization wants to implement a security baseline for Azure resources using built-in policies. Which Azure service should you use to assign policies that enforce compliance with security best practices?

A. Azure Blueprints
B. Microsoft Defender for Cloud
C. Azure Policy
D. Azure Role-Based Access Control (RBAC)
Answer: C

Azure Policy enforces compliance rules on Azure resources, aligning with security baselines.

Why this answer

Azure Policy is the correct service because it allows you to create, assign, and manage policies that enforce specific rules and effects on your Azure resources. These policies can be used to implement a security baseline by ensuring resources comply with built-in security best practices, such as requiring encryption or restricting resource types. Azure Policy evaluates resources against assigned policies and can automatically remediate non-compliant resources.

Exam trap

The trap here is that candidates often confuse Azure Policy with Microsoft Defender for Cloud, thinking Defender for Cloud is the tool for enforcing security baselines, but Defender for Cloud only recommends policies and monitors compliance, while Azure Policy is the actual service that enforces them.

How to eliminate wrong answers

Option A is wrong because Azure Blueprints is used to orchestrate the deployment of resource templates, policies, and role assignments as a repeatable set of artifacts, but it is not the service for directly assigning and enforcing individual policies; it can include Azure Policy definitions as part of a blueprint, but the core policy enforcement mechanism is Azure Policy itself. Option B is wrong because Microsoft Defender for Cloud provides security posture management, threat detection, and recommendations based on security benchmarks, but it does not directly assign or enforce policies; it can integrate with Azure Policy to apply regulatory compliance initiatives, but the assignment and enforcement of policies is done through Azure Policy. Option D is wrong because Azure Role-Based Access Control (RBAC) manages who has access to Azure resources and what actions they can perform, but it does not enforce compliance rules or security baselines on resource configurations; RBAC is about authorization, not about ensuring resources meet specific security standards.

505
MCQ · hard

You are designing a data classification strategy for Microsoft Purview. The compliance team requires that documents containing personally identifiable information (PII) like credit card numbers are automatically labeled and encrypted when stored in Microsoft SharePoint Online. The solution must use built-in sensitive information types. What should you include in the design?

A. Create a sensitivity label with auto-labeling for credit card numbers and enable encryption
B. Create a retention label and apply it automatically via a data loss prevention (DLP) policy
C. Use a trainable classifier to detect PII and apply a sensitivity label
D. Configure a manual sensitivity label policy for users to apply
Answer: A

This automatically labels and encrypts documents containing PII.

Why this answer

Option A is correct because a sensitivity label with auto-labeling for content matching a sensitive information type (like credit card number) and encryption can be applied to SharePoint documents automatically. Option B is wrong because retention labels do not enforce encryption. Option C is wrong because trainable classifiers require custom training.

Option D is wrong because manual labeling is not automatic.

506
MCQ · hard

A company uses Azure Cosmos DB with Microsoft Defender for Cloud to protect its NoSQL database. The security team wants to audit all data plane operations for compliance. Which diagnostic setting should they enable?

A. MongoRequests
B. PartitionKeyStatistics
C. QueryRuntimeStatistics
D. DataPlaneRequests
Answer: D

This log records all data plane operations including CRUD on items.

Why this answer

Option D is correct because DataPlaneRequests logs contain all data plane operations. Option C is wrong because QueryRuntimeStatistics logs query execution stats, not operations. Option A is wrong because MongoRequests logs MongoDB operations only.

Option B is wrong because PartitionKeyStatistics logs partition statistics.

507
Multi-Select · easy

A company uses Microsoft Defender for Cloud to secure their Azure workloads. They need to ensure that all Azure SQL databases have threat detection enabled. Which TWO actions should they take? (Choose two.)

Select 2 answers
A. Enable Microsoft Defender for Cloud's 'SQL servers on machines' plan
B. Enable Azure Defender for SQL at the subscription level
C. Configure SQL Vulnerability Assessment
D. Enable Advanced Threat Protection on each SQL server individually
E. Configure SQL auditing on each database
Answers: A, B

This plan enables threat detection for SQL servers, including Azure SQL databases.

Why this answer

Enabling Azure Defender for SQL at the subscription level (Option B) automatically enables threat detection for all SQL databases. Option A is correct because Defender for Cloud can enable Microsoft Defender for SQL as a plan. Option E is wrong because enabling individual audit policies is not necessary for threat detection.

Option D is wrong because Advanced Threat Protection is part of the Azure SQL security settings, but the plan is enabled at the subscription level. Option C is wrong because vulnerability assessment is a separate feature.

508
Multi-Select · hard

A multinational corporation is designing a data classification strategy for Microsoft 365. They have the following requirements: (1) Documents containing financial data must be labeled as 'Confidential' automatically. (2) Labels must be applied based on content patterns, such as credit card numbers. (3) The solution must work across Exchange Online, SharePoint Online, and OneDrive for Business. Which two components are essential?

Select 2 answers
A. Azure Information Protection (AIP) unified labeling client
B. Sensitivity labels in Microsoft Purview Information Protection
C. Data Loss Prevention (DLP) policies in Microsoft 365 Security & Compliance Center
D. Retention policies in Microsoft 365 Compliance Center
E. Auto-labeling policies in Microsoft Purview Compliance Portal
Answers: B, E

Sensitivity labels are the core classification mechanism.

Why this answer

Sensitivity labels in Microsoft Purview Information Protection are the core technology for classifying and protecting data based on content patterns. They support automatic labeling via auto-labeling policies that scan for sensitive data types (e.g., credit card numbers) and can apply labels across Exchange Online, SharePoint Online, and OneDrive for Business. This directly meets all three requirements: automatic labeling, pattern-based detection, and cross-workload coverage.

Exam trap

Microsoft often tests the distinction between DLP policies (which enforce actions on sensitive data) and auto-labeling policies (which apply sensitivity labels based on content patterns), causing candidates to mistakenly select DLP policies when the requirement is for automatic labeling.

509
MCQ · medium

A company is designing a microservices architecture on Azure Kubernetes Service (AKS). They need to secure communication between services using mutual TLS (mTLS). Which solution should they implement?

A. Azure Application Gateway
B. Azure Firewall
C. Azure API Management
D. Istio service mesh
Answer: D

Provides mTLS for microservices.

Why this answer

Istio service mesh is the correct solution because it provides a dedicated infrastructure layer for managing service-to-service communication, including automatic mutual TLS (mTLS) between microservices. Istio injects Envoy sidecar proxies into each pod, which handle encryption, authentication, and authorization without requiring application code changes. This enables zero-trust network security within the AKS cluster.

Exam trap

The trap here is that candidates often confuse ingress/egress security appliances (like Application Gateway or API Management) with internal service-to-service security, assuming a gateway can handle mTLS for east-west traffic when it is designed only for north-south traffic.

How to eliminate wrong answers

Option A is wrong because Azure Application Gateway is a Layer 7 load balancer and web application firewall (WAF) that operates at the ingress edge, not within the cluster for east-west traffic; it cannot enforce mTLS between individual microservices. Option B is wrong because Azure Firewall is a stateful network firewall that filters traffic at the network and application layers but does not provide service-level identity or mTLS capabilities for pod-to-pod communication. Option C is wrong because Azure API Management is an API gateway for managing external APIs and does not handle internal service-to-service mTLS within the AKS cluster; it lacks sidecar proxy injection and service mesh features.

510
Multi-Select · hard

You are designing a secure CI/CD pipeline for deploying infrastructure as code (ARM templates) to Azure. The solution must detect drift from the desired state and prevent deployment of non-compliant resources. Which THREE Azure services should you incorporate?

Select 3 answers
A. Azure Blueprints
B. Azure Monitor
C. Azure DevOps with policy checks in pipeline
D. Azure Policy
E. Azure Resource Graph
Answers: A, C, D

Defines the desired state of resources.

Why this answer

Correct answers: A, C, D. Azure Policy can evaluate compliance before deployment, Azure Blueprints (or its replacement, deployment stacks) define the desired state, and Azure DevOps pipelines can run pre-deployment checks. Option E is incorrect: Azure Resource Graph is for querying resources, not enforcing.

Option B is incorrect: Azure Monitor is for monitoring, not drift detection.

511
MCQ · medium

An organization uses Microsoft Sentinel to monitor their hybrid infrastructure. They need to detect brute-force attacks against their on-premises Windows servers. Which data source should they connect to Sentinel?

A. Azure Activity Log
B. Windows Security Events via Azure Monitor Agent
C. DNS Events
D. Sysmon Events
Answer: B

Correct: Event ID 4625 logs failed logon attempts.

Why this answer

Windows Security Events from Event ID 4625 (failed logon) are the primary source for detecting brute-force attacks. Azure Activity Log is for resource management events. DNS events are for DNS queries.

Sysmon is for process activity, not logon failures.

512
Multi-Select · medium

Which TWO Azure policies should you assign to enforce secure configuration of Azure SQL Database? (Select two.)

Select 2 answers
A. Ensure that 'Auditing' is set to 'On' for SQL Database
B. Ensure that 'TDE' is enabled for SQL Server VMs
C. Audit SQL Server level audit setting
D. Ensure that 'Firewall and virtual network settings' for SQL Database are configured
E. Ensure secure transfer to storage accounts is enabled
Answers: A, D

This policy enables auditing for Azure SQL Database.

Why this answer

Option A is correct because enabling Auditing on Azure SQL Database captures all database events and writes them to an audit log in your Azure storage account, Log Analytics workspace, or Event Hubs. This is a fundamental security control for compliance and forensic analysis, as it provides a record of who did what and when, which is essential for detecting and investigating unauthorized access or changes.

Exam trap

The trap here is that candidates confuse SQL Server VM policies (like TDE or SQL Server-level audit settings) with Azure SQL Database policies, or they mistakenly apply storage account policies to SQL Database, which is a separate Azure service with its own security controls.

513
MCQ · easy

Your organization, Adatum, is migrating its on-premises applications to Azure. The applications include a legacy .NET Framework web app that uses Windows authentication and a modern ASP.NET Core API that uses OAuth 2.0. You need to design a secure solution for these applications using Azure App Service. The security requirements include: (1) enforce HTTPS only, (2) restrict access to the web app based on the user's corporate identity, (3) allow the API to access an Azure SQL Database using a managed identity. Which of the following is the correct design?

A. Configure the web app to use Windows authentication via Azure AD Domain Services, and the API to use SQL authentication with a managed identity.
B. Configure the web app to use Microsoft Entra ID authentication with a built-in policy, and the API to use a connection string with a username and password.
C. Configure the web app to require client certificates for authentication, and the API to use a connection string with SQL authentication.
D. Configure both apps to enforce HTTPS only, configure the web app to use Microsoft Entra ID authentication, and configure the API to use a system-assigned managed identity to access Azure SQL Database.
Answer: D

HTTPS enforcement, Entra ID authentication for user access, and managed identity for API database access meet all requirements.

Why this answer

Option D is correct because it meets all requirements: HTTPS only enforced, Microsoft Entra ID authentication for the web app, and managed identity for the API to access SQL Database. Option C is wrong because client certificates do not provide user-level authentication. Option B is wrong because the API should use managed identity, not connection strings.

Option A is wrong because SQL authentication is less secure and does not use managed identity.

514
MCQ · medium

Your company uses Microsoft Intune to manage corporate devices. You need to design a compliance policy that requires devices to have a minimum OS version, be encrypted, and not be jailbroken or rooted. Additionally, you want to automatically block non-compliant devices from accessing corporate email. What should you configure?

A. Intune compliance policies and Conditional Access
B. Device configuration profiles and Azure AD join
C. App protection policies and Microsoft Defender for Endpoint
D. Device enrollment restrictions
Answer: A

Compliance policies evaluate device health; Conditional Access blocks non-compliant devices from accessing corporate resources.

Why this answer

Option A is correct because Intune compliance policies define device requirements (OS version, encryption, jailbreak status), and Conditional Access policies can block access to corporate resources like email for non-compliant devices. Option B is wrong because configuration profiles set settings but do not enforce access control. Option D is wrong because device enrollment restrictions limit which devices can enroll, not access after enrollment.

Option C is wrong because app protection policies protect data at the app level, not device-level compliance.

515
MCQ · easy

Adventure Works is a startup that uses Microsoft 365 Business Premium. They have 20 employees and no cloud expertise. The CEO has been hearing about ransomware attacks on small businesses. They want to implement basic protection against ransomware using built-in Microsoft 365 features. They also want to ensure they can recover from an attack quickly. What should you recommend?

A. Purchase Azure Backup for all user devices. Configure backup policies to run daily. Use Microsoft Intune to enforce encryption. Implement Conditional Access to require MFA.
B. Enable Microsoft Defender for Office 365 to block malicious attachments and links. Configure Microsoft Defender for Business to enable controlled folder access and ransomware protection. Educate users on phishing. Use OneDrive Files Restore to recover from ransomware.
C. Use Microsoft Sentinel as a SIEM to detect ransomware patterns. Deploy Azure ATP for identity protection. Use Azure Policy to enforce backup.
D. Implement Azure Site Recovery for on-premises servers. Use Microsoft Defender for Cloud for threat detection. Deploy a third-party antivirus.
Answer: B

Uses built-in features, simple to configure, effective against ransomware.

Why this answer

Option B is correct because it leverages built-in Microsoft 365 Business Premium features to provide immediate ransomware protection without requiring cloud expertise. Microsoft Defender for Office 365 blocks malicious attachments and links at the email gateway, while Defender for Business provides endpoint protection with controlled folder access. OneDrive Files Restore enables self-service recovery of files from ransomware within the last 30 days, aligning with the startup's need for quick recovery without additional infrastructure.

Exam trap

The trap here is that candidates often over-engineer the solution by recommending enterprise-grade tools like Azure Backup or Sentinel, failing to recognize that Microsoft 365 Business Premium includes sufficient built-in capabilities for a small startup with no cloud expertise.

How to eliminate wrong answers

Option A is wrong because Azure Backup is not included in Microsoft 365 Business Premium and requires additional licensing and cloud expertise to configure; it also does not address ransomware prevention at the email or endpoint level. Option C is wrong because Microsoft Sentinel and Azure ATP are advanced security tools requiring significant cloud expertise and additional licensing, far beyond the scope of a 20-employee startup with no cloud expertise. Option D is wrong because Azure Site Recovery is designed for on-premises server disaster recovery, not for user devices or Microsoft 365 data, and deploying a third-party antivirus contradicts the requirement to use built-in Microsoft 365 features.

516
MCQhard

Contoso is a large enterprise with a complex Azure environment. They have multiple management groups, subscriptions, and a hub-spoke network topology. The security team wants to implement a consistent security baseline across all subscriptions using Azure Policy. They need to ensure that: 1) All resources must be deployed in approved regions only. 2) Network security groups must have specific rules to block high-risk ports. 3) All storage accounts must enforce HTTPS traffic. 4) The policies must be applied at the management group level to ensure inheritance. 5) Non-compliant resources must be automatically remediated where possible. What should you do?

A.Use Azure Policy Guest Configuration to enforce region and NSG rules. Assign policies at each subscription. Use Azure Automation runbooks for remediation.
B.Create custom Azure Policy definitions for the required configurations (allowed locations, NSG rule blocking ports, storage HTTPS). Assign the policies at the root management group. Enable 'deployIfNotExists' effect for automatic remediation of non-compliant resources. Use Azure Policy remediation tasks to fix existing non-compliant resources.
C.Use Azure Blueprints to define the environment. Include Azure Policy assignments in the blueprint. Assign blueprint to each management group. Remediate manually.
D.Create a custom script using Azure PowerShell to check compliance daily. Use Azure Logic Apps to send alerts for non-compliance. Have IT staff manually fix issues.
AnswerB

Automated enforcement and remediation at scale.

Why this answer

Option B is correct because it uses Azure Policy at the root management group to enforce inheritance across all subscriptions, with custom policy definitions for allowed locations, NSG rules blocking high-risk ports, and storage HTTPS. The 'deployIfNotExists' effect enables automatic remediation of non-compliant resources, and remediation tasks fix existing non-compliant resources, meeting all requirements without manual intervention.

Exam trap

The trap here is confusing Azure Policy's 'deployIfNotExists' effect with manual remediation or third-party automation, leading candidates to choose options that lack native, automatic, and inherited policy enforcement at the management group level.

How to eliminate wrong answers

Option A is wrong because Azure Policy Guest Configuration is designed for in-guest machine settings (e.g., OS configuration), not for enforcing region, NSG rules, or storage HTTPS; assigning policies at each subscription breaks inheritance, and Azure Automation runbooks are not the native remediation mechanism for Azure Policy. Option C is wrong because Azure Blueprints are used for orchestrating resource deployments (including policy assignments) but do not provide automatic remediation; manual remediation violates the requirement for automatic remediation where possible. Option D is wrong because a custom PowerShell script with Logic Apps alerts and manual fixes is not a scalable, automated, or policy-driven solution; it lacks inheritance, automatic remediation, and centralized enforcement at the management group level.

517
Multi-Selectmedium

Which THREE security controls should you implement to protect a web application against common OWASP Top 10 vulnerabilities?

Select 3 answers
A.Role-Based Access Control (RBAC)
B.Input validation on all user inputs
C.Content Security Policy (CSP) headers
D.Web Application Firewall (WAF)
E.Multi-factor authentication (MFA)
AnswersB, C, D

Input validation prevents injection attacks by sanitizing user input.

Why this answer

Options B, C, and D are correct. WAF protects against many OWASP threats, input validation prevents injection, and CSP mitigates XSS. Option A is wrong because RBAC manages access, not application layer attacks.

Option E is wrong because MFA is an identity control.

518
Matchingmedium

Match each Azure security capability to its primary purpose.


Concepts
Matches

SIEM and SOAR

Cloud security posture management

Risk-based conditional access

Manage secrets, keys, and certificates

Mitigate distributed denial-of-service attacks

Why these pairings

These are core Azure security services with distinct functions.

519
MCQeasy

A company uses Microsoft Sentinel for SIEM. They need to ensure that security events from Azure Active Directory (now Microsoft Entra ID) are ingested into Sentinel. Which data connector should they enable?

A.Microsoft Entra ID connector
B.Office 365 connector
C.Azure Activity connector
D.Microsoft Defender XDR connector
AnswerA

This connector ingests sign-in and audit logs from Entra ID.

Why this answer

The Microsoft Entra ID connector (Option A) is the correct data source for ingesting sign-in logs and audit logs from Entra ID. Option B is wrong because the Office 365 connector ingests data from Exchange, SharePoint, etc. Option C is wrong because the Azure Activity connector ingests subscription-level events.

Option D is wrong because the Microsoft Defender XDR connector ingests alerts from Defender products.

520
MCQmedium

You are reviewing a Conditional Access policy in Microsoft Entra ID. The policy is intended to block sign-ins from high-risk users. However, some high-risk users are still able to sign in. What is the most likely reason?

A.The policy is not enforced because user risk is not being evaluated (e.g., missing licenses or risk policy)
B.The policy does not include all client app types
C.The policy is set to report-only mode
D.The policy does not include all locations
AnswerA

User risk evaluation requires Azure AD Premium P2 licenses and the risk policy to be configured. Without them, the condition never triggers.

Why this answer

Option A is correct because the policy blocks only on user risk level; if user risk is not being evaluated (for example, because of missing licensing or no configured risk policy), the condition never matches and the block is not enforced, even though the policy itself is enabled. Option D is wrong because the policy includes all locations.

Option B is wrong because the policy includes all client app types. Option C is wrong because the policy is enabled, not in report-only mode.

521
MCQhard

You run the PowerShell command to retrieve the vulnerability assessment baseline for rule VA2108 on an Azure SQL Database. The command returns a baseline with multiple rows. What is the purpose of this baseline?

A.It configures the database to ignore performance issues related to rule VA2108.
B.It sets the baseline for all databases on the server for rule VA2108.
C.It automatically remediates the vulnerability identified by rule VA2108.
D.It defines the expected scan result for rule VA2108, so future scans do not flag the same findings.
AnswerD

Baselines suppress known safe findings.

Why this answer

Option D is correct because vulnerability assessment baselines define acceptable scan results for specific rules, so that future scans do not report the same findings as vulnerabilities. Option C is wrong because baselines do not fix vulnerabilities. Option B is wrong because the baseline is for a specific database, not all databases.

Option A is wrong because baselines are not about performance.

522
MCQeasy

Refer to the exhibit. A security analyst runs the following KQL query in Microsoft Sentinel. What is the purpose of this query?

A.List all accounts that have been locked out
B.Identify successful logins from multiple IP addresses
C.Detect brute-force attacks against Windows servers
D.Find users who logged in after hours
AnswerC

Correct: The query identifies multiple failed logon attempts from the same IP.

Why this answer

The query filters Windows Security Events for failed logon attempts (EventID 4625) in the last hour, groups by user account, computer, and IP address, and then shows only those with more than 10 failures. This is used to detect brute-force attacks.
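A query matching the description above, written here as an added example (it is not the page's exhibit). It assumes the Windows Security Events connector populates the standard Sentinel SecurityEvent table, whose Account, Computer and IpAddress columns are used for grouping.

```kql
// Added example: reconstructs the brute-force detection described in the explanation.
// Assumes the SecurityEvent table (Windows Security Events connector) is populated.
let lookback = 1h;        // window named in the explanation
let threshold = 10;       // more than 10 failures per (account, computer, source IP)
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4625                       // failed logon
| summarize FailedAttempts = count(),
            FirstFailure = min(TimeGenerated),
            LastFailure = max(TimeGenerated)
    by Account, Computer, IpAddress
| where FailedAttempts > threshold
| order by FailedAttempts desc
```

Raising the threshold or widening the lookback trades detection speed for fewer false positives from misconfigured service accounts that fail repeatedly from one host.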

523
Multi-Selecthard

A company is designing a data classification strategy for their Azure environment. They need to identify sensitive data stored in Azure SQL Database. Which TWO solutions should they consider?

Select 2 answers
A.Azure Information Protection
B.Azure SQL Data Discovery & Classification
C.Azure Purview
D.SQL Vulnerability Assessment
E.Azure Policy
AnswersB, D

Built-in classification for SQL DB.

Why this answer

Azure SQL Data Discovery & Classification is correct because it is a native feature of Azure SQL Database that automatically discovers, classifies, and labels sensitive columns (e.g., credit card numbers, PII) directly within the database engine. It provides a built-in dashboard for auditing and monitoring classification status, making it the primary tool for identifying sensitive data stored in Azure SQL Database.

Exam trap

The trap here is that candidates often confuse Azure Information Protection (AIP) with Azure SQL Data Discovery & Classification, assuming AIP can classify database columns, when in fact AIP is designed for unstructured data like documents and emails, not structured SQL data.

524
MCQhard

Your company is deploying a new line-of-business application in Azure that must comply with PCI DSS. The application uses Azure SQL Database. You need to design a solution to encrypt sensitive data at rest and in transit, and to audit access to sensitive columns. Which combination of Microsoft security capabilities should you recommend?

A.Dynamic Data Masking and Azure SQL Firewall rules
B.Transparent Data Encryption, Always Encrypted, and Azure SQL Auditing
C.Azure Policy and Microsoft Defender for Cloud
D.Azure Storage Service Encryption and Azure Key Vault
AnswerB

TDE encrypts the entire database at rest, Always Encrypted protects specific columns with client-side keys, and auditing logs access to sensitive data.

Why this answer

Option B is correct because Transparent Data Encryption (TDE) encrypts the SQL database at rest, Always Encrypted protects sensitive columns in transit and at rest by ensuring encryption keys are never exposed to the database engine, and Azure SQL Auditing logs all access to sensitive columns for compliance with PCI DSS requirements.

Exam trap

The trap here is that candidates often confuse Dynamic Data Masking with encryption, but masking does not protect data at rest or in transit and can be bypassed by privileged users, whereas Always Encrypted and TDE provide true encryption required by PCI DSS.

How to eliminate wrong answers

Option A is wrong because Dynamic Data Masking only obfuscates data at query time for unauthorized users but does not encrypt data at rest or in transit, and Azure SQL Firewall rules control network access but do not provide encryption or auditing. Option C is wrong because Azure Policy enforces compliance rules and Microsoft Defender for Cloud provides threat detection, but neither directly encrypts data at rest or in transit nor audits column-level access. Option D is wrong because Azure Storage Service Encryption applies only to Azure Blob and File storage, not to Azure SQL Database, and Azure Key Vault is a key management service that must be paired with an encryption mechanism like TDE or Always Encrypted to actually encrypt data.

525
Multi-Selectmedium

Your organization is designing a security solution for a new web application that will be deployed on Azure App Service. The application will access an Azure SQL Database and an Azure Storage account. The security requirements include: (1) use managed identities for authentication, (2) encrypt data at rest and in transit, (3) restrict network access to the database and storage account to only the App Service, and (4) use Azure Key Vault for secrets management. Which TWO of the following should you implement?

Select 2 answers
A.Configure the App Service to use a connection string with a storage account access key.
B.Configure private endpoints for the SQL Database and Storage account.
C.Configure the App Service to use a system-assigned managed identity.
D.Use shared access signatures (SAS) for the App Service to access the Storage account.
E.Configure service endpoints for the SQL Database and Storage account.
AnswersB, C

Private endpoints ensure that traffic stays within the Microsoft network and provide isolation.

Why this answer

Options B and C are correct. Managed identities allow the App Service to authenticate to other Azure services without credentials. Private endpoints provide network isolation.

Option A is wrong because connection strings with access keys negate the use of managed identities. Option E is wrong because service endpoints are less secure than private endpoints and do not provide the same level of isolation. Option D is wrong because SAS tokens are not recommended when managed identities are available.
