Microsoft Cybersecurity Architect (SC-100) — Questions 526-600

969 questions total · 13 pages · All types, answers revealed

Page 8 of 13
526 · Multi-Select · hard

A company wants to implement hybrid identity with Microsoft Entra ID. Which TWO components are required for password hash synchronization? (Choose two.)

Select 2 answers
A. Microsoft Entra Connect
B. Microsoft Entra Domain Services
C. Password hash synchronization feature enabled in Entra Connect
D. Microsoft Entra ID Protection
E. Azure AD Application Proxy
Answers: A, C

Synchronization tool.

Why this answer

Microsoft Entra Connect is the on-premises tool that orchestrates synchronization between Active Directory and Microsoft Entra ID. It is required because password hash synchronization (PHS) is a feature within Entra Connect that reads password hashes from on-premises AD and syncs them to Entra ID, enabling seamless authentication without federated services.

Exam trap

The trap here is that candidates often confuse 'Microsoft Entra Domain Services' (a managed domain service) with 'Microsoft Entra Connect' (the sync tool), or they think enabling the feature alone is sufficient without the sync engine, but both the tool and the feature toggle are required.

527 · MCQ · easy

A manufacturing company wants to secure its IoT devices that run on Azure IoT Hub. They need to ensure that only authorized devices can connect and that firmware updates are signed. Which combination of Azure services should they use?

A. Azure IoT Hub Device Provisioning Service and Microsoft Defender for IoT
B. Microsoft Entra ID and Azure Policy
C. Azure Sphere and Azure Security Center
D. Microsoft Intune and Azure Automation
Answer: A

DPS ensures authorized provisioning, Defender for IoT monitors and validates firmware.

Why this answer

Option A is correct because Azure IoT Hub Device Provisioning Service (DPS) enables zero-touch, just-in-time provisioning of IoT devices while enforcing authentication via X.509 certificates or TPM attestation, ensuring only authorized devices connect. Microsoft Defender for IoT provides continuous threat monitoring and firmware integrity validation, including cryptographic signing verification for firmware updates, which aligns with the requirement for signed updates.

Exam trap

The trap here is that candidates may confuse Azure Sphere's built-in security features with the need for a separate provisioning and monitoring service, overlooking that Azure Sphere is a full-stack solution rather than a service that integrates with existing IoT Hub devices.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra ID (formerly Azure AD) is an identity and access management service for user and application identities, not for IoT device authentication or firmware signing; Azure Policy enforces compliance rules on Azure resources but does not handle device provisioning or firmware update signing. Option C is wrong because Azure Sphere is a complete IoT security solution with its own certified chips and OS, but it is a standalone platform, not a combination of services that integrates with existing Azure IoT Hub devices; Azure Security Center (now Microsoft Defender for Cloud) provides security posture management but does not handle device provisioning or firmware signing. Option D is wrong because Microsoft Intune is a mobile device management (MDM) service for managing user endpoints like phones and PCs, not IoT devices; Azure Automation is for automating cloud management tasks, not for device provisioning or firmware signing.

528 · Drag & Drop · medium

Order the steps to implement a Microsoft Sentinel data connector for Azure Active Directory logs.


Why this order

Azure AD connector setup requires selecting the connector, configuring log types, and connecting to start streaming.

529 · MCQ · hard

A multinational company uses Microsoft Purview for data governance. They need to automatically classify sensitive data in Microsoft 365 and apply retention labels. The solution must use pattern-based detection for credit card numbers and support custom keywords. What should they configure?

A. Use a trainable classifier for credit card numbers.
B. Create a custom sensitive info type with a regex pattern and keyword list.
C. Configure a DLP policy with a rule for credit card numbers.
D. Create a retention label with auto-labeling policy.
Answer: B

Custom sensitive info types allow pattern-based detection and custom keywords.

Why this answer

Option B is correct because sensitive info types can be custom-defined with regex patterns and keyword lists. Option A is wrong because trainable classifiers use machine learning, not fixed patterns. Option C is wrong because DLP policies enforce actions but don't classify.

Option D is wrong because retention labels are applied after classification.

530 · Multi-Select · hard

Which THREE of the following are best practices for designing a secure hybrid network architecture with Azure?

Select 3 answers
A. Use Azure Bastion for secure VM access without public IPs
B. Open all ports to a management subnet for ease of administration
C. Use ExpressRoute with Azure Firewall for traffic inspection
D. Use a single VPN gateway for all regions
E. Enable forced tunneling for all internet-bound traffic
Answers: A, C, E

Eliminates public IP exposure for management.

Why this answer

Option A is correct because Azure Bastion eliminates the need for public IPs on VMs. Option C is correct because using ExpressRoute with Azure Firewall provides secure, dedicated connectivity and traffic inspection. Option E is correct because forced tunneling ensures all internet-bound traffic goes through the firewall for inspection.

Option B is wrong because opening all ports to a management subnet violates least privilege. Option D is wrong because a single VPN gateway is a single point of failure.

531 · MCQ · hard

Your organization uses Microsoft Sentinel for security operations. You need to design a solution to automatically respond to a confirmed compromise of a domain controller by isolating the affected VM. Which automation feature should you use?

A. Automation rules with a playbook
B. Analytics rules with incident creation
C. Hunting queries
D. Workbooks
Answer: A

Automation rules trigger playbooks for automated response actions.

Why this answer

Option A is correct because automation rules can trigger a playbook that runs a script to isolate the VM. Option B is wrong because analytics rules generate alerts but do not respond. Option C is wrong because hunting queries are for proactive searches.

Option D is wrong because workbooks visualize data.

532 · Multi-Select · medium

Which TWO Microsoft security solutions should be integrated to provide a comprehensive Zero Trust architecture that includes identity protection, endpoint detection, and response? (Select exactly two correct options.)

Select 2 answers
A. Microsoft 365 E5
B. Microsoft Defender XDR
C. Microsoft Entra ID
D. Microsoft Sentinel
E. Microsoft Purview
Answers: B, C

Provides endpoint detection and response across domains.

Why this answer

Microsoft Defender XDR (B) is correct because it provides unified endpoint detection and response (EDR) across devices, email, and identities, integrating signals from Microsoft Defender for Endpoint, Defender for Office 365, and Defender for Identity. Microsoft Entra ID (C) is correct because it delivers identity protection through Conditional Access, risk-based policies, and identity governance, forming the identity pillar of a Zero Trust architecture. Together, they cover identity protection and endpoint detection/response, two core Zero Trust components.

Exam trap

The trap here is that candidates often confuse Microsoft 365 E5 (a licensing bundle) with a specific security solution, or they mistakenly think Microsoft Sentinel (a SIEM) fulfills the endpoint detection requirement, when in fact Sentinel is for log analysis and not for real-time endpoint detection and response.

533 · MCQ · medium

Your organization is designing a solution to protect sensitive data in Microsoft SharePoint Online. You need to ensure that documents containing credit card numbers are automatically encrypted when shared with external users. What should you configure?

A. A Data Loss Prevention (DLP) policy that blocks sharing
B. Information Rights Management (IRM) for SharePoint
C. An auto-labeling policy for sensitivity labels with encryption
D. A retention policy with a hold
Answer: C

Auto-labeling applies labels with encryption based on sensitive content.

Why this answer

Option C is correct because auto-labeling in Microsoft Purview can apply sensitivity labels that enforce encryption based on sensitive data patterns. Option A is wrong because DLP policies can block or warn but not automatically encrypt. Option D is wrong because retention policies manage lifecycle.

Option B is wrong because IRM can protect but requires manual application or DLP integration, not automatic labeling.

534 · Multi-Select · hard

A company is deploying Microsoft Entra ID Governance. They need to implement a least privilege access model for their Azure resources. Which TWO features should they use? (Choose two.)

Select 2 answers
A. Privileged Identity Management (PIM)
B. Identity Protection
C. Conditional Access policies
D. Microsoft Intune compliance policies
E. Entitlement Management
Answers: A, E

PIM provides just-in-time privileged access to Azure resources.

Why this answer

Privileged Identity Management (PIM) is correct because it provides just-in-time (JIT) privileged access to Azure resources, enabling time-bound and approval-based role activation. This directly supports a least privilege model by ensuring users only have elevated permissions when needed, reducing standing access.

Exam trap

The trap here is confusing Identity Protection (a risk-detection tool) or Conditional Access (an access-enforcement tool) with governance features that directly manage role assignments and time-bound access, leading candidates to overlook the two specific features designed for least privilege in Azure resources.

535 · MCQ · easy

A company uses Microsoft Sentinel and wants to use a built-in connector to ingest logs from Amazon Web Services (AWS). Which connector should they use?

A. ServiceNow connector
B. Azure Policy for AWS
C. Office 365 connector
D. Amazon Web Services S3 connector
Answer: D

This is the built-in connector for AWS logs.

Why this answer

The Amazon Web Services (AWS) S3 connector is the correct built-in connector in Microsoft Sentinel for ingesting logs from AWS. It works by configuring AWS to send logs (such as CloudTrail, VPC Flow Logs, or GuardDuty findings) to an S3 bucket, which Sentinel then polls via the S3 REST API using an IAM role for secure, cross-account access. This is the native, supported method for log ingestion from AWS into Sentinel.

Exam trap

The trap here is that candidates may confuse Azure Policy for AWS (which is a governance tool, not a log ingestion connector) with a valid data source, or assume that a generic connector like ServiceNow could be adapted for AWS log ingestion, when only the AWS S3 connector is the built-in, purpose-built option.

How to eliminate wrong answers

Option A is wrong because the ServiceNow connector is designed to ingest security incidents and IT service management data from ServiceNow, not logs from AWS. Option B is wrong because Azure Policy for AWS is a governance and compliance feature that applies Azure Policy definitions to AWS resources via Azure Arc, not a log ingestion connector for Sentinel. Option C is wrong because the Office 365 connector ingests audit logs and activity data from Microsoft 365 services, not from AWS.

536 · MCQ · hard

You are designing a secure DevOps pipeline using GitHub Advanced Security and Microsoft Defender for Cloud. The development team uses a mix of Python and JavaScript. Which tool should you integrate to detect secrets (e.g., API keys) committed to the repository?

A. GitHub secret scanning
B. CodeQL code scanning
C. Dependabot alerts
D. Defender for Cloud DevOps security posture management
Answer: A

Secret scanning detects tokens, keys, and other secrets in repositories.

Why this answer

Option A is correct because GitHub secret scanning automatically detects secrets in repositories. Option B is wrong because CodeQL analyzes code for security vulnerabilities, not secrets. Option C is wrong because Dependabot focuses on dependency vulnerabilities.

Option D is wrong because Defender for Cloud’s DevOps security posture management does not replace secret scanning.

537 · MCQ · medium

A company is implementing a cloud security governance strategy. They need to ensure that all Azure resources are compliant with internal security policies before deployment. Which approach should they use?

A. Configure Azure Firewall to block non-compliant resources
B. Assign Azure Policy definitions with 'deny' effect at the subscription scope
C. Deploy resources using Azure Blueprints
D. Use Azure DevOps pipelines with manual approval gates
Answer: B

Azure Policy can deny non-compliant resource creation.

Why this answer

Azure Policy with the 'deny' effect is the correct approach because it proactively prevents the deployment of any resource that violates defined security policies at the subscription scope. This ensures compliance before deployment by evaluating the resource against policy rules during the creation or update operation, blocking the request if non-compliant. Unlike reactive measures, this enforces governance at the point of deployment without requiring post-deployment remediation.

Exam trap

The trap here is that candidates confuse Azure Policy with Azure Blueprints, thinking Blueprints enforce compliance, but Blueprints only package and deploy policies—the actual enforcement comes from the Policy definitions themselves.

How to eliminate wrong answers

Option A is wrong because Azure Firewall is a network security service that filters traffic at layers 3-7, not a governance tool that can evaluate or block resource deployments based on compliance policies. Option C is wrong because Azure Blueprints orchestrates the deployment of resource templates and policies but does not inherently enforce compliance; it relies on Azure Policy definitions within the blueprint for enforcement. Option D is wrong because Azure DevOps pipelines with manual approval gates add a human review step but do not automatically enforce compliance; they can be bypassed or delayed and do not prevent deployment of non-compliant resources at the Azure Resource Manager level.

538 · Multi-Select · hard

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You need to design a unified security operations platform. Which THREE capabilities should you enable?

Select 3 answers
A. Azure Policy for security controls
B. Microsoft Purview Information Protection
C. Microsoft Defender XDR incident integration with Sentinel
D. Microsoft Sentinel SIEM
E. Microsoft Sentinel UEBA (User and Entity Behavior Analytics)
Answers: C, D, E

Integrating Defender XDR incidents into Sentinel provides a unified view.

Why this answer

Option C is correct because Microsoft Defender XDR incident integration with Sentinel creates a unified security operations platform by automatically synchronizing high-fidelity alerts and incidents from Defender XDR into Sentinel. This enables security teams to correlate endpoint, email, identity, and cloud app signals within a single SIEM, reducing alert fatigue and accelerating incident response through automated orchestration.

Exam trap

The trap here is that candidates may confuse Azure Policy (a compliance tool) or Purview Information Protection (a data protection tool) with core security operations capabilities, when the question specifically asks for capabilities that unify detection and response across a SIEM and XDR platform.

539 · MCQ · medium

Your company, Fabrikam, is a global financial services firm that handles sensitive customer data. You are designing a security solution for a new customer-facing web application that processes credit card transactions. The application will be deployed on Azure Kubernetes Service (AKS) and will use Azure SQL Database for data storage. Compliance requirements include PCI DSS and GDPR. You need to ensure that data at rest and in transit is encrypted, and that access to the database is tightly controlled. You plan to use Azure Key Vault for managing encryption keys. Which combination of actions should you implement?

A. Enable TDE with a customer-managed key in Azure Key Vault, use Always Encrypted for sensitive columns, enforce TLS 1.2, and use Azure AD managed identities for authentication with a firewall rule to allow only the AKS cluster's outbound IP.
B. Enable TDE with a customer-managed key stored in the application's configuration file, enforce TLS 1.2, and use Azure AD authentication.
C. Implement application-level encryption for credit card data, enforce TLS 1.2, and use Azure AD managed identities with no database firewall rules.
D. Enable Transparent Data Encryption (TDE) with a service-managed key, enforce TLS 1.0, and use SQL authentication.
Answer: A

This provides encryption at rest (TDE and Always Encrypted), encryption in transit (TLS 1.2), and secure access with managed identities and IP restrictions.

Why this answer

Option A is correct because it covers encryption in transit (TLS 1.2), encryption at rest (TDE and Always Encrypted), and access control with managed identities and firewall rules. Option D is wrong because TLS 1.0 is outdated and not PCI DSS compliant. Option B is wrong because Azure SQL Database does not support BYOK for TDE natively without Key Vault integration.

Option C is wrong because application-level encryption alone does not meet compliance requirements for data at rest.

540 · MCQ · medium

Refer to the exhibit. An administrator is deploying an Azure Firewall using the ARM template snippet. After deployment, traffic from the 10.0.0.0/16 subnet to www.microsoft.com on HTTPS is allowed. What is a potential security issue with this configuration?

A. The priority of 100 is too high and could override other rules
B. The firewall SKU tier should be Premium for better security
C. The source address range is too broad
D. Allowing HTTP (port 80) to *.microsoft.com is unnecessary and could be exploited
Answer: D

Correct: HTTP traffic is unencrypted and should not be needed for internal to Microsoft communication.

Why this answer

The rule allows HTTP (port 80) to *.microsoft.com, which is unnecessary and could allow unencrypted traffic. HTTPS (port 443) is sufficient. Allowing HTTP could expose traffic to interception.

Additionally, the rule allows all *.microsoft.com subdomains, which might be overly permissive, but the main issue is the inclusion of HTTP.

541 · MCQ · hard

Your company uses Azure Firewall to secure outbound traffic from a hub virtual network that contains multiple spoke virtual networks. You need to implement a solution that allows traffic from specific spoke VMs to reach a specific external SaaS endpoint, while blocking all other outbound traffic. The SaaS endpoint uses a dynamic set of IP addresses that change frequently. What should you do?

A. Configure Azure Firewall network rules to allow traffic to the SaaS endpoint's current IP range.
B. Deploy Azure Firewall Manager and enable threat intelligence-based filtering.
C. Use Azure Firewall service tags to allow traffic to the SaaS endpoint.
D. Configure Azure Firewall application rules using FQDN tags to allow traffic to the SaaS endpoint.
Answer: D

FQDN tags allow filtering by domain name, handling dynamic IP changes automatically.

Why this answer

Option D is correct because Azure Firewall application rules with fully qualified domain name (FQDN) tags allow traffic to a specific SaaS endpoint by its FQDN, even if its IP addresses change dynamically. Option A is wrong because network rules based on IP addresses cannot handle dynamic IP changes. Option C is wrong because service tags are used for Azure services, not external SaaS endpoints.

Option B is wrong because Azure Firewall Manager is for managing multiple firewalls, not for solving dynamic IP filtering.

542 · MCQ · easy

You are designing a network security solution for a multi-tier application hosted in Azure. The front-end web tier must be accessible from the internet, but the back-end database tier must only accept traffic from the front-end tier. Which Azure service should you use to enforce this restriction?

A. Azure Firewall
B. Network Security Groups (NSGs)
C. Azure Bastion
D. Application Gateway
Answer: B

NSGs filter traffic between subnets based on rules.

Why this answer

Option B is correct because Network Security Groups (NSGs) can be used to filter traffic between subnets. By applying an NSG to the database subnet with a rule allowing inbound traffic only from the front-end subnet's IP range, you restrict access. Option A is wrong because Azure Firewall is a managed firewall service, but for simple subnet-level filtering, NSGs are more appropriate and cost-effective.

Option C is wrong because Azure Bastion provides secure RDP/SSH access to VMs. Option D is wrong because Application Gateway is a layer 7 load balancer.

543 · MCQ · easy

Your company uses Microsoft Defender for Cloud to secure Azure workloads. You need to ensure that all storage accounts have the 'Secure transfer required' setting enabled. What should you use?

A. Azure role-based access control (RBAC)
B. Azure Blueprints
C. Microsoft Defender for Cloud regulatory compliance dashboard
D. Azure Policy
Answer: D

Azure Policy can audit or enforce the 'Secure transfer required' property on storage accounts.

Why this answer

Option D is correct because Azure Policy can audit and enforce the 'Secure transfer required' setting across all storage accounts. Option C is wrong because Defender for Cloud recommendations are not enforced automatically. Option B is wrong because Azure Blueprints are deprecated.

Option A is wrong because RBAC does not enforce resource configuration.

544 · MCQ · medium

A multinational corporation is designing a secure access solution for remote employees using company-managed devices. The solution must enforce device compliance before granting access to corporate resources, support single sign-on (SSO) for SaaS applications, and provide conditional access policies based on risk. Which combination of Microsoft security products should you recommend?

A. Microsoft Intune + Microsoft Entra ID + Microsoft Defender for Cloud Apps
B. Microsoft Intune + Microsoft Defender for Endpoint + Microsoft Sentinel
C. Microsoft Entra ID + Microsoft Defender for Cloud Apps + Microsoft Purview
D. Microsoft Configuration Manager + Microsoft Entra ID + Microsoft Defender for Identity
Answer: A

Intune manages device compliance, Entra ID handles SSO and conditional access, Defender for Cloud Apps enforces risk-based policies.

Why this answer

Microsoft Intune provides device compliance, Microsoft Entra ID provides SSO and conditional access, and Microsoft Defender for Cloud Apps provides risk-based access control. The other combinations miss key components.

545 · MCQ · easy

A company is designing a security operations strategy using Microsoft Sentinel. They want to prioritize triage of incidents that involve critical assets. The SOC manager suggests using the entity behavior analytics feature. Which capability of entity behavior analytics helps achieve this goal?

A. It combines multiple alerts into a single incident using Fusion.
B. It uses threat intelligence to correlate with known bad actors.
C. It profiles entities and assigns an anomaly score based on deviations from baseline behaviors.
D. It automatically groups incidents by severity and asset criticality.
Answer: C

This is the core of UEBA: creating baselines and scoring anomalies to identify risky entities.

Why this answer

Entity behavior analytics (UEBA) in Microsoft Sentinel profiles entities such as users, hosts, or applications by establishing baseline behaviors over time. It then assigns an anomaly score to deviations from that baseline, enabling SOC analysts to prioritize incidents involving critical assets based on unusual activity rather than static rules. This directly supports the goal of triaging incidents by highlighting anomalous behavior on high-value targets.

Exam trap

The trap here is that candidates confuse entity behavior analytics (UEBA) with Fusion or threat intelligence correlation, assuming any 'intelligent' feature must involve combining alerts or external threat data, rather than recognizing that UEBA is specifically about profiling internal entity behavior and scoring anomalies.

How to eliminate wrong answers

Option A is wrong because Fusion is a correlation engine that combines multiple alerts from different products into a single incident using machine learning, not entity behavior profiling or anomaly scoring. Option B is wrong because threat intelligence correlation with known bad actors is a separate capability (e.g., TI integration), not entity behavior analytics, which focuses on internal behavioral baselines rather than external threat feeds. Option D is wrong because automatic grouping by severity and asset criticality is a feature of incident classification or automation rules, not a function of entity behavior analytics, which provides per-entity anomaly scores rather than grouping incidents.

546 · MCQ · hard

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You need to design a solution that automatically creates an incident in Sentinel when a Defender XDR alert fires. Which integration should you configure?

A. Azure Logic Apps with Defender XDR connector
B. Microsoft Power Automate flow triggered by Defender XDR alerts
C. Microsoft Defender XDR data connector in Sentinel
D. Microsoft Graph API subscription to Defender XDR alerts
Answer: C

The data connector ingests alerts and automatically creates incidents in Sentinel.

Why this answer

Option C is correct because the Microsoft Defender XDR connector in Sentinel allows alert streaming and incident creation. Option A is wrong because Logic Apps can automate but the connector is the standard method. Option B is wrong because Microsoft Power Automate can be used but is not the primary integration.

Option D is wrong because Microsoft Graph API is programmatic but not the designed integration.

547 · MCQ · hard

Your organization, Contoso Ltd., is migrating its on-premises workloads to Azure. The environment includes 200 virtual machines (VMs) running Windows Server and 50 VMs running Linux. You are responsible for designing the security infrastructure. The company has the following requirements:

1) All VMs must be protected against malware.
2) Security updates must be applied automatically to Windows VMs within 24 hours of release.
3) Linux VMs must receive critical security patches within 48 hours.
4) A central dashboard must provide visibility into the security posture of all VMs.
5) All VMs must be onboarded to Microsoft Defender for Cloud to enable advanced threat protection.
6) The solution must minimize administrative overhead.

You have implemented the following:

- All VMs are enrolled in Microsoft Defender for Cloud with the enhanced security features enabled.
- Azure Update Manager is configured to schedule updates.
- Microsoft Defender for Endpoint is installed on all Windows VMs.

However, after a month, the security team reports that:

- 50 Windows VMs did not receive security updates within 24 hours.
- 10 Linux VMs have not received any patches.
- The central dashboard shows that 30 VMs are not reporting their security status.
- A malware outbreak occurred on 5 Windows VMs that were not protected by Defender for Endpoint.

You need to identify the most likely root cause and recommend a corrective action.

A. Onboard the VMs to Azure Arc and enable the Azure Update Manager on all VMs via Arc.
B. Implement Azure Policy to enforce that all VMs have the 'Deploy default Microsoft IaaS anti-malware extension for Windows' policy assigned and create a remediation task.
C. Configure Microsoft Entra Privileged Identity Management (PIM) to require approval for update deployments.
D. Review the network security groups (NSGs) and firewall rules to ensure outbound connectivity to the required Microsoft endpoints for Microsoft Defender for Endpoint and Windows Update.
Answer: D

Network connectivity is required for VMs to receive updates and communicate with Defender for Endpoint.

Why this answer

The correct answer is D because the symptoms—VMs missing updates, not reporting status, and lacking Defender for Endpoint protection—point to a connectivity failure. Microsoft Defender for Endpoint and Windows Update require outbound connectivity to specific Microsoft endpoints (e.g., *.endpoint.microsoft.com, *.update.microsoft.com). Without this, VMs cannot receive updates, report security posture, or download Defender definitions, directly explaining all reported issues.

Exam trap

The trap here is that candidates often focus on configuration or policy gaps (like missing extensions or update schedules) instead of recognizing that all symptoms—missing updates, no reporting, and unprotected VMs—stem from a single underlying network connectivity issue.

How to eliminate wrong answers

Option A is wrong because Azure Arc is used to manage non-Azure machines; all VMs are already in Azure, so onboarding to Arc adds unnecessary complexity and does not address the root cause of connectivity or missing Defender protection. Option B is wrong because the 'Deploy default Microsoft IaaS anti-malware extension for Windows' policy deploys the legacy Microsoft Antimalware extension, not Microsoft Defender for Endpoint, and does not solve the update or reporting failures. Option C is wrong because Microsoft Entra PIM controls privileged access and approval workflows for role assignments, not update deployment scheduling or connectivity; it does not fix missing patches or Defender protection.

548 · MCQ · medium

Your company uses Microsoft Sentinel for security operations. You need to design a solution that automatically remediates a detected threat by blocking a malicious IP address on Azure Firewall. Which Microsoft Sentinel feature should you use?

A. Analytics rules
B. Workbooks
C. SOAR playbooks
D. User and Entity Behavior Analytics (UEBA)
Answer: C

Automate response actions.

Why this answer

Option C is correct because Security Orchestration, Automation, and Response (SOAR) in Microsoft Sentinel uses playbooks to automate remediation actions like blocking IPs on Azure Firewall. Option A is wrong because analytics rules only generate alerts. Option B is wrong because workbooks visualize data.

Option D is wrong because UEBA analyzes behavior but does not automate remediation.

549 · MCQ · hard

Refer to the exhibit. An administrator runs this Microsoft Graph PowerShell command to retrieve an access review policy. The review is set to run quarterly but no recurrence is shown in the output. The review has not started. What is the most likely cause?

A. The reviewer is a single user, which is not allowed.
B. The autoReviewEnabled setting is false, preventing the review from starting.
C. The recurrence property is null, so the review is not scheduled.
D. The scope query is for groups, but the review should be for users.
Answer: C

Recurrence must be set for scheduled reviews.

Why this answer

The output shows the recurrence property as null, which means the review is not configured with a recurrence schedule. Even though the administrator intended a quarterly review, without a valid recurrence object (including type, durationInDays, and startDate), the review will not be scheduled to run automatically. This is the most direct cause of the missing recurrence in the output.

Exam trap

The trap here is that candidates may confuse the autoReviewEnabled setting with scheduling or recurrence, or assume that a single-user reviewer is invalid, when in fact the absence of a properly defined recurrence object is the root cause.

How to eliminate wrong answers

Option A is wrong because a single user can be a reviewer in an access review; there is no restriction that prevents a single user from being assigned as a reviewer. Option B is wrong because autoReviewEnabled controls whether the review applies decisions automatically after the review duration ends, not whether the review starts or is scheduled. Option D is wrong because the scope query for groups is valid for access reviews that target group memberships; the review can be scoped to groups without requiring the scope to be for individual users.

550
MCQeasy

A company uses Microsoft Sentinel for security operations. The security team wants to automatically create an incident in Microsoft Sentinel when Microsoft Defender for Cloud detects a high-severity vulnerability on a virtual machine. What should the security team configure?

A.Create an automation rule in Microsoft Sentinel.
B.Create a playbook in Microsoft Sentinel.
C.Create a watchlist in Microsoft Sentinel.
D.Create an analytics rule with a rule template that maps to the Defender for Cloud alert.
AnswerD

Analytics rules generate incidents from alerts.

Why this answer

Option D is correct because Microsoft Sentinel can ingest high-severity vulnerability alerts from Microsoft Defender for Cloud via the SecurityAlert analytics rule template. When you enable this built-in rule template, Sentinel automatically creates an incident for each Defender for Cloud alert that matches the configured severity (e.g., High). This is the native, out-of-the-box method to convert Defender for Cloud alerts into Sentinel incidents without requiring custom logic or external orchestration.

Exam trap

The trap here is that candidates confuse automation rules (which act on existing incidents) with analytics rules (which generate incidents from raw data), leading them to pick Option A instead of D.

How to eliminate wrong answers

Option A is wrong because automation rules in Sentinel execute actions (e.g., assign owner, change status) on incidents that already exist; they cannot create incidents from external alerts. Option B is wrong because a playbook is a workflow of automated responses (e.g., sending an email, triggering a ticket) that runs after an incident is created, not a mechanism to generate the incident itself. Option C is wrong because a watchlist is a static reference table (e.g., list of high-value assets) used for correlation or enrichment in analytics rules; it does not create incidents from Defender for Cloud alerts.

551
MCQmedium

A financial services company is deploying a three-tier application on Azure. They need to ensure that the web tier can only communicate with the application tier, and the application tier can only communicate with the data tier. All tiers should use private IP addresses. What is the most secure way to implement this?

A.Deploy Azure Firewall and use application rules
B.Use Network Security Groups (NSGs) on each subnet
C.Use VNet peering with route tables
D.Use Azure Web Application Firewall (WAF)
AnswerA

Azure Firewall can filter based on FQDNs and IPs, providing secure inter-tier communication.

Why this answer

Azure Firewall with application rules (FQDN-based) provides the most secure and granular control for east-west traffic between tiers. It can inspect and filter traffic at Layer 7 (application layer) using TLS inspection, ensuring only allowed application protocols (e.g., HTTPS) and specific FQDNs are permitted, while blocking all other traffic. This meets the requirement for private IP communication and enforces a zero-trust model between tiers.

Exam trap

The trap here is that candidates often assume NSGs are sufficient for all internal traffic filtering, but they lack Layer 7 inspection and FQDN filtering, which are critical for a secure three-tier isolation in a zero-trust design.

How to eliminate wrong answers

Option B is wrong because Network Security Groups (NSGs) operate at Layer 3/4 (network/transport) and cannot perform application-layer inspection or FQDN filtering, making them insufficient for enforcing application-level restrictions between tiers. Option C is wrong because VNet peering with route tables only controls routing paths, not traffic filtering; it does not block or allow specific traffic between tiers, so it cannot enforce the required communication restrictions. Option D is wrong because Azure Web Application Firewall (WAF) is designed to protect inbound web traffic from the internet to the web tier, not to control east-west traffic between internal tiers (web-to-app or app-to-data).

552
MCQeasy

A company has a hybrid identity deployment using Azure AD Connect. They want to ensure that if a user's on-premises account is disabled, the corresponding Azure AD account is also disabled within 30 minutes. Which setting should they configure?

A.Enable password hash synchronization
B.Configure the synchronization interval for directory changes
C.Install Azure AD Application Proxy
D.Enable password writeback
AnswerB

Azure AD Connect syncs changes every 30 minutes by default.

Why this answer

Option B is correct because Azure AD Connect's default synchronization cycle for directory changes is 30 minutes. By configuring the synchronization interval (via the Azure AD Connect scheduler or PowerShell), you can ensure that disabled on-premises accounts are reflected in Azure AD within that timeframe. This setting directly controls how frequently Azure AD Connect processes and synchronizes changes from the on-premises Active Directory to Azure AD.

Exam trap

The trap here is that candidates confuse account status synchronization (which relies on the sync interval) with password-related features like password hash sync or writeback, assuming they also propagate account state changes.

How to eliminate wrong answers

Option A is wrong because password hash synchronization only synchronizes password hashes for authentication, not account status (enabled/disabled). Option C is wrong because Azure AD Application Proxy provides secure remote access to on-premises web applications and has no role in synchronizing user account states. Option D is wrong because password writeback enables password changes from Azure AD to on-premises AD, not the synchronization of account disabled status.

553
MCQmedium

A company is deploying Azure SQL Database with Azure Active Directory authentication for their application. They want to ensure that only specific Azure AD users can access the database, and that these users are authenticated at the database level. What should they do?

A.Create a server-level login for each user
B.Assign the Azure AD admin to the SQL server
C.Configure firewall rules to allow specific IPs
D.Create contained database users mapped to Azure AD identities
AnswerD

Contained users authenticate at the database level and are mapped to Azure AD users.

Why this answer

Option D is correct because contained database users in Azure SQL Database are authenticated directly at the database level using Azure AD identities, without requiring a server-level login. This allows you to grant access to specific Azure AD users or groups while enforcing authentication within the database itself, aligning with the requirement for database-level authentication.

Exam trap

The trap here is that candidates often confuse server-level Azure AD admin assignment (which enables Azure AD authentication at the server level) with the ability to control specific user access at the database level, leading them to select Option B instead of understanding that contained database users are required for granular, database-scoped authentication.

How to eliminate wrong answers

Option A is wrong because server-level logins are SQL Server authentication principals that exist at the server scope, not Azure AD identities, and they require a login to be created in the master database, which does not meet the requirement for Azure AD authentication at the database level. Option B is wrong because assigning an Azure AD admin to the SQL server grants that user or group full administrative access to the server, not the ability to restrict specific users at the database level; it is a prerequisite for Azure AD authentication but does not by itself control database-level access. Option C is wrong because firewall rules control network access by IP address, not user authentication; they are a separate security layer that allows or blocks connections from specific IP ranges but do not authenticate individual Azure AD users.

554
Multi-Selectmedium

Which TWO actions align with the Zero Trust principle of 'verify explicitly'? (Select two.)

Select 2 answers
A.Deploy a VPN for remote access
B.Use conditional access policies to evaluate user and device risk before granting access
C.Encrypt all data at rest
D.Require multifactor authentication for all users
E.Implement network segmentation to limit lateral movement
AnswersB, D

Conditional Access verifies explicitly by evaluating multiple signals.

Why this answer

Option B is correct because conditional access policies evaluate real-time signals such as user identity, device compliance, location, and risk level before granting access to resources. This aligns with the Zero Trust principle of 'verify explicitly' by requiring continuous validation of every access request rather than trusting based on network location alone.

Exam trap

Microsoft often tests the misconception that encryption or network segmentation are forms of verification, but they are actually data protection and containment controls, respectively, and do not satisfy the 'verify explicitly' requirement of Zero Trust.

555
MCQhard

You are designing a security solution for an Azure SQL Database that stores sensitive customer data. The solution must encrypt the database at rest and in transit, and also mask sensitive columns from non-privileged users. Which combination of features should you implement?

A.Transparent Data Encryption (TDE) and Dynamic Data Masking (DDM)
B.Always Encrypted and Row-Level Security
C.Always Encrypted and Dynamic Data Masking (DDM)
D.Cell-level encryption and row-level security
AnswerA

TDE encrypts at rest, DDM masks columns for non-privileged users.

Why this answer

Option A is correct because Transparent Data Encryption (TDE) encrypts the database at rest, and Dynamic Data Masking (DDM) masks sensitive columns from non-privileged users. Option B is wrong because Always Encrypted encrypts columns on the client side but does not encrypt the database at rest. Option C is wrong because Always Encrypted does not fully encrypt the database at rest; TDE plus DDM is the correct combination.

Option D is wrong because cell-level encryption is complex and not native to Azure SQL.

556
Multi-Selecteasy

A company needs to ensure that only authorized users can access sensitive data in Microsoft SharePoint Online. Which TWO controls can be used? (Choose two.)

Select 2 answers
A.Sensitivity labels
B.Retention policies
C.Microsoft Entra ID Governance access reviews
D.Conditional Access policies
E.Data loss prevention policies
AnswersC, D

Review and certify access.

Why this answer

Options C and D are correct: Microsoft Entra ID Governance access reviews ensure that only authorized users retain access, and Conditional Access policies restrict access based on conditions. Option A is wrong because sensitivity labels are for classification and protection, not access control. Option B is wrong because retention policies are for data retention, not access.

Option E is wrong because DLP policies prevent data loss; they do not control access.

557
MCQeasy

Your organization is using Microsoft Sentinel to collect security logs from multiple sources, including Azure Activity Logs, Office 365 Audit Logs, and on-premises Windows Event Logs. You need to ensure that security incidents are automatically created when a user from a specific IP address attempts to access a sensitive application. You have already configured the data connectors. What should you create?

A.Create a workbook to visualize the access attempts.
B.Create a watchlist containing the IP address and use it in a query.
C.Create an analytics rule that triggers an incident when access from the IP is detected.
D.Create a playbook that runs when a specific event occurs.
AnswerC

Analytics rules create incidents based on queries.

Why this answer

Option C is correct because an analytics rule in Microsoft Sentinel can be configured to alert on specific activities (e.g., access from a certain IP) and create an incident. Option B is wrong because a watchlist is a data source, not an alerting mechanism. Option D is wrong because a playbook is a response action, not an alert trigger.

Option A is wrong because a workbook is a visualization tool.

558
MCQhard

Your organization uses Microsoft Sentinel to centralize security logs from multiple clouds. The security team needs a solution that automatically investigates low-fidelity alerts and creates incidents only when confirmed malicious. Which Microsoft Sentinel feature should you configure?

A.Automation rules with playbooks
B.Entity behavior analytics (UEBA) with automated investigation
C.Machine Learning (ML) based anomaly detection
D.Custom analytic rules
AnswerB

UEBA profiles entities and can trigger automated investigation for low-fidelity alerts.

Why this answer

Entity behavior analytics (UEBA) with automated investigation is the correct choice because it profiles normal user and entity behavior, then automatically investigates low-fidelity alerts by correlating them with historical baselines. When the investigation confirms malicious activity, it escalates to an incident, reducing noise and manual triage.

Exam trap

The trap here is that candidates often confuse automation rules (which respond after an incident) with the automated investigation capability (which runs before incident creation), leading them to choose Option A instead of B.

How to eliminate wrong answers

Option A is wrong because automation rules with playbooks are designed to trigger automated responses (e.g., blocking an IP) after an incident is created, not to perform the initial investigation and confirmation of low-fidelity alerts. Option C is wrong because ML-based anomaly detection identifies unusual patterns but does not include the automated investigation workflow that confirms maliciousness before incident creation. Option D is wrong because custom analytic rules create incidents directly from log queries without the built-in investigation and confirmation step that UEBA with automated investigation provides.

559
MCQhard

Refer to the exhibit. This is a risk alert from Microsoft Entra ID Identity Protection for user jdoe@contoso.com. You are designing an automated response using Microsoft Sentinel. Which condition should you use to trigger a high-severity incident?

A.If the user risk level is 'high'
B.If the sign-in risk level is 'high'
C.If the risk event types include 'leakedCredentials'
D.If the user risk level is 'medium'
AnswerA

The user risk level is 'high', indicating a compromised account.

Why this answer

Option A is correct because the alert has a user risk level of 'high', which indicates a compromised account. Option C is wrong because the risk event types are 'unfamiliarFeatures' and 'atypicalTravel', not 'leakedCredentials'. Option B is wrong because the sign-in risk level is 'medium', not 'high'.

Option D is wrong because the user risk level is 'high', not 'medium'.

560
Multi-Selecteasy

Your organization is implementing a Zero Trust network architecture in Azure. Which TWO principles are foundational to Zero Trust?

Select 2 answers
A.Use network segmentation
B.Verify explicitly
C.Assume breach
D.Rely on perimeter security
E.Trust but verify
AnswersB, C

Always authenticate and authorize based on all available data points.

Why this answer

Option B is correct because 'Verify explicitly' is a core principle of Zero Trust, which mandates that every access request must be authenticated and authorized based on all available data points (e.g., user identity, device health, location) before granting access. This eliminates implicit trust based solely on network location, aligning with Azure's conditional access policies and Microsoft Entra ID authentication.

Exam trap

The trap here is that candidates often confuse network segmentation (a tactical control) with the strategic Zero Trust principle of 'Assume breach', or mistakenly think 'Trust but verify' is acceptable when the exam requires the explicit 'Verify explicitly' and 'Assume breach' as the two foundational pillars.

561
Multi-Selectmedium

Your organization is designing a Microsoft Sentinel workspace for a multi-region deployment. You need to optimize cost while ensuring that security data is available for investigation in the primary region. Which TWO actions should you take?

Select 2 answers
A.Use a single Sentinel workspace in the primary region and ingest data from all regions via diagnostic settings.
B.Enable Azure Monitor Agent (AMA) with data collection rules to filter logs.
C.Use Azure Lighthouse to manage multiple Sentinel workspaces from a single pane of glass.
D.Use Log Analytics clusters with dedicated clusters to reduce costs.
E.Deploy Sentinel workspaces in each region and use cross-workspace queries.
AnswersA, C

Centralized workspace reduces cost.

Why this answer

Option A is correct because using a single workspace across regions avoids duplicate data ingestion and cost. Option C is correct because using Azure Lighthouse allows centralized management across regions. Option B is wrong because multiple workspaces increase cost and management overhead.

Option D is wrong because it doesn't directly address cost optimization. Option E is wrong because separate workspaces increase cost.

562
MCQmedium

Refer to the exhibit. You are reviewing an ARM template that deploys a network security group (NSG) for a web application. The NSG allows inbound HTTP traffic from any source and then denies all other inbound traffic. However, after deployment, you find that HTTP traffic is being blocked. What is the most likely cause?

A.The AllowHTTP rule uses sourcePortRange '*' which conflicts with the DenyAll rule.
B.The NSG is not associated with the subnet or network interface where the web server is deployed.
C.The DenyAll rule has a higher priority than the AllowHTTP rule, so it takes precedence.
D.The DenyAll rule uses protocol '*' which blocks all traffic including HTTP.
AnswerB

An NSG must be associated with a subnet or NIC to take effect.

Why this answer

Option B is correct because an NSG only filters traffic when it is associated with a subnet or a network interface card (NIC). Without association, the NSG rules are never applied, so the web server's HTTP traffic is not affected by the AllowHTTP rule and is instead subject to the default platform behavior, which allows all inbound traffic. Since the question states HTTP traffic is being blocked, the most likely cause is that the NSG is not associated with the subnet or NIC, leaving the web server's traffic ungoverned by the intended rules.

Exam trap

The trap here is that candidates assume an NSG's rules are automatically applied to all resources in the same region or virtual network, when in fact the NSG must be explicitly associated with a subnet or NIC to take effect.

How to eliminate wrong answers

Option A is wrong because sourcePortRange '*' is the default wildcard that matches any source port and does not conflict with the DenyAll rule; port ranges are evaluated independently, and a wildcard source port does not cause blocking. Option C is wrong because the DenyAll rule must have a higher priority number (lower precedence) than the AllowHTTP rule to be effective; if the DenyAll rule had a higher priority (lower number), it would override the Allow rule, but the question implies the Allow rule is correctly prioritized, so this is not the cause. Option D is wrong because protocol '*' matches all protocols, including HTTP (TCP port 80), but the DenyAll rule is intended to block all traffic; the issue is not the protocol wildcard but the lack of NSG association, as the DenyAll rule would only block traffic if the NSG were applied.

563
MCQeasy

Your organization wants to use Microsoft Defender XDR to automatically investigate and respond to alerts. You need to ensure that the solution can autonomously remediate confirmed threats on endpoints, such as quarantining files and isolating devices. What should you enable?

A.Microsoft Defender for Identity
B.Microsoft Defender for Cloud Apps
C.Microsoft Defender for Endpoint
D.Microsoft Defender for Office 365
AnswerC

Defender for Endpoint provides automated investigation and remediation, including file quarantine and device isolation.

Why this answer

Option C is correct because Microsoft Defender for Endpoint includes automated investigation and remediation capabilities that can quarantine files and isolate devices. Option D is wrong because Microsoft Defender for Office 365 focuses on email and collaboration threats. Option B is wrong because Microsoft Defender for Cloud Apps is for SaaS app security.

Option A is wrong because Microsoft Defender for Identity is for on-premises AD threats.

564
MCQhard

Refer to the exhibit. You run the PowerShell script to apply an NSG to a subnet. However, connectivity tests show that the NSG rule is not being applied. What is the most likely reason?

A.The NSG was not associated to the subnet; Set-AzVirtualNetworkSubnetConfig does not associate the NSG.
B.The script is missing the Set-AzVirtualNetwork call after updating the subnet.
C.The rule priority 100 conflicts with an existing rule with lower priority.
D.The NSG should be associated to the network interface instead of the subnet.
AnswerB

The subnet configuration is updated locally, but the VNet is not updated, so the NSG association is not persisted.

Why this answer

Option B is correct because after modifying the subnet configuration with Set-AzVirtualNetworkSubnetConfig, you must apply the changes using Set-AzVirtualNetwork to update the VNet. Without that call, the NSG association is not saved. Option A is wrong because the NSG is created and associated to the subnet configuration; only the VNet update is missing.

Option C is wrong because priority 100 is valid. Option D is wrong because the NSG is intended to be applied to the subnet, not the NIC.

565
Multi-Selecthard

Which THREE of the following are capabilities of Microsoft Purview Information Protection?

Select 3 answers
A.Preventing data loss via DLP policies
B.Classifying data using trainable classifiers
C.Detecting risky user activities with Insider Risk Management
D.Automatically classifying and labeling data based on conditions
E.Applying sensitivity labels to documents and emails
AnswersB, D, E

Trainable classifiers can identify data patterns for classification.

Why this answer

Option B is correct because Microsoft Purview Information Protection includes trainable classifiers that use machine learning to intelligently identify sensitive content based on patterns and context, not just keywords. These classifiers can be trained with sample data to improve accuracy, enabling automated classification of documents and emails without requiring manual rule creation.

Exam trap

The trap here is that candidates confuse the overlapping capabilities of Microsoft Purview solutions—specifically, they attribute DLP enforcement (Option A) or Insider Risk Management (Option C) to Information Protection, when those belong to separate Purview modules.

566
MCQhard

Refer to the exhibit. You review a PowerShell script that configures an NSG rule. What is the likely security issue with this rule?

A.The source address prefix should be a specific IP range
B.The rule allows HTTPS instead of HTTP
C.The rule is outbound but should be inbound
D.The destination address prefix is 'VirtualNetwork' which allows traffic to all VMs
AnswerD

Should be a specific subnet or IP to restrict access.

Why this answer

Option D is correct: the rule allows HTTP (port 80) from the Internet to the VirtualNetwork address prefix, which effectively allows inbound traffic from any public IP to all VMs in the virtual network on port 80. This is overly permissive. Option B is wrong because the rule allows HTTP, not HTTPS.

Option C is wrong because the rule is inbound, not outbound. Option A is wrong because the rule allows the Internet as its source, not a specific IP.

567
MCQmedium

Fabrikam is a healthcare organization that uses Microsoft 365 E5 and Azure. They have a hybrid identity environment with Active Directory on-premises synced to Microsoft Entra ID. The security team wants to implement a Zero Trust strategy following the 'verify explicitly' principle. They need to ensure that all access to Microsoft 365 services and Azure applications is conditionally enforced based on real-time risk signals. Additionally, they want to block legacy authentication protocols that do not support modern authentication. The solution must integrate with Microsoft Defender XDR and Microsoft Sentinel for threat intelligence. Which combination of technologies should you recommend?

A.Implement Azure AD Identity Governance with access reviews. Use Conditional Access to require hybrid Azure AD joined devices. Block legacy authentication by disabling protocols in Exchange Online. Use Azure Sentinel without Defender XDR.
B.Use Azure AD B2B for external users only. Configure Conditional Access with MFA for all users. Use Azure AD Identity Protection for risk. Block legacy authentication at the firewall level.
C.Deploy Microsoft Intune for mobile device management and require compliant devices. Use Conditional Access to block legacy protocols. Rely on Azure ATP (now Microsoft Defender for Identity) for risk signals.
D.Use Microsoft Entra Conditional Access policies with session controls from Microsoft Defender for Cloud Apps. Enable Microsoft Entra ID Protection to feed risk signals into Conditional Access. Block legacy authentication via a Conditional Access policy targeting 'Exchange Active Sync' and 'Other clients'. Integrate Microsoft Sentinel to ingest alerts from Defender XDR.
AnswerD

Directly addresses real-time risk, legacy auth blocking, and central SIEM integration.

Why this answer

Option D is correct because it directly implements the 'verify explicitly' principle by using Microsoft Entra ID Protection to feed real-time risk signals into Conditional Access policies, which then enforce session controls via Microsoft Defender for Cloud Apps. It blocks legacy authentication through a targeted Conditional Access policy (not just disabling protocols in Exchange Online or at the firewall), and integrates Microsoft Sentinel to ingest alerts from Defender XDR for centralized threat intelligence. This combination ensures all access to Microsoft 365 and Azure applications is conditionally enforced based on dynamic risk, while also addressing the requirement to block legacy protocols that lack modern authentication support.

Exam trap

The trap here is that candidates often think blocking legacy authentication must be done at the protocol level (e.g., disabling in Exchange Online or firewall) rather than using a Conditional Access policy, which is the recommended and more comprehensive method in a Zero Trust architecture.

How to eliminate wrong answers

Option A is wrong because it relies on disabling legacy protocols in Exchange Online (which is incomplete—does not block protocols like POP3/IMAP/SMTP across all services) and uses Azure Sentinel without Defender XDR, violating the requirement to integrate both. Option B is wrong because it blocks legacy authentication at the firewall level (which is not granular enough and does not address protocol-level blocking within Microsoft 365), and Azure AD B2B is only for external users, not the core Zero Trust strategy for internal access. Option C is wrong because it relies on Azure ATP (now Microsoft Defender for Identity) for risk signals, but the correct modern approach is Microsoft Entra ID Protection, which provides real-time risk detection and feeds directly into Conditional Access; also, Intune for compliant devices is not the primary mechanism for risk-based conditional access.

568
Multi-Selecthard

Your organization uses Microsoft Purview Information Protection and Microsoft Defender for Cloud Apps. You need to design a solution that automatically applies a 'Confidential' sensitivity label to documents that contain credit card numbers and are shared externally. The solution should also generate an alert when this occurs. Which two configurations should you implement? (Choose TWO.)

Select 2 answers
A.Configure a Microsoft Sentinel analytics rule that queries audit logs for external sharing of labeled documents and generates an incident.
B.Create a Conditional Access policy in Microsoft Entra ID that requires device compliance when accessing documents labeled 'Confidential'.
C.Configure a Microsoft Purview Data Loss Prevention (DLP) policy that blocks the sharing of documents containing credit card numbers.
D.Create a Microsoft Purview auto-labeling policy that includes the 'Credit Card Number' sensitive info type and specifies the 'Confidential' label.
E.Create a Microsoft Defender for Cloud Apps app governance policy that monitors file sharing and triggers an alert when a document with a 'Confidential' label is shared externally.
AnswersD, E

Auto-labeling policies can automatically apply labels based on content inspection.

Why this answer

Options D and E are correct because an auto-labeling policy in Microsoft Purview can scan for sensitive info types (credit card numbers) and apply labels, and an app governance policy in Defender for Cloud Apps can detect sharing to external domains and trigger alerts. Option C (data loss prevention) is for blocking, not labeling. Option B (Conditional Access) controls access, not labeling.

Option A (Microsoft Sentinel analytics rule) could generate alerts but is not the primary mechanism for labeling.

569
MCQmedium

Your organization uses Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data in Exchange Online. The compliance team wants to prevent users from sending emails containing Social Security numbers to external recipients. What should you configure?

A.Create a DLP policy with the condition 'Content contains sensitive info type' and action 'Block the message'
B.Configure a retention label for emails
C.Create a mail flow rule in Exchange admin center
D.Apply a sensitivity label to all emails
AnswerA

DLP policies can detect sensitive info types and block messages from being sent.

Why this answer

Option A is correct because a DLP policy can detect sensitive info types and block the email. Option D is wrong because sensitivity labels are for classification, not blocking. Option B is wrong because retention labels are for data retention.

Option C is wrong because mail flow rules (transport rules) can achieve a similar result, but DLP is the recommended approach.

570
Multi-Selectmedium

A large enterprise is implementing Microsoft Defender for Cloud to improve their security posture. Which TWO actions should they take to prioritize and remediate security recommendations effectively? (Choose two.)

Select 2 answers
A.Assign each recommendation to a specific team member manually
B.Enable automatic remediation for high-priority recommendations
C.Review Secure Score and focus on recommendations that improve it most
D.Ignore recommendations with low severity to save time
E.Disable recommendations that generate security alerts
AnswersB, C

Automation ensures quick fixes for critical issues.

Why this answer

Option B is correct because Microsoft Defender for Cloud allows you to enable automatic remediation for high-priority recommendations, which automatically applies the necessary configuration changes (e.g., enabling encryption or installing endpoint protection) when a recommendation is triggered. This reduces manual effort and ensures critical security gaps are closed quickly. Option C is correct because the Secure Score aggregates all recommendations into a numerical score, and focusing on recommendations that provide the highest score improvement directly correlates to the most significant risk reduction, aligning with Microsoft's guidance for prioritization.

Exam trap

The trap here is that candidates often confuse 'automatic remediation' with 'manual assignment' (Option A) or incorrectly assume that low-severity recommendations can be safely ignored (Option D), when in fact Defender for Cloud's Secure Score treats all recommendations as contributing to the overall score, and ignoring them can lead to compliance failures and gradual score degradation.

571
Multi-Select · hard

A financial services company uses Microsoft Sentinel for SIEM. They need to detect potential data exfiltration from their Azure SQL Database. Which THREE data sources should they connect to Sentinel to achieve this? (Choose THREE.)

Select 3 answers
A. Microsoft Defender for Cloud alerts
B. Azure AD sign-in logs
C. Azure Network Watcher NSG flow logs
D. Azure SQL Database audit logs
E. Azure Activity Logs
Answers: C, D, E

Provide network traffic data to detect unusual data transfers.

Why this answer

Azure SQL Database audit logs contain query details; Azure Activity Logs provide resource management events; network security group flow logs show network traffic patterns. Options C, D, and E are correct. Option B is wrong because Azure AD sign-in logs are for user authentication, not database operations.

Option A is wrong because Microsoft Defender for Cloud alerts may cover threats but not raw data exfiltration details.

572
MCQ · medium

Your organization uses Microsoft Defender for Office 365 to protect against phishing attacks. The security team wants to implement a custom advanced phishing threshold policy that blocks suspicious emails more aggressively. Which policy type should they modify?

A. ATP policy
B. Safe Attachments policy
C. Safe Links policy
D. Anti-phishing policy
Answer: D

Anti-phishing policies have advanced threshold settings.

Why this answer

The Anti-phishing policy in Microsoft Defender for Office 365 includes the Advanced Phishing Threshold (APT) settings that allow administrators to control the aggressiveness of phishing detection. By modifying the anti-phishing policy, you can set the phishing threshold to 'Aggressive' or 'Most Aggressive,' which applies more stringent machine learning models to block suspicious emails earlier. This is the correct policy type because it directly governs the phishing threshold level, not attachment or link scanning.

Exam trap

The trap here is that candidates confuse the outdated 'ATP policy' term with the modern anti-phishing policy, or they mistakenly think Safe Attachments or Safe Links control phishing thresholds, when in fact only the anti-phishing policy contains the Advanced Phishing Threshold settings.

How to eliminate wrong answers

Option A is wrong because 'ATP policy' is an outdated term; Microsoft Defender for Office 365 no longer uses 'ATP' as a policy name—it has been rebranded, and the correct policy for phishing thresholds is the anti-phishing policy. Option B is wrong because Safe Attachments policy controls the scanning of email attachments for malware, not the phishing threshold or aggressiveness of phishing detection. Option C is wrong because Safe Links policy protects users from malicious URLs in emails and Office documents, but it does not control the phishing threshold level or the aggressiveness of email filtering.

573
MCQ · medium

Your organization uses Microsoft Purview Information Protection to label sensitive documents. You need to ensure that documents containing personally identifiable information (PII) are automatically labeled when saved in SharePoint Online. What should you configure?

A. Create a retention label with auto-labeling rule.
B. Publish a sensitivity label with auto-labeling for SharePoint.
C. Configure an auto-labeling policy for sensitivity labels targeting SharePoint.
D. Set up a DLP policy to detect PII and apply a label.
Answer: C

Auto-labeling policies can automatically apply sensitivity labels to documents in SharePoint.

Why this answer

Option C is correct because auto-labeling policies can scan content in SharePoint and apply labels automatically. Option B is wrong because published sensitivity labels require manual application or client-side auto-labeling. Option A is wrong because retention labels are for retention, not sensitivity.

Option D is wrong because DLP policies enforce actions but don't label.

574
Multi-Select · medium

Which TWO of the following are key components of a Zero Trust architecture according to Microsoft? (Choose two.)

Select 2 answers
A. Trust but verify
B. Implicit trust for internal traffic
C. Use least privilege access
D. Verify explicitly
E. Rely on a strong perimeter
Answers: C, D

Limit user access with just-in-time and just-enough-access.

Why this answer

In Microsoft's Zero Trust model, 'least privilege access' (Option C) is a core principle that ensures users and devices are granted only the minimum permissions necessary to perform their tasks, reducing the attack surface. This is enforced through technologies like Azure AD Conditional Access and Privileged Identity Management (PIM), which dynamically limit access based on risk and context.

Exam trap

The trap here is that candidates often confuse 'trust but verify' (a legacy model) with Zero Trust's 'never trust, always verify' principle, leading them to incorrectly select Option A as a key component.

575
MCQ · hard

Your organization uses Microsoft Defender for Cloud to assess the security posture of Azure resources. The compliance team wants to ensure that all storage accounts have secure transfer required enabled. Which action should you take in Defender for Cloud?

A. Configure the regulatory compliance dashboard
B. Review the secure score
C. Implement the 'Secure transfer to storage accounts should be enabled' recommendation
D. Enable the 'Cloud Security Posture Management' plan
Answer: C

Implementing the recommendation applies the required setting via Azure Policy.

Why this answer

The correct action is to implement the 'Secure transfer to storage accounts should be enabled' recommendation because Microsoft Defender for Cloud provides built-in security recommendations that map to specific controls. This recommendation directly checks whether the 'Secure transfer required' property is enabled on each storage account, and if not, it provides remediation steps to enforce HTTPS-only traffic, which aligns with the compliance team's requirement.

Exam trap

The trap here is that candidates confuse viewing compliance or score metrics (options A and B) with taking direct action to enforce a specific security control, or they mistakenly think enabling a higher-level plan (option D) automatically applies all underlying recommendations.

How to eliminate wrong answers

Option A is wrong because the regulatory compliance dashboard is used to view compliance posture against standards (e.g., PCI DSS, ISO 27001) and track progress, but it does not directly enforce or implement a specific security setting like secure transfer required. Option B is wrong because the secure score is a numerical summary of your overall security posture based on implemented recommendations; reviewing it shows the score impact but does not itself enable the secure transfer setting. Option D is wrong because enabling the 'Cloud Security Posture Management' plan is a prerequisite for receiving certain recommendations and advanced features, but it does not directly implement the 'Secure transfer to storage accounts should be enabled' recommendation; it only enables the capability to assess and recommend.

576
MCQ · medium

A company deploys a line-of-business application on Azure App Service. The application uses a managed identity to access Azure SQL Database. Security policy requires that the database connection string must not contain credentials. How should the connection string be configured?

A. Store the connection string in App Service application settings with the password encrypted by App Service
B. Store the connection string with username and password in Key Vault and reference it in App Settings
C. Use a managed identity and set the connection string to use Active Directory Managed Identity authentication without credentials
D. Store the connection string as a secret in Azure Key Vault and use a Key Vault reference in App Settings
Answer: C

Managed identity allows the App Service to authenticate to Azure SQL without storing any credentials in the connection string

Why this answer

Using a managed identity, the connection string can be set to use 'Authentication=Active Directory Managed Identity' without any username or password. Option A is wrong because the connection string should not include credentials. Option B is wrong because Key Vault references are used for secrets, but managed identity itself avoids the need for a secret.

Option D is wrong because connection strings are not stored in App Service as secrets.

577
MCQ · easy

Your organization is using Microsoft Sentinel for security information and event management (SIEM). You need to ensure that data from Azure Activity Logs is ingested into Sentinel. What should you configure?

A. Configure a Log Analytics workspace to collect Activity Logs
B. Use Azure Policy to stream Activity Logs to Sentinel
C. Enable Azure Monitor to forward Activity Logs to Sentinel
D. Connect Azure Activity Logs via the Microsoft Sentinel data connector
Answer: D

This is the standard method to ingest Activity Logs.

Why this answer

Option D is correct because you can connect Azure Activity Logs as a data connector in Microsoft Sentinel. Option A is wrong because Log Analytics workspace is the underlying storage, but the connection is made via data connectors. Option B is wrong because Azure Policy can enforce configuration but not directly ingest logs.

Option C is wrong because Azure Monitor is a broader service; the specific connector is needed.

578
MCQ · hard

Your organization uses Microsoft Purview and needs to automatically apply a retention label to all documents containing personally identifiable information (PII) in SharePoint Online. What should you configure?

A. Auto-labeling policy
B. Data loss prevention (DLP) policy
C. Service-side sensitivity label
D. Trainable classifier
Answer: A

Auto-labeling policies can automatically apply retention labels based on sensitive info types, such as PII.

Why this answer

Auto-labeling policies in Microsoft Purview can automatically apply sensitivity labels or retention labels based on sensitive info types. Option A is correct. Option B is wrong because data loss prevention (DLP) policies prevent sharing; they do not apply labels.

Option D is wrong because trainable classifiers require custom training. Option C is wrong because service-side sensitivity labels apply labels based on the label of the parent site or document library.

579
MCQ · medium

Your company plans to use Microsoft Sentinel to manage security incidents. You need to design a solution that reduces alert fatigue by grouping related alerts into incidents. Which feature should you enable?

A. Analytics rule with alert grouping enabled
B. Watchlists to filter noisy alerts
C. Automation rules that trigger on alert creation
D. Playbooks that run on alert creation
Answer: A

Alert grouping in analytics rules combines related alerts into incidents.

Why this answer

Sentinel's analytics rules use alert grouping to combine related alerts into a single incident. Option A is correct. Option C is incorrect because automation rules trigger actions but don't group alerts.

Option B is incorrect because watchlists are for reference data. Option D is incorrect because playbooks automate responses, not grouping.

580
Multi-Select · medium

Which TWO Microsoft security solutions can help enforce Zero Trust principles by verifying identity and device health before granting access to resources?

Select 2 answers
A. Microsoft Intune
B. Microsoft Purview
C. Microsoft Entra ID Conditional Access
D. Microsoft Defender for Cloud Apps
E. Microsoft Sentinel
Answers: A, C

Intune ensures devices are compliant and healthy, supporting conditional access.

Why this answer

Microsoft Entra ID Conditional Access verifies identity and enforces policies. Microsoft Intune manages device compliance and health. Both are used together for Zero Trust access.

Option D is wrong because Microsoft Defender for Cloud Apps focuses on cloud app security. Option E is wrong because Microsoft Sentinel is a SIEM. Option B is wrong because Microsoft Purview is for data governance.

581
Multi-Select · hard

Which THREE components are required to implement a secure Azure DevOps CI/CD pipeline that scans for secrets in code? (Choose three.)

Select 3 answers
A. Azure Artifacts to store packages.
B. GitHub Advanced Security for secret scanning.
C. Credential Scanner in Azure DevOps.
D. Azure Boards for tracking security issues.
E. Azure Key Vault to store secrets used in pipelines.
Answers: B, C, E

It scans repositories for secrets.

Why this answer

Option B is correct because GitHub Advanced Security includes secret scanning for code repositories. Option E is correct because Azure Key Vault can store secrets accessed during pipeline execution. Option C is correct because Credential Scanner is a Microsoft security tool that is integrated into Azure DevOps for scanning secrets.

Option A is wrong because Azure Artifacts is a package management solution. Option D is wrong because Azure Boards is for work item tracking.

582
MCQ · hard

Your organization uses Microsoft Defender for Cloud to secure multi-cloud resources. You need to ensure that security recommendations are automatically remediated for non-compliant resources without manual intervention. What should you configure?

A. Azure Policy initiatives with remediation tasks
B. Set a Secure Score target and alert on changes
C. Use Quick Fix remediation for security recommendations and enable automation
D. Enable automatic provisioning of Log Analytics agent
Answer: C

Quick Fix allows one-click remediation, and automation can trigger it automatically.

Why this answer

Option C is correct because Quick Fix remediation combined with automation can auto-remediate recommendations. Option A is incorrect because Azure Policy can enforce but requires additional setup. Option D is incorrect because Defender for Cloud's automatic provisioning is for agents.

Option B is incorrect because Secure Score does not remediate.

583
Matching · medium

Match each Azure policy effect to its behavior.


Prevents resource creation or update

Creates a warning event in activity log

Adds fields to resource during creation

Changes existing resource properties

Deploys a resource if it does not exist

Why these pairings

These are common Azure Policy effects used for governance.

584
MCQ · hard

Your organization has a Microsoft 365 E5 subscription and uses Microsoft Entra ID for identity. You need to implement a solution to secure privileged access to Azure resources, requiring just-in-time access and approval workflows. What should you configure?

A. Microsoft Defender for Identity
B. Azure AD administrative units
C. Microsoft Entra Conditional Access
D. Microsoft Entra Privileged Identity Management (PIM)
Answer: D

PIM enables just-in-time role activation with approval.

Why this answer

Option D is correct because Microsoft Entra Privileged Identity Management (PIM) provides just-in-time access and approval workflows for Azure roles. Option C is wrong because Conditional Access controls access based on conditions, not just-in-time role activation. Option B is wrong because Azure AD (now Entra ID) roles are managed by PIM, not by administrative units.

Option A is wrong because Microsoft Defender for Identity identifies threats to on-premises Active Directory.

585
Multi-Select · easy

Your organization wants to implement a defense-in-depth strategy for Azure virtual machines. Which THREE of the following should you include?

Select 3 answers
A. Azure Disk Encryption for OS and data disks
B. Azure Firewall to inspect all traffic to the VMs
C. Microsoft Defender for Cloud with vulnerability assessment and just-in-time VM access
D. Azure Bastion to provide secure RDP and SSH access
E. Network security groups (NSGs) to filter traffic to and from the VMs
Answers: A, C, E

Encryption at rest protects data if disks are compromised.

Why this answer

Azure Disk Encryption (ADE) uses BitLocker for Windows and DM-Crypt for Linux to encrypt OS and data disks at rest, protecting against unauthorized access to the physical disk. This is a foundational layer of defense-in-depth, ensuring that if an attacker gains access to the disk, the data remains unreadable without the encryption keys stored in Azure Key Vault.

Exam trap

The trap here is that candidates often include Azure Firewall or Azure Bastion as core defense-in-depth components, but the question asks for the three most essential layers; Azure Firewall is redundant with NSGs for basic VM traffic filtering, and Bastion is a secure access method, not a protective layer for the VM itself.

586
MCQ · easy

Your organization is implementing a security baseline for Windows 11 devices using Microsoft Intune. You need to ensure that BitLocker encryption is enabled on all devices and that recovery keys are stored in Microsoft Entra ID. Which policy type should you configure?

A. Device configuration profile for administrative templates.
B. Endpoint security policy for disk encryption.
C. Update rings for Windows 10 and later.
D. Compliance policy for device encryption.
Answer: B

Endpoint security policies include BitLocker configuration and key storage settings.

Why this answer

Option B is correct because Endpoint security policies in Intune include BitLocker settings that can enforce encryption and store recovery keys in Entra ID. Option A is wrong because Device configuration policies are for general settings, not for BitLocker specifically. Option D is wrong because Compliance policies can check for encryption but do not configure it.

Option C is wrong because Update rings are for Windows Update settings.

587
Multi-Select · medium

Which TWO should you implement to protect privileged accounts in Microsoft Entra ID?

Select 2 answers
A. Microsoft Purview Data Loss Prevention
B. Conditional Access policies requiring MFA for privileged roles
C. Microsoft Defender for Cloud security score
D. Microsoft Defender Vulnerability Management
E. Microsoft Entra Privileged Identity Management (PIM)
Answers: B, E

Adds authentication step for privileged access.

Why this answer

Option B is correct because Conditional Access policies can enforce multifactor authentication (MFA) specifically for users assigned to privileged roles in Microsoft Entra ID. This directly protects those accounts by requiring a second authentication factor, reducing the risk of credential theft or reuse. It is a core identity security control recommended by Microsoft for privileged access.

Exam trap

The trap here is that candidates often confuse a measurement or monitoring tool (like security score or vulnerability management) with an actual security control that directly protects privileged accounts, leading them to select options that are only indirectly related.

588
MCQ · hard

Refer to the exhibit. You are auditing an Azure subscription. The Azure Policy assignment above is targeting a resource group. The policy definition ID corresponds to a built-in policy that audits if SQL databases have transparent data encryption (TDE) enabled. What is the effect of this policy assignment?

A. The policy automatically enables TDE on non-compliant SQL databases.
B. The policy is only reported as audit, not enforced.
C. The policy applies to all resources in the management group.
D. The policy audits SQL databases for TDE and marks non-compliant resources.
Answer: D

Default enforcement audits and enforces.

Why this answer

Option D is correct. The policy assignment has enforcementMode set to 'Default', which means it will audit and enforce the policy (e.g., mark non-compliant resources). If enforcementMode were 'DoNotEnforce', it would only audit.

Option B is wrong because enforcementMode is not set to DoNotEnforce. Option A is wrong because the policy does not automatically enable TDE; it only audits. Option C is wrong because the scope is a resource group, not an entire management group.

589
MCQ · hard

You are designing a security solution for a multinational organization that uses Microsoft Entra ID. They have a hybrid identity environment with Active Directory on-premises. The security team requires that all administrative actions in Microsoft Entra ID are logged and monitored in real-time with alerts for critical changes. Which two data sources should you stream to Microsoft Sentinel?

A. Microsoft Entra ID Sign-in Logs
B. Microsoft Entra ID Audit Logs
C. Azure Activity Log
D. Microsoft Entra ID Provisioning Logs
Answers: A, B

Sign-in logs provide real-time authentication activity.

Why this answer

Microsoft Entra ID Audit Logs contain records of all administrative changes and configuration modifications within the tenant, such as user role assignments, group membership updates, and application permission grants. Streaming these logs to Microsoft Sentinel enables real-time monitoring and alerting for critical administrative actions, meeting the security team's requirement for logging and alerting on all administrative actions.

Exam trap

The trap here is that candidates often confuse Azure Activity Log (which covers Azure resource operations) with Microsoft Entra ID Audit Logs (which cover directory administrative actions), leading them to select Azure Activity Log instead of the correct Entra ID Audit Logs.

How to eliminate wrong answers

Option C (Azure Activity Log) is wrong because it captures control-plane operations on Azure resources (e.g., creating a VM or modifying a network security group), not administrative actions within Microsoft Entra ID itself. Option D (Microsoft Entra ID Provisioning Logs) is wrong because it records synchronization activities between Entra ID and third-party applications (e.g., ServiceNow or SAP), not administrative changes to the Entra ID directory.

590
Multi-Select · medium

A company is designing a data classification strategy using Microsoft Purview. They need to automatically classify and protect sensitive data stored in Azure Blob Storage. Which TWO capabilities should they use? (Choose TWO.)

Select 2 answers
A. Sensitivity labels
B. Data Loss Prevention (DLP) policies
C. Information Barriers
D. Microsoft Purview Data Map
E. Azure Policy
Answers: A, D

Sensitivity labels can be applied to Azure Blob to enforce protection like encryption.

Why this answer

Microsoft Purview Data Map provides auto-discovery and classification of data assets, and sensitivity labels can apply protection. Options A and D are correct. Option B is wrong because DLP policies are for endpoints and Microsoft 365, not for Azure Blob.

Option C is wrong because Information Barriers are for restricting communication, not classification. Option E is wrong because Azure Policy is for governance, not data classification.

591
MCQ · medium

The exhibit shows a KQL query in Microsoft Sentinel. What is the primary purpose of this query?

A. Find alerts that were not investigated
B. Analyze entities associated with alerts
C. Identify the most frequent high-severity alerts over the past week
D. Correlate alerts by time and alert name
Answer: C

Summarizes counts and orders by highest count.

Why this answer

The query uses `summarize` with `count()` and `top 5 by count_ desc` to rank alert names by frequency, filtered to `AlertSeverity == 'High'` and `TimeGenerated > ago(7d)`. This directly identifies the most common high-severity alerts over the past week, making option C correct.

Exam trap

The trap here is that candidates may misinterpret the `bin(TimeGenerated, 1h)` as correlating alerts by time and name (option D), but the query only aggregates counts per alert name, not correlating alerts across different time windows or names.

How to eliminate wrong answers

Option A is wrong because the query does not include any field or filter related to investigation status (e.g., `Status == 'New'` or `InvestigationState`), so it cannot find alerts that were not investigated. Option B is wrong because the query only aggregates `AlertName` and does not expand or analyze entity fields (e.g., `Entities`, `Account`, `IP`), so it cannot analyze entities associated with alerts. Option D is wrong because the query does not group or correlate by both time and alert name; it uses `bin(TimeGenerated, 1h)` only for time bucketing but does not correlate alerts across time windows or alert names—it simply counts occurrences per alert name.

592
MCQ · medium

Your organization uses Microsoft Purview to protect sensitive data. You need to create a sensitivity label that automatically encrypts documents containing credit card numbers when they are shared externally. Which configuration should you use?

A. Create a trainable classifier to detect credit cards
B. Create an auto-labeling policy that applies a label with encryption for external sharing
C. Create a default label policy for SharePoint
D. Create a manual sensitivity label that users apply
Answer: B

Automatically detects credit card numbers and applies encryption when shared externally.

Why this answer

Auto-labeling in Purview can be configured to apply a sensitivity label based on sensitive info types like credit card numbers. The label should have encryption enabled for external sharing. The other options describe different scenarios: manual labeling, default labeling, or classification without encryption.

593
Multi-Select · medium

Your company is developing a web application that stores sensitive customer data in Azure SQL Database. The data must be encrypted at rest and in transit. Additionally, you need to ensure that only the application can access the database, not individual administrators. Which two technologies should you implement? (Choose two.)

Select 1 answer
A. Azure Key Vault
B. Azure Information Protection
C. Dynamic Data Masking
D. Always Encrypted
E. Transparent Data Encryption (TDE)
Answers: A

AKV stores encryption keys but is not the encryption mechanism itself.

Why this answer

Option A is correct: Transparent Data Encryption (TDE) encrypts data at rest. Option C is correct: Always Encrypted protects data in transit and during processing by keeping encryption keys client-side, preventing administrators from seeing plaintext. Option B is wrong: Azure Information Protection is for labeling and classification, not database encryption.

Option D is wrong: Dynamic Data Masking obfuscates data but does not encrypt it. Option E is wrong: Azure Key Vault is used to store keys but is not the encryption mechanism itself.

594
MCQ · medium

Your organization uses Microsoft Intune and Microsoft Defender for Endpoint. You need to design a solution that automatically remediates non-compliant devices by running a remediation script. Which Intune component should you use?

A. Remediation policy in Microsoft Intune
B. Device compliance policy
C. App protection policy
D. Device configuration profile
Answer: A

Remediation policies automatically run scripts to fix non-compliance.

Why this answer

Option A is correct because Intune remediation policies (part of device management) allow you to automatically run scripts to fix non-compliant settings. Option B (compliance policy) sets rules but does not run scripts. Option D (configuration profile) deploys settings.

Option C (app protection policy) is for app data.

595
Multi-Select · medium

You need to design a compliance solution using Microsoft Purview that automatically detects and protects credit card numbers in emails and documents. Which TWO features should you include? (Choose two.)

Select 2 answers
A. Data Loss Prevention (DLP) policies to detect and block credit card numbers.
B. Retention labels to retain credit card data for a specified period.
C. Auto-labeling policies to apply sensitivity labels to credit card data.
D. Trainable classifiers to identify credit card numbers.
E. eDiscovery to search for credit card numbers.
Answers: A, C

DLP can detect sensitive data and enforce protective actions.

Why this answer

Option A is correct because DLP policies can detect sensitive data and enforce actions. Option C is correct because auto-labeling can apply sensitivity labels. Option B is wrong because retention labels are for retention, not protection.

Option D is wrong because trainable classifiers are for pattern detection, but DLP and auto-labeling are more direct. Option E is wrong because eDiscovery is for search and legal hold.

596
Multi-Select · hard

A company is using Microsoft Defender for Cloud to secure their Azure environment. They have enabled the 'Defender for Cloud's integrated workload protection' plan for Azure SQL Database. Which TWO of the following security features are included in this plan?

Select 2 answers
A. Microsoft Purview Information Protection
B. Azure Policy
C. Vulnerability assessment
D. Transparent Data Encryption (TDE)
E. Advanced Threat Protection (ATP)
Answers: C, E

Defender for SQL includes vulnerability assessment capabilities.

Why this answer

Options C and E are correct. Option C: Vulnerability assessment is included in the Defender for SQL plan. Option E: Advanced Threat Protection (ATP) is included.

Option D: Azure SQL Database always encrypts data at rest with TDE by default, but it is not a specific feature of the Defender plan. Option A: Information Protection is a Microsoft Purview feature, not Defender for Cloud. Option B: Azure Policy is a separate governance tool.

597
MCQ · hard

Refer to the exhibit. An Azure policy is defined as shown. Which resources will be audited?

A. All Azure resources that are not compliant
B. All virtual machines with unmanaged disks
C. Virtual machines with Standard_LRS managed disks
D. Virtual machines with Premium_LRS managed disks and disk size 1024 GB
Answer: C

Standard_LRS is not Premium_LRS, so it matches the notEquals condition.

Why this answer

The Azure policy definition in the exhibit uses the 'auditIfNotExists' effect with a condition that checks if the 'Microsoft.Compute/virtualMachines' resource type has a 'Microsoft.Compute/disks' resource of type 'Standard_LRS' associated. This means the policy audits virtual machines that do NOT have a managed disk of type Standard_LRS, effectively auditing VMs with unmanaged disks or other managed disk SKUs. Option C is correct because the policy specifically targets virtual machines with Standard_LRS managed disks for audit, as the condition evaluates to true when the disk type is Standard_LRS, triggering the audit effect.

Exam trap

Microsoft often tests the nuance of 'auditIfNotExists' vs. 'audit' effects, where candidates mistakenly think the policy audits all non-compliant resources or unmanaged disks, but the policy actually audits only when the specified condition (Standard_LRS disk exists) is true, not when it is false.

How to eliminate wrong answers

Option A is wrong because the policy is scoped to virtual machines and their associated disks, not all Azure resources; it does not audit general non-compliance across resource types. Option B is wrong because the policy audits virtual machines that have Standard_LRS managed disks, not unmanaged disks; unmanaged disks would not match the 'Microsoft.Compute/disks' resource type with a managed disk SKU, so they would not trigger the audit. Option D is wrong because the policy does not include a condition on disk size; it only checks for the presence of a Standard_LRS managed disk, so a Premium_LRS disk of any size would not be audited.

598
MCQ · medium

Refer to the exhibit. You are reviewing a conditional access policy JSON in Microsoft Entra ID. The policy is enabled but users with the Global Administrator role are not being prompted for MFA. What is the most likely reason?

A. The policy does not include any users except by role.
B. The policy does not include any applications.
C. The grant control requires a compliant device instead of MFA.
D. The policy state is disabled.
Answer: A

The policy includes users by role but is missing the 'includeUsers' array; without specified users, no users are targeted.

Why this answer

Option A is correct because the policy's 'Include' filter is set to 'All users' while the 'Exclude' filter includes the 'Global Administrator' role. Since the policy excludes Global Administrators, they are not subject to the MFA grant control even though the policy is enabled. The JSON snippet shows that the policy is enabled and includes all users by default, but the exclusion of the Global Administrator role overrides the inclusion, so they are never evaluated for MFA.

Exam trap

The trap is that candidates assume 'All users' covers everyone regardless of role, overlooking that excluding specific roles or users completely bypasses the policy for them. The exam tests whether you understand that exclusion rules override inclusion rules in Conditional Access policies.

How to eliminate wrong answers

Option B is wrong because the policy does not need to include any specific applications; if no applications are selected, the policy applies to all applications by default, which would still trigger MFA for included users. Option C is wrong because the grant control in the policy explicitly requires MFA ('mfa' in the grantControls), not a compliant device, so that does not explain why Global Administrators are not prompted. Option D is wrong because the policy state is set to 'enabled' (as shown in the JSON), so it is active and should enforce MFA for users who are not excluded.

599
MCQmedium

Your company uses Microsoft Defender for Cloud to manage security across multiple subscriptions. You need to ensure that all subscriptions have at least one Defender plan enabled, and you want to enforce this centrally using Azure Policy. What is the best approach?

A.Use the Defender for Cloud continuous export feature to send compliance data to a Log Analytics workspace and create alerts.
B.Create an Azure Policy that denies creation of subscriptions that do not have Defender plans enabled.
C.Use Azure Blueprints to assign Defender plans to all subscriptions.
D.Create an Azure Policy that audits subscriptions without any Defender plans and then use a remediation task to enable the required plans.
AnswerD

Policy with remediation can enforce the configuration.

Why this answer

Option D is correct because Azure Policy can audit whether a subscription has no Defender plans enabled and then use a remediation task to enable the required plans. Option B is wrong because Azure Policy cannot directly enable plans without a remediation task. Option A is wrong because Defender for Cloud's continuous export is for security alerts, not policy enforcement.

Option C is wrong because Azure Blueprints is being deprecated in favor of Azure Policy and deployment stacks.

600
MCQmedium

Your organization is using Microsoft Defender for Cloud to secure applications running on Azure. You need to ensure that all Azure Storage accounts have secure transfer required enabled. What is the BEST way to enforce this?

A.Create a custom recommendation in Microsoft Defender for Cloud to alert when storage accounts do not have secure transfer required.
B.Use Azure Blueprints to apply the setting to all subscriptions.
C.Assign an Azure Policy initiative that includes the built-in policy 'Secure transfer to storage accounts should be enabled' with a 'Deny' effect.
D.Grant the 'Storage Account Contributor' role to a security group that will manually enable the setting.
AnswerC

Azure Policy with Deny effect prevents creation of non-compliant storage accounts.

Why this answer

Option C is correct because Azure Policy can audit and enforce compliance at scale. Option A is wrong because, while Defender for Cloud can detect the issue, it does not automatically enforce the setting. Option B is wrong because Azure Blueprints is deprecated; Azure Policy is the correct tool.

Option D is wrong because RBAC controls permissions, not configuration.
