Microsoft Cybersecurity Architect (SC-100) — Questions 601–675

969 questions total · 13 pages · All types, answers revealed


Page 9 of 13

601
MCQ · hard

A company is designing a secure hybrid network architecture. They have an on-premises network connected to Azure via ExpressRoute and a site-to-site VPN as backup. They want to ensure that traffic from Azure to on-premises always uses ExpressRoute when available, but automatically fails over to VPN if ExpressRoute goes down. Which configuration should they implement?

A. Configure the VPN to have a lower BGP weight than ExpressRoute.
B. Use both connections in active-active mode with BGP and rely on ECMP.
C. Disable BGP on the VPN connection and use static routes with a higher metric for the VPN.
D. Configure BGP on both connections and assign a higher local preference (e.g., 200) to routes learned via ExpressRoute.
Answer: D

Higher local preference makes ExpressRoute routes preferred; if ExpressRoute fails, VPN routes will be used.

Why this answer

Option D is correct because BGP local preference is an attribute used to influence outbound traffic from an AS. By assigning a higher local preference (e.g., 200) to routes learned via ExpressRoute, Azure will prefer those routes over VPN routes (which default to local preference 100). This ensures that traffic from Azure to on-premises uses ExpressRoute when available, and automatically fails over to the VPN if the ExpressRoute BGP session drops, as the VPN routes will then be selected.

Exam trap

The trap here is that candidates often confuse BGP weight (Cisco-proprietary, local to a router) with local preference (standard, AS-wide), and incorrectly assume that lowering weight on the VPN would achieve the same result as raising local preference on ExpressRoute, but Azure does not support Cisco weight and local preference is the correct attribute for influencing outbound traffic from Azure to on-premises.

How to eliminate wrong answers

Option A is wrong because BGP weight is a Cisco-proprietary attribute that influences inbound traffic on a single router, not outbound traffic from Azure; Azure does not use Cisco weight, and lowering VPN weight would not reliably force ExpressRoute preference. Option B is wrong because active-active mode with ECMP would load-balance traffic across both connections simultaneously, not provide a primary/backup failover where ExpressRoute is always preferred. Option C is wrong because disabling BGP on the VPN connection and using static routes with a higher metric would work for simple failover, but it prevents dynamic route propagation and failover detection; BGP provides faster convergence and automatic route withdrawal, which is critical for reliable failover.

602
MCQ · easy

Your organization uses Microsoft Purview to map and classify data across Azure, on-premises, and multi-cloud sources. You need to ensure that sensitive data assets are automatically discovered and classified. Which Microsoft Purview component should you configure?

A. Data Map scanning
B. Data Sharing
C. Data Catalog
D. Data Estate Insights
Answer: A

Automatically discovers and classifies.

Why this answer

Option A is correct because Microsoft Purview Data Map scans and classifies data across sources. Option B is wrong because Data Sharing is for sharing data. Option C is wrong because Data Catalog is the inventory, not scanning.

Option D is wrong because Data Estate Insights provides monitoring, not scanning.

603
MCQ · medium

Your organization is implementing a secure DevOps pipeline for a critical application. You need to design a solution that scans container images for vulnerabilities before they are deployed to production. Which Azure service should you integrate into the pipeline?

A. Azure Key Vault
B. Azure Policy
C. Microsoft Defender for Cloud
D. Azure Security Center
Answer: C

Defender for Cloud provides vulnerability scanning for container images in ACR.

Why this answer

Microsoft Defender for Cloud (formerly Azure Security Center) provides integrated vulnerability assessment for container images stored in Azure Container Registry (ACR). When integrated into a DevOps pipeline, Defender for Cloud can scan images on push or on demand, using the Qualys scanner to detect CVEs and generate detailed security reports. This allows the pipeline to block or flag vulnerable images before they reach production, directly addressing the requirement for pre-deployment vulnerability scanning.

Exam trap

The trap here is that candidates may confuse the old name 'Azure Security Center' with the current service 'Microsoft Defender for Cloud', or assume that Azure Policy can perform vulnerability scanning when it only enforces configuration compliance, not image-level security analysis.

How to eliminate wrong answers

Option A is wrong because Azure Key Vault is a secrets management service for storing keys, certificates, and passwords, not a container image vulnerability scanner. Option B is wrong because Azure Policy enforces compliance rules on Azure resources (e.g., requiring ACR to use private endpoints) but does not perform runtime or image-level vulnerability scanning. Option D is wrong because Azure Security Center was the previous name for what is now Microsoft Defender for Cloud; the current service name is Defender for Cloud, and the exam expects the updated terminology.

604
MCQ · hard

Your company uses Microsoft Entra ID for identity management. You need to implement a solution that allows external partners to access a specific application using their own identity providers, while ensuring that their accounts are automatically deprovisioned when removed from their home organization. Which feature should you use?

A. B2B direct federation
B. Entitlement management with connected organizations
C. Self-service sign-up
D. Identity Governance access reviews
Answer: B

Automates lifecycle management.

Why this answer

Option B is correct because Entitlement management with connected organizations allows external users to be provisioned and deprovisioned automatically based on lifecycle. Option A is wrong because B2B direct federation does not enforce deprovisioning. Option C is wrong because self-service sign-up does not manage deprovisioning.

Option D is wrong because Identity Governance includes access reviews but does not automatically deprovision.

605
Multi-Select · medium

Which THREE components are required to implement a Microsoft Sentinel solution that collects security logs from a multi-cloud environment including AWS and Azure? (Choose three.)

Select 3 answers
A. Log Analytics workspace
B. Microsoft Sentinel solution
C. Azure Monitor Agent (AMA)
D. AWS S3 data connector
E. Azure Arc
Answers: A, C, D

Sentinel is built on Log Analytics workspaces.

Why this answer

Option A is correct because the Log Analytics workspace is the data store for Sentinel. Option C is correct because the Azure Monitor Agent (AMA) collects logs from Azure VMs. Option D is correct because a data connector for AWS (e.g., AWS CloudTrail) is needed to ingest logs.

Option B is not required because Sentinel itself is the SIEM, not a separate component. Option E is not required because Azure Arc is optional for non-Azure servers but not required for AWS logs.

606
MCQ · medium

Your organization plans to use Microsoft Defender for Cloud to protect hybrid workloads across Azure and on-premises servers. You need to ensure that security policies are consistently applied and that compliance status is monitored centrally. What should you configure?

A. Implement Azure Security Benchmark recommendations manually.
B. Create Azure Policy initiatives and assign them to management groups and subscriptions.
C. Configure security policies directly in Microsoft Defender for Cloud.
D. Deploy Azure Blueprints to assign policies to management groups.
Answer: B

Azure Policy enforces rules and effects across resources, including hybrid via Arc.

Why this answer

Option B is correct because Azure Policy allows defining and enforcing security policies across Azure and hybrid environments via Arc-enabled servers. Option D is incorrect because Azure Blueprints are deprecated in favor of deployment stacks. Option C is incorrect because Defender for Cloud's security policies are built on Azure Policy.

Option A is incorrect because Azure Security Benchmark is a set of guidelines, not a configuration mechanism.

607
MCQ · medium

Your organization uses Microsoft Entra ID and plans to implement a Zero Trust security model. You need to ensure that all access requests to corporate applications are continuously evaluated based on user risk, device compliance, and location. Which Microsoft Entra ID feature should you configure?

A. Identity Governance
B. Privileged Identity Management (PIM)
C. Identity Protection
D. Conditional Access
Answer: D

Conditional Access enforces policies based on user, device, and location signals.

Why this answer

Conditional Access is the correct feature because it enables real-time policy evaluation of access requests based on signals such as user risk (from Identity Protection), device compliance (via Microsoft Intune), and location (IP address ranges or named locations). This aligns directly with the Zero Trust principle of 'never trust, always verify' by continuously re-evaluating each access attempt rather than relying on static permissions.

Exam trap

The trap here is that candidates often confuse Identity Protection (which only detects risk) with Conditional Access (which enforces policies based on that risk), leading them to select Option C instead of D.

How to eliminate wrong answers

Option A is wrong because Identity Governance focuses on managing user lifecycle, access reviews, and entitlement management, not on real-time risk-based access evaluation. Option B is wrong because Privileged Identity Management (PIM) provides just-in-time privileged role activation and approval workflows, but it does not evaluate device compliance or location for general application access. Option C is wrong because Identity Protection detects and reports user and sign-in risks (e.g., leaked credentials, anonymous IP addresses) but does not enforce access decisions itself; it requires integration with Conditional Access to block or require MFA based on those risks.

608
MCQ · medium

You are designing a solution for a multi-national corporation that uses Microsoft Purview to govern data across Azure SQL Database, Azure Data Lake Storage, and Microsoft 365. The data classification labels must be automatically applied based on sensitive data types such as credit card numbers and passport numbers. Which Microsoft Purview capability should you use?

A. Microsoft Purview Data Loss Prevention (DLP) policies
B. Microsoft Purview Audit
C. Microsoft Purview Information Protection
D. Microsoft Purview Data Map with automatic classification
Answer: D

Data Map can scan multiple data sources and automatically apply sensitivity labels based on sensitive data types.

Why this answer

Option D is correct because Microsoft Purview Data Map with automatic classification scanning can scan data sources and apply sensitivity labels based on built-in or custom data types. Option C is wrong because Information Protection is for labeling and protection in Microsoft 365, not for scanning data sources. Option A is wrong because DLP policies are for preventing data loss, not for automatic classification.

Option B is wrong because Audit is for logging activities.

609
MCQ · hard

Your organization uses Microsoft Defender for Cloud Apps to protect SaaS applications. You need to configure a policy that blocks downloads of files tagged as 'Highly Confidential' from SharePoint Online and triggers an automated investigation. Which policy type should you use?

A. Session policy
B. App discovery policy
C. Access policy
D. Anomaly detection policy
Answer: C

Can block downloads based on sensitivity labels.

Why this answer

Option C is correct because an access policy in Defender for Cloud Apps can enforce real-time controls like blocking downloads based on sensitivity labels. Option A is wrong because session policy controls user sessions but does not natively block downloads by label. Option B is wrong because app discovery policy discovers shadow IT, not controls access.

Option D is wrong because anomaly detection policy detects unusual behavior but does not block downloads.

610
Multi-Select · easy

Which TWO of the following are features of Azure DDoS Protection?

Select 2 answers
A. Cost protection for scaled resources during an attack
B. Web application firewall (WAF) capabilities
C. Site-to-site VPN connectivity
D. SSL termination and offloading
E. Adaptive tuning and mitigation of DDoS attacks
Answers: A, E

Provides cost protection for auto-scaling.

Why this answer

Option E is correct because DDoS Protection provides adaptive tuning and mitigation. Option A is correct because it offers cost protection for scaled resources during an attack. Option B is wrong because DDoS Protection does not provide a web application firewall (WAF is separate).

Option D is wrong because DDoS Protection does not provide SSL termination. Option C is wrong because DDoS Protection is not a VPN service.

611
Multi-Select · hard

Which THREE capabilities are part of Microsoft Purview's insider risk management solution? (Choose three.)

Select 3 answers
A. Communication compliance policies for monitoring emails.
B. Forensic evidence capturing user activity on devices.
C. Data Loss Prevention policies that block sensitive data.
D. Policy templates for data theft by departing users.
E. Indicators that detect unauthorized data exfiltration.
Answers: B, D, E

Forensic evidence is part of insider risk management.

Why this answer

Options B, D, and E are correct. Option E is correct because indicators for data leaks are core. Option B is correct because forensic evidence captures user activity.

Option D is correct because policy templates exist for data theft. Option C is incorrect because DLP is separate. Option A is incorrect because communication compliance is a different solution.

612
MCQ · medium

A company, Fabrikam, has a hybrid identity environment with on-premises Active Directory synchronized to Azure AD using Azure AD Connect. They have implemented a Zero Trust strategy that includes requiring multi-factor authentication (MFA) for all users accessing cloud applications. They use Conditional Access policies to enforce MFA. Recently, they noticed that users who authenticate from the on-premises network are not being prompted for MFA when accessing cloud apps, even though the Conditional Access policy is configured to require MFA for all users. The network location is not excluded in the policy. The Conditional Access policy is enabled and in 'Enforce' mode. The users' devices are not domain-joined. What is the most likely reason for this behavior?

A. Azure AD Connect is not configured for Pass-through Authentication
B. The Conditional Access policy does not include session controls
C. The Conditional Access policy is not targeting the correct user group
D. Users are using legacy authentication protocols that do not support MFA
Answer: D

Legacy authentication protocols like POP, IMAP, SMTP do not support MFA and can bypass Conditional Access policies if not blocked.

Why this answer

The most likely reason is that users are using legacy authentication protocols (e.g., POP3, IMAP, SMTP, or older Office clients) that do not support modern authentication and thus cannot enforce MFA via Conditional Access. Even though the policy requires MFA, legacy protocols bypass the Conditional Access engine entirely, allowing authentication without MFA prompts.

Exam trap

The trap here is that candidates often focus on policy configuration (e.g., user targeting, session controls) or authentication methods, but the real issue is that legacy protocols completely bypass Conditional Access, making MFA enforcement impossible regardless of policy settings.

How to eliminate wrong answers

Option A is wrong because Pass-through Authentication is an authentication method (not related to MFA enforcement) and does not affect whether Conditional Access policies prompt for MFA; the issue is about protocol support, not authentication flow. Option B is wrong because session controls (e.g., app-enforced restrictions, sign-in frequency) are optional and not required for MFA enforcement; the core MFA requirement is a grant control, not a session control. Option C is wrong because the scenario states the policy targets 'all users' and is in 'Enforce' mode, so user group targeting is not the issue; the problem is protocol-level bypass.

613
Multi-Select · medium

Your organization is implementing Microsoft Intune for mobile device management. You need to design a solution that ensures corporate data on mobile devices is protected if the device is lost or stolen. Which TWO actions should you configure?

Select 2 answers
A. Enforce a minimum PIN length on devices
B. Configure a compliance policy that requires device encryption
C. Deploy a selective wipe policy that removes corporate data
D. Require app protection policies (MAM) for all apps
E. Enable jailbreak detection in a device compliance policy
Answers: B, C

Encryption protects data if the device is physically accessed.

Why this answer

Option B is correct because a compliance policy requiring device encryption ensures that if a device is lost or stolen, the data stored on it is unreadable without the decryption key. Intune compliance policies evaluate encryption status (e.g., BitLocker on Windows, FileVault on macOS, or device encryption on iOS/Android) and mark noncompliant devices for conditional access blocking, preventing unauthorized access to corporate data.

Exam trap

The trap here is that candidates often confuse device-level encryption (compliance policy) with app-level protection (MAM) or access controls (PIN, jailbreak detection), failing to recognize that only encryption and selective wipe directly address data protection on a lost or stolen device.

614
Multi-Select · medium

Your organization is designing a data protection strategy for Microsoft 365 using Microsoft Purview. You need to protect sensitive data from being shared externally via email. Which TWO capabilities should you include?

Select 2 answers
A. Sensitivity labels with encryption for emails and attachments
B. Retention labels and policies
C. Data Loss Prevention (DLP) policies
D. Microsoft Purview Message Encryption
E. Privileged Access Management (PAM)
Answers: A, C

Encryption prevents unauthorized users from reading the content, even if shared.

Why this answer

Options A and C are correct. Sensitivity labels with encryption prevent unauthorized sharing, and Data Loss Prevention (DLP) policies detect and block sharing of sensitive data. Option D is wrong because message encryption protects at rest/in transit but doesn't prevent sharing.

Option B is wrong because retention labels manage data lifecycle, not sharing. Option E is wrong because Privileged Access Management controls administrative access, not end-user sharing.

615
MCQ · hard

Your organization, Contoso Ltd., is a multinational financial services company that handles sensitive customer financial data. They are migrating a critical loan origination application from on-premises to Azure Kubernetes Service (AKS). The application uses SQL Server on Azure VMs for data storage. Compliance requirements mandate encryption at rest and in transit, and data classification labels must be applied automatically to all financial documents stored in Azure Blob Storage. The security team wants to use Microsoft Defender for Cloud to monitor for misconfigurations and threats. You need to design a security solution for the application and data that meets these requirements. Which of the following actions should you take first?

A. Use Microsoft Entra Application Proxy to publish the loan origination application for remote access.
B. Deploy Azure Front Door with WAF policies in front of the loan origination application.
C. Configure Azure VPN Gateway to allow site-to-site VPN connections from employee home offices.
D. Deploy Microsoft Entra Domain Services to extend the on-premises domain to Azure for authentication.
Answer: A

Microsoft Entra Application Proxy provides secure remote access to on-premises web applications without a VPN, and it integrates with conditional access policies for additional security.

Why this answer

Option A is correct because Entra ID Application Proxy is designed for secure remote access to on-premises applications without a VPN, and it supports conditional access policies for the loan origination application. Option B is wrong because Azure Front Door is a global load balancer and CDN, not a secure remote access solution. Option C is wrong because Azure VPN Gateway creates site-to-site VPNs, not per-user remote access.

Option D is wrong because Microsoft Entra Domain Services provides domain services but not remote application access.

616
MCQ · medium

Your organization uses Microsoft Intune to manage devices. You need to ensure that devices that are not compliant with your organization's security policies are blocked from accessing corporate resources. Which Intune feature should you configure?

A. App protection policies
B. Device configuration profiles
C. Compliance policies
D. Enrollment restrictions
Answer: C

Compliance policies define conditions for device compliance; combined with Conditional Access, non-compliant devices are blocked.

Why this answer

Compliance policies in Microsoft Intune define the rules and settings that devices must meet to be considered compliant (e.g., requiring a minimum OS version, encryption, or a healthy device health attestation). When a device is marked as non-compliant, Intune can automatically block access to corporate resources such as Exchange Online, SharePoint, or VPN by integrating with Conditional Access in Microsoft Entra ID. This is the correct feature because it directly evaluates device compliance and enforces access control.

Exam trap

The trap here is that candidates confuse device configuration profiles (which apply settings) with compliance policies (which evaluate settings and enforce access), leading them to select Option B when the question specifically asks about blocking access based on non-compliance.

How to eliminate wrong answers

Option A is wrong because App protection policies (MAM) manage how data is accessed and shared within apps on devices that may not be enrolled in Intune, but they do not block device-level access to corporate resources based on device compliance. Option B is wrong because Device configuration profiles push settings (e.g., Wi-Fi, VPN, email) to devices but do not evaluate or enforce compliance; they are separate from the compliance evaluation and conditional access workflow. Option D is wrong because Enrollment restrictions control which devices can enroll in Intune (e.g., by platform or OS version), but they do not block access for devices that are already enrolled and become non-compliant after enrollment.

617
Drag & Drop · medium

Order the steps to perform a disaster recovery failover of an Azure VM to a secondary region using Azure Site Recovery.


Why this order

Failover involves selecting VM, recovery point, initiating, and committing.

618
MCQ · medium

A company uses Microsoft Defender for Cloud Apps to protect SaaS applications. The security team receives alerts about suspicious file downloads from a specific user. They want to automatically block the user's account when the risk score exceeds 80. What should they configure?

A. Configure Conditional Access app control
B. Create a session policy
C. Create an access policy
D. Create an app governance policy
Answer: C

Access policies can automatically block a user when the risk score exceeds a threshold.

Why this answer

Option C is correct because an access policy in Defender for Cloud Apps can automatically block a user based on risk score. Option B is wrong because session policies control real-time monitoring, not blocking. Option D is wrong because app governance policies manage consent and permissions.

Option A is wrong because Conditional Access app control is for session-level controls.

619
MCQ · hard

Your company is implementing Microsoft Copilot for Security to assist the security operations team. You need to ensure that prompts and responses from Copilot do not expose sensitive internal information to unauthorized users. Which configuration should you apply?

A. Enable RBAC and data boundary controls in Copilot for Security settings
B. Use a third-party AI gateway to sanitize prompts
C. Disable Copilot for Security for all users
D. Train users to avoid entering sensitive information in prompts
Answer: A

RBAC restricts access to authorized users, and data boundaries keep data within the tenant.

Why this answer

Enabling role-based access control (RBAC) and data boundary controls in Copilot for Security settings is correct because it restricts access to prompts and responses based on user roles and ensures data stays within your tenant. Option C (Disable Copilot for Security for all users) would block the feature entirely. Option B (Use a third-party AI gateway) is unnecessary.

Option D (Train users to avoid sensitive data) is not a technical control.

620
MCQ · medium

Refer to the exhibit. You are reviewing an Azure Policy definition. What does this policy do?

A. Audits virtual machines that have a network interface
B. Deletes virtual machines that do not have a network interface
C. Denies creation of virtual machines that have a network interface
D. Denies creation of virtual machines that do not have a network interface attached
Answer: D

The condition checks for existence of NIC.

Why this answer

Option D is correct because the policy denies the creation of a virtual machine if the networkProfile.networkInterfaces field does not exist, meaning no NIC is attached. Option A is wrong because the effect is deny, not audit. Option B is wrong because the policy denies creation at deployment time; it does not delete existing virtual machines.

Option C is wrong because the condition checks for the absence of a NIC, not its presence.

621
MCQ · medium

Your organization uses Microsoft Purview to govern sensitive data. You need to design a solution that automatically detects and protects credit card numbers in emails and documents stored in Microsoft 365. The solution should also provide data loss prevention (DLP) policy tips to users when they try to share such data externally. What should you configure?

A. Sensitivity labels with auto-classification
B. Microsoft Purview Data Loss Prevention policies
C. Microsoft 365 compliance center
D. Microsoft Information Protection unified labeling
Answer: B

DLP policies can detect sensitive data and display policy tips to users when they attempt to share it externally.

Why this answer

Option B is correct because Microsoft Purview DLP policies can detect sensitive info types (e.g., credit card numbers) and show policy tips to users. Option A is wrong because sensitivity labels are for classification and protection but do not provide real-time DLP policy tips. Option D is wrong because Microsoft Information Protection (MIP) unified labeling is part of Purview but not specifically for DLP tips.

Option C is wrong because the Microsoft 365 compliance center is the portal, not a specific feature.

622
Multi-Select · medium

Which TWO actions should you take to secure an Azure Kubernetes Service (AKS) cluster using Microsoft Defender for Cloud?

Select 2 answers
A. Apply built-in Azure Policy initiatives for AKS
B. Enable private cluster mode
C. Configure Network Security Groups (NSGs) on AKS subnets
D. Enable Microsoft Defender for Containers
E. Deploy Azure Firewall in the AKS virtual network
Answers: A, D

Azure Policy ensures cluster compliance with security best practices.

Why this answer

Options A and D are correct because enabling Defender for Containers provides threat detection, and Azure Policy with built-in AKS policies ensures compliance. Option C is wrong because AKS does not support NSGs; network policies are used. Option E is wrong because Azure Firewall is not required for AKS security.

Option B is wrong because private clusters limit public access but are not a Defender feature.

623
MCQ · easy

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to ensure that only compliant devices can access Exchange Online. Which Microsoft Entra ID feature should you use?

A. Azure AD device registration
B. Conditional Access with the 'Require device to be marked as compliant' grant
C. Multi-factor authentication
D. Intune device compliance policy
Answer: B

Enforces compliance before access to Exchange Online.

Why this answer

Conditional Access policies in Entra ID can require that devices be marked as compliant with Intune compliance policies before granting access to cloud apps like Exchange Online. The other options are not correct: Device Compliance is a policy in Intune, not an Entra feature; MFA is authentication; and Azure AD Join is for device identity.

624
Multi-Select · hard

Your organization is using Microsoft Sentinel to detect advanced threats. You need to ensure that alerts from Microsoft Defender XDR are automatically synchronized with Sentinel and that incidents are created. Which THREE components are required?

Select 3 answers
A. Entity behavior analytics (UEBA)
B. Microsoft Defender XDR data connector
C. Automation rule to trigger playbook
D. Analytic rule to create incidents from alerts
E. Automation rule to set incident severity
Answers: B, D, E

Data connector ingests alerts and incidents from Defender XDR.

Why this answer

The Microsoft Defender XDR data connector (Option B) is required because it is the specific integration point that ingests alerts and raw signals from Microsoft 365 Defender into Microsoft Sentinel. Without this connector, there is no automated synchronization of Defender XDR alerts into the Sentinel workspace.

Exam trap

The trap here is that candidates often confuse the data connector (which brings in the raw alerts) with the analytic rule (which creates incidents from those alerts), and mistakenly think that UEBA or a playbook automation rule is mandatory for the synchronization process.

625
MCQ · medium

Refer to the exhibit. You are reviewing a conditional access policy in Microsoft Entra ID. The policy is enabled but users report they can still sign in from high-risk sessions. What is the most likely reason?

A. The policy is not applied to all cloud apps.
B. The policy is in report-only mode.
C. The grant control operator is set to 'OR' instead of 'AND' with multiple controls.
D. The policy excludes guest users by default.
Answer: C

With 'OR' and only 'block', it still blocks if risk conditions are met, but real-time risk evaluation may not be immediate.

Why this answer

Option C is correct because the policy uses 'OR' for grant controls, meaning only one condition must be met. 'Block' is the only control, but risk levels must be evaluated. If risk levels are not computed in real time, the policy may not trigger. Option D is incorrect because the policy includes guest users.

Option A is incorrect because 'All' cloud apps are included. Option B is incorrect because the policy state is enabled, not report-only.

626
MCQ · hard

You are a security architect for a large enterprise that is migrating to Microsoft 365. The organization has 50,000 users across multiple regions. They have recently experienced a ransomware attack that encrypted files on SharePoint Online and OneDrive for Business. The security team wants to implement a comprehensive protection strategy. Requirements: 1. Automatically detect and block ransomware-like behavior in real-time. 2. Provide users with self-service recovery of files encrypted by ransomware. 3. Ensure that all files in SharePoint and OneDrive are scanned for malware upon upload. 4. Minimize administrative overhead. Which combination of Microsoft 365 security features should you recommend?

A.Use Microsoft Entra ID Protection to detect compromised accounts and automatically block access.
B.Enable Microsoft Endpoint DLP and configure file policies to block encrypted files.
C.Enable Microsoft Defender for Office 365 to scan files on upload and use version history and recycle bin for recovery.
D.Configure Microsoft Purview auto-labeling to apply a 'Ransomware' label and then block all labeled files.
AnswerC

Defender for Office 365 provides malware scanning and ransomware detection; version history allows self-recovery.

Why this answer

Option C is correct because Microsoft Defender for Office 365 provides real-time scanning of files uploaded to SharePoint and OneDrive, detecting and blocking known malware. Combined with version history and the recycle bin, users can self-recover files encrypted by ransomware without administrative intervention, satisfying all requirements with minimal overhead.

Exam trap

The trap here is that candidates may confuse Microsoft Defender for Office 365 with Microsoft Defender for Cloud Apps or Microsoft Purview, but only Defender for Office 365 provides both upload scanning and native version history/recycle bin recovery for SharePoint and OneDrive.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Protection detects compromised accounts and can block access, but it does not scan files for malware upon upload, nor does it provide self-service recovery of encrypted files. Option B is wrong because Microsoft Endpoint DLP focuses on preventing data loss via policies (e.g., blocking sensitive data sharing), not on detecting ransomware behavior or scanning files for malware in real-time. Option D is wrong because Microsoft Purview auto-labeling applies labels based on content, but it cannot block files in real-time based on ransomware behavior, and it does not provide file scanning or self-service recovery.

627
MCQmedium

Your organization uses Microsoft Defender for Cloud to protect Azure workloads. You need to ensure that all Azure SQL Databases have Threat Detection enabled and Advanced Threat Protection notifications are sent to the security team. What should you do?

A.Enable Advanced Threat Protection on the SQL Server and configure email notifications for all databases.
B.Create an Azure Policy to audit Threat Detection settings and remediate non-compliant databases.
C.Enable Threat Detection on each individual Azure SQL Database and set the email recipients in the server's diagnostic settings.
D.Configure Microsoft Sentinel to monitor Azure SQL Databases and trigger alerts.
AnswerA

This enables Threat Detection on all databases and sends alerts to the security team.

Why this answer

Option A is correct because the SQL Server's Defender for Cloud settings include an option to enable Advanced Threat Protection for all databases on the server and configure email notifications. Option B is wrong because Azure Policy can enforce settings but doesn't configure notifications directly. Option D is wrong because Microsoft Sentinel setup is not required for this.

Option C is wrong because enabling at the database level is less efficient and doesn't cover new databases.

628
Multi-Selecthard

You are designing a secure access strategy for Azure App Service web applications. The requirements are: use Azure AD for authentication, restrict access to specific IP ranges, and require multi-factor authentication (MFA) for all users. Which two components should you configure? (Choose two.)

Select 2 answers
A.Apply a network security group (NSG) to the App Service subnet
B.Configure Azure App Service authentication with Microsoft Entra ID
C.Create a Conditional Access policy in Microsoft Entra ID that requires MFA and restricts IP ranges
D.Deploy Azure Firewall to filter inbound traffic
E.Register the application in Microsoft Entra ID
AnswersB, C

This enables Azure AD as the identity provider.

Why this answer

Options B and C are correct because Azure App Service authentication can be configured to use Azure AD, and Conditional Access policies can enforce MFA and IP restrictions. Option E is wrong because app registration is part of the setup but not a direct component for access control. Option A is wrong because network security groups apply to virtual networks, not App Service.

Option D is wrong because Azure Firewall filters network traffic; it does not perform user authentication.

629
MCQhard

Refer to the exhibit. You are designing a security solution for Azure SQL Database. The exhibit shows an Azure Policy definition. When this policy is assigned, which problem might occur?

A.The policy will fail because the audit settings resource name 'default' is invalid.
B.The remediation deployment will fail because the storage account key is missing.
C.The existenceCondition will never evaluate to true because the field name is misspelled.
D.The policy will only audit non-compliant servers without remediation.
AnswerB

When enabling auditing to a storage account, the access key or managed identity must be provided.

Why this answer

Option B is correct because the template uses a parameter for storageEndpoint but does not specify a storageAccountAccessKey or use a managed identity, so the audit logs cannot be written to the storage account. Option A is wrong because 'default' is the correct name for the audit settings child resource. Option D is wrong because the policy uses DeployIfNotExists, not AuditIfNotExists.

Option C is wrong because the existenceCondition checks for 'Enabled', which is correct.

630
Multi-Selecthard

Your company is deploying Microsoft Defender XDR. You need to design a solution that uses advanced hunting to proactively search for threats. Which THREE data sources should be included in the advanced hunting schema to enable comprehensive threat hunting across endpoints, identities, and cloud apps?

Select 3 answers
A.EmailEvents
B.AzureActivity
C.CloudAppEvents
D.IdentityInfo
E.DeviceEvents
AnswersC, D, E

Captures events from Microsoft Defender for Cloud Apps, covering SaaS app activity.

Why this answer

Options C, D, and E are correct because they represent key data sources in Defender XDR advanced hunting. Option D: IdentityInfo provides identity context. Option E: DeviceEvents captures endpoint activities.

Option C: CloudAppEvents provides cloud app activity. Option A is wrong because EmailEvents is part of Defender for Office 365 but not a core advanced hunting table in Defender XDR; it is available in Microsoft 365 Defender advanced hunting, but the question asks for core sources. Option B is wrong because AzureActivity is not part of the Defender XDR schema; it is in Azure Monitor.

631
Multi-Selectmedium

A company is designing a security operations center (SOC) using Microsoft Sentinel. Which TWO of the following are best practices for managing incident response in Sentinel?

Select 2 answers
A.Create multiple Sentinel workspaces for each incident type.
B.Use automation rules and playbooks to automate common response actions.
C.Manually classify all incidents to ensure accuracy.
D.Use a single data connector for all log sources.
E.Tag incidents with severity and status for better tracking.
AnswersB, E

Increases efficiency and consistency.

Why this answer

Option B is correct because automation rules and playbooks in Microsoft Sentinel allow you to automate common incident response actions, such as triggering investigations, sending notifications, or running remediation scripts. This reduces manual effort, ensures consistent response, and accelerates mean time to respond (MTTR), which is a core best practice for SOC operations.

Exam trap

The trap here is that candidates often confuse 'automation' with 'manual classification' or 'single workspace design', not realizing that Sentinel's strength lies in centralized correlation and automated response, not fragmentation or manual overhead.

632
Multi-Selecteasy

Which TWO are best practices for securing Microsoft Entra ID?

Select 2 answers
A.Use a Conditional Access policy to require MFA for all users
B.Disable sign-in logs to reduce storage costs
C.Enable security defaults for all tenants
D.Allow users to create Microsoft 365 groups without approval
E.Assign Global Administrator to all users for simplicity
AnswersA, C

This is a strong security baseline.

Why this answer

Option A is correct because requiring MFA via Conditional Access is a foundational security control that mitigates the risk of credential theft. Conditional Access policies allow granular enforcement based on user, location, device, and risk signals, making them more flexible than security defaults while still ensuring MFA is applied to all users.

Exam trap

Microsoft often tests the misconception that security defaults are always the best choice for all tenants, but the exam expects you to recognize that Conditional Access policies offer more granular control and are the recommended approach for production environments, while security defaults are a simplified baseline for smaller or less complex tenants.

633
MCQhard

Your organization is implementing a zero-trust security model. You need to design a solution that continuously verifies user identity, device compliance, and access context before granting access to corporate resources. The solution should also support risk-based policies. Which Microsoft security capability should be at the core of this design?

A.Microsoft Defender for Identity
B.Microsoft Entra ID Conditional Access
C.Microsoft Sentinel
D.Microsoft Intune
AnswerB

Conditional Access is the central policy engine that incorporates user, device, location, and risk signals to enforce zero-trust access.

Why this answer

Option B is correct because Microsoft Entra ID Conditional Access is the core policy engine that evaluates signals (user, device, location, risk) to enforce access decisions. Option A is wrong because Microsoft Defender for Identity is a threat detection solution for on-premises AD, not a policy engine. Option D is wrong because Microsoft Intune manages devices but does not enforce conditional access policies.

Option C is wrong because Microsoft Sentinel is a SIEM/SOAR, not an access control engine.

634
MCQeasy

A company uses Azure Front Door to load balance traffic across two origin servers in different Azure regions. They notice that failover is not working when one origin becomes unhealthy. What is the most likely cause?

A.Both origins are in the same region.
B.Caching is enabled on the Front Door profile.
C.Session affinity is enabled.
D.The health probe path is set to an incorrect endpoint on the origin servers.
AnswerD

An incorrect health probe path can cause Front Door to consider the origin healthy when it is not, or vice versa.

Why this answer

The most likely cause is that the health probe path is set to an incorrect endpoint on the origin servers. Azure Front Door uses health probes to determine the health of each origin; if the probe path does not return a 200 OK status (e.g., it points to a missing page or a resource that doesn't exist), Front Door will mark that origin as unhealthy and stop routing traffic to it. Since failover is not occurring, the healthy origin is not being detected as healthy, or the unhealthy origin is not being detected as unhealthy, which directly prevents proper failover.

Exam trap

The trap here is that candidates often assume failover issues are caused by regional or caching settings, but the real culprit is almost always a misconfigured health probe path that prevents Front Door from accurately assessing origin health.

How to eliminate wrong answers

Option A is wrong because both origins being in the same region would not prevent failover; Azure Front Door can still load balance and failover between origins in the same region as long as they are configured as separate backends. Option B is wrong because caching on Front Door does not affect health probe logic or failover behavior; caching only stores responses to improve performance, not influence routing decisions. Option C is wrong because session affinity (sticky sessions) only ensures a client is routed to the same backend for the duration of a session; it does not disable failover—if the backend becomes unhealthy, Front Door will still failover to a healthy backend, though the session may be lost.

635
MCQeasy

A company uses Azure SQL Database and needs to implement column-level encryption for a column containing social security numbers (SSNs). The encryption must use a customer-managed key stored in Azure Key Vault. The application queries this column using parameterized queries. Which technology should be used?

A.Dynamic Data Masking (DDM)
B.Row-Level Security (RLS)
C.Transparent Data Encryption (TDE) with customer-managed keys
D.Always Encrypted with secure enclaves
AnswerD

Always Encrypted provides column-level encryption and supports rich queries with secure enclaves.

Why this answer

Always Encrypted with secure enclaves is the correct choice because it enables client-side encryption of specific columns (like SSNs) using a customer-managed key stored in Azure Key Vault, while still allowing rich computations (e.g., equality, pattern matching) on the encrypted data within a secure enclave. This meets the requirement for column-level encryption with customer-managed keys and supports parameterized queries without exposing plaintext to the database engine.

Exam trap

The trap here is that candidates often confuse Transparent Data Encryption (TDE) with column-level encryption, mistakenly believing TDE protects data from the database engine or privileged users, whereas TDE only protects data at rest on disk and does not prevent in-memory exposure.

How to eliminate wrong answers

Option A is wrong because Dynamic Data Masking (DDM) only obfuscates data in query results for unauthorized users; it does not encrypt the data at rest or in transit, and the underlying plaintext remains accessible to the database engine. Option B is wrong because Row-Level Security (RLS) controls access to rows based on user predicates but does not encrypt individual columns or protect data from the database engine itself. Option C is wrong because Transparent Data Encryption (TDE) encrypts the entire database at rest, not individual columns, and does not prevent the database engine or privileged users from seeing plaintext data in memory or during query execution.

636
MCQmedium

Your organization uses Microsoft Intune for mobile device management and Microsoft Entra ID for identity. You are designing a solution to ensure that only devices that are compliant with security policies can access corporate resources. The requirements are: 1) Devices must have a minimum OS version. 2) Devices must have encryption enabled. 3) Devices must not be jailbroken or rooted. 4) Access to corporate apps must be blocked if the device is non-compliant. 5) The solution should automatically remediate non-compliant devices when possible. You need to recommend the minimum configuration. What should you do?

A.Configure Microsoft Purview Compliance Manager to assess compliance and block access.
B.Create an app protection policy in Intune that requires minimum OS and encryption.
C.Create a device compliance policy in Intune with the required settings, and create a Conditional Access policy that requires compliant devices.
D.Create a device configuration policy in Intune for the settings, and use Azure AD Identity Protection to block access.
AnswerC

Compliance policies define requirements; Conditional Access enforces them.

Why this answer

Option C is correct because Intune compliance policies define the requirements, and Conditional Access enforces access. Automatic remediation can be configured in compliance policies for some settings. Option B is incorrect because app protection policies do not enforce device-level compliance.

Option D is incorrect because configuration policies do not enforce compliance. Option A is incorrect because Compliance Manager alone does not enforce access.

637
MCQmedium

You are designing a Zero Trust architecture for a company that uses Microsoft Entra ID and Microsoft Intune. The security team wants to enforce device compliance before granting access to cloud apps. Which policy should you implement?

A.Microsoft Entra Identity Protection user risk policy
B.Microsoft Defender for Cloud Apps session policy
C.Microsoft Entra Conditional Access policy requiring compliant device
D.Azure AD Identity Protection sign-in risk policy
AnswerC

Directly enforces device compliance before access.

Why this answer

Option C is correct because Microsoft Entra Conditional Access policies can require that devices are marked as compliant by Microsoft Intune before granting access to cloud apps. This directly enforces device compliance as a condition for access, which is a core Zero Trust principle of verifying every access request based on device health.

Exam trap

The trap here is that candidates confuse risk-based policies (Identity Protection) with device compliance policies, assuming any policy that checks 'risk' or 'session' can enforce device health, but only Conditional Access with the compliant device grant control directly ties Intune compliance to access decisions.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Identity Protection user risk policy evaluates the likelihood that a user's identity has been compromised, not the compliance state of the device. Option B is wrong because Microsoft Defender for Cloud Apps session policy controls app behavior in real-time (e.g., blocking downloads) but does not enforce device compliance before access is granted. Option D is wrong because Azure AD Identity Protection sign-in risk policy assesses the risk of the authentication attempt (e.g., from an anonymous IP), not the device's compliance with security policies.

638
Multi-Selecthard

Which THREE components are essential for implementing a successful SIEM strategy using Microsoft Sentinel?

Select 3 answers
A.Automation rules
B.Workbooks
C.Analytics rules
D.Watchlists
E.Data connectors
AnswersA, C, E

Automation rules enable response orchestration, essential for SOAR capabilities.

Why this answer

Automation rules are essential because they allow you to centrally manage and automate incident response actions, such as assigning incidents, running playbooks, or triggering suppression logic, based on specific conditions. Without automation rules, your SOC would have to manually handle every alert, which is not scalable for a successful SIEM strategy.

Exam trap

The trap here is that candidates often confuse 'nice-to-have' features like Workbooks and Watchlists with 'essential' components, but Microsoft defines the three pillars of a successful SIEM strategy as data ingestion (connectors), detection (analytics rules), and automated response (automation rules).

639
MCQhard

Your organization is implementing a data loss prevention (DLP) strategy using Microsoft Purview. The compliance team needs to automatically classify and label sensitive data in Microsoft 365, Azure SQL Database, and Amazon S3. Which Purview feature should you use?

A.Microsoft Purview Data Map
B.Microsoft Purview Information Protection
C.Microsoft Purview Records Management
D.Microsoft Defender for Cloud Apps
AnswerA

Data Map scans and classifies data across on-prem, Azure, and other clouds.

Why this answer

Microsoft Purview Data Map is the correct choice because it provides unified data governance across hybrid and multi-cloud environments, including Microsoft 365, Azure SQL Database, and Amazon S3. It automatically scans, classifies, and labels sensitive data using built-in classifiers and sensitivity labels, enabling consistent DLP policies across these disparate data sources.

Exam trap

The trap here is that candidates often confuse the scanning and classification capabilities of Microsoft Purview Data Map with the labeling and protection features of Microsoft Purview Information Protection, but the Data Map is the service that actually discovers and classifies data across multiple clouds, while Information Protection applies the labels after classification.

How to eliminate wrong answers

Option B is wrong because Microsoft Purview Information Protection focuses on applying sensitivity labels and encryption to data within Microsoft 365 and Azure, but it does not natively scan or classify data in Amazon S3. Option C is wrong because Microsoft Purview Records Management is designed for managing retention, disposition, and legal hold of records, not for automatic classification and labeling of sensitive data across multi-cloud sources. Option D is wrong because Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that provides threat protection and visibility for cloud apps, but it does not perform automatic data classification and labeling across Microsoft 365, Azure SQL, and Amazon S3 as a primary function.

640
MCQhard

You have created a custom Azure RBAC role named 'Custom SQL DB Reader' as shown in the exhibit. You assign this role to a user. The user reports they cannot read data from an Azure SQL Database. What is the most likely cause?

A.The Azure SQL Database is not configured to support Azure AD authentication
B.The role does not include 'Microsoft.Sql/servers/databases/read' action
C.The assignableScopes does not include the resource group
D.The role does not include any dataActions
AnswerA

RBAC data actions require the database to have Azure AD authentication enabled. Without it, the user cannot authenticate using their Azure AD identity.

Why this answer

Option A is correct because the role includes dataActions for read, but Azure SQL Database uses either SQL authentication or Azure AD authentication; RBAC dataActions are only effective if the user authenticates via Azure AD and the database is configured to support Azure AD authentication. Option B is wrong because the role includes the Microsoft.Sql/servers/databases/read action. Option D is wrong because dataActions are present.

Option C is wrong because assignableScopes includes the subscription.

641
MCQeasy

You are designing a secure infrastructure for an e-commerce platform hosted on Azure. The platform must meet PCI DSS compliance. Which Azure service should you use to centrally manage and monitor security policies across subscriptions?

A.Azure Policy
B.Azure Firewall
C.Microsoft Defender for Cloud
D.Azure Blueprints
AnswerA

Azure Policy provides centralized policy management and compliance assessment across Azure subscriptions.

Why this answer

Option A is correct because Azure Policy allows you to enforce compliance rules across subscriptions. Option D is wrong because Azure Blueprints is deprecated; Azure Policy is the current recommendation. Option B is wrong because Azure Firewall is a network security appliance, not a policy management tool.

Option C is wrong because Microsoft Defender for Cloud (formerly Azure Security Center) consumes policies, but the core policy engine is Azure Policy.

642
MCQmedium

A company wants to use Microsoft Defender XDR to detect and respond to advanced persistent threats (APTs). They have deployed Defender for Endpoint, Defender for Office 365, and Defender for Identity. What additional step is critical to correlate signals across these products?

A.Enable the Microsoft Defender XDR unified experience in the portal
B.Configure Microsoft Defender for Cloud servers plan
C.Assign Microsoft 365 E5 licenses to all users
D.Deploy Microsoft Defender for Office 365 Safe Links
AnswerA

Correlates alerts and incidents across all Defender products.

Why this answer

Enabling the Microsoft Defender XDR unified experience in the portal is critical because it aggregates and correlates signals from Defender for Endpoint, Defender for Office 365, and Defender for Identity into a single incident queue and unified alert timeline. Without this step, each product operates in isolation, preventing cross-product detection of multi-stage APT attacks that span endpoints, email, and identity. The unified experience activates the Microsoft 365 Defender portal's correlation engine, which uses machine learning to link related alerts across domains into a single incident.

Exam trap

The trap here is that candidates often assume that simply having the licenses and deploying the products is sufficient for cross-product correlation, but Microsoft explicitly requires enabling the unified experience in the portal to activate the correlation engine and unified incident queue.

How to eliminate wrong answers

Option B is wrong because configuring the Microsoft Defender for Cloud servers plan is focused on securing cloud workloads (VMs, containers) and does not enable cross-product signal correlation for APT detection across endpoints, email, and identity. Option C is wrong because while Microsoft 365 E5 licenses include the necessary products, simply assigning licenses does not activate the unified correlation engine; the unified experience must be explicitly enabled in the portal. Option D is wrong because deploying Safe Links is a specific email security policy within Defender for Office 365 that protects against malicious URLs, but it does not correlate signals across different Defender products.

643
MCQeasy

Refer to the exhibit. You are reviewing an Azure Policy definition for GDPR compliance. The policy is intended to audit storage accounts that do not have encryption enabled. However, the policy is not evaluating correctly. What is the most likely reason?

A.The field 'type' should be 'Microsoft.Storage/storageAccounts/encryption'
B.The policy type should be 'Custom'
C.The effect should be 'Audit' instead of 'auditIfNotExists'
D.The policy mode should be 'All' instead of 'Indexed'
AnswerC

Storage account encryption is a property of the account itself, not a separate resource. 'auditIfNotExists' is used for child resources; 'Audit' with a condition on the encryption field would be correct.

Why this answer

Option C is correct because the effect 'auditIfNotExists' audits a resource only when a related resource does not exist. However, storage account encryption is a property of the storage account itself, not a separate resource. The policy should use the 'Audit' effect with a condition that checks whether encryption is disabled.

Option D is wrong because 'Indexed' mode is appropriate for storage accounts. Option B is wrong because the policy is built-in, even though the snippet shows custom properties. Option A is wrong because the field type is correct.

644
MCQeasy

A company uses Azure Firewall to protect their virtual network. They need to allow outbound HTTPS traffic to a specific external website while blocking all other outbound traffic. What should they configure?

A.Add an Application Rule with the destination FQDN of the website.
B.Add a Network Rule with the destination IP address and port 443.
C.Add a Threat Intelligence rule to allow the website's domain.
D.Add a DNAT Rule to translate the traffic to the website's IP.
AnswerA

Application Rules use FQDNs to allow outbound HTTP/HTTPS.

Why this answer

Option A is correct because Application Rules filter outbound traffic based on FQDN (e.g., *.contoso.com). Option B is wrong because Network Rules filter based on IP addresses/ports, not FQDNs. Option D is wrong because DNAT rules are for inbound traffic.

Option C is wrong because Threat Intelligence rules block known malicious IPs/FQDNs; they do not allow specific ones.

645
MCQeasy

You are designing a solution for a healthcare organization that needs to share patient health information (PHI) with a partner organization. The partner must be able to query the data but should not be able to modify it. Both organizations use Microsoft Entra ID. What should you use?

A.Azure Active Directory B2C (now part of Entra) to allow the partner to authenticate and access data via a custom API.
B.Microsoft Entra entitlement management with an access package that grants read-only access to a SharePoint Online site.
C.Microsoft Purview Information Protection to label the data and allow the partner to decrypt it.
D.Azure DevOps for sharing the data in a repository with read-only permissions.
AnswerB

Entitlement management enables you to govern external access with access packages that include SharePoint Online sites with read-only permissions.

Why this answer

Option B is correct because Microsoft Entra entitlement management allows you to create access packages that grant external users read-only access to SharePoint Online or other resources. Option A is wrong because Azure AD B2C is for customer identity. Option C is wrong because Microsoft Purview Information Protection is for classification and labeling, not for external sharing with read-only access.

Option D is wrong because Azure DevOps is for development collaboration.

646
MCQhard

Your organization is designing a hybrid identity infrastructure with Microsoft Entra ID. You need to ensure that users can access on-premises applications using passwordless authentication and that the solution minimizes latency for authentication requests. What should you implement?

A.Join the on-premises servers to Microsoft Entra Domain Services and use passwordless authentication.
B.Use Microsoft Entra application proxy to publish the on-premises applications and enable passwordless authentication.
C.Install Web Application Proxy (WAP) on-premises and integrate with Microsoft Entra ID for passwordless.
D.Deploy a VPN and use Microsoft Entra ID with passwordless sign-in.
AnswerB

Entra application proxy publishes on-prem apps with SSO and passwordless support, minimizing latency by proxying through Entra ID.

Why this answer

Option B is correct because Microsoft Entra application proxy provides secure remote access to on-premises web applications without requiring a VPN, and it can leverage passwordless authentication through Microsoft Entra ID. Option D is wrong because a VPN introduces latency and does not inherently support passwordless. Option A is wrong because Microsoft Entra Domain Services is for domain-joined VMs, not for publishing apps.

Option C is wrong because Web Application Proxy is a legacy on-premises component that does not integrate with passwordless authentication.

647
Multi-Selectmedium

Which THREE of the following are best practices for securing Azure Kubernetes Service (AKS) clusters? (Choose three.)

Select 3 answers
A.Enable Azure Policy for AKS to enforce pod security
B.Use managed identities for pod authentication
C.Store secrets in ConfigMaps
D.Enable network policies to restrict pod traffic
E.Disable Kubernetes RBAC to simplify management
AnswersA, B, D

Azure Policy can enforce security standards.

Why this answer

Option A (enable Azure Policy for AKS), Option B (use managed identities), and Option D (enable network policies) are best practices. Option E is incorrect because Kubernetes RBAC should be enabled, not disabled. Option C is incorrect because secrets should be stored in Azure Key Vault, not in plain text in ConfigMaps.

648
MCQhard

Refer to the exhibit. You are evaluating a custom Azure Policy definition for storage accounts. The policy is assigned with effect set to 'Deny'. An administrator attempts to create a new storage account with network rules configured to allow all traffic (defaultAction set to Allow). What will happen?

A.The storage account creation is denied.
B.The storage account is created, and the network rules are automatically changed to deny all traffic.
C.The storage account is created, and an audit event is generated.
D.The storage account is created successfully, and no action is taken.
AnswerA

The policy checks if defaultAction is not 'Deny' and then applies the Deny effect, blocking creation.

Why this answer

Option A is correct because the policy denies creation when networkAcls.defaultAction is not 'Deny'. Option C is wrong because the policy denies, not audits. Option B is wrong because the policy does not modify the resource.

Option D is wrong because the policy explicitly denies.

649
MCQ · easy

Your organization uses Microsoft Defender for Cloud to manage the security posture of Azure resources. You need to receive alerts when a virtual machine is deployed without just-in-time (JIT) access enabled. What should you do?

A. Create a custom alert rule in Microsoft Sentinel
B. Configure JIT access on the VM and monitor via activity logs
C. Enable JIT access on all VMs
D. Use the built-in Defender for Cloud recommendation for JIT access
Answer: D

The recommendation alerts on non-compliance.

Why this answer

The correct answer is D because Microsoft Defender for Cloud provides a built-in security recommendation specifically for just-in-time (JIT) VM access. This recommendation continuously assesses your VMs and generates an alert when a VM is deployed without JIT enabled, without requiring custom rules or manual configuration. It directly addresses the requirement to receive alerts for non-compliant VMs.

Exam trap

The trap here is that candidates often overcomplicate the solution by thinking they need a custom alert rule in Sentinel (Option A) or manual monitoring (Option B), when Defender for Cloud's built-in recommendation already provides the required alerting capability without additional tools.

How to eliminate wrong answers

Option A is wrong because creating a custom alert rule in Microsoft Sentinel is unnecessary and adds complexity; Defender for Cloud already has a native recommendation for JIT access that can trigger alerts without Sentinel. Option B is wrong because configuring JIT access on the VM and monitoring via activity logs only addresses the VM after it is configured, not alerting when a VM is deployed without JIT; it also requires manual setup and does not provide automated alerts for new deployments. Option C is wrong because enabling JIT access on all VMs is a remediation action, not a method to receive alerts; it does not generate alerts for VMs that are deployed without JIT.

650
MCQ · hard

You are the security architect for a multinational corporation that uses Azure Active Directory (Azure AD) and Microsoft 365. The company has recently experienced a security incident where a compromised user account was used to access sensitive data from a legacy application that does not support modern authentication. To mitigate this risk, you have been asked to recommend a set of security best practices and priorities. The environment includes 50,000 users, 200 applications (many legacy), and a hybrid identity setup with Active Directory Domain Services (AD DS) synchronized to Azure AD via Azure AD Connect. The security team wants to reduce the attack surface, enforce least privilege, and improve identity protection. Current issues include: (1) many users have standing admin privileges on workstations, (2) legacy apps use shared service accounts with weak passwords, (3) Conditional Access policies are not applied consistently, and (4) there is no process for reviewing privileged role assignments. Which course of action should you recommend as the highest priority?

A. Migrate legacy applications to support modern authentication and use Azure AD Application Proxy
B. Implement Azure AD Privileged Identity Management (PIM) for just-in-time access and role approval workflows
C. Deploy Azure AD Password Protection and enforce banned password lists
D. Implement Conditional Access policies to block legacy authentication and require MFA for all users
Answer: B

Directly reduces standing admin privileges and adds review.

Why this answer

Option B is correct because implementing Azure AD Privileged Identity Management (PIM) directly addresses the highest-priority risk: the lack of oversight and control over privileged role assignments. With 50,000 users and many standing admin privileges on workstations, PIM enables just-in-time (JIT) activation, approval workflows, and time-bound roles, which drastically reduces the attack surface by eliminating permanent privileged access. This is the most critical first step because unmanaged privileged accounts are the primary vector for lateral movement and data exfiltration, as demonstrated in the incident.

Exam trap

The trap here is that candidates often prioritize blocking legacy authentication (Option D) or password policies (Option C) because they seem directly related to the incident, but the highest priority in a hybrid environment with 50,000 users is eliminating standing privileged access through PIM, which is the root cause of the attack surface expansion.

How to eliminate wrong answers

Option A is wrong because migrating legacy applications to support modern authentication and using Azure AD Application Proxy is a long-term architectural change that does not address the immediate, highest-priority risk of unmanaged privileged role assignments; it also does not mitigate the standing admin privileges on workstations or the shared service account issue. Option C is wrong because deploying Azure AD Password Protection and enforcing banned password lists, while useful, only addresses weak passwords for shared service accounts and does not solve the core problem of standing admin privileges, inconsistent Conditional Access, or lack of privileged role review. Option D is wrong because implementing Conditional Access policies to block legacy authentication and require MFA for all users is important but does not directly address the lack of privileged role assignment review or the standing admin privileges on workstations; it also cannot enforce JIT access or approval workflows for privileged roles.

651
Matching · medium

Match each Zero Trust principle to its implementation in Azure.



Use Conditional Access and MFA

Implement Just-In-Time (JIT) and PIM

Segment networks and use micro-perimeters

Monitor with Azure Sentinel and Defender

Use playbooks and automated remediation

Why these pairings

These align with the Microsoft Zero Trust model.

652
Multi-Select · medium

Your organization is designing a security strategy for Microsoft 365 Copilot. You need to ensure that Copilot does not generate responses based on sensitive data that users are not authorized to access. Which TWO configurations should you implement?

A. Set up Information Barriers to prevent Copilot from accessing data across departments.
B. Configure Data Loss Prevention (DLP) policies to block sensitive data from being used in prompts.
C. Implement Conditional Access policies to restrict Copilot access based on user, device, and location.
D. Enable Purview Audit to monitor Copilot interactions.
E. Use sensitivity labels to classify and protect data; Copilot respects labels.
Answers: C, E

Conditional Access can restrict who can use Copilot.

Why this answer

Conditional Access policies (C) are correct because they enforce access controls at the authentication layer, ensuring that only authorized users from compliant devices and trusted locations can interact with Copilot. Sensitivity labels (E) are correct because Microsoft 365 Copilot respects sensitivity labels on documents and emails, preventing it from generating responses that include content from labeled sensitive data unless the user has the appropriate permissions. Together, these two controls address both who can access Copilot and what data Copilot can use in its responses.

Exam trap

The trap here is that candidates often confuse Data Loss Prevention (DLP) with access control, mistakenly thinking DLP can block Copilot from using sensitive data internally, when in fact DLP only applies to data sharing and exfiltration, not to Copilot's internal data retrieval and response generation.

653
MCQ · medium

A company uses Microsoft Purview to classify data and enforce retention policies. They need to automatically apply a retention label to all documents containing credit card numbers. Which approach should they use?

A. Configure an auto-labeling policy with a sensitive info type
B. Use a trainable classifier
C. Create a manual labeling policy for users
D. Use a default label for SharePoint libraries
Answer: A

Auto-labeling applies labels based on content.

Why this answer

Option A is correct because Microsoft Purview auto-labeling policies can automatically apply retention labels to documents based on sensitive info types (SITs), such as credit card numbers. This approach uses pattern matching to detect the credit card number format and applies the label without user intervention, meeting the requirement for automatic enforcement.

Exam trap

The trap here is that candidates may confuse trainable classifiers with sensitive info types, thinking that 'intelligent' classification is always better, but SITs are the correct choice for specific, pattern-based data like credit card numbers.

How to eliminate wrong answers

Option B is wrong because trainable classifiers are designed to identify content based on context and patterns (e.g., contracts or resumes), not specific sensitive data like credit card numbers, which are better matched by SITs. Option C is wrong because manual labeling policies require users to apply labels themselves, contradicting the requirement for automatic application. Option D is wrong because a default label for SharePoint libraries applies a label to all documents in the library regardless of content, not selectively to those containing credit card numbers.

654
MCQ · hard

You are a security architect for a large financial services company. The company has a hybrid identity infrastructure with on-premises Active Directory and Microsoft Entra ID (Azure AD). They have recently suffered a password spray attack that compromised several accounts. Management wants to implement a Zero Trust security model and has mandated the following requirements: 1. All user authentication must be protected by phishing-resistant MFA. 2. Legacy authentication protocols must be blocked. 3. All sign-in risks must be detected and automatically remediated. The current environment includes: - Microsoft 365 E5 licenses for all users. - Microsoft Entra ID P2 licenses. - On-premises Active Directory with password hash sync. - Azure AD Application Proxy for publishing on-premises apps. - A third-party VPN solution for remote access. You need to design a solution that meets the requirements. What should you do?

A. Enable Azure AD MFA with phone call for all users. Use Conditional Access to block legacy authentication. Use Identity Protection to detect risks and require MFA again.
B. Enable Azure AD MFA with the Microsoft Authenticator app (OATH TOTP). Use Conditional Access to block legacy authentication and require MFA. Configure Identity Protection to alert on risky sign-ins.
C. Deploy FIDO2 security keys to all users. Configure Conditional Access to block legacy authentication. Use Identity Protection to detect risks and send alerts to the SOC.
D. Deploy Windows Hello for Business for all users. Configure Conditional Access policies to block legacy authentication and require MFA for all cloud apps. Use Entra ID Protection to detect risky sign-ins and automatically require password change or block access.
Answer: D

Windows Hello for Business is phishing-resistant; Conditional Access blocks legacy auth and enforces MFA; Identity Protection handles risk detection and remediation.

Why this answer

Option D is correct because Windows Hello for Business is a phishing-resistant MFA method. Entra ID Conditional Access can block legacy authentication and enforce risk-based policies. Entra ID Protection detects sign-in risks and can automatically block access or require a password change.

Option B is wrong because the Authenticator app (OATH TOTP) is not phishing-resistant (it is vulnerable to MFA fatigue). Option C is wrong because FIDO2 security keys are phishing-resistant, but they are hardware tokens and are not recommended for all users; the scenario also does not mention a hardware deployment. Option A is wrong because Azure AD MFA with phone call is not phishing-resistant.

655
MCQ · medium

You are designing a CI/CD pipeline for a containerized application using Azure DevOps. You need to ensure that container images are scanned for vulnerabilities before being deployed to production. Which service should you integrate?

A. Azure Policy
B. Azure Key Vault
C. Microsoft Defender for Cloud
D. Azure Monitor
Answer: C

Defender for Cloud scans container images for vulnerabilities.

Why this answer

Option C is correct because Microsoft Defender for Cloud (formerly Azure Security Center) can scan container images in Azure Container Registry for vulnerabilities. Option A is wrong because Azure Policy can enforce compliance but not scan images. Option B is wrong because Azure Key Vault is for secrets.

Option D is wrong because Azure Monitor is for monitoring, not scanning.

656
Drag & Drop · medium

Order the steps to configure a Conditional Access policy requiring MFA for all users.



Why this order

Conditional Access policy creation involves assignments for users and apps, then access controls like MFA.

657
MCQ · hard

A multinational corporation is implementing a privileged access strategy. They need to ensure that all users with permanent administrative roles sign in using phishing-resistant authentication methods. Which Microsoft Entra ID feature should they enforce?

A. Privileged Identity Management (PIM) with access reviews
B. Multifactor authentication (MFA) with Conditional Access
C. Authentication Strengths in Conditional Access
D. Conditional Access policies requiring MFA for all admins
Answer: C

Allows requiring specific authentication methods like FIDO2.

Why this answer

Authentication Strengths in Conditional Access allows organizations to enforce specific authentication methods, such as FIDO2 security keys or certificate-based authentication, which are phishing-resistant. This directly meets the requirement to ensure users with permanent administrative roles use phishing-resistant methods, unlike general MFA policies that may allow weaker methods like SMS or OTP.

Exam trap

The trap here is that candidates confuse general MFA enforcement with the ability to enforce specific authentication method types, assuming any MFA policy is sufficient for phishing resistance, whereas Authentication Strengths provides granular control over which methods are allowed.

How to eliminate wrong answers

Option A is wrong because Privileged Identity Management (PIM) with access reviews manages just-in-time access and recertification, not the enforcement of specific authentication methods. Option B is wrong because standard MFA with Conditional Access can enforce MFA but does not restrict to phishing-resistant methods; it may allow SMS, voice, or OATH tokens that are vulnerable to phishing. Option D is wrong because a Conditional Access policy requiring MFA for all admins is too broad and does not specify phishing-resistant methods; it could still permit weaker MFA factors.

658
MCQ · medium

Refer to the exhibit. A security analyst runs this KQL query in Microsoft Sentinel. What is the primary purpose of this query?

A. Identify accounts that have experienced more than 10 failed login attempts from the same IP address within an hour
B. Identify IP addresses that have successfully brute-forced an account
C. Identify users who have logged in from multiple IPs in a short time
D. Identify accounts that have been disabled due to multiple failures
Answer: A

The query does exactly that.

Why this answer

The KQL query uses the `summarize` operator to count failed logon events (EventID 4625) grouped by account and IP address, then filters for counts greater than 10 within a 1-hour time window. This directly identifies accounts that have experienced more than 10 failed login attempts from the same IP address within an hour, which is a classic indicator of a brute-force attack targeting a specific account.

Exam trap

Microsoft often tests the distinction between identifying brute-force attempts (failed logins) and confirming successful brute-force attacks (failed logins followed by a successful login), so candidates may incorrectly choose Option B without checking for a successful logon event.

How to eliminate wrong answers

Option B is wrong because the query does not check for a subsequent successful login (EventID 4624) after the failures, so it cannot confirm that a brute-force attack succeeded. Option C is wrong because the query groups by both account and IP address, not by users logging in from multiple IPs; it focuses on failures from a single IP. Option D is wrong because the query does not query for account lockout events (EventID 4740) or disabled account status; it only counts failed logon attempts.

659
MCQ · hard

A company uses Azure Security Center and Azure Sentinel. They want to prioritize remediation of vulnerabilities based on risk. Which metric should they use to rank vulnerabilities?

A. Common Vulnerability Scoring System (CVSS) score
B. Azure Secure Score impact
C. Compliance status from Azure Policy
D. Number of security alerts triggered
Answer: B

Secure Score reflects the risk and remediation priority.

Why this answer

Azure Secure Score impact is the correct metric because it directly reflects the risk-based prioritization of security recommendations within Azure Security Center. Each recommendation has a Secure Score impact value that indicates how much your overall security posture improves when remediated, allowing you to prioritize actions that reduce the most risk. This aligns with the scenario's goal of ranking vulnerabilities by risk, as Secure Score impact is calculated using factors like exploitability, threat intelligence, and potential business impact.

Exam trap

The trap here is that candidates often assume CVSS score is the definitive risk metric, but Azure Security Center uses Secure Score impact to incorporate environmental and threat intelligence factors, making it the correct choice for risk-based prioritization in Azure.

How to eliminate wrong answers

Option A is wrong because the Common Vulnerability Scoring System (CVSS) score is a generic, vendor-agnostic metric that does not account for your specific Azure environment, threat landscape, or the actual exploitability of the vulnerability in your context. Option C is wrong because compliance status from Azure Policy indicates whether resources meet regulatory or organizational standards, not the risk level of individual vulnerabilities; it is a binary pass/fail indicator, not a prioritization metric. Option D is wrong because the number of security alerts triggered measures the volume of detected threats, not the severity or risk of underlying vulnerabilities; a vulnerability might have no alerts yet still pose high risk if exploited.

660
MCQ · hard

Refer to the exhibit. You are reviewing a Microsoft Defender for Cloud automation resource. You want the automation to trigger a playbook in Microsoft Sentinel when a high-severity security assessment is found. Based on the exhibit, what is the missing configuration?

A. The severity filter should be 'Low' to capture all assessments
B. The action type should be 'LogicApp' instead of 'EventHub'
C. The eventSource should be 'Alerts' instead of 'Assessments'
D. The API version should be '2020-01-01'
Answer: B

To invoke a playbook in Sentinel, the automation action must be of type 'LogicApp' with the playbook's callback URL.

Why this answer

Option B is correct because the exhibit shows the automation sending to an Event Hub, but to trigger a Sentinel playbook the action type must be 'LogicApp' with the playbook's trigger URL. Option C is wrong because the event source is already set to Assessments. Option A is wrong because the severity filter is correctly set to High.

Option D is wrong because the API version is not the issue; the action type is wrong.

661
MCQ · medium

Your organization uses Microsoft Sentinel and wants to correlate security events from multiple sources to detect multi-stage attacks. What should you create?

A. Scheduled query rule
B. NRT rule
C. Anomaly rule
D. Fusion rule
Answer: D

Fusion rules use ML to correlate alerts from multiple sources and detect multi-stage attacks.

Why this answer

Fusion rules in Microsoft Sentinel are specifically designed to correlate security events from multiple sources and detect multi-stage attacks by combining alerts from different detection technologies into a single incident. This matches the requirement to correlate events across sources for complex attack chains, unlike other rule types that focus on single-source or single-event detection.

Exam trap

The trap here is that candidates often confuse scheduled query rules or NRT rules as the primary tool for correlation, but those require manual KQL logic to join data across sources, whereas Fusion provides automated, built-in multi-source correlation for multi-stage attacks.

How to eliminate wrong answers

Option A is wrong because scheduled query rules run queries at regular intervals against a single data source or table, and they cannot natively correlate events from multiple disparate sources to detect multi-stage attacks. Option B is wrong because NRT (Near-Real-Time) rules provide low-latency detection but still operate on a single query against one or more tables, lacking the built-in multi-source correlation logic of Fusion. Option C is wrong because anomaly rules use machine learning to detect deviations from baseline behavior on a single data source, not to correlate events across multiple sources for multi-stage attack detection.

662
MCQ · medium

Your company is designing a hybrid identity solution using Microsoft Entra ID. You need to ensure that users can access on-premises applications using modern authentication methods. The solution must support multi-factor authentication and Conditional Access policies. What should you implement?

A. Microsoft Entra Connect
B. Microsoft Entra application proxy
C. Azure AD Domain Services
D. Microsoft Intune
Answer: B

Microsoft Entra application proxy publishes on-premises apps to external users with modern authentication.

Why this answer

Option B is correct because Microsoft Entra application proxy provides secure remote access to on-premises web applications without requiring a VPN. It supports modern authentication, MFA, and Conditional Access. Option A is wrong because Microsoft Entra Connect is for directory synchronization, not application publishing.

Option C is wrong because Azure AD Domain Services provides domain services like LDAP, not application proxy. Option D is wrong because Microsoft Intune is for device management, not application access.

663
MCQ · medium

Your organization, Fabrikam Inc., uses Microsoft Intune for device management and Microsoft Entra ID for identity. You need to design a solution to ensure that only compliant and healthy devices can access corporate resources. The solution must require that devices are either enrolled in Intune and compliant, or joined to Azure AD with a health attestation. Additionally, you need to block access from devices that are rooted or jailbroken. You have the following requirements: 1) Enforce conditional access policies to check device compliance and health. 2) Use Microsoft Defender for Endpoint integration for device health signals. 3) Provide a fallback option for unmanaged devices to access only web apps via browser with app protection policies. Which combination of actions should you take?

A. Configure conditional access to require MFA for all devices, and use device filters to exclude non-compliant devices.
B. Configure conditional access to require device compliance, and enable device health attestation via Intune.
C. Configure conditional access to block access from unknown locations, and require device enrollment for all users.
D. Configure conditional access policies: one requiring device compliance or Azure AD joined with health attestation, and another for unmanaged devices requiring app protection policies.
Answer: D

This meets all requirements.

Why this answer

Option D is correct because it covers all requirements: conditional access policies for compliance/health, Defender for Endpoint integration for health signals, and app protection policies for unmanaged devices. Option A is incorrect because it uses MFA only, not device compliance. Option B is incorrect because it relies on device compliance only, not health attestation.

Option C is incorrect because it uses a location-based policy, which does not address device health.

664
MCQ · medium

A company is designing a security solution for their hybrid infrastructure that includes on-premises servers and Azure virtual machines. They need to ensure that all administrative access to servers is just-in-time (JIT) and just-enough-administration (JEA). Which Azure service should they use?

A. Azure Bastion
B. Microsoft Entra ID Privileged Identity Management
C. Azure Policy
D. Microsoft Defender for Cloud
Answer: D

Correct: Provides JIT VM access and JEA via Azure Arc.

Why this answer

Microsoft Defender for Cloud provides JIT VM access and JEA capabilities through Azure Arc for on-premises servers, making it the correct choice. Azure AD Privileged Identity Management (PIM) is for user roles, not server access. Azure Bastion provides secure RDP/SSH access but not JIT.

Azure Policy is for compliance, not JIT access.

665
MCQ · hard

Refer to the exhibit. You are reviewing an Azure Policy definition that is assigned to a subscription. What is the primary effect of this policy?

A. It modifies the OS disk to use a specific disk encryption set.
B. It deploys a disk encryption set to each virtual machine.
C. It denies creation of virtual machines without the specified disk encryption set.
D. It audits virtual machines that do not use the specified disk encryption set.
Answer: A

The policy adds/replaces the diskEncryptionSet.id field on the OS disk.

Why this answer

The policy uses the 'modify' effect to add or replace the disk encryption set ID on any virtual machine's OS disk managed disk. This ensures VMs use a specific encryption set. 'deployIfNotExists' would deploy a resource, 'audit' would only log, 'deny' would block creation.

666
MCQ · easy

A company is planning their Zero Trust data protection strategy. They want to classify and protect sensitive data stored in SharePoint Online. Which Microsoft tool should they use?

A. Microsoft Intune
B. Microsoft Defender for Cloud Apps
C. Microsoft Purview Information Protection
D. Azure Policy
Answer: C

Purview Information Protection provides data classification and labeling.

Why this answer

Microsoft Purview Information Protection (formerly Microsoft Information Protection) is the correct tool because it provides integrated classification, labeling, and protection for sensitive data across Microsoft 365 services, including SharePoint Online. It uses sensitivity labels that can automatically apply encryption, rights management, and visual markings (headers/footers) to documents based on policy conditions, directly supporting the Zero Trust principle of 'assume breach' by protecting data at rest and in transit.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud Apps (a CASB for monitoring and controlling cloud app usage) with the data classification and labeling capabilities of Microsoft Purview Information Protection, because both tools can handle sensitive data but serve fundamentally different roles in a Zero Trust strategy.

How to eliminate wrong answers

Option A is wrong because Microsoft Intune is a mobile device management (MDM) and mobile application management (MAM) tool focused on managing devices and apps, not on classifying or protecting data within SharePoint Online documents. Option B is wrong because Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) that provides visibility, threat detection, and access controls for cloud apps, but it does not natively classify or label sensitive data within SharePoint Online; it can discover sensitive data via integration with Purview but is not the primary tool for classification. Option D is wrong because Azure Policy is used to enforce compliance and governance rules on Azure resources (e.g., resource types, locations, tags) and does not apply sensitivity labels or encryption to SharePoint Online documents.

667
MCQ · hard

Refer to the exhibit. You are reviewing a KQL query in Microsoft Sentinel. What is the primary purpose of this query?

A. List all administrator accounts that logged in
B. Identify failed logon attempts across all computers
C. Find the most common event IDs across all computers
D. Count security events per user, per computer, per event type in the last hour
Answer: D

The query groups by Account, Computer, and EventID to count each combination.

Why this answer

The query filters SecurityEvent for user accounts in the last hour, then summarizes the count of events by Account, Computer, and EventID, so Option D is correct. Option B is incorrect because the query does not filter for failed logons.

Option A is incorrect because it does not filter for admin accounts. Option C is incorrect because it does not filter for specific event IDs.

668
MCQ · hard

Refer to the exhibit. A security analyst runs this KQL query in Microsoft Sentinel. The query returns a list of users and IP addresses with failed sign-ins due to 'User Account Disabled' (ResultType 50057). The analyst wants to create a scheduled analytics rule that generates an incident when a user exceeds 5 such failures from the same IP in an hour. Which setting is missing from the query to meet the requirement?

A. Add a 'let' statement to define the threshold.
B. Add a 'project' to select columns.
C. Add a 'bin' or 'bin_at' to group by time windows.
D. Add a 'where' clause to filter by ResultType.
Answer: C

Without binning, the count is over the entire 1-hour window, but for scheduled rules, you need to bin to avoid double-counting across runs.

Why this answer

The query currently returns all failed sign-ins due to 'User Account Disabled' but does not aggregate them into time-based windows. To meet the requirement of generating an incident when a user exceeds 5 failures from the same IP in an hour, the query must group the results into 1-hour time buckets using 'bin' or 'bin_at' on the timestamp column, then count the failures per user and IP per bucket, and filter for counts greater than 5. Without this time-windowing, the query cannot enforce the 'in an hour' condition.

Exam trap

Microsoft often tests the candidate's understanding that time-based analytics rules require explicit time-windowing in the query (via bin or bin_at) rather than relying on the rule's run frequency or lookback period alone.

How to eliminate wrong answers

Option A is wrong because a 'let' statement defines a variable or threshold, but the threshold (5 failures) can be applied directly in a 'where' clause after aggregation; the missing piece is time-based grouping, not variable definition. Option B is wrong because 'project' selects or renames columns, which is useful for output but does not affect the aggregation or time-windowing required to count failures per hour. Option D is wrong because the query already filters by ResultType 50057 using a 'where' clause; adding another 'where' for ResultType would be redundant and does not address the missing time-window grouping.
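The exhibit queries for questions 658 and 668 are not reproduced on this page. The KQL below is an added example (not the exam's exhibit) written to match the behaviour each explanation describes, including the bin() time-windowing that question 668 says is missing; it assumes the standard SigninLogs and SecurityEvent table schemas and that the scheduled rule runs hourly with a one-hour lookback.

```kql
// Added example, not the exam exhibit. Question 668: 'User Account Disabled'
// sign-in failures (ResultType 50057) counted per user and source IP in fixed
// 1-hour buckets. bin() is the time-windowing the explanation calls for, so
// the threshold applies per bucket rather than across the whole lookback.
SigninLogs
| where TimeGenerated > ago(1h)                  // assumed rule lookback: 1 hour
| where ResultType == "50057"                    // 'User Account Disabled'
| summarize Failures = count(),
            FirstFailure = min(TimeGenerated),
            LastFailure  = max(TimeGenerated)
    by UserPrincipalName, IPAddress, Window = bin(TimeGenerated, 1h)
| where Failures > 5                             // threshold from the question
| project Window, UserPrincipalName, IPAddress, Failures, FirstFailure, LastFailure

// Question 658: the same shape over Windows Security events. Failed logons
// (EventID 4625) grouped by account and source IP, more than 10 in an hour.
SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4625
| summarize FailedLogons = count() by Account, IpAddress, Window = bin(TimeGenerated, 1h)
| where FailedLogons > 10

// Variant for the distinction drawn in the 658 exam trap: report a burst of
// failures only when it is followed by a successful logon (EventID 4624) for
// the same account from the same IP, which is what option B would require.
let FailureBursts = SecurityEvent
    | where TimeGenerated > ago(1h) and EventID == 4625
    | summarize FailedLogons = count(), LastFailure = max(TimeGenerated) by Account, IpAddress
    | where FailedLogons > 10;
SecurityEvent
| where TimeGenerated > ago(1h) and EventID == 4624
| join kind=inner FailureBursts on Account, IpAddress
| where TimeGenerated > LastFailure               // success came after the failures
| project Account, IpAddress, FailedLogons, LastFailure, SuccessAt = TimeGenerated
```

Each of the three queries is a separate rule query; paste only one into a scheduled analytics rule.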

669
MCQ · hard

An organization uses Microsoft Purview Information Protection. They want to automatically apply a sensitivity label to documents containing credit card numbers. Which policy should they configure?

A. Retention policy
B. Sensitivity label policy
C. Auto-labeling policy
D. Data loss prevention policy
Answer: C

Auto-labeling policies can automatically label documents containing sensitive data like credit cards.

Why this answer

Auto-labeling policies in Microsoft Purview Information Protection automatically apply sensitivity labels to documents and emails that match specified conditions, such as the presence of credit card numbers. This policy uses sensitive information types (e.g., Credit Card Number) to scan content and apply the label without user intervention, meeting the requirement for automatic labeling.

Exam trap

The trap here is confusing sensitivity label policies (which require user action or default labeling) with auto-labeling policies (which automatically scan and apply labels based on sensitive data patterns), leading candidates to choose option B incorrectly.

How to eliminate wrong answers

Option A is wrong because retention policies manage how long content is kept or deleted, not the application of sensitivity labels. Option B is wrong because sensitivity label policies publish labels for manual or default application by users, but they do not automatically scan for sensitive data like credit card numbers. Option D is wrong because data loss prevention (DLP) policies detect and block sharing of sensitive data, but they do not apply sensitivity labels to content.

670
MCQ (medium)

You are designing a secure CI/CD pipeline for Azure using GitHub Actions. You need to ensure that secrets (e.g., Azure service principal credentials) are stored securely and accessed only by authorized actions. What should you use?

A. Use GitHub Actions secrets to store the credentials.
B. Use Azure AD managed identities for GitHub Actions.
C. Store secrets in Azure Key Vault and access them using a service principal secret stored in GitHub.
D. Store secrets as environment variables in the GitHub repository.
Answer: A

Secrets are encrypted and scoped.

Why this answer

Option A is correct because GitHub Actions secrets are encrypted and can be scoped to repositories or environments. Option D is wrong because storing secrets as plain environment variables in the repository is insecure. Option C is wrong because Key Vault can be accessed from GitHub Actions via a secret, but the primary secure storage for GitHub is secrets.

Option B is wrong because managed identities are not directly usable in GitHub Actions without a secret to authenticate.

671
MCQ (easy)

Your organization uses Microsoft Sentinel. You need to design a solution that automatically responds to a detected ransomware incident by isolating the affected device in Microsoft Defender for Endpoint. Which tool should you use to create the automated response?

A. Create a workbook in Microsoft Sentinel.
B. Create a playbook in Microsoft Sentinel using Azure Logic Apps.
C. Create an automation rule in Microsoft Sentinel.
D. Create a hunting query in Microsoft Sentinel.
Answer: B

Playbooks contain the logic to execute automated responses like device isolation.

Why this answer

Option B is correct because a playbook in Microsoft Sentinel (based on Azure Logic Apps) can automate responses like device isolation. Option C (automation rule) triggers the playbook but does not contain the response logic. Option D (hunting query) is for detection.

Option A (workbook) is for visualization.

672
MCQ (medium)

Your company uses Microsoft 365 Copilot for Security. You need to ensure that only users in the 'SecurityAnalysts' group can access the Copilot for Security portal. All other users should not see the portal in their Microsoft 365 app launcher. What should you configure?

A. Remove the Copilot for Security license from all users and assign only to the group.
B. Create a Conditional Access policy to block access to Copilot for Security for users not in the group.
C. Configure an Entra ID administrative unit to restrict access.
D. In the Copilot for Security settings, restrict access to the 'SecurityAnalysts' group.
Answer: D

Copilot for Security allows restricting access to specific security groups.

Why this answer

Option D is correct because Copilot for Security has licensing and access controls that can be restricted to specific groups. Option B is incorrect because Conditional Access controls sign-in but does not hide the app in the app launcher. Option C is incorrect because administrative units are irrelevant here.

Option A is incorrect because Entra ID groups can be used for licensing assignment, which controls visibility, so licenses do not need to be removed from all users.

673
MCQ (easy)

Your organization is a small business with 200 users using Microsoft 365 Business Premium. You need to secure user identities against common attacks like phishing and password spray. The solution must be easy to deploy and manage with minimal overhead. Requirements: (1) Enable multi-factor authentication (MFA) for all users, (2) Block legacy authentication protocols, (3) Detect and block risky sign-ins, (4) Provide security recommendations to users, (5) Integrate with Microsoft Defender for Office 365 for email protection. Which Microsoft security service should you primarily use?

A. Microsoft Purview Insider Risk Management
B. Microsoft Entra ID P2
C. Microsoft Entra ID P1 with Conditional Access and Identity Protection
D. Microsoft Defender for Cloud
Answer: C

P1 provides MFA, blocking legacy auth, and risk detection; easy to deploy.

Why this answer

Option C is correct because Microsoft Entra ID P1 (included in Business Premium) provides Conditional Access for MFA and blocking legacy authentication, Identity Protection for risky sign-ins, and security defaults for easy deployment. Option B is wrong because Entra ID P2 is overkill for a small business. Option D is wrong because Microsoft Defender for Cloud is for cloud workloads.

Option A is wrong because Microsoft Purview is for data governance.

674
Multi-Select (hard)

You are designing a secure data exfiltration protection solution for Azure Storage accounts. You need to prevent data from being copied to unauthorized external locations. Which THREE controls should you implement?

Select 3 answers
A. Enable Microsoft Defender for Storage and configure alerts for anomalous data extraction.
B. Deploy Azure Firewall with application rules to allow only approved FQDNs.
C. Configure network security groups (NSGs) on subnets to deny outbound traffic to the internet.
D. Use Azure Private Endpoints for all storage accounts.
E. Enable soft delete and versioning for blobs.
Answers: A, B, C

Detects suspicious data transfer patterns.

Why this answer

Option C is correct because NSGs can restrict egress traffic at the subnet level. Option B is correct because Azure Firewall can inspect outbound traffic and block unauthorized destinations. Option A is correct because Microsoft Defender for Storage alerts on anomalous data transfers.

Option D is wrong because private endpoints do not prevent exfiltration; they prevent public access. Option E is wrong because soft delete is for recovery, not exfiltration prevention.

675
Multi-Select (easy)

Your organization needs to comply with GDPR. You need to design a data protection strategy using Microsoft Purview. Which THREE capabilities should you include?

Select 3 answers
A. Azure Policy
B. eDiscovery
C. Data classification and labeling
D. Data subject request management
E. Data Loss Prevention (DLP) policies
Answers: C, D, E

Classification and labeling help identify and protect personal data covered by GDPR.

Why this answer

Options C, D, and E are correct. Option C: Data classification and labeling helps identify personal data. Option E: Data Loss Prevention (DLP) prevents unauthorized sharing of personal data.

Option D: Data subject request (DSR) management is a GDPR requirement. Option B is wrong because eDiscovery is for legal holds, not GDPR specifically. Option A is wrong because Azure Policy is for Azure resource compliance, not data protection.
