CCNA Design security solutions for applications and data Questions

75 of 207 questions · Page 1/3 · Design security solutions for applications and data

1
MCQ · medium

Refer to the exhibit. A security analyst runs this KQL query in Microsoft Sentinel to find high-risk sign-ins. The query returns no results, but they know there were high-risk sign-ins. What is the most likely reason?

A. The value 'high' should be 'High' (capitalized)
B. The query uses double equals instead of single equals
C. The field name is incorrect; it should be 'RiskLevel'
D. The time range should be 'ago(7d)'
Answer: A

Risk level values are case-sensitive and stored as 'High'.

Why this answer

The schema contains both 'RiskLevelDuringSignIn' and 'RiskLevelAggregated', and the query filters on 'RiskLevelDuringSignIn', which is a valid field name. The problem is the comparison 'where RiskLevelDuringSignIn == "high"': the field stores the value as 'High' (capitalized), and the KQL '==' operator compares strings case-sensitively, so the lowercase literal never matches.

Option A is correct. Option C is wrong because the field exists. Option B is wrong because the query is valid syntax.

Option D is wrong because the time range is the last 1 day.

2
MCQ · hard

You are designing a data security solution for a Microsoft 365 tenant that contains highly confidential files. You need to ensure that these files are encrypted and can only be accessed by authorized users, even if the files are downloaded and stored on a personal device. Which technology should you use?

A. Office 365 Message Encryption
B. Microsoft Purview Information Protection with encryption and usage rights
C. BitLocker Drive Encryption
D. Azure Information Protection
Answer: B

This protects files persistently, even when downloaded.

Why this answer

Option B is correct: Microsoft Purview Information Protection with encryption and usage rights restricts access even after download, because the protection travels with the file. Option C is wrong: BitLocker encrypts the device, not individual files. Option A is wrong: Office 365 Message Encryption is for email, not files.

Option D is wrong: Azure Information Protection (now part of Purview) is the correct technology, but the more specific answer is Purview Information Protection.

3
MCQ · hard

A large financial services company is migrating its customer-facing web application to Azure. The application handles sensitive personal data and must comply with PCI DSS. The solution will use Azure App Service (Linux) with a custom container, Azure SQL Database, and Azure Redis Cache. The security architect mandates that all data in transit be encrypted using the latest TLS version, and that the application must be protected against common web vulnerabilities. The company also wants to ensure that only authenticated users can access the Redis cache. Users will authenticate via Microsoft Entra ID. The operations team needs to be able to monitor for SQL injection attempts and anomalous access patterns. You need to design the security configuration. Which of the following is the most comprehensive approach that meets all requirements?

A. Configure App Service to enforce TLS 1.2 as minimum. Deploy Azure Application Gateway with WAF enabled in front of App Service. Enable Azure AD authentication for Azure Redis Cache. Enable Microsoft Defender for SQL for Azure SQL Database.
B. Use Azure Front Door with custom domain and enforce TLS 1.2. Configure IP firewall on Redis Cache. Use Azure SQL Database with VNet service endpoints.
C. Deploy App Service with HTTPS only enabled. Use Azure API Management with WAF. Use Redis Cache with access keys. Enable SQL audit logging.
D. Enable TLS 1.3 on App Service. Use Azure CDN with WAF. Configure Redis Cache with a firewall rule allowing only App Service outbound IPs.
Answer: A

Covers all: TLS, WAF, Redis auth, and SQL threat detection.

Why this answer

Azure App Service enforces TLS 1.2/1.3 by default. Azure WAF (Web Application Firewall) in front of App Service protects against the OWASP Top 10. Azure AD authentication for Redis Cache is supported via Azure AD RBAC for Redis (currently in preview but available).

Microsoft Defender for SQL detects SQL injection and anomalous access. Option A covers all requirements. Option B uses Azure Front Door without WAF.

Option C uses Redis access keys, which are shared secrets rather than Entra ID authentication. Option D uses a Redis firewall rule, which doesn't enforce authentication.

4
MCQ · easy

Your organization stores sensitive customer data in Azure Blob Storage. You need to implement data classification and labeling using Microsoft Purview. Which resource should you use to automatically scan and classify the data?

A. Azure Policy
B. Microsoft Purview Data Map
C. Microsoft Purview Information Protection
D. Microsoft Purview Data Loss Prevention
Answer: B

Data Map scans assets and applies classification rules automatically.

Why this answer

Option B is correct because Microsoft Purview Data Map provides automated scanning and classification of data assets across Azure and on-premises. Option C is wrong because Purview Information Protection focuses on labeling and protection policies, not scanning. Option D is wrong because Purview Data Loss Prevention (DLP) monitors and prevents data exfiltration.

Option A is wrong because Azure Policy enforces organizational standards, not data classification.

5
Multi-Select · medium

Your organization uses Microsoft Defender for Cloud Apps. You need to detect and prevent the use of unsanctioned cloud apps. The solution should generate alerts when users access high-risk apps and block access to very high-risk apps. Which three actions should you take? (Choose three.)

Select 3 answers
A. Configure Conditional Access policies in Microsoft Entra ID to block unsanctioned apps
B. Unsanction high-risk apps using the app catalog
C. Create a session or access policy to block unsanctioned apps
D. Enable Cloud Discovery in Defender for Cloud Apps to discover app usage
E. Create a DLP policy to prevent data upload to unsanctioned apps
Answers: B, C, D

Unsanctioning marks apps as blocked.

Why this answer

Options B, C, and D are correct because to detect and block unsanctioned apps, you need to discover them via Cloud Discovery, sanction or unsanction them, and create policies to block unsanctioned apps. Option A is wrong because Conditional Access policies are for identity, not app blocking. Option E is wrong because DLP policies are for data protection, not app control.

6
MCQ · medium

Refer to the exhibit. You are deploying an Azure Storage container for storing compliance records. The ARM template snippet above configures the container. Which statement accurately describes the configuration?

A. The container allows protected append writes.
B. Blob versioning is disabled for the container.
C. The container allows anonymous read access.
D. Blobs cannot be modified or deleted for 365 days after creation.
Answer: D

Immutability policy enforces a 365-day retention period.

Why this answer

Option D is correct. The snippet sets publicAccess to 'None', so no anonymous access is allowed. It enables immutable storage with versioning and sets an immutability period of 365 days, meaning blobs cannot be deleted or modified for 365 days after creation.

Option C is wrong because public access is set to None. Option A is wrong because allowProtectedAppendWrites is false, so append blobs cannot be written. Option B is wrong because versioning is enabled.

7
MCQ · medium

Your organization uses Microsoft Purview Information Protection to label and protect sensitive emails and documents. You need to ensure that when a user applies a 'Highly Confidential' label, the content is automatically encrypted and a watermark is added. Which configuration should you use?

A. Use Azure Information Protection scanner to apply labels automatically.
B. Create a DLP policy that blocks sharing of highly confidential content.
C. Configure a sensitivity label with encryption and watermark settings.
D. Enable Microsoft 365 Message Encryption for all emails.
Answer: C

Sensitivity labels can include protection actions like encryption and watermarks.

Why this answer

Option C is correct because a label with protection settings can enforce encryption and apply a watermark. Option A is wrong because Azure Information Protection is the underlying technology, but the configuration is done via sensitivity labels. Option B is wrong because DLP policies prevent sharing but do not add watermarks.

Option D is wrong because the label itself can be configured to encrypt, so a separate tenant-wide encryption setting is not required.

8
MCQ · hard

Refer to the exhibit. You are reviewing an Azure Policy definition that uses a 'modify' effect. The policy is intended to automatically enable transparent data encryption (TDE) on Azure SQL databases after they are created. Which condition must be met for the modify effect to work?

A. The policy must be assigned at the management group scope.
B. A managed identity must be associated with the policy assignment and have permissions to modify TDE.
C. The database must be newly created.
D. The SQL database must be using the General Purpose service tier.
Answer: B

Modify effect uses a managed identity to make changes.

Why this answer

Option B is correct because the modify effect requires a managed identity with the appropriate role (e.g., SQL DB Contributor) to perform the remediation. Option D is wrong because the modify effect does not require a specific SKU. Option A is wrong because the policy can be applied at any scope, including subscription.

Option C is wrong because TDE can be enabled on any database, not just new ones.

9
MCQ · hard

Your organization uses Azure API Management (APIM) to expose APIs to external partners. You need to ensure that only authorized partners can access the APIs and that the API requests are rate-limited to prevent abuse. What should you implement?

A. Use a validate JWT policy to authenticate partners and a rate-limit by key policy to control request rates.
B. Configure client certificate authentication and set a global rate limit in the APIM service.
C. Require a subscription key for each partner and configure IP whitelisting.
D. Use OAuth 2.0 tokens and store partner API keys in Azure Key Vault.
Answer: A

JWT validation ensures partner identity; rate limit by subscription key restricts usage.

Why this answer

Option A is correct because APIM policies can validate JWT tokens for authorization and use a rate-limiting policy to control request rates. Option C is wrong because subscription keys alone are not secure for partner authentication. Option D is wrong because OAuth 2.0 with API keys is not standard; APIM supports OAuth via policies.

Option B is wrong because client certificates are another method but are not combined with rate limiting as effectively as policy.

10
MCQ · medium

A company uses Microsoft Sentinel for security operations. They want to collect logs from a custom application running on Azure Virtual Machines. The application writes logs to a local file. Which data connector should they use?

A. Application Insights
B. Syslog
C. Windows Event Forwarding
D. Custom Logs via Log Analytics agent
Answer: D

The Log Analytics agent can ingest custom log files from Windows or Linux VMs.

Why this answer

The Log Analytics agent (or Azure Monitor Agent) can collect custom log files from VMs. Option D is correct. Option B is wrong because Syslog is for Linux, but the application writes to a file, not syslog.

Option C is wrong because Windows Event Forwarding is for Windows event logs, not custom file logs. Option A is wrong because Application Insights is for application performance monitoring, not log file collection.

11
MCQ · easy

A company uses Microsoft Intune to manage corporate devices. They want to ensure that only compliant devices can access corporate email in Outlook Mobile. Which type of policy should they configure?

A. App protection policy
B. Device configuration policy
C. Conditional Access policy
D. Compliance policy
Answer: C

Conditional Access can block access to apps if the device is not compliant.

Why this answer

Conditional Access in Microsoft Entra ID can require device compliance before granting access. Option C is correct. Option D is wrong because compliance policies define what compliance means, but the enforcement is via Conditional Access.

Option A is wrong because app protection policies are for app-level controls, not device compliance. Option B is wrong because device configuration policies are for settings, not access control.

12
MCQ · medium

Your organization uses Microsoft Defender for Cloud Apps to monitor shadow IT. You discover that employees are using a third-party file sharing app that is not sanctioned. The security team wants to block access to this app from managed devices and require authentication for unmanaged devices. You need to configure the appropriate controls in Defender for Cloud Apps. What should you do?

A. Create a session policy that monitors file uploads to the app.
B. Create an app governance policy to restrict the app's permissions.
C. Create an access policy to block the app on unmanaged devices and require authentication on managed devices.
D. Configure a DLP policy to prevent sharing of sensitive data through the app.
Answer: C

Access policies can block or allow based on device and user context.

Why this answer

Option C is correct because it uses access policies to block unmanaged devices and require authentication, which aligns with the requirement. Option A is wrong because session policies monitor but do not block. Option B is wrong because app governance policies manage app permissions.

Option D is wrong because DLP policies focus on data protection.

13
MCQ · medium

You are designing an API management solution using Azure API Management. The security team requires that all API calls must be authenticated using OAuth 2.0 and that only specific Azure AD applications can access the APIs. Additionally, the solution must support rate limiting and IP filtering. What should you configure?

A. Set up client certificate authentication and map certificates to Azure AD apps
B. Enable API key authentication and restrict access using subscription keys
C. Use OAuth 2.0 with Azure AD and configure inbound policies to validate JWTs
D. Configure OAuth 2.0 in Azure API Management, use validate-jwt policy to restrict to specific Azure AD apps, and add rate-limit and ip-filter policies
Answer: D

This combination meets all requirements.

Why this answer

Option D is correct because Azure API Management can validate OAuth tokens, and you can restrict access to specific Azure AD applications using the 'validate-jwt' policy. Rate limiting and IP filtering are also built-in policies. Option C is wrong because it's not a complete solution.

Option B is wrong because API keys are less secure. Option A is wrong because client certificates are not OAuth.

14
Multi-Select · easy

You are designing an API management solution using Azure API Management. Which TWO should you implement to protect the API from unauthorized access? (Choose TWO.)

Select 2 answers
A. Implement OAuth 2.0 authorization with Microsoft Entra ID.
B. Use client certificates for authentication.
C. Enable Cross-Origin Resource Sharing (CORS).
D. Restrict access by IP address only.
E. Require subscription keys for all API calls.
Answers: A, E

OAuth 2.0 is a standard authorization framework.

Why this answer

Options A and E are correct. Subscription keys are a basic mechanism to authenticate callers. OAuth 2.0 is a standard authorization framework integrated with Azure API Management.

Option B is wrong because client certificates are for mutual TLS, not a primary authentication method. Option D is wrong because IP filtering is for restricting IP ranges, not authentication. Option C is wrong because CORS is for cross-origin requests, not authentication.

15
MCQ · easy

A company uses Microsoft Sentinel to detect threats. They want to automatically send an email to the security team when a high-severity incident is created. What should they configure?

A. An analytics rule with an automated response
B. A workbook
C. A watchlist
D. A hunting query
Answer: A

Analytics rules can trigger playbooks that send email notifications when an incident is created.

Why this answer

Option A is correct because analytics rules with automated responses can trigger a playbook to send email. Option B is wrong because workbooks are for visualization. Option C is wrong because watchlists are for reference data.

Option D is wrong because hunting queries are for proactive threat hunting.

16
MCQ · medium

Your company develops a web application hosted on Azure App Service. The application uses Azure SQL Database and requires managed identities to access the database. You need to ensure that the application can authenticate to Azure SQL without storing credentials in code. Which authentication method should you implement?

A. Store a client certificate in Azure Key Vault and reference it from the app.
B. Use an Azure AD service principal with a client secret.
C. Use Azure SQL database-level firewall rules with a static IP restriction.
D. Enable system-assigned managed identity on the App Service and grant it access to the SQL database.
Answer: D

Managed identity eliminates credential storage.

Why this answer

Option D is correct because a system-assigned managed identity is the simplest and most secure way for an Azure App Service to authenticate to Azure SQL without credential storage. Option B is wrong because Azure AD service principals require secret management. Option A is wrong because certificate-based authentication still requires certificate deployment.

Option C is wrong because firewall rules with a static IP restriction only limit which addresses can connect; they do not authenticate the application.

17
MCQ · medium

Your organization uses Microsoft Entra ID for identity and access management. You are developing a web application that needs to access Microsoft Graph API on behalf of the signed-in user. Which authentication flow should you implement?

A. Implicit Flow
B. Client Credentials Flow
C. Authorization Code Flow with PKCE
D. Device Code Flow
Answer: C

Recommended for web apps accessing APIs on behalf of a user.

Why this answer

Option C is correct because the Authorization Code Flow with PKCE is the recommended flow for web applications that need to access APIs on behalf of the user. Option B is wrong because the Client Credentials Flow is for daemon applications, not for acting on behalf of a user. Option D is wrong because the Device Code Flow is for devices without browsers.

Option A is wrong because the Implicit Flow is legacy and less secure.

18
MCQ · medium

A retail company uses Microsoft Defender for APIs to protect its online store API. The security team notices unusual API calls from an IP address that is not in the allowed list. They want to block this IP address for 24 hours. What should they configure?

A. Configure API schema validation
B. Modify the authentication settings
C. Update the API collection
D. Create a rate-limiting rule
Answer: D

Rate-limiting rules can block specific IP addresses for a defined period.

Why this answer

Option D is correct because Defender for APIs allows creating a rate-limiting rule to block an IP. Option A is wrong because API schema validation validates request structure; it does not block IPs. Option B is wrong because authentication settings verify tokens.

Option C is wrong because API collections group APIs.

19
MCQ · hard

A company is designing a microservices architecture on Azure Kubernetes Service (AKS). Each microservice needs to authenticate to Azure SQL Database using its own identity. The security team requires that no service principal secrets or certificates be stored in the cluster. What should you implement to authenticate the microservices to Azure SQL Database?

A. Create a service principal and store its secret in Azure Key Vault; use the Key Vault Secrets Store CSI driver to mount it.
B. Enable a system-assigned managed identity on the AKS cluster nodes and have pods use it.
C. Use Azure AD Workload Identity for each pod to authenticate to Azure SQL Database using managed identities.
D. Store the Azure SQL connection string with credentials in a Kubernetes secret.
Answer: C

Workload Identity assigns an Azure AD identity to each pod, enabling secure authentication without secrets.

Why this answer

Azure AD Workload Identity (formerly AAD Pod Identity) allows pods to assume an Azure AD identity and authenticate to Azure resources without secrets. This integrates with Azure SQL's Azure AD authentication. Option C is the correct approach.

Option A is wrong because a service principal with Key Vault still stores a secret. Option B is wrong because a managed identity at the node level is too broad. Option D is wrong because storing client secrets in the cluster is not allowed.

20
MCQ · hard

Your organization uses Microsoft Entra Verified ID to issue verifiable credentials to employees. You need to design a solution that allows employees to prove their employment status to third-party apps without exposing their full identity. What should you implement?

A. Microsoft Entra ID custom roles
B. Verifiable credentials with a custom credential type
C. Azure managed identities
D. Conditional Access policy with session controls
Answer: B

Verifiable credentials allow selective disclosure of attributes, such as employment status, without revealing full identity.

Why this answer

Option B is correct because a verifiable credential can contain only the attributes required (e.g., employment status) and is presented via a wallet. Option A is wrong because a custom role does not issue credentials. Option D is wrong because Conditional Access controls access but does not issue proofs.

Option C is wrong because managed identities are for Azure resources, not user identity.

21
Multi-Select · easy

Your organization is using Microsoft Sentinel for security operations. Which THREE data sources can be connected to Microsoft Sentinel out of the box? (Choose THREE.)

Select 3 answers
A. Azure Active Directory (now Microsoft Entra ID)
B. Amazon Web Services (AWS) CloudTrail
C. Azure DevOps
D. Microsoft 365 Defender
E. Power BI
Answers: A, B, D

Entra ID logs are a common connector.

Why this answer

Options A, B, and D are valid out-of-the-box connectors. Option C is wrong because Azure DevOps is not a default data connector. Option E is wrong because Power BI is not a data source connector.

22
MCQ · hard

Your organization, Contoso Ltd., is a multinational company with 50,000 employees. They use Microsoft 365 E5, Azure, and Microsoft Sentinel. The security team wants to implement a data security solution that meets the following requirements: 1. All sensitive data stored in SharePoint Online and OneDrive for Business must be automatically classified and protected using sensitivity labels. 2. When a user attempts to share a file labeled 'Highly Confidential' with an external user, the action should be blocked and an alert sent to the security team. 3. The solution must detect and prevent data exfiltration from endpoints by monitoring copy/paste and print actions on sensitive data. 4. All data security events must be centralized in Microsoft Sentinel for correlation and investigation. 5. The solution must comply with regulatory requirements that mandate data retention and eDiscovery capabilities. You need to design the data security solution. Which combination of Microsoft security components should you use?

A. Microsoft Intune and Microsoft Entra ID
B. Microsoft Defender for Endpoint and Microsoft Sentinel
C. Microsoft Defender for Cloud Apps and Microsoft Entra ID
D. Microsoft Purview Information Protection, Microsoft Purview DLP, and Microsoft Purview eDiscovery
Answer: D

Covers all requirements.

Why this answer

Option D is correct. Microsoft Purview Information Protection auto-labeling policies meet requirement 1. DLP policies in Purview block sharing and alert (requirement 2).

Endpoint DLP in Purview monitors copy/paste/print (requirement 3). Purview audit logs are ingested into Microsoft Sentinel (requirement 4). Microsoft Purview eDiscovery and retention policies meet requirement 5.

Option C is wrong because Microsoft Defender for Cloud Apps does not provide endpoint DLP or eDiscovery. Option A is wrong because Microsoft Intune does not provide DLP or eDiscovery. Option B is wrong because Microsoft Defender for Endpoint focuses on endpoint protection, not data classification or eDiscovery.

23
Multi-Select · medium

Which TWO data protection mechanisms should you implement to protect data at rest in Azure SQL Database?

Select 2 answers
A. Transparent Data Encryption (TDE)
B. Azure Policy
C. Role-Based Access Control (RBAC)
D. Azure Firewall
E. Always Encrypted
Answers: A, E

TDE encrypts the database files at rest.

Why this answer

Options A and E are correct. TDE encrypts the database files, and Always Encrypted protects data in use and at rest by encrypting columns. Option D is wrong because Azure Firewall is a network security service.

Option C is wrong because RBAC controls access, not encryption. Option B is wrong because Azure Policy enforces compliance but does not encrypt.

24
MCQ · hard

Your company uses Microsoft Defender for Cloud to protect Azure resources. A critical application uses an Azure SQL Database. You need to ensure that all queries to the database are encrypted in transit and that the encryption protocol is the most secure version available. Which configuration should you enforce?

A. Set the minimal TLS version to 1.2 in the server's firewall rules.
B. Configure the database to reject unencrypted connections.
C. Set the connection policy to Proxy and force TCP.
D. Enable 'Force SSL' on the database.
Answer: A

This enforces that only clients using TLS 1.2 or higher can connect.

Why this answer

Option A is correct because Azure SQL Database supports TLS 1.2 by default and can be enforced via server-level firewall rules or connection policy. Option C is wrong because TCP is a transport protocol, not encryption. Option D is wrong because forcing SSL only ensures encryption but may allow older TLS versions.

Option B is wrong because encrypted connections are not the default for all clients; you must enforce a minimal TLS version.

25
Multi-Select · hard

Your organization uses Microsoft Purview to protect sensitive data. You need to implement a solution that automatically detects and protects personally identifiable information (PII) in Microsoft 365. Which THREE should be part of your solution? (Choose THREE.)

Select 3 answers
A. Azure Policy
B. Microsoft Defender for Cloud
C. Microsoft Purview Information Protection scanner
D. Microsoft Purview Data Loss Prevention (DLP) policies
E. Sensitivity labels in Microsoft Purview Information Protection
Answers: C, D, E

Scans on-premises data for sensitive content.

Why this answer

Options C, D, and E are correct. Microsoft Purview Data Loss Prevention (DLP) policies can detect PII and apply actions. Sensitivity labels can classify data and enforce protection.

The Microsoft Purview Information Protection (formerly Azure Information Protection) scanner can scan on-premises data. Option B is wrong because Microsoft Defender for Cloud is for cloud security posture, not data classification. Option A is wrong because Azure Policy is for resource configuration, not data scanning.

26
Multi-Select · medium

A company is designing a secure data sharing solution with a partner organization. The data will be stored in Azure Blob Storage. Requirements include: encryption at rest with customer-managed keys, granular access control to specific blobs, and the ability to expire access automatically. Which TWO solutions should you combine? (Choose two.)

Select 2 answers
A. Generate shared access signatures (SAS) with specific permissions and expiry times.
B. Enable Azure Active Directory authentication for the storage account.
C. Configure a firewall on the storage account to allow only partner IP addresses.
D. Use Azure RBAC to assign the Storage Blob Data Reader role to partner users.
E. Use Azure Storage Service Encryption with customer-managed keys in Azure Key Vault.
Answers: A, E

SAS tokens provide granular, time-limited access to specific blobs.

Why this answer

Azure Storage Service Encryption with customer-managed keys (CMK) provides encryption at rest. Shared access signatures (SAS) provide granular, time-limited access to specific blobs. RBAC is less granular (container level).

Azure AD authentication is not time-limited by default. Options A and E together meet all requirements.

27
Multi-Select · medium

A company uses Microsoft Defender XDR (formerly Microsoft 365 Defender) to protect their Microsoft 365 environment. They want to ensure that sensitive data is not leaked through Microsoft Teams messages. Which TWO capabilities should they use? (Choose TWO.)

Select 2 answers
A. Data Loss Prevention (DLP) policies
B. Information Barriers
C. Sensitivity labels
D. Communication Compliance
E. Retention policies
Answers: A, D

Can detect and block sharing of sensitive data in Teams messages.

Why this answer

DLP policies in Microsoft Purview can scan Teams messages for sensitive data, and Communication Compliance policies can help detect policy violations. Options A and D are correct. Option C is wrong because sensitivity labels are for manual or automatic classification, not real-time scanning of messages.

Option E is wrong because retention policies are for data retention, not prevention. Option B is wrong because Information Barriers prevent communication between groups, not data leakage.

28
MCQ · medium

Your organization uses Microsoft Entra ID for identity and access management. You need to design a solution that allows external partners to access a specific SharePoint Online site without creating guest accounts. What should you use?

A. Anonymous sharing links
B. Microsoft Entra ID business-to-business (B2B) collaboration
C. SharePoint Online external sharing with authenticated external users
D. Azure Active Directory B2C (now part of Entra ID)
Answer: C

External sharing can use Entra ID B2B to grant access via guest accounts.

Why this answer

Option C is correct because SharePoint Online external sharing can be configured to allow sharing with authenticated external users via Entra ID B2B collaboration, which creates guest accounts. Option D is wrong because Azure AD B2C is for customer-facing apps. Option B is wrong because Entra ID business-to-business (B2B) requires guest accounts.

Option A is wrong because anonymous access is not secure for partners.

29
MCQ · medium

Refer to the exhibit. What is the effect of this Azure Policy definition?

A. It denies creation of virtual networks that are not using HTTPS.
B. It denies creation or update of storage accounts that do not enforce HTTPS traffic.
C. It audits storage accounts to check if HTTPS traffic is enforced.
D. It denies creation of blob services that do not enforce HTTPS.
Answer: B

The policy denies when 'supportsHttpsTrafficOnly' is false, meaning secure transfer is not required.

Why this answer

Option B is correct. The policy checks whether the storage account does not have 'Secure transfer required' enabled (supportsHttpsTrafficOnly equals false) and denies creation or update. Option C is wrong because the effect is 'deny', not 'audit'.

Option A is wrong because the condition is on storage accounts, not on virtual networks. Option D is wrong because the policy does not apply to blob services.

30
MCQ · medium

A company uses Microsoft Defender for Cloud Apps to control data exfiltration from sanctioned SaaS apps. Security admins want to block downloading sensitive files from SharePoint Online to unmanaged devices. Which method should be used?

A. Create a Conditional Access App Control session policy
B. Create a session policy in Defender for Cloud Apps that checks for device tags and blocks download
C. Create a Microsoft Purview Data Loss Prevention policy for SharePoint
D. Create a Microsoft Intune compliance policy to block unmanaged devices
Answer: B

Session policies can inspect device tags (managed/unmanaged) and block sensitive actions like downloading.

Why this answer

A session policy with a device tag check (option B) is the correct approach because Defender for Cloud Apps can inspect device tags during a session and block downloads if the device is unmanaged. Option A is wrong because Conditional Access App Control is the underlying framework, not a specific policy type. Option C is wrong because DLP policies in Purview are for classification, not real-time blocking in apps.

Option D is wrong because compliance policies are for device compliance, not session-level control.

31
MCQeasy

Your company uses Microsoft Defender for Cloud Apps to discover and control shadow IT. You need to block the use of a newly discovered unsanctioned cloud storage app that poses a high risk. What should you configure?

A.In Defender for Cloud Apps, unsanction the app and create a session policy to block it
B.Create a Conditional Access policy in Microsoft Entra ID to block the app
C.Use Microsoft Intune to set a compliance policy that blocks the app
D.Add the app to the blocked list in Microsoft Defender for Cloud Apps
AnswerA

Unsanctioning marks the app as blocked; session policy enforces the block.

Why this answer

Option A is correct because Defender for Cloud Apps allows you to sanction/unsanction apps and create access policies to block unsanctioned apps. Option B is wrong because Conditional Access policies in Entra ID control access but not app blocking. Option C is wrong because Intune compliance policies manage device compliance.

Option D is wrong because Defender for Cloud Apps can block apps directly.

32
MCQhard

A company is building a new SaaS application that will be used by external customers. The application uses Azure API Management (APIM) to expose APIs. The security requirements include: (1) Only authenticated and authorized customers can call the APIs, (2) The API keys must be rotated automatically every 90 days, (3) The APIs must be protected against common web vulnerabilities. What should you implement?

A.Use IP whitelisting in APIM to restrict access to known customer IPs and enable API key rotation manually every 90 days.
B.Require client certificates for authentication and configure APIM to automatically rotate the certificates.
C.Use OAuth 2.0 with Azure AD (Entra ID) for authentication, configure API key rotation in APIM policies, and enable Azure Web Application Firewall (WAF) in front of APIM.
D.Implement OAuth 2.0 with JWT tokens and use rate limiting to mitigate attacks.
AnswerC

OAuth 2.0 provides authentication, APIM policies enable automatic key rotation, and Azure WAF protects against web vulnerabilities.

Why this answer

Option C is correct because it combines OAuth 2.0 for authentication and authorization, automatic key rotation via APIM policies, and Azure WAF for vulnerability protection. Option A is wrong because IP whitelisting is not a strong authentication method. Option B is wrong because client certificates require certificate management and do not protect against web vulnerabilities.

Option D is wrong because rate limiting does not address authentication or vulnerability protection.

33
MCQmedium

Your organization uses Microsoft Entra ID and plans to implement a custom line-of-business application that accesses Microsoft Graph APIs. The application will be used by employees and external partners. You need to ensure that the application can authenticate users and obtain appropriate permissions without exposing the client secret. What should you implement?

A.Use a system-assigned managed identity to authenticate to Microsoft Graph.
B.Implement OAuth 2.0 authorization code flow with PKCE.
C.Store the client secret in Azure Key Vault and retrieve it at runtime.
D.Register the application as a public client and use the implicit grant flow.
AnswerB

PKCE ensures the authorization code is exchanged securely without exposing the client secret.

Why this answer

Managed identities (option A) are not suitable for client applications that run outside Azure. Storing the client secret in Key Vault (option C) improves how the secret is kept but still requires secret management. OAuth 2.0 authorization code flow with PKCE is the recommended approach for mobile and desktop apps; for a web app with a backend hosted in Azure, a system-assigned managed identity or certificates from Key Vault are also good practice.

However, the question specifies a custom LOB app used by employees and external partners, likely hosted on-premises or in Azure. The most secure approach for a confidential client is a certificate stored in Azure Key Vault, but the correct answer here is to implement the OAuth 2.0 authorization code flow with PKCE (Proof Key for Code Exchange), which avoids exposing the client secret in the browser.

For a web app with a backend, the authorization code flow with PKCE is still recommended, and the client secret is not exposed. Option B is the most accurate.
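The PKCE mechanism the explanation relies on, as an added example that is not part of the original page: the client derives an S256 challenge from a random verifier, the authorization server stores the challenge with the issued code, and at the token endpoint only the holder of the verifier can redeem that code, so no client secret is needed. The in-memory code store is a constructed stand-in for the authorization server.

```python
import base64
import hashlib
import secrets
import string

# Characters allowed in a PKCE code verifier (RFC 7636, section 4.1): unreserved URI characters.
_VERIFIER_ALPHABET = string.ascii_letters + string.digits + "-._~"


def generate_code_verifier(length: int = 64) -> str:
    """Return a random code verifier of 43..128 unreserved characters (RFC 7636)."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43..128 characters long")
    return "".join(secrets.choice(_VERIFIER_ALPHABET) for _ in range(length))


def code_challenge_s256(code_verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(code_verifier))) with '=' padding stripped."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_pkce(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """Authorization-server side check performed at the token endpoint.

    The challenge was stored when the authorization code was issued; the client
    now presents the verifier together with the code. Only the party that
    generated the verifier can produce a matching challenge.
    """
    if method == "S256":
        expected = code_challenge_s256(presented_verifier)
    elif method == "plain":
        expected = presented_verifier
    else:
        return False
    # Constant-time comparison; both values are ASCII strings.
    return secrets.compare_digest(expected, stored_challenge)


def simulate_auth_code_flow() -> dict:
    """Walk through the PKCE part of the authorization code flow against an in-memory server."""
    # Step 1 (client): create the verifier and challenge before redirecting to /authorize.
    verifier = generate_code_verifier()
    challenge = code_challenge_s256(verifier)

    # Step 2 (server, /authorize): issue a code and remember the challenge bound to it.
    issued_codes = {}  # constructed stand-in for the authorization server's code store
    auth_code = secrets.token_urlsafe(32)
    issued_codes[auth_code] = {"code_challenge": challenge, "method": "S256"}

    # Step 3 (server, /token): the client that generated the verifier redeems the code ...
    record = issued_codes[auth_code]
    legitimate_ok = verify_pkce(record["code_challenge"], record["method"], verifier)

    # ... whereas the same code presented with any other verifier is rejected, which is
    # what protects a public client that cannot hold a secret.
    other_party_ok = verify_pkce(record["code_challenge"], record["method"], generate_code_verifier())

    return {"legitimate_redeem": legitimate_ok, "other_party_redeem": other_party_ok}
```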

34
MCQeasy

A multinational corporation uses Microsoft Purview to classify and protect sensitive data. They need to ensure that any email containing a patient health record (PHI) is encrypted before delivery. Which capability should they use?

A.Data Loss Prevention (DLP) policy
B.Sensitivity label with encryption
C.Azure Information Protection
D.Microsoft Purview Message Encryption
AnswerD

Provides encryption for emails containing sensitive information.

Why this answer

Microsoft Purview Message Encryption allows sending encrypted email. Option D is correct. Option A is wrong because DLP policies trigger actions like blocking or encrypting, but the encryption itself is done by Message Encryption.

Option B is wrong because sensitivity labels can apply encryption, but for automatic encryption of emails, DLP with an encryption action is typical. Option C is wrong because Azure Information Protection is the underlying technology, but the policy is configured via Purview.

35
MCQmedium

A company is designing a secure API for a customer-facing application that will handle sensitive personal data. They need to ensure that only authorized client applications can call the API and that the identity of the end-user is verified. Which of the following should they implement?

A.HTTP Basic Authentication
B.OAuth 2.0 with client credentials and OpenID Connect
C.JWT bearer tokens
D.API keys
AnswerB

OAuth 2.0 client credentials grant authenticates the client, and OpenID Connect provides user authentication via ID tokens.

Why this answer

Option B is correct because OAuth 2.0 with client credentials and OpenID Connect provides both client authentication and user authentication. Option D is wrong because API keys only authenticate the client, not the user. Option A is wrong because Basic Auth transmits credentials in plaintext.

Option C is wrong because JWT tokens are a format, not an authentication protocol.

36
MCQmedium

Your organization uses Microsoft Defender for Cloud to secure multi-cloud workloads. You need to ensure that Azure, AWS, and GCP resources are assessed against a common set of security standards. Which capability should you use?

A.Regulatory compliance standards
B.Vulnerability assessment solutions
C.Cloud Security Posture Management (CSPM)
D.Just-in-time (JIT) VM access
AnswerA

Applies to multi-cloud environments.

Why this answer

Option A is correct because regulatory compliance standards in Defender for Cloud can be applied across Azure, AWS, and GCP to enforce common benchmarks. Option D is wrong because JIT is only for Azure VMs. Option B is wrong because vulnerability assessments are per-resource type.

Option C is wrong because CSPM is a broader framework, not a specific compliance standard.

37
Multi-Selectmedium

Your organization is developing a new application that will use Azure Cosmos DB. The security team requires that all data be encrypted at rest and in transit, and that access to the database is limited to specific Azure services and IP addresses. The application will run on Azure VMs. Which three actions should you take? (Choose three.)

Select 3 answers
A.Configure Cosmos DB to require TLS for all client connections.
B.Use Azure SQL Database instead of Cosmos DB for better security features.
C.Use a private endpoint for Cosmos DB and restrict access to the private endpoint.
D.Enable encryption at rest on the Cosmos DB account using customer-managed keys.
E.Configure the Cosmos DB firewall to allow access from all Azure services.
AnswersA, C, D

TLS encrypts data in transit between the client and Cosmos DB.

Why this answer

Options A, C, and D are correct. Option A: Enforce TLS for all requests to Cosmos DB for encryption in transit. Option C: Use a private endpoint for Cosmos DB to restrict network access.

Option D: Enable encryption at rest (which is on by default) and use customer-managed keys if required. Option E is wrong because firewall rules are needed, but they should be set to allow only the VM's public IP or the private endpoint; allowing all Azure services is too permissive. Option B is wrong because Azure SQL Database is not Cosmos DB.

38
MCQeasy

A company uses Microsoft Entra ID for identity management. They want to ensure that only approved users can access a custom web application. The solution must support single sign-on (SSO) and require multi-factor authentication (MFA) for external users. Which approach should they use?

A.Register the application in Microsoft Entra ID and configure SAML-based sign-on
B.Use Azure AD Application Proxy to publish the app
C.Configure Microsoft Entra B2B collaboration and set MFA trust settings
D.Register the application in Microsoft Entra ID and assign app roles
AnswerC

B2B collaboration invites external users, and Conditional Access policies can require MFA for those users, providing SSO and MFA.

Why this answer

Registering the application in Microsoft Entra ID and configuring Conditional Access policies to require MFA for external users provides SSO and MFA enforcement. Option A is wrong because SAML sign-on alone does not enforce MFA. Option D is wrong because app roles manage authorization, not authentication requirements.

Option C is correct because B2B collaboration handles the external identities, and MFA for those users is enforced through Conditional Access rather than solely through B2B settings.

39
Multi-Selecthard

Which TWO actions should you take to secure Azure Functions with HTTP triggers?

Select 2 answers
A.Enable App Service Authentication (EasyAuth)
B.Configure network restrictions to allow only specific IP ranges
C.Set authorization level to anonymous
D.Enable Application Insights
E.Use function keys only
AnswersA, B

EasyAuth integrates with identity providers to authenticate requests.

Why this answer

Options A and B are correct. Using EasyAuth (App Service Authentication) and restricting network access reduce the attack surface. Option C is wrong because anonymous access is insecure.

Option E is wrong because function keys only provide basic auth, not comprehensive security. Option D is wrong because Application Insights is for monitoring, not security.

40
MCQeasy

Your company develops an API that will be consumed by external partners. You need to secure the API using Azure API Management (APIM). Which authentication mechanism should you recommend for partner applications?

A.Client certificates
B.Subscription keys
C.OAuth 2.0 with Microsoft Entra ID
D.IP address whitelisting
AnswerC

OAuth 2.0 provides secure delegated access for partner applications.

Why this answer

Option C is correct because OAuth 2.0 is the standard for delegated access and is suitable for partner applications. Option B is wrong because subscription keys are for identification, not authentication. Option A is wrong because client certificates are for server-to-server scenarios, not typical for partner apps.

Option D is wrong because IP whitelisting is network-level and not secure for authentication.

41
Multi-Selecteasy

A software company, Northwind, is developing a mobile app that uses Microsoft Entra ID for authentication. The app accesses an Azure Function App backend that stores data in Azure Cosmos DB. The company wants to implement a defense-in-depth security strategy. Which TWO of the following should you implement?

Select 2 answers
A.Use OAuth 2.0 with Microsoft Entra ID to secure the Azure Functions.
B.Restrict access to the Azure Functions by IP whitelisting.
C.Configure Azure Cosmos DB with a private endpoint.
D.Use function-level authorization keys for the Azure Functions.
E.Enforce TLS 1.0 for all API calls.
AnswersA, C

OAuth 2.0 with Entra ID provides secure user authentication and authorization.

Why this answer

Option A is correct because OAuth 2.0 with Entra ID provides user authentication and authorization. Option C is correct because Cosmos DB should be configured with a private endpoint to prevent public internet access. Option D is wrong because function keys are not user-specific.

Option B is wrong because IP whitelisting is not sufficient for user authentication. Option E is wrong because TLS 1.0 is deprecated.

42
MCQmedium

Your company is developing a mobile application that uses Microsoft Authenticator to sign in users. The app needs to call a web API that is protected by Microsoft Entra ID. You need to ensure that the app uses the OAuth 2.0 authorization code flow with PKCE. Which Microsoft authentication library should you recommend?

A.Microsoft Graph API
B.Microsoft Authentication Library (MSAL)
C.Active Directory Authentication Library (ADAL)
D.Azure AD Graph API
AnswerB

MSAL supports the OAuth 2.0 authorization code flow with PKCE for mobile apps.

Why this answer

Option B is correct: Microsoft Authentication Library (MSAL) supports the authorization code flow with PKCE for mobile apps. Option C is wrong: Active Directory Authentication Library (ADAL) is deprecated. Option D is wrong: Azure AD Graph API is not an authentication library.

Option A is wrong: Microsoft Graph API is for accessing resources, not authentication.

43
Multi-Selectmedium

Your company uses Microsoft Defender for Cloud Apps to protect its SaaS environment. You need to configure settings to detect and block risky user activities. Which TWO actions should you take? (Choose TWO.)

Select 2 answers
A.Block all third-party app access.
B.Define IP address ranges for trusted locations.
C.Configure anomaly detection policies.
D.Configure app discovery policies.
E.Enable session monitoring for critical applications.
AnswersC, E

Detects risky behaviors.

Why this answer

Options C and E are correct. Enabling session monitoring allows real-time activity monitoring, and configuring anomaly detection policies helps detect risky behaviors. Option A is incorrect because blocking all third-party apps is too restrictive.

Option D is incorrect because app discovery policies discover shadow IT; they do not detect risky user activities. Option B is incorrect because IP address ranges are for location-based policies, not core detection.

44
MCQeasy

A startup, Alpine Ski House, is developing a mobile app that allows users to book ski lessons. The app communicates with an Azure Function App backend via REST APIs. The function app stores data in Azure Cosmos DB. The company wants to secure the API endpoints using OAuth 2.0 with Microsoft Entra ID and ensure that only authenticated users can invoke the functions. The function app should also use a managed identity to access Cosmos DB. Which of the following configurations should you implement?

A.Configure the function app to require authentication with Microsoft Entra ID, enforce HTTPS only, and use a system-assigned managed identity to access Cosmos DB.
B.Configure the function app to use function-level authorization keys, enforce HTTPS only, and use a connection string with a read-write key to access Cosmos DB.
C.Configure the function app to require client certificates, enforce HTTPS only, and use a managed identity to access Cosmos DB.
D.Configure the function app to use IP whitelisting, enforce HTTPS only, and use a managed identity to access Cosmos DB.
AnswerA

Entra ID provides OAuth 2.0, managed identity provides secure database access, and HTTPS ensures encryption in transit.

Why this answer

Option A is correct because it uses OAuth 2.0 with Entra ID for authentication, managed identity for database access, and enforces HTTPS. Option B is wrong because function keys are not secure for user authentication. Option C is wrong because client certificates do not provide user-level authentication.

Option D is wrong because IP whitelisting is not a substitute for authentication.

45
MCQeasy

Refer to the exhibit. You are analyzing a KQL query in Microsoft Sentinel. What is the purpose of this query?

A.Count the number of 'Suspicious process execution' alerts in the last hour
B.Retrieve details of security alerts named 'Suspicious process execution' from the last hour
C.Join the SecurityAlert table with another table to enrich the results
D.Create an analytics rule to detect 'Suspicious process execution'
AnswerB

The query filters by alert name and time, then projects columns.

Why this answer

Option B is correct because the query filters alerts with a specific name and time range, then projects selected fields. Option A is wrong because the query does not aggregate. Option C is wrong because it does not join tables.

Option D is wrong because it does not create a new rule.

46
MCQhard

You are designing a microservices application running on Azure Kubernetes Service (AKS). You need to ensure that secrets (e.g., API keys, connection strings) are securely stored and automatically rotated without application downtime. What is the recommended approach?

A.Store secrets in Azure App Configuration with key vault references.
B.Store secrets as Kubernetes Secrets and use a controller to rotate them.
C.Use Azure Key Vault with the Secrets Store CSI driver to mount secrets as volumes and enable rotation.
D.Inject secrets as environment variables from Azure Key Vault using a pod identity.
AnswerC

CSI driver mounts secrets and supports rotation without downtime.

Why this answer

Option C is correct because using Azure Key Vault with the Secrets Store CSI driver allows pods to mount secrets as volumes, and rotation is handled by the driver. Option B is wrong because Kubernetes Secrets are base64-encoded, not encrypted by default. Option D is wrong because storing secrets in environment variables is less secure and harder to rotate.

Option A is wrong because Azure App Configuration is for configuration, not secrets management.

47
MCQmedium

Refer to the exhibit. You are investigating a security incident in Microsoft Sentinel. The KQL query above is used to identify potential brute-force attacks. What does the query return?

A.A list of computers with more than 5 failed logins from any account.
B.A list of user accounts with more than 5 failed logins across all computers.
C.A list of user accounts and computers where the account has more than 5 failed logins in the last 24 hours.
D.A list of user accounts with more than 5 successful logins in the last 24 hours.
AnswerC

Returns Account and Computer with FailedLogins > 5.

Why this answer

Option C is correct. The query filters SecurityEvent for user accounts (AccountType == 'User') in the last 24 hours, groups by Account and Computer, counts the number of events (FailedLogins), and then keeps only the pairs with more than 5 failed logins. Option A is wrong because the query returns both Account and Computer, not just computers.

Option B is wrong because the query counts per account and computer, not per account across all computers. Option D is wrong because the query does not return successful logins.

48
Multi-Selecthard

A hospital, Contoso Health, is deploying an Azure API Management (APIM) instance to expose healthcare APIs that comply with HIPAA. The APIs are hosted on Azure Functions and Azure Logic Apps. You need to design a security solution that includes: (1) authentication and authorization using Microsoft Entra ID, (2) protection against OWASP top 10 threats, (3) encryption of sensitive data in transit and at rest, and (4) logging and monitoring of all API calls. Which THREE of the following should you implement?

Select 3 answers
A.Configure IP whitelisting on APIM to restrict access to known IP addresses.
B.Configure OAuth 2.0 authorization with Microsoft Entra ID in APIM.
C.Configure mutual TLS (mTLS) authentication with client certificates.
D.Deploy Azure Web Application Firewall (WAF) policy on Azure Front Door or Application Gateway in front of APIM.
E.Enable Azure Monitor and Log Analytics to collect and analyze APIM logs.
AnswersB, D, E

OAuth 2.0 with Entra ID provides secure authentication and fine-grained authorization.

Why this answer

Option B is correct because OAuth 2.0 with Entra ID provides authentication and authorization. Option D is correct because WAF in front of APIM protects against OWASP threats. Option E is correct because Azure Monitor with Log Analytics provides logging and monitoring.

Option C is wrong because client certificates do not provide user-level authentication. Option A is wrong because IP whitelisting is not a substitute for authentication.

49
Multi-Selecthard

You are designing a solution to protect sensitive data in Azure Blob Storage. The data must be encrypted at rest using customer-managed keys (CMK) stored in Azure Key Vault. Additionally, you need to ensure that only specific virtual networks can access the storage account, and all access must be logged. Which three configurations should you implement? (Choose three.)

Select 3 answers
A.Enable Azure Storage logging for read and write requests
B.Enable Azure Storage encryption with customer-managed keys in Key Vault
C.Configure a firewall and virtual network service endpoint for the storage account
D.Enable Azure Files encryption at rest
E.Enable soft delete for blobs
AnswersA, B, C

Logging captures all access requests.

Why this answer

Options A, B, and C are correct. Option B provides CMK encryption. Option C restricts network access.

Option A enables logging. Option D is wrong: Azure Files is a different service; Blob Storage encryption is configured at the account level. Option E is wrong: soft delete is for data recovery, not encryption or access control.

50
MCQeasy

A company is developing a web API that will be consumed by partner applications. They need to secure the API using OAuth 2.0 and issue access tokens that expire after 1 hour. Which Microsoft Entra ID feature should they use?

A.Managed Identity
B.App registration
C.Conditional Access
D.Azure AD B2C
AnswerB

App registration in Entra ID enables OAuth 2.0 token issuance for APIs and applications.

Why this answer

Microsoft Entra ID (formerly Azure AD) provides OAuth 2.0 token issuance through app registrations. Option B is correct. Option C is wrong because Conditional Access is for access policies, not token issuance.

Option A is wrong because Managed Identity is for Azure resources, not partner apps. Option D is wrong because Azure AD B2C is for customer identities.

51
MCQeasy

Your company uses Microsoft Purview to classify and protect sensitive data. You need to automatically detect and protect credit card numbers in documents stored in SharePoint Online. Which solution should you implement?

A.Configure Azure Information Protection to automatically apply protection.
B.Apply a sensitivity label that encrypts documents with credit card numbers.
C.Create a Data Loss Prevention (DLP) policy to detect credit card numbers and block sharing.
D.Use Microsoft Defender for Cloud Apps to scan documents for credit card numbers.
AnswerC

DLP policies detect sensitive data and enforce actions.

Why this answer

Option C is correct because Microsoft Purview Data Loss Prevention (DLP) policies can automatically detect sensitive info types like credit card numbers and apply protection actions. Option B is wrong because sensitivity labels require manual application or auto-labeling; DLP is the more direct way to detect and act on the pattern. Option D is wrong because Microsoft Defender for Cloud Apps focuses on cloud app security, not document classification.

Option A is wrong because Azure Information Protection (now part of Purview) is for labeling, not automatic detection of specific data patterns.

52
MCQhard

Refer to the exhibit. You run the PowerShell command shown in the exhibit. The command returns the secret value in plain text. The Key Vault has soft-delete and purge protection enabled. What is the most likely reason that the command succeeded?

A.The Key Vault access policy allows the user to list secrets
B.The user has the 'Key Vault Secrets User' role assigned via RBAC
C.The user has the 'Key Vault Secret Management' role in Azure RBAC
D.The command was executed using the Key Vault managed identity
AnswerB

This role grants read access to secrets.

Why this answer

Option B is correct because the user running the command has the 'Key Vault Secrets User' role assigned, which includes the 'Microsoft.KeyVault/vaults/secrets/read' permission, allowing retrieval of secret values. Option C is wrong because the 'Secret Management' role in IAM does not exist. Option A is wrong because access policies are still used, but the command uses the caller's identity.

Option D is wrong because managed identity is not mentioned.

53
Multi-Selecteasy

Which TWO Microsoft Purview features can be used to classify and label data in Microsoft 365?

Select 2 answers
A.Retention policies
B.eDiscovery
C.Auto-labeling policies
D.Audit logs
E.Sensitive info types
AnswersC, E

Auto-labeling policies automatically apply sensitivity labels based on classification.

Why this answer

Options C and E are correct. Sensitive info types define patterns to classify data, and auto-labeling policies apply labels automatically. Option B is wrong because eDiscovery is for discovery in legal cases.

Option D is wrong because audit logs track activities. Option A is wrong because retention policies manage data retention.

54
Multi-Selecthard

Your organization uses Azure Cosmos DB with SQL API. You need to implement data encryption at rest and control access to the encryption keys. Which two actions should you take? (Choose two.)

Select 2 answers
A.Implement client-side encryption using the .NET SDK.
B.Enable Azure Disk Encryption on the VMs that access Cosmos DB.
C.Configure a customer-managed key in Azure Key Vault for encryption.
D.Turn off automatic encryption and use a custom encryption algorithm.
E.Enable server-side encryption (SSE) on the Cosmos DB account.
AnswersC, E

CMK provides key control for at-rest encryption.

Why this answer

Options C and E are correct. Option E: Enable server-side encryption (SSE), which is on by default, but explicitly confirming it is enabled is good practice. Option C: Use customer-managed keys (CMK) stored in Azure Key Vault for key control.

Option A is wrong because client-side encryption is not the same as at-rest encryption and adds complexity. Option B is wrong because Azure Disk Encryption is for VMs. Option D is wrong because data encryption at rest cannot be turned off in Cosmos DB; it is always on.

55
MCQhard

Your company is deploying a new AI-powered customer service chatbot using Azure OpenAI Service. The chatbot will access customer data stored in Azure Cosmos DB. The security team requires that all data in transit is encrypted, and that the chatbot only accesses data necessary for its function. Additionally, the chatbot must use managed identities to authenticate to Cosmos DB. You need to design the security architecture. Which combination of controls should you implement?

A.Restrict network access to the chatbot's IP address. Use a system-assigned managed identity and assign the Cosmos DB Account Reader role.
B.Use a connection string with the Cosmos DB account key and enforce TLS 1.2. Grant the chatbot's managed identity contributor role.
C.Enable TLS enforcement on Cosmos DB. Use a managed identity for the chatbot and assign the Cosmos DB Built-in Data Reader role. Configure the chatbot to authenticate using the managed identity.
D.Use Azure AD authentication with a service principal and assign the Cosmos DB Built-in Data Contributor role. Enforce TLS 1.2.
AnswerC

This meets all requirements: TLS encryption, managed identity, and least privilege with Data Reader role.

Why this answer

Option C is correct because it includes all required controls: enforce TLS for data in transit, use managed identity for authentication, and implement least privilege by granting only read access to the chatbot's identity. Option B is wrong because connection strings expose secrets. Option A is wrong because IP restrictions are not sufficient for authentication.

Option D is wrong because it uses a service principal with key-based authentication instead of a managed identity.

56
MCQhard

Your organization uses Microsoft Defender for Cloud to protect Azure SQL databases. You notice that a particular database is flagged with a high-severity recommendation to enable 'Advanced Data Security'. What does enabling Advanced Data Security provide?

A.It restricts access to the database to specific IP addresses.
B.It encrypts the database at rest using TDE.
C.It provides vulnerability assessments and threat detection.
D.It enables automatic backup encryption.
AnswerC

ADS includes these security capabilities.

Why this answer

Option C is correct because Advanced Data Security (ADS) includes vulnerability assessments, threat detection, and data discovery/classification. Option B is wrong because transparent data encryption (TDE) is a separate feature. Option A is wrong because ADS does not restrict network access; that is done by firewall or VNet rules.

Option D is wrong because backup encryption is handled by Azure Storage encryption.

57
MCQmedium

Your organization uses Microsoft Sentinel for security information and event management (SIEM). You need to create an analytics rule that detects when a user account is created outside of business hours from an unusual IP address. Which type of rule should you use?

A.Anomaly rule
B.Scheduled query rule
C.ML Behavior Analytics rule
D.Fusion rule
AnswerB

Scheduled rules run KQL queries at defined intervals to detect specific patterns.

Why this answer

Option B is correct: scheduled query rules run at regular intervals to detect suspicious activity based on KQL queries. Option D is wrong: Fusion is for multistage attacks. Option C is wrong: ML Behavior Analytics uses machine learning, not custom queries.

Option A is wrong: anomaly rules are for detecting anomalies, not specific conditions.

58
MCQhard

Refer to the exhibit. A security architect is reviewing a Microsoft Purview sensitivity label configuration for a financial services company. The compliance team requires that employees must provide justification when downgrading a document labeled 'Confidential - Financial' to 'General'. Which configuration is missing?

A.Create a new sublabel under 'General' to match the hierarchy
B.Configure auto-labeling for the sublabel
C.Configure the sublabel's protection settings to require justification for downgrade
D.Enable label analytics in Purview
AnswerC

Protection settings on the label include an option to require justification when lowering the label.

Why this answer

The exhibit shows a sensitivity label hierarchy but does not include any marking or protection settings. To require justification for downgrading, the label must have the 'justification on downgrade' setting configured. Option C is correct because justification is configured as part of the label's protection settings.

Option B is wrong because auto-labeling is for automatic application, not downgrade control. Option D is wrong because label analytics is for reporting, not enforcement. Option A is wrong because creating a sublabel does not by itself enforce justification.

59
MCQhard

A government agency, Northwind, is deploying a sensitive application on Azure App Service Environment (ASE) v3. The application handles classified data and must meet FedRAMP High requirements. You need to design a security solution that includes: (1) encryption at rest for the app's content and configuration, (2) encryption in transit with TLS 1.2 or higher, (3) network isolation using VNet integration and private endpoints, (4) identity-based access to Azure SQL Database using managed identity, and (5) certificate management for custom domains using Azure Key Vault. Which of the following designs meets all requirements?

A.Deploy the app on a multi-tenant App Service plan, enforce HTTPS only with TLS 1.2, use a system-assigned managed identity to access Azure SQL Database, and configure TLS/SSL certificates from Azure Key Vault.
B.Deploy the app on an ASE v3 in a VNet, enforce HTTPS only with TLS 1.2, use a system-assigned managed identity to access Azure SQL Database, and configure TLS/SSL certificates from Azure Key Vault.
C.Deploy the app on an ASE v3 in a VNet, enforce HTTPS only with TLS 1.2, use a user-assigned managed identity to access Azure SQL Database, and configure TLS/SSL certificates from App Service certificates.
D.Deploy the app on an ASE v3 in a VNet, enforce HTTPS only with TLS 1.2, use a service principal to access Azure SQL Database, and configure TLS/SSL certificates from Azure Key Vault.
AnswerB

ASE v3 provides network isolation, managed identity provides secure database access, and Key Vault handles certificates.

Why this answer

Option B is correct because ASE v3 is deployed in a VNet, providing network isolation. App Service can use a managed identity for database access. TLS can be enforced in the app settings, and certificates can be imported from Key Vault.

Option A is wrong because App Service on a multi-tenant (public) plan is not network isolated. Option C is wrong because VNet integration does not provide inbound isolation; a private endpoint is needed.

Option D is wrong because a service principal is less secure than a managed identity.

60
Multi-Selecthard

A company is deploying a new application that uses Azure Cosmos DB. The security requirements include: data encryption at rest, data encryption in transit, and the ability to audit all data access. Which THREE of the following should you implement?

Select 3 answers
A.Use Azure SQL Database instead of Cosmos DB
B.Require TLS for all connections to Cosmos DB
C.Use Azure Active Directory authentication for Cosmos DB
D.Enable encryption at rest with customer-managed keys
E.Enable diagnostic logging for Cosmos DB
AnswersB, D, E

TLS encrypts data in transit between clients and Cosmos DB.

Why this answer

Options B, D, and E are correct. Option B: Cosmos DB requires TLS for all client connections by default, ensuring encryption in transit. Option D: Encryption at rest is enabled by default; using customer-managed keys provides additional control.

Option E: Diagnostic logging enables auditing of data access. Option A is wrong because Azure SQL Database is a different service. Option C is wrong because Azure Active Directory (now Entra ID) authentication is supported but does not by itself encrypt data.

61
MCQeasy

Your company is developing a Microsoft Teams app that accesses user profiles. You need to ensure the app only accesses minimal required data. What should you implement?

A.Admin consent for all scopes
B.Application permissions for Microsoft Graph
C.Delegated permissions with User.Read
D.Delegated permissions with User.Read.All
AnswerC

User.Read grants read of the signed-in user's profile only, following least privilege.

Why this answer

Option C is correct because Microsoft Graph delegated permissions with least privilege ensure the app only accesses the minimum required data. Option A is wrong because admin consent for all scopes grants full access.

Option B is wrong because application permissions are app-only, grant broad access, and are for background services, not user context. Option D is wrong because User.Read.All grants read access to every user's profile, more than the app needs.

62
MCQhard

A company is deploying a new application that will store sensitive customer data in Azure SQL Database. The security team requires that all data at rest be encrypted using a customer-managed key stored in Azure Key Vault. Additionally, they need to ensure that the database can be restored to a point in time and that the encryption key is rotated every 90 days. Which combination of features should you configure?

A.Enable TDE with service-managed keys and use Azure Policy to enforce rotation.
B.Use Always Encrypted with column master key in Azure Key Vault and manual rotation.
C.Use Azure Storage Service Encryption with customer-managed keys and enable soft delete.
D.Enable TDE with customer-managed keys in Azure Key Vault and configure automatic key rotation.
AnswerD

TDE with CMK encrypts data at rest; automatic rotation handles periodic rotation.

Why this answer

Transparent Data Encryption (TDE) with customer-managed keys in Azure Key Vault meets the encryption requirement. Automatic key rotation via Key Vault ensures rotation every 90 days. Point-in-time restore (PITR) is built into Azure SQL.

Always Encrypted (option B) is column-level and not required here. Option D correctly combines TDE with customer-managed keys and automatic rotation.

63
MCQmedium

Trey Research, a biotech firm, is developing a machine learning model on Azure Machine Learning that uses sensitive genomic data. The data is stored in Azure Blob Storage. The company requires that all data be encrypted at rest using customer-managed keys stored in Azure Key Vault, and that access to the storage account be restricted to the Azure Machine Learning workspace and specific data scientists via Azure AD authentication. Additionally, the storage account must be accessible only from the company's virtual network. Which of the following configurations should you implement?

A.Enable encryption at rest with a customer-managed key, configure a firewall to allow the Machine Learning workspace's IP range, and grant data scientists access via storage account access keys.
B.Enable encryption at rest with a service-managed key, configure a private endpoint, and grant data scientists access using Azure RBAC with the Storage Blob Data Reader role.
C.Enable encryption at rest with a customer-managed key, configure a private endpoint for the storage account, and grant the Machine Learning workspace and data scientists access using Azure RBAC with the Storage Blob Data Contributor role.
D.Enable encryption at rest with a customer-managed key, configure a service endpoint for the storage account, and grant the Machine Learning workspace access using a SAS token.
AnswerC

Private endpoint provides VNet isolation, RBAC provides fine-grained access, and CMK provides encryption control.

Why this answer

Option C is correct because it provides encryption at rest with CMK, a private endpoint for VNet isolation, and RBAC for access control. Option A is wrong because firewall rules are less secure than private endpoints. Option D is wrong because SAS tokens are less secure than managed identities.

Option B is wrong because service-managed keys do not meet the CMK requirement.

64
MCQhard

Refer to the exhibit. A security architect is reviewing an ARM template that deploys an Azure Storage container. They want to ensure the container is not publicly accessible. What is the security implication of this template?

A.The container allows public access
B.The template creates a container with versioning enabled
C.The template enables encryption at rest
D.The template does not configure network rules, so the container may be accessible from the internet, but only to authenticated users
AnswerD

Without network restrictions, authenticated users from anywhere can access the container.

Why this answer

The template sets 'publicAccess' to 'None', which means no anonymous access. However, the container inherits default network rules from the storage account. If the storage account firewall is not configured, the container may still be accessible over the internet by authenticated users.

Option D is correct. Option A is wrong because public access is set to None. Option B is wrong because network rules are not defined in this template.

Option C is wrong because the template does not mention encryption.

65
MCQhard

Your organization uses Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data in Microsoft Teams. You need to prevent users from sharing credit card numbers in Teams chat messages. However, the policy should allow sharing with external vendors if they are in your organization's approved list. What should you configure?

A.Configure a DLP policy with a condition to block sharing of credit card numbers to external users except those from approved domains.
B.Create a DLP policy that blocks credit card numbers and set the action to 'Block external sharing' for all external users.
C.Use Microsoft Purview Information Protection to automatically apply a 'Confidential' label to messages containing credit card numbers and block forwarding.
D.Create a sensitivity label for credit card data and publish it to Teams, then configure auto-labeling.
AnswerA

Allows approved external vendors while blocking others.

Why this answer

Option A is correct because DLP policies for Teams can use conditions to restrict sharing to specific domains or approved external organizations. Option B is wrong because blocking all external sharing is too restrictive. Option C is wrong because sensitivity labels are separate from DLP and not designed for this granular condition.

Option D is wrong because labels can't directly control sharing in Teams chat based on external party approval.

66
MCQeasy

Your organization uses Microsoft 365 and wants to prevent users from sharing sensitive documents externally via email. The solution must be able to detect credit card numbers and automatically block the email. Which technology should you use?

A.Microsoft Purview Sensitivity labels with auto-classification
B.Microsoft Defender for Office 365 Safe Attachments
C.Microsoft Purview Data Loss Prevention (DLP) policy for Exchange Online
D.Azure Information Protection (AIP) unified labeling client
AnswerC

DLP policies can detect sensitive data and block emails containing that data.

Why this answer

Option C is correct because Microsoft Purview DLP policies can automatically detect sensitive information types like credit card numbers and block emails. Option A is wrong because sensitivity labels are for classification, not for blocking. Option D is wrong because AIP (now part of Purview) is for labeling, not for blocking.

Option B is wrong because Microsoft Defender for Office 365 focuses on phishing and malware, not on DLP.

67
MCQmedium

A company uses Microsoft Defender for Cloud Apps to enforce session policies. The security team needs to block downloads of sensitive files from Microsoft 365 when accessed from unmanaged devices. Which type of policy should they configure?

A.File policy
B.Data Loss Prevention (DLP) policy in Microsoft 365
C.Session policy
D.Access policy
AnswerC

Session policies monitor and control user activities in real-time based on device compliance.

Why this answer

Session policies in Defender for Cloud Apps allow real-time monitoring and control of user activities based on device state. Option C is correct. Option A is wrong because file policies are post-hoc, not real-time.

Option D is wrong because access policies govern access at the app level, not session-level controls. Option B is wrong because DLP policies in Microsoft 365 are broader and not tied to session enforcement.

68
MCQhard

A company uses Microsoft Defender for Cloud to protect their hybrid environment. They have on-premises servers that are monitored by Microsoft Defender for Servers. The security team notices that some servers are missing critical security updates. They want to automatically remediate missing updates on these servers. Which feature should they enable?

A.Adaptive Application Controls
B.Azure Automation Update Management
C.Azure Update Manager
D.Just-in-Time (JIT) VM access
AnswerC

Integrated with Defender for Cloud to assess and remediate missing updates on servers.

Why this answer

Defender for Cloud can integrate with Azure Update Manager (formerly Update Management) to remediate missing updates. Option C is correct. Option B is wrong because Azure Automation Update Management is the legacy solution; the current recommendation is Azure Update Manager.

Option D is wrong because Just-in-Time access is for VM access control. Option A is wrong because Adaptive Application Controls are for allowing specific applications.

69
Multi-Selectmedium

Your organization uses Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data in Microsoft 365. You need to create a DLP policy that detects and blocks sharing of credit card numbers in Exchange Online emails. Which TWO components must you configure?

Select 2 answers
A.Retention label for financial data
B.Auto-labeling policy
C.Action to block sharing
D.Sensitive info type for credit card number
E.Trainable classifier for credit card numbers
AnswersC, D

The DLP policy must have an action to block the email containing credit card data.

Why this answer

Option D is correct because a sensitive info type for credit card number is required to identify the data. Option C is correct because the action 'Block' must be set to prevent sharing. Option A is wrong because a retention label is for data retention, not DLP.

Option E is wrong because trainable classifiers are for complex patterns, but credit card numbers are a predefined sensitive info type. Option B is wrong because auto-labeling is separate from DLP.

70
MCQmedium

A company uses Microsoft 365 and wants to protect sensitive documents from being shared externally. They need a solution that automatically classifies documents containing personally identifiable information (PII) and applies appropriate protection. Which two services should they combine?

A.Microsoft Defender for Cloud Apps and Microsoft Intune
B.Microsoft Purview Compliance Manager and Microsoft Sentinel
C.Azure Information Protection and Microsoft Entra ID
D.Microsoft Purview Information Protection and Data Loss Prevention (DLP)
AnswerD

Purview Information Protection classifies and labels documents, and DLP enforces policies to prevent external sharing.

Why this answer

Microsoft Purview Information Protection provides classification and labeling, while Data Loss Prevention (DLP) enforces protection actions. Option D is correct because these two services work together to automatically classify and protect documents. Option A is wrong because Microsoft Defender for Cloud Apps is for SaaS app security, not primarily for document classification.

Option C is wrong because Azure Information Protection is the predecessor, now part of Purview, and Microsoft Entra ID is for identity, not document classification.

71
MCQhard

Contoso, a healthcare provider, is deploying a new patient portal on Azure App Service that stores electronic health records (EHR) in Azure Cosmos DB for NoSQL. The solution must comply with HIPAA and HITRUST. You need to ensure that data is encrypted at rest and in transit, and that access is restricted based on user roles. Cosmos DB must be configured with a private endpoint to prevent public internet access. You plan to use Azure Key Vault to manage encryption keys. Additionally, the application will access Cosmos DB using a system-assigned managed identity. Which of the following is the most complete and secure design?

A.Enable encryption at rest using service-managed keys, enforce TLS 1.2, configure a service endpoint for Cosmos DB, and grant the managed identity access using Cosmos DB built-in roles (e.g., Cosmos DB Built-in Data Contributor).
B.Disable encryption at rest to improve performance, enforce TLS 1.2, configure a private endpoint, and use the managed identity with a read-write key in Azure Key Vault.
C.Enable encryption at rest using service-managed keys, enforce TLS 1.2, configure a firewall to allow only the App Service outbound IP, and use read-write keys in application settings.
D.Enable encryption at rest using a customer-managed key in Azure Key Vault, enforce TLS 1.2, configure a private endpoint for Cosmos DB, and grant the managed identity access via Azure RBAC with a custom role that allows read/write to specific containers.
AnswerD

CMK provides key control, private endpoint isolates network, managed identity eliminates key management, and RBAC provides fine-grained access.

Why this answer

Option D is correct because it enables both encryption at rest (with CMK) and encryption in transit (TLS 1.2), uses a private endpoint for network isolation, and implements Azure RBAC for granular access control. Options A and C are wrong because service-managed keys do not meet HIPAA requirements for key control; option C additionally relies on firewall rules, which are less secure than private endpoints, and option A relies on Cosmos DB built-in roles, which do not support custom role-based access for patient data.

Option B is wrong because disabling encryption at rest is a security risk.

72
MCQhard

Your company uses Microsoft Azure to host a critical application that processes credit card payments. The application must comply with PCI DSS. You need to ensure that all access to cardholder data is logged and monitored, and that any unauthorized access attempts trigger an alert. Which combination of services should you use?

A.Azure Policy and Microsoft Defender for Cloud Apps
B.Azure Policy and Microsoft Defender for Cloud
C.Azure Key Vault and Microsoft Defender for Cloud
D.Azure Monitor and Microsoft Sentinel
AnswerD

Azure Monitor collects logs, and Sentinel provides alerting on suspicious activity.

Why this answer

Option D is correct: Azure Monitor logs access, and Microsoft Sentinel provides alerting. Options A and B are wrong: Azure Policy enforces compliance but does not log or alert, and Defender for Cloud provides security posture but not logging.

Option C is wrong: Key Vault is for secrets, not logging.

73
MCQeasy

Your company is designing a solution to store sensitive documents in Azure Files. The files must be encrypted at rest and in transit. Which two configurations are required? (Each correct answer presents part of the solution.)

A.Enable Azure Disk Encryption on the VMs that mount the share.
B.Configure the storage account to use HTTPS only.
C.Enable Azure Storage Service Encryption (SSE) for the storage account.
D.Configure the Azure file share to require SMB 3.0 with encryption.
E.Use Azure File Sync to sync files to on-premises servers.
AnswersC, D

SSE encrypts data at rest automatically.

Why this answer

Options C and D are correct. Encryption at rest is provided by Azure Storage Service Encryption (SSE). Encryption in transit is provided by SMB 3.0 with encryption.

Option E is wrong because Azure File Sync does not provide encryption at rest or in transit for the file share itself. Option A is wrong because Azure Disk Encryption is for VMs, not Azure Files. Option B is wrong because HTTPS/TLS applies to REST access, not to SMB.

74
MCQhard

Your organization uses Microsoft Intune to manage devices. You need to deploy a line-of-business (LOB) app to iOS devices that is not available in the public App Store. The app is signed with an enterprise certificate. Which app deployment method should you use?

A.Android Enterprise managed Google Play
B.Volume Purchase Program (VPP) token
C.Microsoft Store for Business
D.iOS line-of-business app deployment in Intune
AnswerD

Supports enterprise-signed LOB apps.

Why this answer

Option D is correct because Intune can deploy LOB apps to iOS devices using enterprise certificate signing and MDM distribution. Option B is wrong because the VPP store only contains public apps. Option A is wrong because Android Enterprise is not for iOS.

Option C is wrong because Microsoft Store for Business is for Windows apps.

75
MCQhard

Refer to the exhibit. You are reviewing an Azure Policy definition for storage accounts. You assign this policy with effect set to 'Deny' on a resource group. Which of the following scenarios will be blocked by this policy?

A.Creating a storage account with a firewall set to deny all public access
B.Creating a storage account with TLS 1.0 enabled
C.Creating a storage account with blob service encryption disabled
D.Creating a storage account with infrastructure encryption disabled
AnswerC

The policy denies if blob service encryption is not enabled.

Why this answer

Option C is correct because the policy denies storage accounts that do not have blob service encryption enabled. Option D is wrong because the policy checks blob service encryption, not infrastructure encryption. Option B is wrong because the policy does not check the TLS version.

Option A is wrong because the policy does not check network access.
