CCNA Design security solutions for applications and data Questions

57 of 207 questions · Page 3/3 · Design security solutions for applications and data · Answers revealed

151
MCQ · medium

Refer to the exhibit. A security architect is reviewing an Azure Policy definition. What is the effect of this policy?

A. Modifies storage accounts to enable HTTPS traffic only
B. Audits storage accounts that do not require HTTPS traffic
C. Denies creation or update of storage accounts that do not require HTTPS traffic
D. Deploys a remediation task to enable HTTPS traffic only

Answer: C

The policy denies any storage account where HTTPS traffic only is not enabled.

Why this answer

The policy checks whether the resource type is a storage account and whether HTTPS traffic only is set to false. If both conditions are true, it denies the creation or update of the storage account. Option C is correct because the effect is 'deny'.

Option A is wrong because the policy does not modify; it denies. Option B is wrong because it does not audit; it denies. Option D is wrong because it does not deploy a remediation task.

152
MCQ · medium

Your organization uses Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data in Microsoft 365. You need to ensure that when a user attempts to share a document containing credit card numbers externally, the action is blocked and the user is shown a policy tip. Which DLP rule configuration should you use?

A. Block the action with a policy tip and allow override
B. Block the action and send an incident report in email
C. Audit the action only
D. Block the action without allowing override

Answer: A

This blocks the action, shows a policy tip, and allows override with justification.

Why this answer

Option A is correct: blocking with override and a policy tip enforces the block and shows the tip, while still allowing the user to override if they provide a justification. Option D is wrong: blocking without override is too restrictive and does not show a policy tip. Option C is wrong: audit only does not block the action.

Option B is wrong: blocking with an incident report sends an email but does not show a policy tip.

153
MCQ · hard

A healthcare organization is designing a zero-trust application security strategy. They use Microsoft Entra ID for identity and plan to deploy a legacy on-premises web application with no modern authentication support. The solution must ensure that only authorized users can access the app and that access is logged for auditing. Which Microsoft security service should they use to secure access?

A. Azure AD B2C
B. Microsoft Entra application proxy
C. Microsoft Defender for Cloud Apps
D. Microsoft Intune

Answer: B

Provides secure remote access and conditional access for on-premises web apps without modifying the app.

Why this answer

Option B is correct: Microsoft Entra application proxy provides secure remote access and conditional access for on-premises apps without requiring a VPN or changes to the app. Option C is wrong because Defender for Cloud Apps is for cloud apps.

Option A is wrong because Azure AD B2C is for customer-facing apps. Option D is wrong because Microsoft Intune is for device management, not app access.

154
Multi-Select · medium

A financial institution, Contoso Bank, is deploying a new application on Azure Kubernetes Service (AKS) that processes credit card transactions (PCI DSS). The application uses Azure SQL Database and Azure Redis Cache. You need to design a security solution that meets PCI DSS requirements. Which THREE of the following should you implement?

Select 3 answers
A. Deploy AKS as a private cluster with no public endpoint.
B. Configure Always Encrypted for sensitive columns in Azure SQL Database.
C. Enable Azure RBAC for Kubernetes authorization.
D. Use private endpoints for Azure SQL Database and Azure Cache for Redis.
E. Disable TLS for Azure Cache for Redis to improve performance.

Answers: A, B, D

A private cluster ensures that the Kubernetes API server is not exposed to the internet.

Why this answer

Option A is correct because AKS should be a private cluster to isolate the Kubernetes API server from the internet. Option B is correct because Azure SQL Database should use Always Encrypted for sensitive data. Option D is correct because Azure SQL Database and Azure Cache for Redis should use private endpoints for network isolation.

Option C is wrong because Azure RBAC for Kubernetes alone is not sufficient for PCI DSS; network policies and a private cluster are needed. Option E is wrong because Redis cache traffic should be encrypted in transit (TLS), and at rest if needed.

155
MCQ · medium

Your organization is deploying a customer-facing web application in Azure. The application must authenticate users via Microsoft Entra ID and access Microsoft Graph to read user profiles. The security team requires that the application never has access to user passwords. Which authentication flow should you recommend?

A. OAuth 2.0 implicit grant flow
B. OAuth 2.0 device authorization flow
C. OAuth 2.0 client credentials grant flow
D. OAuth 2.0 authorization code flow with PKCE

Answer: D

This flow obtains an authorization code after user consent, then exchanges it for tokens. PKCE ensures the code cannot be intercepted and replayed. No password is exposed to the application.

Why this answer

Option D is correct because the OAuth 2.0 authorization code flow with PKCE is the recommended flow for native and web apps that need to access APIs without exposing user credentials. Option C is wrong because the client credentials flow is for server-to-server scenarios without a user context. Option B is wrong because the device authorization flow is for devices with limited input capabilities.

Option A is wrong because the implicit grant flow is deprecated due to security concerns.

156
MCQ · medium

Your company is developing a microservices application that will run on Azure Kubernetes Service (AKS). The application must authenticate to Azure SQL Database using managed identities. Which type of managed identity should you assign to the AKS cluster?

A. Certificate-based authentication using Azure Key Vault
B. System-assigned managed identity on the cluster
C. Service principal with client secret
D. User-assigned managed identity and Azure AD Pod Identity

Answer: D

Pod Identity assigns a user-assigned identity to pods so they can access Azure resources.

Why this answer

Option D is correct. AKS uses a system-assigned managed identity for the cluster itself to integrate with Azure resources such as load balancers; for pods to access Azure SQL, you need a pod identity (such as Azure AD Pod Identity), which uses a user-assigned managed identity. Option B is wrong because the system-assigned identity is for the cluster, not the pods.

Option C is wrong because a service principal with a client secret is the legacy approach. Option A is wrong because certificate-based authentication is not a managed identity.

157
MCQ · hard

Refer to the exhibit. A security administrator is reviewing a Conditional Access policy JSON. They want to ensure that users with medium risk level are prompted for multi-factor authentication (MFA), while high-risk users are blocked. The policy is not working as expected. Which issue is present in the policy?

A. The policy mode should be 'report-only'
B. The policy requires both user and sign-in risk to be high to block, but a user with high user risk and low sign-in risk would not be blocked
C. The JSON syntax is invalid
D. The conditions are combined with 'Or' instead of 'And'

Answer: B

The rule requires both risk levels to be high; a single high risk would not trigger the block.

Why this answer

The policy uses 'and' logic for user risk and sign-in risk within the same rule, so both must be high to block and both must be medium to require MFA, because the conditions are combined with an implicit 'and'. For the intended effect, separate policies or a different condition structure is needed.

Option B is correct. Option C is wrong because the syntax is valid JSON. Option D is wrong because there is no 'Or' condition issue; the conditions are combined with 'and'.

Option A is wrong because the policy mode is 'default'.

158
Multi-Select · medium

Your organization uses Azure Data Lake Storage Gen2 for big data analytics. You need to secure access to the data using Azure RBAC and ACLs. Which two methods can you use to authorize access? (Choose two.)

Select 2 answers
A. Configure IP firewall rules to restrict access.
B. Assign Azure RBAC roles such as Storage Blob Data Contributor to security principals.
C. Set POSIX-like access control lists (ACLs) on directories and files.
D. Use managed identities for Azure resources.
E. Generate shared access signatures (SAS) for delegated access.

Answers: B, C

RBAC roles grant permissions to the storage account.

Why this answer

Options B and C are correct. Azure RBAC roles (e.g., Storage Blob Data Contributor) provide coarse-grained access. POSIX-like ACLs provide fine-grained access at the directory and file level.

Option E is wrong because SAS tokens provide delegated access but are neither RBAC nor ACLs. Option D is wrong because a managed identity is an identity, not an authorization method. Option A is wrong because firewall rules control network access, not authorization.

159
Multi-Select · hard

Your organization is implementing a secure DevOps pipeline for Azure. You need to ensure that secrets (e.g., API keys) are not stored in source code and that access to production resources is controlled. Which THREE practices should you implement?

Select 3 answers
A. Store secrets in Azure DevOps pipeline variables with encryption enabled
B. Use Azure Key Vault to store secrets and retrieve them at deployment time
C. Use Azure DevOps variable groups linked to Azure Key Vault
D. Store secrets in a configuration file in a private Git repository
E. Use managed identities for Azure resources to authenticate to Key Vault

Answers: B, C, E

Key Vault securely stores secrets and can be accessed by pipelines.

Why this answer

Options B, C, and E are correct. Using Azure Key Vault for secrets, managed identities for Azure resources, and Azure DevOps variable groups linked to Key Vault are all secure practices. Option A is wrong because storing secrets in pipeline variables, even with encryption, is not as secure as Key Vault.

Option D is wrong because storing secrets in a configuration file in source control is insecure.

160
MCQ · easy

Your company uses Microsoft Defender for Cloud Apps to discover shadow IT. You need to ensure that data exfiltration from sanctioned cloud apps is blocked in real-time. Which control should you configure?

A. Conditional Access App Control
B. IP address ranges
C. Cloud discovery
D. App connector

Answer: A

Session-based control uses a reverse proxy to monitor and block data exfiltration in real time.

Why this answer

Option A is correct because session-based Conditional Access App Control enforces real-time monitoring and control of app sessions. Option D is wrong because app connectors provide read-only monitoring. Option C is wrong because cloud discovery only identifies apps; it does not control them.

Option B is wrong because IP address ranges are used for location policies, not session control.

161
MCQ · medium

A security architect is designing a data protection strategy for a Microsoft 365 tenant. The company must prevent users from sharing sensitive documents with external users via SharePoint Online. They want to apply a policy that automatically detects sensitive content and blocks external sharing. Which Microsoft Purview solution should they use?

A. Sensitivity labels
B. Retention policies
C. Data Loss Prevention (DLP) policy
D. Microsoft Purview Information Protection

Answer: C

DLP policies can automatically detect sensitive data and block actions like external sharing.

Why this answer

Microsoft Purview Data Loss Prevention (DLP) policies can detect sensitive data and block external sharing. Option C is correct. Option A is wrong because sensitivity labels require manual application or automatic classification, but blocking external sharing is typically done by DLP.

Option B is wrong because retention policies are for data retention, not blocking sharing. Option D is wrong because Microsoft Purview Information Protection is the umbrella, but the specific policy is DLP.

162
Multi-Select · medium

Your company uses Microsoft Intune to manage mobile devices. You need to protect corporate data on mobile devices by ensuring that work files are encrypted and not accessible by personal apps. What three configurations should you implement? (Choose three.)

Select 3 answers
A. Require device encryption on all devices.
B. Enable mobile threat defense (MTD) integration to block risky devices.
C. Deploy a device compliance policy that requires a PIN.
D. Create an app protection policy (MAM) that encrypts work data and prevents save-as to personal locations.
E. Configure Conditional Access to require app protection policy for access to corporate data.

Answers: B, D, E

MTD adds security by detecting threats on the device.

Why this answer

Options B, D, and E are correct. App protection policies (MAM) prevent data from being copied to personal apps. Conditional Access with 'Require app protection policy' ensures managed apps are used. Mobile threat defense integration adds security by blocking risky devices.

Option A is wrong because device encryption is device-level, not app-level. Option C is wrong because compliance policies are for device compliance, not data protection on unmanaged devices.

163
MCQ · easy

Your organization uses Microsoft Sentinel as its SIEM. You need to collect logs from a custom line-of-business application that does not support standard syslog or Windows Event Log. The application writes logs to a text file on a Windows server. What is the most efficient way to ingest these logs into Microsoft Sentinel?

A. Configure the application to send logs to a syslog server and use a syslog connector.
B. Set up Azure Event Hubs and have the application write logs to Event Hubs.
C. Use the Azure Monitor Agent to collect the text file via a custom data source.
D. Install the Log Analytics Agent (deprecated, but still available) on the server and configure custom log collection.

Answer: D

The Log Analytics Agent can collect custom text files and parse them.

Why this answer

Option D is correct. The Log Analytics Agent can collect custom text logs by specifying the log file path and parsing rules; this is the most direct method. Option A is wrong because syslog is for Linux.

Option C is wrong because the Azure Monitor Agent does not support custom text logs natively. Option B is wrong because Event Hubs would require additional configuration.

164
Multi-Select · medium

You need to design a secure solution for a web application that authenticates users via Microsoft Entra ID and calls a downstream API. Which TWO should you implement to secure the application? (Choose TWO.)

Select 2 answers
A. Use the OAuth 2.0 authorization code flow with PKCE.
B. Store application secrets in Azure Key Vault.
C. Store application secrets in app configuration files.
D. Use the OAuth 2.0 client credentials flow.
E. Use shared access signatures (SAS) for API authentication.

Answers: A, B

Recommended for web apps with user interaction.

Why this answer

Options A and B are correct. Using the OAuth 2.0 authorization code flow with PKCE is the recommended authentication flow for web apps. Storing secrets in Azure Key Vault ensures they are securely managed.

Option D is wrong because the client credentials flow is for server-to-server calls, not calls on behalf of users. Option C is wrong because storing secrets in configuration files is insecure. Option E is wrong because shared access signatures (SAS) are for storage, not API authentication.

165
MCQ · easy

Your company uses Microsoft Purview to classify and protect sensitive data. You need to ensure that when a user sends an email containing a credit card number, the email is automatically encrypted and a notification is sent to the user. Which Microsoft Purview feature should you configure?

A. Sensitivity labels
B. Audit log policies
C. Insider risk management policies
D. Data Loss Prevention (DLP) policies

Answer: D

DLP can encrypt and notify on sensitive data.

Why this answer

Option D is correct because Data Loss Prevention (DLP) policies in Microsoft Purview can automatically apply encryption and send notifications when sensitive data is detected in emails. Option A is wrong because sensitivity labels require user action or auto-labeling and do not automatically encrypt on send. Option B is wrong because audit logs only record events; they do not enforce controls.

Option C is wrong because insider risk management focuses on user behavior, not content protection.

166
MCQ · easy

A company stores sensitive customer data in Azure SQL Database. They need to encrypt the data at rest and control access to encryption keys. Which solution should they use?

A. Azure Information Protection
B. Always Encrypted
C. Transparent Data Encryption (TDE) with customer-managed keys in Azure Key Vault
D. Dynamic Data Masking

Answer: C

TDE encrypts the database at rest, and using customer-managed keys in Key Vault gives the customer control over the encryption keys.

Why this answer

Option C is correct: Transparent Data Encryption (TDE) with customer-managed keys in Azure Key Vault provides at-rest encryption and allows the customer to control the encryption keys. Option D is wrong because Dynamic Data Masking hides data from non-privileged users but does not encrypt at rest. Option B is wrong because Always Encrypted encrypts data in use and at rest, but TDE is the standard for at-rest encryption.

Option A is wrong because Azure Information Protection is for classification and labeling, not database encryption.

167
MCQ · medium

Your organization is deploying a new line-of-business application on Azure App Service. The app must authenticate users from Microsoft Entra ID and also access a downstream API that requires a client secret. You need to recommend the most secure method for managing the client secret. What should you use?

A. Store the secret in the Azure AD app registration manifest.
B. Store the secret in an App Service application setting.
C. Store the secret in Azure Key Vault and use a Key Vault reference in App Service.
D. Store the secret in the application code as a constant.

Answer: C

Key Vault provides centralized secret management with access policies and auditing.

Why this answer

Option C is correct because Azure Key Vault provides secure storage for secrets and certificates, and App Service can reference them via managed identity and Key Vault references. Option D is wrong because storing the secret in code exposes it to source control and accidental disclosure. Option B is wrong because App Service application settings are less secure and can be read through the portal.

Option A is wrong because the Azure AD app registration is the identity object, not a store for secrets.

168
MCQ · medium

Your organization uses Microsoft Sentinel to centralize security monitoring. You need to detect anomalous access to a critical Azure SQL Database from unusual geographic locations. Which data connector and analytic rule should you use?

A. Azure SQL Database connector and a custom scheduled query rule with geo-location
B. Azure Active Directory connector and an anomaly rule for sign-ins
C. Windows Security Events connector and a rule for failed logins
D. Azure Activity connector and a rule for resource deletion

Answer: A

The Azure SQL Database connector ingests diagnostic logs (SQLInsights, QueryStoreRuntimeStatistics) that include the client IP. A rule can detect connections from unusual locations.

Why this answer

Option A is correct because the Azure SQL Database connector ingests diagnostic logs containing connection events, and an analytics rule can detect anomalies by location. Option B is wrong because Azure AD sign-in logs do not include database-level connections. Option D is wrong because Azure Activity logs track control plane operations, not data plane access.

Option C is wrong because Windows Security Events are for on-premises servers, not Azure SQL.

169
MCQ · hard

You are designing a solution for an Azure SQL Database that stores sensitive financial data. The compliance team requires that all queries are audited and that access to sensitive columns is restricted for certain users. What should you implement?

A. Enable Transparent Data Encryption (TDE) and SQL Server Audit.
B. Use Dynamic Data Masking and SQL Server Audit.
C. Implement Row-Level Security (RLS) and enable audit.
D. Use Always Encrypted for sensitive columns and enable Azure SQL Auditing.

Answer: D

Always Encrypted protects columns and auditing logs queries.

Why this answer

Option D is correct because using Always Encrypted protects sensitive columns at rest and in transit, and auditing via Azure SQL Auditing meets compliance. Option A is wrong because TDE encrypts the entire database, not columns. Option B is wrong because Dynamic Data Masking masks data but does not restrict access.

Option C is wrong because Row-Level Security restricts rows, not columns.

170
MCQ · medium

Your organization uses Microsoft Defender for Cloud to assess security posture. You need to ensure that your Azure App Service web applications are protected against common web vulnerabilities like SQL injection. What should you enable?

A. Web Application Firewall (WAF) on Azure Front Door
B. Just-in-time (JIT) VM access
C. Adaptive Application Controls
D. Azure DDoS Protection

Answer: A

WAF protects web applications from common exploits like SQL injection.

Why this answer

Option A is correct because Web Application Firewall (WAF) on Azure Front Door or Application Gateway protects against OWASP Top 10 vulnerabilities, including SQL injection. Option D is wrong because DDoS Protection protects against volumetric attacks, not web application attacks. Option B is wrong because JIT VM access reduces the attack surface on VMs, not web apps.

Option C is wrong because Adaptive Application Controls whitelist applications on servers; they do not protect against web attacks.

171
MCQ · medium

Your company uses Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data. You need to prevent users from sharing credit card numbers via email in Outlook on the web. The policy should notify users when they try to send such data and allow them to override with a business justification. What should you configure?

A. Create a DLP policy with the action 'Audit only' for credit card numbers
B. Create a DLP policy with the action 'Block with override' and enable 'Business justification'
C. Create a DLP policy that encrypts emails containing credit card numbers
D. Create a DLP policy with the action 'Block' for credit card numbers

Answer: B

This blocks by default but allows override with justification.

Why this answer

Option B is correct because DLP policies can have rules that detect sensitive info types such as credit card numbers, and the action 'Block with override' allows users to override with a justification. Option D is wrong because 'Block' without override is too restrictive. Option A is wrong because 'Audit only' does not block.

Option C is wrong because encryption alone does not block the send.

172
MCQ · medium

Your team develops a web application hosted on Azure App Service. You need to secure the application against common web vulnerabilities like SQL injection and cross-site scripting. What should you implement?

A. Enable Azure Web Application Firewall (WAF) on Azure Front Door or Application Gateway.
B. Store application secrets in Azure Key Vault and enable managed identity.
C. Configure Network Security Groups (NSGs) on the App Service subnet to restrict inbound traffic.
D. Enable Azure DDoS Protection on the virtual network.

Answer: A

WAF protects against SQL injection, XSS, and other web threats.

Why this answer

Option A is correct because Azure Web Application Firewall (WAF) on Azure Front Door or Application Gateway protects against OWASP Top 10 threats, including SQL injection and XSS. Option C is wrong because NSGs filter network traffic, not the application layer. Option B is wrong because Key Vault is for secrets, not request filtering.

Option D is wrong because DDoS protection is for network layer attacks.

173
MCQ · medium

You are reviewing the ARM template snippet for an Azure Storage container. What does the 'denyEncryptionScopeOverride' property set to 'true' ensure?

A. Double encryption is enabled for the container.
B. Encryption at rest is required for all blobs in the container.
C. The container automatically uses a customer-managed key for encryption.
D. Users cannot override the default encryption scope for blobs in this container.

Answer: D

This property prevents using a different encryption scope than the container default.

Why this answer

Option D is correct because when 'denyEncryptionScopeOverride' is true, all blobs in the container must use the default encryption scope and cannot specify a different scope. Option C is wrong because the property enforces the default scope; it does not require customer-managed keys. Option B is wrong because encryption at rest is always enabled; this setting only controls scope override.

Option A is wrong because the property does not affect double encryption.

174
MCQ · hard

Your organization uses Microsoft Defender for Endpoint (MDE) for endpoint detection and response. You need to protect sensitive data on Windows 10 devices from being exfiltrated via USB drives. The solution must be able to audit file copy operations to USB and block them for high-risk users. What should you configure?

A. Set up a Conditional Access policy in Microsoft Entra ID to block sign-ins from devices with USB activity
B. Use Microsoft Intune to create a device configuration profile that disables USB ports
C. Configure a Microsoft Purview DLP policy for endpoint devices
D. Deploy a device control policy in Microsoft Defender for Endpoint to audit USB usage and block for high-risk users

Answer: D

MDE device control can audit and block removable storage based on user groups.

Why this answer

Option D is correct because Microsoft Defender for Endpoint includes device control features that can audit and block removable storage. You can configure policies to audit all users and block high-risk users using custom device control policies. Option B is wrong because Intune can manage USB restrictions but not with MDE-specific auditing.

Option C is wrong because DLP policies in Microsoft Purview are for cloud and network. Option A is wrong because Conditional Access does not control USB.

175
MCQ · hard

An organization is using Microsoft Defender for Cloud to secure their Azure workloads. They have several Azure SQL databases that store sensitive financial data. The security team wants to receive alerts when a user attempts to access the database from a suspicious IP address or at an unusual time. Which Defender for Cloud plan provides this capability?

A. Defender for SQL
B. Defender for Databases
C. Defender for Cloud SQL
D. Microsoft Sentinel

Answer: A

Provides advanced threat protection for Azure SQL databases, including detection of anomalous access patterns.

Why this answer

Option A is correct: Defender for Cloud includes Defender for SQL, which provides anomalous activity detection for Azure SQL databases. Option B is wrong because Defender for Databases is a broader plan that includes SQL detection, but the specific feature asked for is the anomalous activity detection in Defender for SQL.

Option C is wrong because Defender for Cloud SQL is not a plan name. Option D is wrong because Microsoft Sentinel is a SIEM, not built-in database protection.

176
MCQ · medium

Your company is migrating a legacy on-premises web application to Azure App Service. The application uses Windows Integrated Authentication and connects to a SQL Server database. You need to design a security solution that minimizes changes to the application code while ensuring secure authentication and data protection. What should you use to authenticate users?

A. Microsoft Entra Application Proxy
B. Microsoft Entra Domain Services
C. App Service Authentication (EasyAuth) with Entra ID
D. Site-to-Site VPN with on-premises Active Directory

Answer: A

Application Proxy enables legacy apps to use Entra ID authentication with minimal code changes.

Why this answer

Option A is correct because Microsoft Entra Application Proxy allows legacy apps to use Entra ID authentication without modifying code, by publishing the app through the proxy. Option B is wrong because Azure AD (now Entra ID) Domain Services provides domain join but requires code changes or a separate auth flow. Option C is wrong because App Service Authentication (EasyAuth) can be configured but may require code changes for Windows Integrated Authentication.

Option D is wrong because a VPN does not solve authentication; it only secures network access.

177
MCQ · easy

Your organization is implementing Microsoft Defender for Cloud Apps to protect against malicious OAuth app permissions. Users have been granting permissions to third-party apps that request excessive scopes. What should you configure to automatically revoke such permissions?

A. OAuth app policies in Defender for Cloud Apps
B. Microsoft Intune app protection policies
C. Conditional Access policies
D. Azure AD app permissions management

Answer: A

OAuth app policies can automatically revoke permissions for risky apps.

Why this answer

Option A is correct: OAuth app policies in Defender for Cloud Apps let you set policies that automatically revoke permissions for apps that meet certain criteria. Option C is wrong: Conditional Access policies can block access but do not revoke app permissions. Option D is wrong: Azure AD app permissions management is part of Entra ID, but automatic revocation is done via Defender for Cloud Apps.

Option B is wrong: Intune is for device management, not app permissions.

178
MCQ · hard

Refer to the exhibit. A security administrator needs to ensure that the storage account 'securestore' is compliant with the company policy that requires encryption at rest using customer-managed keys and network access restricted to a specific virtual network. Which of the following statements is correct?

A. The storage account is compliant only if encryption is enabled for blob and file services.
B. The storage account is non-compliant because it uses Microsoft-managed keys for encryption.
C. The storage account is compliant because it uses customer-managed keys from Key Vault and network access is restricted to a specific virtual network.
D. The storage account is non-compliant because network access is allowed from any virtual network.

Answer: C

The output confirms customer-managed keys (keySource: Microsoft.Keyvault) and network ACLs with a default deny and a VNet rule.

Why this answer

Option C is correct. The output shows 'keySource' is 'Microsoft.Keyvault', indicating customer-managed keys. Network ACLs have 'defaultAction': 'Deny' and a virtual network rule allowing traffic from vnet1/subnet1.

Option B is wrong because the encryption is customer-managed, not Microsoft-managed. Option D is wrong because although there is a VNet rule, the default action is Deny, which restricts access to that network. Option A is wrong because the output shows encryption is already enabled for both blob and file services.

179
MCQ · medium

Your organization uses Microsoft Defender for Cloud to protect Azure resources. You need to ensure that only authorized applications can access Azure Key Vault secrets. The solution must use managed identities and least privilege. What should you configure?

A. Use a shared access signature (SAS) token stored in an environment variable
B. Assign a system-assigned managed identity to the application and grant it Key Vault Secrets User role
C. Enable public network access on Key Vault and restrict inbound IP addresses
D. Install a client certificate on the application server and use it to authenticate to Key Vault

Answer: B

This provides secure, identity-based access with least privilege.

Why this answer

Option B is correct because using a system-assigned managed identity and assigning Key Vault access policies with Get and List permissions provides secure, identity-based access with least privilege. Option C is wrong because enabling public network access increases the attack surface. Option A is wrong because shared access signature tokens are less secure and harder to manage.

Option D is wrong because certificate-based authentication adds complexity without the benefits of managed identity.

180
MCQ · medium

Refer to the exhibit. You are designing an API Management instance for a production environment. The exhibit shows a snippet of an ARM template. Which security concern is most critical to address before deploying to production?

A.Weak TLS cipher suites are enabled.
B.Publisher email and name are hardcoded.
C.The API version constraint is outdated.
D.The SKU is set to Developer, which is not suitable for production.
Answer: D

Developer SKU lacks SLA and scale.

Why this answer

Option D is correct because the Developer SKU is not suitable for production due to lack of SLA and limited scale. Option A is wrong because disabling TLS 1.0/1.1 and weak ciphers is actually a security best practice. Option B is wrong because the publisher email and name are informational.

Option C is wrong because the API version constraint affects feature set, not security.

181
MCQ · easy

You are designing security for a web application that will be developed by an external vendor. The vendor will have access to the source code repository and the development environment. You need to ensure that no secrets (e.g., API keys, connection strings) are stored in the source code. What is the best approach to manage secrets for this application?

A.Use Azure Key Vault to store secrets and configure the application to use managed identity to retrieve them.
B.Store secrets in environment variables on the application server.
C.Store secrets in Azure App Service application settings encrypted at rest.
D.Embed secrets in the compiled code using obfuscation.
Answer: A

Key Vault provides centralized secret management; managed identity avoids storing credentials.

Why this answer

Using Azure Key Vault to store secrets and referencing them from the application is the standard best practice. The application can use managed identity to authenticate to Key Vault securely. Storing secrets in app settings is not secure if the repository is accessible.

Using environment variables is better but still not as secure as Key Vault. Hardcoding is unacceptable.

182
MCQ · hard

Wide World Importers is deploying a critical line-of-business application on Azure Kubernetes Service (AKS). The application processes financial transactions and must meet SOX compliance. You need to design a security solution that includes: encryption of secrets (e.g., database connection strings) using Azure Key Vault, automatic certificate rotation for TLS termination, network isolation of the AKS cluster, and audit logging of all access to secrets. The solution should use a managed identity for the AKS cluster to access Key Vault. Which of the following designs meets the requirements?

A.Enable managed identity for the AKS cluster, integrate Key Vault with AKS using the Secrets Store CSI driver, deploy the cluster as a private cluster, and enable diagnostic settings on Key Vault to send logs to a Log Analytics workspace.
B.Use a service principal for AKS to access Key Vault, store secrets as Kubernetes secrets, configure a private cluster, and enable audit logging on Key Vault.
C.Enable managed identity for the AKS cluster, store secrets in the cluster's native Kubernetes secrets, use a private endpoint for the AKS API server, and enable Azure Monitor for containers.
D.Use a service principal to access Key Vault, store secrets as encrypted Kubernetes secrets with a customer-managed key, deploy a public cluster with network policies, and enable Key Vault logging.
Answer: A

Managed identity provides secure access, CSI driver mounts secrets securely, private cluster provides network isolation, and diagnostic settings provide audit logs.

Why this answer

Option A is correct because it uses managed identity for secure secret access, Key Vault integration for secrets, a private cluster for network isolation, and diagnostic settings for audit logging. Option C is wrong because a private cluster is needed for network isolation, not just a private endpoint. Option B is wrong because secrets should be stored in Key Vault, not in Kubernetes secrets.

Option D is wrong because service principal is less secure than managed identity, and Kubernetes secrets are not encrypted at rest by default.

183
Multi-Select · medium

Your company uses Microsoft Intune to manage corporate devices. You need to protect company data on devices by preventing data leakage to personal apps. Which TWO policies should you configure? (Choose TWO.)

Select 2 answers
A.Device compliance policies
B.App protection policies (MAM)
C.Device configuration profiles
D.Windows Information Protection (WIP)
E.Conditional access policies requiring approved client apps
Answers: B, E

Prevent data transfer to unmanaged apps.

Why this answer

Option B and Option E are correct. App protection policies (MAM) can prevent data transfer to unmanaged apps, and conditional access can restrict access to managed apps. Option A is incorrect because device compliance policies focus on device health, not data leakage.

Option D is incorrect because Windows Information Protection (WIP) is for Windows devices, not cross-platform. Option C is incorrect because configuration profiles set device settings, not data protection.

184
MCQ · easy

Refer to the exhibit. What is the purpose of this KQL query?

A.To count the number of SQL injection alerts by severity.
B.To retrieve SQL injection alerts from the past 7 days with specific fields.
C.To join security alerts with other data sources to find compromised entities.
D.To list all security alerts generated in the last 7 days.
Answer: B

The query selects alerts where AlertName contains 'SQL injection' and projects selected columns.

Why this answer

Option B is correct. The query filters for SQL injection alerts in the last 7 days and projects relevant columns. Option D is wrong because the query does not show all alerts, only SQL injection ones.

Option C is wrong because it does not join with other tables. Option A is wrong because it does not aggregate or count alerts.

185
Multi-Select · easy

Your organization wants to enable Microsoft Defender for Cloud Apps to monitor and control the use of Box and Dropbox. Which TWO steps must you perform?

Select 2 answers
A.Connect the app using an app connector
B.Add Box and Dropbox to the unsanctioned list
C.Deploy a forward proxy
D.Configure Conditional Access App Control
E.Run a cloud discovery report
Answers: A, D

App connectors allow Defender for Cloud Apps to monitor and control the app.

Why this answer

Option A is correct because you need to connect the app via an app connector to allow monitoring. Option D is correct because Conditional Access App Control enables session-level control. Option E is wrong because cloud discovery automatically detects apps, but for sanctioned apps you use app connectors.

Option C is wrong because you deploy a reverse proxy, not a forward proxy. Option B is wrong because you need to add the app to the sanctioned list after connecting.

186
MCQ · easy

A software company, SouthRidge, is deploying a multi-tier application on Azure Virtual Machines. The web tier runs IIS, the application tier runs a .NET application, and the data tier runs SQL Server. You need to ensure that all traffic between tiers is encrypted, and that the application tier can access the database using a managed identity. The solution should also include a web application firewall (WAF) to protect the web tier from common attacks. Which of the following designs should you use?

A.Use application-level encryption between tiers, deploy Azure Application Gateway with WAF in front of the web tier, and use a service principal to access SQL Server.
B.Use SSL/TLS termination at the Azure Load Balancer, deploy Azure Front Door with WAF, and use a managed identity for the web tier to access SQL Server.
C.Use IPsec encryption between tiers, deploy Azure Application Gateway with WAF, and use a managed identity for the web tier to access SQL Server.
D.Use IPsec encryption between tiers, deploy Azure Application Gateway with WAF in front of the web tier, and use a managed identity for the application tier to access SQL Server.
Answer: D

IPsec encrypts traffic between VMs, WAF protects web tier, and managed identity provides secure database access from the application tier.

Why this answer

Option D is correct because it provides encryption between tiers via IPsec, WAF for web protection, and managed identity for database access. Option A is wrong because application-level encryption is complex and not standard. Option B is wrong because SSL/TLS termination at the load balancer means traffic inside the VNet is unencrypted.

Option C is wrong because the web tier should not have direct database access; application tier should.

187
Multi-Select · hard

A company is designing a solution to protect Azure Functions that process sensitive data. They need to ensure that only authenticated and authorized callers can invoke the function, and that secrets are not hard-coded. Which THREE actions should they take?

Select 3 answers
A.Store connection strings in application settings
B.Require client certificates
C.Use managed identity to access Azure Key Vault for secrets
D.Enable Azure AD authentication for the function app
E.Set authorization level to 'Function' or 'Admin'
Answers: C, D, E

Managed identity allows the function to securely retrieve secrets without storing credentials.

Why this answer

Option C is correct because using managed identity eliminates secrets in code. Option D is correct because Azure AD authentication validates tokens from callers. Option E is correct because function-level authorization keys (like 'Function' or 'Admin') provide an additional layer.

Option A is wrong because connection strings are not for authentication of callers. Option B is wrong because client certificates are not the primary method for caller authentication in Azure Functions; managed identity and Azure AD are preferred.

188
MCQ · hard

You are designing a secure CI/CD pipeline for a web application deployed to Azure Kubernetes Service (AKS). The security team requires that container images are scanned for vulnerabilities before deployment. Which two services should you integrate?

A.Azure DevOps and Azure Key Vault
B.Azure Policy and Azure DevOps
C.Microsoft Defender for Containers and Azure Container Registry
D.Azure Key Vault and Azure Container Registry
Answer: C

Defender for Containers can scan images in ACR for vulnerabilities before deployment.

Why this answer

Option C is correct because Microsoft Defender for Containers integrates with ACR to scan images. Option B is wrong because Azure Policy can enforce rules but does not scan images. Option A is wrong because Azure DevOps does not scan images natively.

Option D is wrong because Azure Key Vault stores secrets.

189
MCQ · hard

A company is migrating a legacy on-premises application to Azure. The application currently uses Windows Integrated Authentication (Kerberos) and requires access to a SQL Server database on the same network. In Azure, the application will run on Azure Virtual Machines and the database will be migrated to Azure SQL Managed Instance. You need to ensure the application can authenticate to the database without storing credentials. What should you implement?

A.Store the database credentials in Azure Key Vault and retrieve them at runtime.
B.Use SQL authentication with a contained database user.
C.Join the virtual machine to an Azure AD Domain Services domain and configure the application to use Azure AD Kerberos authentication.
D.Create a service principal in Azure AD and grant it access to the database.
Answer: C

This enables Windows Integrated Authentication to Azure SQL Managed Instance without credentials.

Why this answer

Azure SQL Managed Instance supports Azure AD authentication. By joining the VM to an Azure AD Domain Services domain and using Azure AD Kerberos authentication, the application can use Windows Integrated Authentication to connect to the managed instance without storing credentials. Option C is correct.

Key Vault is unnecessary. SQL authentication requires credentials. Service principal is not compatible with Kerberos.

190
MCQ · medium

A company uses Microsoft Entra ID to authenticate users for a web application. They want to enable self-service password reset (SSPR) for users. What is the minimum licensing requirement?

A.Microsoft 365 E3
B.Microsoft Entra ID P2
C.Microsoft Entra ID Free
D.Microsoft Entra ID P1
Answer: D

P1 includes SSPR with password writeback.

Why this answer

Option D is correct because Microsoft Entra ID P1 includes SSPR with writeback to on-premises Active Directory. Option C is wrong because the free tier does not include SSPR. Option B is wrong because P2 adds Identity Protection, which is not required for basic SSPR.

Option A is wrong because Microsoft 365 E3 includes Entra ID P1, but the question asks for the minimum licensing.

191
MCQ · easy

Your organization is using Microsoft Defender for Cloud to assess the security posture of your Azure resources. You need to ensure that all storage accounts have secure transfer required enabled. Which Defender for Cloud feature should you use?

A.Security policies and initiatives
B.File integrity monitoring
C.Adaptive network hardening
D.Just-In-Time VM access
Answer: A

Policies can enforce that secure transfer is enabled on storage accounts.

Why this answer

Option A is correct: Security policies and initiatives allow you to define and enforce compliance requirements. Option D is wrong: Just-In-Time VM access is for network access. Option C is wrong: Adaptive network hardening is for NSGs.

Option B is wrong: File integrity monitoring is for critical files.

192
Multi-Select · hard

Your organization uses Azure DevOps for CI/CD. You need to ensure that secrets (e.g., API keys) used in pipeline tasks are securely stored and accessed. The security requirements are: secrets must be encrypted at rest, access must be audited, and secrets must be automatically rotated. Which THREE services or features should you use? (Choose three.)

Select 3 answers
A.Azure Key Vault access policy to grant permissions.
B.Azure DevOps Variable Groups to store secrets.
C.Azure Key Vault to store secrets.
D.Azure Active Directory service principal to access secrets.
E.Azure Key Vault key rotation policy.
Answers: A, C, E

Access policies control who can read secrets, with auditing.

Why this answer

Azure Key Vault provides encrypted storage for secrets with access auditing. Managed identities allow secure access without storing credentials. Key Vault supports automatic rotation for some secret types.

Azure DevOps Variable Groups can link to Key Vault but do not provide rotation. Azure AD is not a secret store. Pipeline secrets are not centrally managed.

Options A, C, and E together meet all requirements.

193
MCQ · hard

A financial services company is deploying a new application on Azure Kubernetes Service (AKS). The application must meet PCI DSS compliance requirements, which mandate encryption of data at rest and in transit, as well as network segmentation. The application will use Azure SQL Database. What is the MOST secure approach to meet these requirements?

A.Deploy the application in an Azure App Service Environment (ASE) with a private endpoint and enable SQL Server encryption.
B.Use Azure Service Endpoints for the AKS cluster and enable Transparent Data Encryption (TDE) on Azure SQL Database.
C.Deploy Azure Firewall in front of the AKS cluster and enable SSL/TLS termination at the firewall for all incoming traffic.
D.Use Azure Policy to enforce encryption and network policies in AKS, and enable TDE and Always Encrypted for Azure SQL Database.
Answer: D

Azure Policy can enforce encryption at rest and in transit; network policies provide segmentation; TDE and Always Encrypted protect data at rest and in use.

Why this answer

Option D is correct because it combines Azure Policy to enforce encryption, network policies for segmentation, and Azure SQL Database with TDE and Always Encrypted for data protection. Option B is wrong because service endpoints do not encrypt in-transit traffic and do not provide segmentation. Option C is wrong because Azure Firewall is a perimeter firewall, not a granular network policy within AKS.

Option A is wrong because App Service Environment is not used for AKS.

194
MCQ · easy

Your organization is adopting Microsoft Copilot for Microsoft 365. You need to ensure that Copilot respects the existing sensitivity labels when processing data. What should you configure?

A.Create Data Loss Prevention (DLP) policies.
B.Configure sensitivity labels in Microsoft Purview Information Protection.
C.Use Azure Information Protection.
D.Apply retention labels to documents.
Answer: B

Copilot respects sensitivity labels.

Why this answer

Option B is correct because Microsoft Purview Information Protection sensitivity labels are respected by Microsoft Copilot. Option A is wrong because DLP policies are for data loss prevention, not labeling. Option D is wrong because retention labels are for retention, not sensitivity.

Option C is wrong because sensitivity labels in Microsoft Purview are the correct solution.

195
MCQ · medium

You are designing a solution to protect an Azure App Service web app that authenticates users via Microsoft Entra ID. The app needs to ensure that only users from specific external partner organizations can access it. You do not want to create user objects for each partner user in your tenant. What should you configure?

A.Configure a Conditional Access policy that restricts access to partners' IP ranges.
B.Enable Microsoft Entra B2B collaboration and configure the application to accept tokens from partner tenants.
C.Create guest user accounts for each external user and assign them to a group.
D.Use Azure AD B2C custom policies to allow partner authentication.
Answer: B

B2B allows external users to authenticate using their own tenants without creating user objects.

Why this answer

B2B collaboration allows external users to use their own identities without creating separate user objects. B2C is for customer-facing apps. Conditional Access policies can restrict access but require user objects.

Application permissions are for app-to-app scenarios. Option B is correct.

196
MCQ · medium

A company is implementing Microsoft Priva to manage subject rights requests. Users submit requests to access their personal data stored in Exchange Online, SharePoint, and Teams. The privacy team needs to automate the retrieval of data from these sources. Which Priva capability should they use?

A.Subject Rights Requests
B.Consent Management
C.Data Inventory
D.Data Breach Notifications
Answer: A

Subject Rights Requests automates the search and retrieval of personal data from Microsoft 365 services.

Why this answer

Option A is correct because Priva Subject Rights Requests includes built-in data retrieval from Microsoft 365 sources. Option C is wrong because Data Inventory scans but does not retrieve data for requests. Option B is wrong because Consent Management handles consent, not data retrieval.

Option D is wrong because Data Breach Notifications are for incident response.

197
Multi-Select · easy

Your company, Fabrikam, is designing a solution to securely store and manage secrets (e.g., API keys, database passwords) for cloud applications. The solution must use Azure Key Vault and support automatic rotation of secrets. The applications will run on Azure VMs and Azure App Service. Which TWO of the following should you include in your design?

Select 2 answers
A.Use service principals with client secrets to authenticate to Key Vault.
B.Rotate secrets manually using Azure Automation runbooks on a schedule.
C.Store secrets in application configuration files encrypted with Azure Key Vault.
D.Implement automatic secret rotation using Key Vault with Event Grid and Azure Functions.
E.Use managed identities for Azure resources to authenticate to Key Vault.
Answers: D, E

Key Vault integration with Event Grid and Functions enables automated rotation.

Why this answer

Option E is correct because managed identities allow VMs and App Service to authenticate to Key Vault without storing credentials. Option D is correct because Key Vault can rotate secrets automatically using Event Grid and Azure Functions. Option C is wrong because storing secrets in application configuration is insecure.

Option A is wrong because service principals require credential management. Option B is wrong because Azure Automation is not designed for secret rotation.

198
MCQ · hard

Refer to the exhibit. A security architect is reviewing an ARM template for an Azure Key Vault. The vault must be accessible from a backend subnet via private endpoint. What is the missing configuration component?

A.Enable RBAC authorization on the vault
B.Add a Microsoft.Network/privateEndpoints resource and a private DNS zone
C.Assign a system-assigned managed identity to the vault
D.Set the defaultAction to Allow for the network ACLs
Answer: B

Private endpoints are separate resources that provide private connectivity; a private DNS zone enables name resolution.

Why this answer

The exhibit shows network ACLs with virtual network rules, but to use private endpoints, the template must include a private endpoint resource and a private DNS zone. Option B is correct because private endpoints are required for private connectivity, and they are not part of the vault resource itself. Option A is wrong because enabling RBAC authorization is not required for private endpoint access.

Option D is wrong because disabling public network access is done via the network ACLs, but private endpoints still need a separate resource. Option C is wrong because a system-assigned managed identity is not needed for private endpoint connectivity.

199
Multi-Select · easy

Your company uses Microsoft 365 and wants to prevent sensitive data from being copied to personal cloud storage services like Dropbox. Which TWO Microsoft Purview capabilities should you use?

Select 2 answers
A.Data Loss Prevention (DLP) policies in Microsoft Purview
B.Endpoint Data Loss Prevention (Endpoint DLP)
C.Azure Information Protection (AIP) unified labeling client
D.Sensitivity labels
E.Microsoft Defender for Cloud Apps (formerly Cloud App Security)
Answers: A, B

DLP policies can detect and block sharing of sensitive data to unauthorized cloud services.

Why this answer

Options A and B are correct. Endpoint DLP can block copying to personal cloud storage from devices, and DLP policies in Microsoft 365 can detect and block such actions. Option D is wrong because sensitivity labels classify but don't block actions.

Option C is wrong because AIP is deprecated in favor of Purview. Option E is wrong because Cloud App Security can block downloads from cloud apps but not from endpoint to personal cloud.

200
MCQ · easy

Your organization is planning to use Microsoft Sentinel for security information and event management (SIEM). You need to ingest security logs from on-premises Active Directory. What should you deploy?

A.Microsoft Monitoring Agent (MMA)
B.Log Analytics agent
C.Microsoft Defender for Cloud agent
D.Azure Monitor Agent
Answer: D

Azure Monitor Agent is the modern unified agent for collecting logs.

Why this answer

Option D is correct because Azure Monitor Agent is the current agent for collecting Windows events from on-premises VMs and sending them to a Log Analytics workspace, which is used by Sentinel. Option B is wrong because the Log Analytics agent is legacy. Option A is wrong because MMA is also legacy.

Option C is wrong because the Defender for Cloud agent focuses on security baselines, not general event collection.

201
MCQ · hard

Your company, Lucerne Publishing, is migrating its on-premises SQL Server databases to Azure SQL Managed Instance. The databases contain sensitive customer data subject to GDPR. You need to design a security solution that includes: (1) Always Encrypted for sensitive columns, (2) dynamic data masking for non-privileged users, (3) auditing of all data access, and (4) encryption at rest using customer-managed keys stored in Azure Key Vault. Which of the following configurations should you implement?

A.Enable Always Encrypted for sensitive columns, configure dynamic data masking, enable auditing via Azure Policy, and enable TDE with a customer-managed key stored in Azure Key Vault.
B.Enable Always Encrypted for sensitive columns, configure dynamic data masking, disable TDE to improve performance, and use row-level security to restrict access.
C.Enable Always Encrypted for sensitive columns, configure dynamic data masking, enable SQL Server auditing to Azure Blob Storage, and enable Transparent Data Encryption (TDE) with a service-managed key.
D.Enable Always Encrypted for sensitive columns, configure dynamic data masking, enable Azure SQL auditing to a Log Analytics workspace, and enable TDE with a customer-managed key stored in Azure Key Vault.
Answer: D

All requirements are met: column encryption, masking, auditing, and CMK encryption.

Why this answer

Option D is correct because it includes all required features: Always Encrypted for column-level encryption, dynamic data masking, auditing via SQL Audit with Log Analytics, and TDE with CMK in Key Vault. Option C is wrong because TDE with a service-managed key does not meet the CMK requirement. Option A is wrong because auditing via server-level audit is possible but not as integrated with Log Analytics.

Option B is wrong because disabling TDE is not secure.

202
Multi-Select · medium

A company is deploying a new API management solution using Azure API Management. The APIs will be consumed by external partners. Security requirements include: protecting against OWASP Top 10 attacks, throttling requests per subscription, and validating JSON schemas. Which TWO policies should you configure? (Choose two.)

Select 2 answers
A.Validate content policy to check JSON schema.
B.Rate limit policy to throttle requests per subscription.
C.Validate JWT policy to ensure tokens are valid.
D.IP filter policy to restrict access to partner IPs.
E.Cross domain policy to allow CORS.
Answers: A, B

Validates request body against a defined schema.

Why this answer

Azure API Management policies can be added to protect APIs. The 'Validate JWT' policy is for token validation, not OWASP protection. The 'Rate limit' policy throttles requests per subscription.

The 'Validate content' policy can validate JSON schemas. The 'Cross domain' policy is for CORS. The 'IP filter' restricts by IP.

Options A and B meet the requirements.

203
MCQ · medium

Your organization is designing a new application that will store sensitive customer data in Azure Cosmos DB. You need to ensure that data at rest is encrypted using a customer-managed key (CMK) stored in Azure Key Vault. What should you configure?

A.Enable Transparent Data Encryption (TDE) on the Cosmos DB account.
B.Enable Azure Storage Service Encryption (SSE) on the Cosmos DB account.
C.Use Always Encrypted with Azure SQL Database.
D.Configure a customer-managed key in Azure Key Vault and assign it to the Cosmos DB account.
Answer: D

Azure Cosmos DB supports CMK via Azure Key Vault.

Why this answer

Option D is correct because Azure Cosmos DB supports CMK by creating an encryption key in Azure Key Vault and associating it with the Cosmos DB account. Option A is wrong because Transparent Data Encryption (TDE) is for SQL databases, not Cosmos DB. Option C is wrong because Always Encrypted is for SQL Server.

Option B is wrong because Azure Storage Service Encryption is for storage accounts, not Cosmos DB.

204
MCQ · medium

You are analyzing sign-in logs in Microsoft Sentinel. The query returns users with ResultType 50074. What does this result type indicate?

A.The user was blocked by a conditional access policy.
B.The user did not pass strong authentication.
C.The user successfully signed in with MFA.
D.The user failed to sign in due to incorrect password.
Answer: B

50074 indicates strong auth failure.

Why this answer

Option B is correct because ResultType 50074 indicates that strong authentication was required but the user did not pass it (e.g., MFA challenge failure or not performed). Option D is wrong because 50074 is not a generic sign-in failure. Option C is wrong because 50074 is specific to a strong authentication failure, not a successful sign-in.

Option A is wrong because the code is not about a conditional access policy, but about authentication strength.

205
MCQ · medium

A healthcare organization is using Microsoft Purview to govern its data estate. They have multiple Azure Data Lake Storage accounts and Azure SQL Databases. They need to classify sensitive data such as patient health information (PHI) and apply protection automatically when data is exported from these sources to an external location. The organization also wants to prevent unauthorized users from accessing sensitive data in Azure SQL Database by using built-in security features. The compliance team requires that any access to sensitive data be logged and auditable. You need to design a solution that meets these requirements. What should you implement?

A.Use Microsoft Purview to scan and classify data. Auto-apply sensitivity labels. Implement Azure AD authentication and row-level security in Azure SQL Database. Enable auditing and send to Log Analytics.
B.Use Microsoft Purview to scan and classify data. Apply sensitivity labels manually. Configure Azure SQL Database firewall to block all but admin. Use Azure SQL auditing.
C.Use Microsoft Defender for Cloud to identify sensitive data. Implement Azure SQL Database always encrypted. Use Azure Monitor to log queries.
D.Use Microsoft Purview to classify data. Apply data masking in Azure SQL Database for PHI columns. Use Azure SQL Database threat detection.
Answer: A

Automated classification, granular access control, and auditing.

Why this answer

Microsoft Purview can scan data sources and classify sensitive data. Sensitivity labels can be applied automatically based on classification. Azure SQL Database supports Azure AD authentication and row-level security to restrict access.

Auditing logs can be sent to Log Analytics. Option A combines all these. Option B uses Azure Information Protection (now part of Purview) but does not cover SQL access control.

Option D uses data masking, which doesn't prevent access. Option C uses Defender for Cloud but not data classification.

206
MCQ · hard

Refer to the exhibit. You are reviewing an ARM template for an Azure Function App. The function app uses a user-assigned managed identity and references a Key Vault secret for the storage connection string. The deployment fails because the function app cannot access the Key Vault secret. What is the most likely cause?

A.The function app is configured with a custom DNS server that cannot resolve the Key Vault URI
B.The secret name in the URI does not match the actual secret name in Key Vault
C.The Key Vault reference syntax is incorrect; it should use '@Microsoft.KeyVault(SecretUri=...)'
D.The user-assigned managed identity does not have a Key Vault access policy to get secrets
Answer: D

The identity needs an access policy to retrieve secrets from Key Vault.

Why this answer

Option D is correct because the user-assigned managed identity must have a Key Vault access policy to read secrets. Option B is wrong because the secret name is 'storage-connection', not 'storage-connection-string'. Option C is wrong because the reference syntax is correct for Key Vault references.

Option A is wrong because a custom DNS server is not relevant.

207
MCQ · hard

Refer to the exhibit. A security architect is reviewing the network configuration of an Azure App Service app named 'finance-app'. The app needs to be accessible from a backend subnet via private endpoint. Which additional configuration is required?

A.Set publicNetworkAccess to Enabled
B.Configure regional VNet integration for the app
C.Create a private endpoint and associate it with the App Service
D.Enable IP-based SSL for the app
Answer: C

A private endpoint is required for inbound private connectivity; the VNet rule alone does not enable private endpoint access.

Why this answer

The exhibit shows network ACLs with a virtual network rule allowing traffic from a subnet. However, to use private endpoint, the app must be integrated with a private endpoint resource. The 'publicNetworkAccess' is disabled, but private endpoint access requires a private endpoint resource to be created and associated with the app.

Option C is correct. Option D is wrong because IP-based SSL is unrelated to network access. Option B is wrong because regional VNet integration provides outbound connectivity, not inbound private access.

Option A is wrong because enabling public access would defeat the purpose of the private endpoint.
