CCNA Design solutions that align with security best practices and priorities Questions

75 of 180 questions · Page 2/3 · Design solutions that align with security best practices and priorities · Answers revealed

76 · MCQ · hard

Refer to the exhibit. You are analyzing a KQL query in Microsoft Sentinel. What is the purpose of this query?

A. Correlate malware alerts with device OS version
B. List all malware alerts in the last 7 days
C. Identify malware alerts on unmanaged devices
D. Show device inventory for unmanaged devices

Answer: C

Exactly: filters on IsManaged == false.

Why this answer

The query uses the `DeviceInfo` table to filter for devices where `IsManaged` is `false`, then joins with `SecurityAlert` to find alerts where `AlertName` contains 'Malware'. This specifically identifies malware alerts generated on unmanaged devices, not all malware alerts or a general device inventory.

Exam trap

The trap here is that candidates may confuse the purpose of the query as simply listing all malware alerts (Option B) or showing device inventory (Option D), overlooking the critical `IsManaged == false` filter that narrows the scope to unmanaged devices.

How to eliminate wrong answers

Option A is wrong because the query does not correlate malware alerts with device OS version; it only filters on `IsManaged` and `AlertName`, with no reference to OS version fields. Option B is wrong because the query does not list all malware alerts in the last 7 days; it restricts results to alerts on unmanaged devices (IsManaged == false) and does not include a time filter for the last 7 days. Option D is wrong because the query returns alerts, not a device inventory; the output includes alert details (e.g., AlertName, TimeGenerated) rather than a list of devices.

77 · MCQ · hard

Refer to the exhibit. You are an Azure security engineer reviewing a custom Azure Policy definition. The policy is intended to audit virtual machines to ensure they have the Azure Security extension installed. However, the policy is not triggering on any resources. What is the most likely reason?

A. The policy condition requires a managed disk, but the VMs might have unmanaged disks.
B. The 'existenceCondition' field path is incorrect; it should be 'Microsoft.Compute/virtualMachines/extensions/publisher'.
C. The policy is assigned to a management group, but the VMs are in a subscription under a different management group.
D. The policy effect should be 'Deny' instead of 'auditIfNotExists'.

Answer: A

If the VM does not have a managed disk, the 'if' condition is false, and the policy does not evaluate the audit effect.

Why this answer

Option A is correct because the policy condition uses `field` to check for `Microsoft.Compute/virtualMachines/storageProfile.osDisk.managedDisk.id`, which requires the VM to have a managed disk. If the VMs use unmanaged disks (i.e., the `managedDisk` property is absent), the condition evaluates to false, and the `auditIfNotExists` effect never triggers the existence check for the Azure Security extension.

Exam trap

The trap here is that candidates focus on the `existenceCondition` or effect syntax, overlooking that the parent `field` condition silently fails on VMs without managed disks, preventing the entire policy from evaluating.

How to eliminate wrong answers

Option B is wrong because the `existenceCondition` field path `Microsoft.Compute/virtualMachines/extensions/publisher` is syntactically valid for checking the extension's publisher property; the issue is not with the path but with the parent condition failing. Option C is wrong because policy assignment inheritance works correctly across management group hierarchies—if the policy is assigned to a management group, it applies to all descendant subscriptions, so VMs in a child subscription would still be evaluated. Option D is wrong because changing the effect to `Deny` would not fix the triggering issue; the policy is not evaluating resources at all due to the condition, not because of the effect type.

78 · MCQ · medium

Your company is implementing Microsoft Purview Information Protection to protect sensitive data. The compliance team requires that when a user applies a 'Highly Confidential' sensitivity label to a document, the document is automatically encrypted and watermarked. Which configuration should you use?

A. Create a DLP policy that encrypts and watermarks the document when it is shared externally
B. Create an auto-labeling policy that detects sensitive content and applies the label automatically
C. Create a Conditional Access policy that requires the label to be applied to all documents
D. Configure the sensitivity label to apply encryption and dynamic watermarking. Publish the label to users.

Answer: D

Encryption and watermarking are configured in the label settings; the user applies the label manually.

Why this answer

Option D is correct because encryption and dynamic watermarking are built-in sensitivity label settings. Option B is wrong because auto-labeling policies apply labels based on conditions, not user action. Option C is wrong because Conditional Access policies control access but do not add encryption or watermarks.

Option A is wrong because DLP policies apply actions like block, not encryption or watermarking.

79 · MCQ · hard

You are a security architect for a large financial services company. The company has a hybrid identity environment with on-premises Active Directory synchronized to Microsoft Entra ID using Microsoft Entra Connect. They use Microsoft 365 E5 licenses and have deployed Microsoft Defender for Cloud, Microsoft Defender for Identity, Microsoft Sentinel, and Microsoft Purview. The company has recently suffered a ransomware attack where an attacker gained access via a compromised service account that had permanent Global Administrator privileges. The attacker then used the account to create a backdoor user and exfiltrate sensitive data from SharePoint Online. After the incident, the CISO mandates a Zero Trust security transformation with the following requirements: 1. Eliminate standing privileged access for all cloud admins. 2. Require phishing-resistant authentication for all privileged roles. 3. Ensure that all sensitive data in SharePoint Online is automatically classified and protected. 4. Enable detection of lateral movement using anomalous behavior analytics. Which combination of actions should you recommend?

A. Implement Privileged Identity Management (PIM) for Global Administrator roles, configure Authentication Strengths to require FIDO2, create auto-labeling policies for credit card numbers, and enable Defender for Identity lateral movement path detection.
B. Deploy Microsoft Entra Identity Protection for all users, configure Azure AD Conditional Access with MFA, use Microsoft Purview Information Protection with manual labeling, and enable Microsoft Sentinel analytics for lateral movement.
C. Configure Conditional Access to require MFA for admins, enable Microsoft Purview DLP for SharePoint, deploy Defender for Cloud Apps, and use Identity Protection for user risk.
D. Remove all permanent admin roles and use just-in-time access via PIM, enforce MFA via Conditional Access, apply sensitivity labels via Microsoft Purview Data Map, and use Microsoft Defender for Cloud for network security groups.

Answer: A

Meets all requirements: PIM eliminates standing access, Authentication Strengths enforces phishing-resistant MFA, auto-labeling protects data, Defender for Identity detects lateral movement.

Why this answer

Option A is correct because it directly addresses all four CISO requirements: Privileged Identity Management (PIM) eliminates standing Global Administrator privileges by requiring just-in-time activation; Authentication Strengths with FIDO2 enforces phishing-resistant authentication for privileged roles; auto-labeling policies in Microsoft Purview automatically classify and protect sensitive data like credit card numbers in SharePoint Online; and Defender for Identity lateral movement path detection uses behavioral analytics to detect anomalous lateral movement, fulfilling the detection requirement.

Exam trap

The trap here is that candidates often confuse MFA (which can be phishable) with phishing-resistant authentication (e.g., FIDO2 or certificate-based), and they may overlook that automatic classification requires auto-labeling policies, not manual labeling or data discovery tools like Data Map.

How to eliminate wrong answers

Option B is wrong because it relies on manual labeling instead of automatic classification, which fails to meet the requirement for automatic protection of sensitive data in SharePoint Online; additionally, Identity Protection does not provide lateral movement detection. Option C is wrong because it only enforces MFA via Conditional Access, which is not phishing-resistant (e.g., it allows TOTP or phone call verification), and it lacks automatic data classification and lateral movement detection. Option D is wrong because it enforces MFA via Conditional Access instead of phishing-resistant authentication (e.g., FIDO2), and it uses Microsoft Defender for Cloud for network security groups, which does not address lateral movement detection; Purview Data Map is for data discovery, not automatic classification and protection.

80 · MCQ · medium

A company uses Microsoft Entra ID for identity management. They want to ensure that only managed devices can access corporate email. Which Conditional Access policy setting should be configured?

A. Require multifactor authentication
B. Block legacy authentication
C. Require approved client app
D. Require device to be marked as compliant

Answer: D

This ensures that only managed and compliant devices can access corporate email.

Why this answer

To ensure only managed devices can access corporate email, you need to enforce device compliance. The Conditional Access policy setting 'Require device to be marked as compliant' checks that the device is enrolled in Microsoft Intune and meets all compliance policies (e.g., encryption, OS version, jailbreak detection) before granting access. This directly restricts access to managed devices only.

Exam trap

The trap here is that candidates often confuse 'Require device to be marked as compliant' with 'Require approved client app' or 'Require multifactor authentication,' thinking that MFA or app approval alone ensures device management, but only compliance enforcement ties directly to Intune-managed device policies.

How to eliminate wrong answers

Option A is wrong because requiring multifactor authentication (MFA) verifies the user's identity but does not enforce any device management or compliance; a personal device with MFA could still access email. Option B is wrong because blocking legacy authentication prevents protocols like POP3, IMAP, or SMTP that don't support modern authentication, but it does not ensure the device is managed or compliant; a managed device using legacy auth would still be blocked, but an unmanaged device using modern auth would not be blocked. Option C is wrong because requiring an approved client app (e.g., Outlook mobile) ensures the app is from a trusted source but does not enforce device management; an unmanaged device with the approved app could still access email.

81 · Multi-Select · hard

Which THREE of the following are valid ways to protect sensitive data in Microsoft 365 using Microsoft Purview? (Choose three.)

Select 3 answers
A. Sensitivity labels
B. Data Loss Prevention (DLP) policies
C. Data Lifecycle Management (retention policies)
D. Conditional Access policies
E. Microsoft Defender for Endpoint

Answers: A, B, C

Labels classify and protect data with encryption and markings.

Why this answer

Sensitivity labels are a core Microsoft Purview Information Protection capability that allows you to classify and protect data at the item level. They can apply encryption, visual markings (headers/footers/watermarks), and enforce rights management (Azure RMS) directly on documents and emails, ensuring protection persists even when data leaves Microsoft 365.

Exam trap

The trap here is that candidates often confuse Conditional Access policies (which control access) or Defender for Endpoint (which protects endpoints) with Purview's data protection capabilities, but neither directly classifies, encrypts, or prevents data loss at the content level.

82 · MCQ · medium

A company is migrating its on-premises Active Directory to Microsoft Entra ID. They need to ensure that all user authentication for cloud apps uses passwordless methods. Which security best practice should they implement?

A. Implement Microsoft Entra ID passwordless authentication
B. Configure conditional access policies to block legacy authentication
C. Enable Microsoft Entra ID Privileged Identity Management (PIM)
D. Require multifactor authentication (MFA) for all users

Answer: A

Passwordless methods such as FIDO2 keys eliminate passwords entirely, aligning with Zero Trust.

Why this answer

Option A is correct because implementing Microsoft Entra ID passwordless authentication (e.g., FIDO2 keys, Windows Hello for Business) aligns with the Zero Trust principle of eliminating passwords. Option D is wrong because MFA alone still relies on a password. Option B is wrong because Conditional Access policies can enforce passwordless authentication but are not the best practice itself.

Option C is wrong because Privileged Identity Management addresses just-in-time access, not passwordless authentication.

83 · MCQ · easy

A company is designing a Zero Trust security strategy. They want to ensure that all access requests are authenticated, authorized, and encrypted before granting access. Which Microsoft security solution should they use as the central policy engine?

A. Microsoft Defender for Cloud
B. Microsoft Sentinel
C. Microsoft Entra ID
D. Microsoft Intune

Answer: C

Entra ID is the identity provider that enforces conditional access.

Why this answer

Microsoft Entra ID (formerly Azure AD) is the correct central policy engine because it provides identity-based conditional access policies that authenticate, authorize, and enforce encryption (e.g., via device compliance or app protection policies) before granting access. It acts as the policy decision point (PDP) in a Zero Trust architecture, evaluating signals like user risk, device state, and location to allow or deny access.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud (a security posture tool) or Microsoft Sentinel (a monitoring tool) with the identity-based policy engine required for Zero Trust access control, but only Microsoft Entra ID handles real-time authentication and authorization decisions.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud is a cloud security posture management (CSPM) and workload protection platform, not a policy engine for authentication/authorization decisions. Option B is wrong because Microsoft Sentinel is a SIEM/SOAR solution for security information and event management, not a real-time access policy engine. Option D is wrong because Microsoft Intune is a mobile device management (MDM) and mobile application management (MAM) tool, which enforces device compliance but does not serve as the central policy engine for authentication and authorization.

84 · MCQ · medium

Refer to the exhibit. You are reviewing a Conditional Access policy JSON. What is the effect of this policy?

A. Blocks sign-ins from locations with high sign-in risk
B. Blocks sign-ins from users with high user risk
C. Blocks all sign-ins from any user
D. Requires multifactor authentication for high-risk users

Answer: B

The policy targets high user risk and blocks.

Why this answer

The policy JSON specifies `"userRiskLevels": ["high"]` under the conditions block, which means it targets only users whose user risk level is assessed as high by Microsoft Entra ID Protection. The grant control is set to `"builtInControls": ["block"]`, so the policy blocks sign-ins for those high-risk users. Option B is correct because the policy explicitly blocks sign-ins from users with high user risk, not sign-in risk or all users.

Exam trap

Microsoft often tests the distinction between `userRiskLevels` and `signInRiskLevels` in Conditional Access policies, and candidates frequently confuse the two, thinking a high user risk policy blocks sign-in risk events rather than user account risk.

How to eliminate wrong answers

Option A is wrong because the policy uses `userRiskLevels`, not `signInRiskLevels`; sign-in risk levels are a separate property in Conditional Access policies that assess the risk of a specific authentication attempt, not the user account. Option C is wrong because the policy has a condition targeting only high user risk levels, not all users; a block-all policy would omit the risk level condition or use an empty conditions block. Option D is wrong because the grant control is `"block"`, not `"mfa"`; requiring multifactor authentication would use `"mfa"` in the builtInControls array, and the policy does not include any authentication requirement.

85 · MCQ · medium

A company uses Microsoft Entra ID and wants to enable passwordless authentication for all users to reduce phishing risks. Users are already using Microsoft Authenticator for MFA. Which passwordless method should you prioritize?

A. Windows Hello for Business
B. FIDO2 security keys
C. Certificate-based authentication
D. Microsoft Authenticator passwordless sign-in

Answer: D

Leverages the existing app and is user-friendly.

Why this answer

Option D is correct because the organization already uses Microsoft Authenticator for MFA, making the transition to passwordless sign-in via Authenticator the most seamless and cost-effective path. This method leverages the existing app registration and push notification infrastructure, allowing users to authenticate with a biometric or PIN gesture without deploying additional hardware or certificates.

Exam trap

The trap here is that candidates may choose Windows Hello for Business (A) because it is a common passwordless option, but they overlook the requirement that it only works on Windows devices, not for all users across platforms.

How to eliminate wrong answers

Option A is wrong because Windows Hello for Business requires Windows devices and is not universally applicable to all users (e.g., mobile or non-Windows users). Option B is wrong because FIDO2 security keys require purchasing and distributing physical hardware, which adds cost and logistical overhead not justified when Authenticator is already deployed. Option C is wrong because certificate-based authentication requires a public key infrastructure (PKI) and certificate enrollment, which is more complex to deploy and manage than leveraging the existing Authenticator app.

86 · MCQ · easy

Your company uses Microsoft Sentinel for security information and event management (SIEM). You need to design a solution that reduces alert fatigue by correlating low-fidelity alerts from multiple sources into a single high-fidelity incident. Which Microsoft Sentinel feature should you use?

A. Workbooks
B. Analytics rules with alert grouping enabled
C. Playbooks
D. Hunting queries

Answer: B

Analytics rules can correlate alerts and group them into incidents.

Why this answer

Analytics rules with alert grouping enabled allow you to configure a rule that correlates multiple low-fidelity alerts (e.g., from different data sources or detection types) into a single high-fidelity incident. When alert grouping is enabled, the rule groups alerts that occur within a specified time window and share common entities (such as IP addresses or user accounts), reducing alert fatigue by presenting one consolidated incident instead of many individual alerts.

Exam trap

The trap here is that candidates often confuse 'alert grouping' with 'playbook automation' or 'workbook visualization', thinking that any tool that reduces noise must involve automation or dashboards, rather than understanding that the correlation logic is built directly into the analytics rule configuration.

How to eliminate wrong answers

Option A is wrong because Workbooks are visualization tools that display data from queries and logs; they do not perform correlation or grouping of alerts into incidents. Option C is wrong because Playbooks are automated response workflows (based on Azure Logic Apps) that trigger on incidents or alerts but do not correlate or group alerts into a single incident. Option D is wrong because Hunting queries are ad-hoc, interactive searches for threats in raw log data; they do not automatically create incidents or group alerts.

87 · MCQ · medium

Your organization is implementing Microsoft Entra ID Conditional Access. You need to require multi-factor authentication (MFA) for all users accessing financial applications, but only when the sign-in risk is medium or higher. What is the most efficient way to achieve this?

A. Create a Microsoft Entra ID Protection user risk policy to require MFA
B. Enable MFA per user for all users in the financial team
C. Create a Conditional Access policy that targets all users, includes a named location, and requires MFA
D. Create a Conditional Access policy that targets the financial applications, uses sign-in risk as a condition, and requires MFA

Answer: D

This directly meets the requirement.

Why this answer

Option D is correct because it uses a single Conditional Access policy to target the specific financial applications and sets the sign-in risk condition to medium or higher, which triggers MFA only when the risk threshold is met. This approach is efficient as it avoids per-user MFA configuration and leverages Microsoft Entra ID Protection's risk detection to dynamically enforce MFA based on real-time sign-in risk, aligning with the principle of adaptive access control.

Exam trap

The trap here is that candidates often confuse user risk policies with sign-in risk conditions, or they default to per-user MFA or location-based policies, missing the precise combination of application scoping and risk-based conditions that the question requires.

How to eliminate wrong answers

Option A is wrong because a user risk policy in Microsoft Entra ID Protection targets user-level risk (e.g., compromised credentials) rather than sign-in risk, and it cannot be scoped to specific applications like financial apps; it would apply MFA based on user risk, not sign-in risk. Option B is wrong because enabling MFA per user forces MFA on every authentication for those users, regardless of sign-in risk level, which violates the requirement to only require MFA when risk is medium or higher and is less efficient than a risk-based policy. Option C is wrong because it includes a named location condition, which is irrelevant to sign-in risk, and targets all users without application scoping, meaning it would apply MFA to all applications for all users, not just financial apps when risk is elevated.

88 · MCQ · hard

Refer to the exhibit. You are reviewing an ARM template snippet for an Azure Storage container. Which security best practice does this configuration enforce?

A. Disables anonymous public access to the container
B. Allows public access from the internet
C. Configures a firewall rule to restrict access to specific IPs
D. Enables encryption at rest for the container

Answer: A

Setting publicAccess to None disables anonymous access.

Why this answer

The ARM template snippet sets the `publicAccess` property of the container to `None`. This explicitly disables anonymous public access to the container, enforcing the security best practice of preventing unauthenticated access to Azure Storage data. By default, Azure Storage containers allow anonymous read access if enabled at the account level, but this configuration overrides that to block any public requests.

Exam trap

The trap here is that candidates may confuse the container-level `publicAccess` property with storage account-level firewall rules or encryption settings, leading them to select options that describe unrelated security features.

How to eliminate wrong answers

Option B is wrong because allowing public access from the internet is the opposite of the security best practice; the snippet disables public access, not enables it. Option C is wrong because the snippet does not include any `networkAcls` or `ipRules` properties; firewall rules are configured at the storage account level, not within a container resource definition. Option D is wrong because encryption at rest is enabled by default for Azure Storage and is not controlled by the `publicAccess` property; the snippet does not reference any encryption settings.

89 · MCQ · medium

Your organization uses Microsoft Sentinel to centralize security logs from multiple clouds. They need to ensure that logs from Amazon Web Services (AWS) are ingested and analyzed for threats. Which connector should you implement?

A. Microsoft Defender for Cloud
B. Azure Monitor Agent
C. AWS S3 connector
D. Azure Event Hubs

Answer: C

The AWS S3 connector ingests CloudTrail logs into Sentinel.

Why this answer

The AWS S3 connector is the correct choice because it is the native Microsoft Sentinel data connector designed specifically to ingest AWS CloudTrail logs (and other AWS service logs) from an S3 bucket. It uses an AWS Simple Queue Service (SQS) to poll for new log files, then streams them into Sentinel for analysis, enabling threat detection across multi-cloud environments.

Exam trap

The trap here is that candidates may confuse Microsoft Defender for Cloud (a security posture tool) with a log ingestion connector, or assume Azure Event Hubs is the default streaming solution for all external logs, overlooking the purpose-built AWS S3 connector that handles the specific S3-to-Sentinel pipeline.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud is a cloud security posture management (CSPM) and workload protection tool, not a log ingestion connector for AWS; it does not directly pull raw logs from S3 into Sentinel. Option B is wrong because Azure Monitor Agent (AMA) is designed to collect telemetry from Azure VMs and on-premises machines via Data Collection Rules, not from external cloud storage like AWS S3. Option D is wrong because Azure Event Hubs is a data streaming platform that can receive logs from external sources, but it is not a pre-built Sentinel connector for AWS; using it would require custom configuration and additional components to replicate the S3 connector's functionality.

90 · MCQ · hard

Your enterprise uses Microsoft Defender for Cloud to secure a hybrid cloud environment spanning Azure and AWS. You need to design a solution that prioritizes remediation of the most critical vulnerabilities across both clouds based on Common Vulnerability Scoring System (CVSS) scores, exploitability, and business impact. Which Defender for Cloud feature should you use?

A. Security Explorer
B. Regulatory Compliance Dashboard
C. Secure Score
D. Adaptive Application Controls

Answer: A

Security Explorer enables querying and prioritizing vulnerabilities across clouds.

Why this answer

Security Explorer (now part of Microsoft Defender for Cloud's Cloud Security Explorer) provides a graph-based query interface that allows you to identify and prioritize vulnerabilities across Azure and AWS based on CVSS scores, exploitability, and business impact. It enables you to filter by multiple dimensions (e.g., internet exposure, data sensitivity, attack path) to pinpoint the most critical risks, directly addressing the requirement to prioritize remediation across both clouds.

Exam trap

The trap here is that candidates often confuse Secure Score with vulnerability prioritization, but Secure Score only measures compliance with security recommendations and does not factor in CVSS scores or exploitability to rank individual vulnerabilities.

How to eliminate wrong answers

Option B is wrong because the Regulatory Compliance Dashboard focuses on mapping your cloud environment to compliance standards (e.g., SOC 2, PCI DSS) and does not prioritize vulnerabilities by CVSS score, exploitability, or business impact. Option C is wrong because Secure Score provides an overall security posture percentage based on control recommendations, but it does not allow granular prioritization of individual vulnerabilities by CVSS or exploitability across multi-cloud environments. Option D is wrong because Adaptive Application Controls is a just-in-time and whitelisting feature for controlling which applications can run on Azure VMs, not a vulnerability prioritization tool.

91 · MCQ · hard

Contoso is a financial services company migrating critical workloads to Azure. They must comply with PCI DSS and have a Security Operations Center (SOC) team that uses Microsoft Sentinel. The CISO wants to ensure that the security posture aligns with Microsoft's cybersecurity reference architecture (MCRA). You need to design a solution that includes the following requirements: 1) All Azure subscriptions must be managed under a single management group hierarchy with consistent policies. 2) The SOC must have a centralized view of security alerts across all resources, including on-premises servers and multi-cloud environments. 3) Privileged access to Azure resources must be protected using just-in-time (JIT) access and Privileged Identity Management (PIM). 4) Compliance with PCI DSS must be continuously monitored and reported. 5) The solution must minimize operational overhead. What should you include in the design?

A. Create separate management groups per business unit. Enable Microsoft Defender for Cloud on each subscription individually. Use Azure Policy to assign PCI DSS policies per subscription. Configure PIM at the tenant root management group. Use a third-party SIEM to aggregate alerts.
B. Deploy a single management group containing all subscriptions. Enable Microsoft Defender for Cloud with the 'PCI DSS v3.2.1' regulatory compliance dashboard on the management group. Configure Azure Policy to enforce security standards. Enable PIM and configure JIT VM access. Use Microsoft Sentinel as the SIEM, connecting it to Defender for Cloud and on-premises security sources.
C. Deploy a management group hierarchy with policies inherited. Use Microsoft Defender for Cloud's secure score to monitor compliance manually. Implement PIM without JIT. Use Microsoft Sentinel but only for cloud workloads.
D. Use a single management group with Azure Policy to enforce PCI DSS controls. Rely on Azure Monitor for security alerts. Do not enable Defender for Cloud to reduce costs. Use PIM for privileged roles. Connect on-premises logs to a Log Analytics workspace for the SOC.

Answer: B

Provides centralized management, continuous compliance monitoring, integrated PIM/JIT, and a single SIEM for the SOC.

Why this answer

Option B is correct because it provides a single management group for centralized policy enforcement, uses Microsoft Defender for Cloud with the PCI DSS regulatory compliance dashboard for continuous compliance monitoring and multicloud visibility, integrates PIM and JIT for privileged access, and uses Microsoft Sentinel as the SOC's single SIEM, ingesting alerts from Defender for Cloud and on-premises sources. Option A is less effective because it lacks centralized policy management, enables separate Defender for Cloud instances per subscription, and adds a third-party SIEM.

Option D is wrong because it relies on Azure Policy alone without the compliance monitoring and threat detection capabilities of Defender for Cloud. Option C is wrong because it depends on manual compliance monitoring via secure score, omits JIT access, and limits Sentinel to cloud workloads, leaving the SOC without a centralized view.

92 · MCQ · medium

Your organization is planning to deploy Microsoft Purview Information Protection to classify and protect sensitive data. You need to design a solution that automatically applies sensitivity labels to documents containing personally identifiable information (PII) when they are uploaded to SharePoint Online. Which configuration should you use?

A. Set a default sensitivity label for the SharePoint site
B. Use trainable classifiers to identify PII and apply labels
C. Create an auto-labeling policy that uses a sensitive info type for PII
D. Configure a manual labeling policy that prompts users to classify documents

Answer: C

Auto-labeling policies can automatically apply labels based on detection of sensitive information types like PII.

Why this answer

Option C is correct because Microsoft Purview auto-labeling policies can apply sensitivity labels to documents in SharePoint Online without user action. With a sensitive information type (e.g., U.S. Social Security Number) as the condition, the service scans content at rest in the targeted sites and labels matching files. Two practitioner caveats: service-side auto-labeling is a background crawl, so the label arrives some time after upload rather than at the moment of upload, and every new policy starts in simulation mode so matches can be reviewed before it is turned on.

Exam trap

The trap here is confusing trainable classifiers with sensitive info types; candidates often pick trainable classifiers because they sound like a smart AI solution, but they are designed for broader content categories, not specific PII patterns like SSNs or credit card numbers.

How to eliminate wrong answers

Option A is wrong because setting a default sensitivity label for a SharePoint site applies a label to all new documents in that site, but it does not automatically detect and label only those containing PII; it labels everything regardless of content. Option B is wrong because trainable classifiers use machine learning trained on sample documents to recognize broad content categories (e.g., contracts or resumes) and are not designed to identify specific PII data types like credit card numbers or SSNs; sensitive info types, which match patterns plus supporting evidence such as checksums and keywords, are the correct mechanism for PII detection. Option D is wrong because a manual labeling policy requires users to classify documents themselves, which does not meet the requirement for automatic labeling upon upload.
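An added example of the option C configuration in Security & Compliance PowerShell (my own code, not from the question page or from Microsoft). It assumes the ExchangeOnlineManagement module with Connect-IPPSSession already run, a published label named 'Confidential - PII' (assumed name), and a placeholder site URL; the sensitive information type name is the built-in U.S. SSN type as shown in the Purview portal.

```powershell
# Added example, not from the question page. Assumes Connect-IPPSSession has been run and
# the label 'Confidential - PII' (assumed name) is already published to the scope.
$policyName = 'Auto-label PII in SharePoint'
$siteUrl    = 'https://contoso.sharepoint.com/sites/hr'   # placeholder site
$labelName  = 'Confidential - PII'                          # assumed existing label

# 1. Policy: where to look and which label to apply. Created in simulation mode so the
#    first run only reports matches; nothing is labeled until the mode is changed.
New-AutoSensitivityLabelPolicy -Name $policyName `
    -SharePointLocation $siteUrl `
    -ApplySensitivityLabel $labelName `
    -Mode TestWithoutNotifications `
    -Comment 'Labels files containing U.S. SSNs; simulation first'

# 2. Rule: the condition is a sensitive information type (pattern plus checksum and
#    keyword evidence), which is the right tool for SSNs; a trainable classifier is not.
New-AutoSensitivityLabelRule -Name "$policyName - SSN" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @{
        Name          = 'U.S. Social Security Number (SSN)'
        minCount      = '1'
        minConfidence = '85'   # medium confidence: pattern plus supporting evidence
    }

# 3. Check the simulation, then enforce. Auto-labeling is a background crawl, so expect
#    a lag between upload and label even after enforcement.
Get-AutoSensitivityLabelPolicy -Identity $policyName |
    Format-List Name, Mode, DistributionStatus, ApplySensitivityLabel
Set-AutoSensitivityLabelPolicy -Identity $policyName -Mode Enable
```

Leave the policy in simulation until the match list in the Purview portal looks right; a too-low minConfidence on a PII type labels test data and internal documentation along with real records, and labels that carry encryption are disruptive to undo at scale.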

93
MCQeasy

Your organization is migrating to Microsoft 365 and wants to implement a defense-in-depth strategy for email security. Which combination of Microsoft services should you use?

A.Microsoft Defender for Office 365 and Exchange Online Protection
B.Microsoft Purview Compliance Manager and Microsoft Defender for Cloud Apps
C.Microsoft Intune and Microsoft Entra ID
D.Microsoft Sentinel and Microsoft Defender for Identity
AnswerA

Defender for Office 365 provides advanced threat protection, and EOP provides baseline filtering.

Why this answer

Defense-in-depth for email security requires layered protection at the transport, filtering, and post-delivery stages. Exchange Online Protection (EOP) provides baseline anti-malware, anti-spam, and transport rules, while Microsoft Defender for Office 365 adds advanced threat protection like Safe Attachments, Safe Links, and anti-phishing policies that inspect URLs and attachments in real time. Together, they cover the full email threat chain from ingress to user interaction.

Exam trap

The trap here is that candidates confuse compliance or identity services with email security layers, forgetting that defense-in-depth for email specifically requires both transport-level (EOP) and post-delivery (Defender for Office 365) protections.

How to eliminate wrong answers

Option B is wrong because Microsoft Purview Compliance Manager focuses on compliance posture and risk assessments, not on email security filtering or threat detection. Option C is wrong because Microsoft Intune manages device compliance and application policies, and Microsoft Entra ID handles identity and access management; neither provides email transport or content inspection. Option D is wrong because Microsoft Sentinel is a SIEM for centralized security analytics and Microsoft Defender for Identity detects on-premises Active Directory attacks; they do not directly protect email transport or attachments.

94
MCQeasy

Your organization wants to implement a security baseline for Azure resources using built-in policies. Which Azure service should you use to assign policies that enforce compliance with security best practices?

A.Azure Blueprints
B.Microsoft Defender for Cloud
C.Azure Policy
D.Azure Role-Based Access Control (RBAC)
AnswerC

Azure Policy enforces compliance rules on Azure resources, aligning with security baselines.

Why this answer

Azure Policy is the correct service because it allows you to create, assign, and manage policies that enforce specific rules and effects on your Azure resources. These policies can be used to implement a security baseline by ensuring resources comply with built-in security best practices, such as requiring encryption or restricting resource types. Azure Policy evaluates resources against assigned policies and can automatically remediate non-compliant resources.

Exam trap

The trap here is that candidates often confuse Azure Policy with Microsoft Defender for Cloud, thinking Defender for Cloud is the tool for enforcing security baselines. Defender for Cloud's recommendations and compliance results are themselves produced by Azure Policy definitions and initiatives; the assignment and enforcement engine is Azure Policy.

How to eliminate wrong answers

Option A is wrong because Azure Blueprints is used to orchestrate the deployment of resource templates, policies, and role assignments as a repeatable set of artifacts, but it is not the service for directly assigning and enforcing individual policies; it can include Azure Policy definitions as part of a blueprint, but the core policy enforcement mechanism is Azure Policy itself. Azure Blueprints is also deprecated, with retirement set for July 2026, and Microsoft points to template specs and deployment stacks as the replacements. Option B is wrong because Microsoft Defender for Cloud provides security posture management, threat detection, and recommendations based on security benchmarks, but it does not directly assign or enforce policies; it can integrate with Azure Policy to apply regulatory compliance initiatives, but the assignment and enforcement of policies is done through Azure Policy. Option D is wrong because Azure Role-Based Access Control (RBAC) manages who has access to Azure resources and what actions they can perform, but it does not enforce compliance rules or security baselines on resource configurations; RBAC is about authorization, not about ensuring resources meet specific security standards.

95
MCQeasy

Adventure Works is a startup that uses Microsoft 365 Business Premium. They have 20 employees and no cloud expertise. The CEO has been hearing about ransomware attacks on small businesses. They want to implement basic protection against ransomware using built-in Microsoft 365 features. They also want to ensure they can recover from an attack quickly. What should you recommend?

A.Purchase Azure Backup for all user devices. Configure backup policies to run daily. Use Microsoft Intune to enforce encryption. Implement Conditional Access to require MFA.
B.Enable Microsoft Defender for Office 365 to block malicious attachments and links. Configure Microsoft Defender for Business to enable controlled folder access and ransomware protection. Educate users on phishing. Use OneDrive Files Restore to recover from ransomware.
C.Use Microsoft Sentinel as a SIEM to detect ransomware patterns. Deploy Azure ATP for identity protection. Use Azure Policy to enforce backup.
D.Implement Azure Site Recovery for on-premises servers. Use Microsoft Defender for Cloud for threat detection. Deploy a third-party antivirus.
AnswerB

Uses built-in features, simple to configure, effective against ransomware.

Why this answer

Option B is correct because it leverages built-in Microsoft 365 Business Premium features to provide immediate ransomware protection without requiring cloud expertise. Microsoft Defender for Office 365 blocks malicious attachments and links at the email gateway, while Defender for Business provides endpoint protection with controlled folder access, which stops untrusted processes from writing to protected document folders. OneDrive Files Restore enables self-service recovery from ransomware: it rolls an entire OneDrive back to a chosen point within the last 30 days, which is the right shape of recovery for mass encryption (SharePoint document libraries have the equivalent 'Restore this library' option), so the startup gets quick recovery without additional infrastructure.

Exam trap

The trap here is that candidates often over-engineer the solution by recommending enterprise-grade tools like Azure Backup or Sentinel, failing to recognize that Microsoft 365 Business Premium includes sufficient built-in capabilities for a small startup with no cloud expertise.

How to eliminate wrong answers

Option A is wrong because Azure Backup is not included in Microsoft 365 Business Premium and requires additional licensing and cloud expertise to configure; it also does not address ransomware prevention at the email or endpoint level. Option C is wrong because Microsoft Sentinel and Azure ATP are advanced security tools requiring significant cloud expertise and additional licensing, far beyond the scope of a 20-employee startup with no cloud expertise. Option D is wrong because Azure Site Recovery is designed for on-premises server disaster recovery, not for user devices or Microsoft 365 data, and deploying a third-party antivirus contradicts the requirement to use built-in Microsoft 365 features.

96
MCQhard

Contoso is a large enterprise with a complex Azure environment. They have multiple management groups, subscriptions, and a hub-spoke network topology. The security team wants to implement a consistent security baseline across all subscriptions using Azure Policy. They need to ensure that: 1) All resources must be deployed in approved regions only. 2) Network security groups must have specific rules to block high-risk ports. 3) All storage accounts must enforce HTTPS traffic. 4) The policies must be applied at the management group level to ensure inheritance. 5) Non-compliant resources must be automatically remediated where possible. What should you do?

A.Use Azure Policy Guest Configuration to enforce region and NSG rules. Assign policies at each subscription. Use Azure Automation runbooks for remediation.
B.Create custom Azure Policy definitions for the required configurations (allowed locations, NSG rule blocking ports, storage HTTPS). Assign the policies at the root management group. Enable 'deployIfNotExists' effect for automatic remediation of non-compliant resources. Use Azure Policy remediation tasks to fix existing non-compliant resources.
C.Use Azure Blueprints to define the environment. Include Azure Policy assignments in the blueprint. Assign blueprint to each management group. Remediate manually.
D.Create a custom script using Azure PowerShell to check compliance daily. Use Azure Logic Apps to send alerts for non-compliance. Have IT staff manually fix issues.
AnswerB

Automated enforcement and remediation at scale.

Why this answer

Option B is correct because it uses Azure Policy at the root management group to enforce inheritance across all subscriptions, with custom policy definitions for allowed locations, NSG rules blocking high-risk ports, and storage HTTPS. The 'deployIfNotExists' effect (or 'modify', the lighter choice for a single resource property such as the storage HTTPS flag) corrects non-compliant resources automatically, and remediation tasks fix resources that already existed before the assignment, meeting all requirements without manual intervention. The practitioner caveat is that these effects act through a managed identity on the assignment, which must hold the roles the definition declares; without that grant the remediation tasks are created but every deployment fails.

Exam trap

The trap here is confusing Azure Policy's 'deployIfNotExists' effect with manual remediation or third-party automation, leading candidates to choose options that lack native, automatic, and inherited policy enforcement at the management group level.

How to eliminate wrong answers

Option A is wrong because Azure Policy Guest Configuration (now called machine configuration) is designed for in-guest machine settings (e.g., OS configuration), not for enforcing region, NSG rules, or storage HTTPS; assigning policies at each subscription breaks inheritance, and Azure Automation runbooks are not the native remediation mechanism for Azure Policy. Option C is wrong because Azure Blueprints are used for orchestrating resource deployments (including policy assignments) but do not provide automatic remediation; manual remediation violates the requirement for automatic remediation where possible. Option D is wrong because a custom PowerShell script with Logic Apps alerts and manual fixes is not a scalable, automated, or policy-driven solution; it lacks inheritance, automatic remediation, and centralized enforcement at the management group level.
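An added example of the option B pattern in Az PowerShell (my own code, not from the question page or from Microsoft), covering the storage HTTPS control from Q96 and the assign-a-policy step from Q94. It assumes the Az.Resources and Az.PolicyInsights modules, Connect-AzAccount with rights at a management group whose name 'contoso-root' is a placeholder, and 'eastus' as the identity location. The page's answer names deployIfNotExists; because this control is a single property on the resource itself, the example uses the related 'modify' effect, which is the lighter tool for that (deployIfNotExists is for deploying companion resources such as extensions or diagnostic settings). Both effects need a managed identity on the assignment and both are backed by remediation tasks for existing resources.

```powershell
# Added example, not from the question page. Placeholders: management group name, location.
$mgName  = 'contoso-root'
$mgScope = "/providers/Microsoft.Management/managementGroups/$mgName"

# Role the policy's managed identity will use to change the property.
$storageRoleId = (Get-AzRoleDefinition -Name 'Storage Account Contributor').Id

# Custom definition: flag storage accounts where secure transfer is off or unset, and
# set the property. conflictEffect 'audit' avoids failing a deployment that explicitly
# sets the value to false; change it to 'deny' if that should be a hard stop.
$rule = @"
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
      { "anyOf": [
          { "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "exists": "false" },
          { "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "equals": "false" }
      ] }
    ]
  },
  "then": {
    "effect": "modify",
    "details": {
      "roleDefinitionIds": [ "/providers/Microsoft.Authorization/roleDefinitions/$storageRoleId" ],
      "conflictEffect": "audit",
      "operations": [
        { "operation": "addOrReplace",
          "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
          "value": true }
      ]
    }
  }
}
"@

$definition = New-AzPolicyDefinition -Name 'storage-https-only-modify' `
    -DisplayName 'Storage accounts must require secure transfer (modify)' `
    -Policy $rule -Mode Indexed -ManagementGroupName $mgName

# Assign at the root management group so every child subscription inherits it.
# A system-assigned identity is mandatory for modify/deployIfNotExists.
$assignment = New-AzPolicyAssignment -Name 'storage-https-only' `
    -DisplayName 'Enforce HTTPS-only storage' `
    -PolicyDefinition $definition -Scope $mgScope `
    -IdentityType SystemAssigned -Location 'eastus'

# Without this role grant, remediation tasks are created but every deployment fails.
# Property names below follow Az.Resources 6.x; 7.x flattens them to
# $assignment.IdentityPrincipalId and $assignment.Id.
New-AzRoleAssignment -ObjectId $assignment.Identity.PrincipalId `
    -RoleDefinitionName 'Storage Account Contributor' -Scope $mgScope

# New and updated storage accounts are corrected at request time. Existing ones need a
# remediation task; ReEvaluateCompliance forces a fresh scan before remediating.
Start-AzPolicyRemediation -Name 'storage-https-only-initial' `
    -ManagementGroupName $mgName `
    -PolicyAssignmentId $assignment.PolicyAssignmentId `
    -ResourceDiscoveryMode ReEvaluateCompliance

# Check: anything still non-compliant under the management group after the task runs.
Get-AzPolicyState -ManagementGroupName $mgName `
    -Filter "PolicyAssignmentName eq 'storage-https-only' and ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, ComplianceState
```

The allowed-locations and NSG port controls follow the same definition-and-assignment pattern with a 'deny' effect (a built-in 'Allowed locations' definition already exists); deny needs no identity or remediation task because non-compliant requests are rejected before the resource exists. New-AzPolicyAssignment requires -Location whenever an identity is requested, and the role must be granted at or above the assignment scope.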

97
MCQeasy

A manufacturing company wants to secure its IoT devices that run on Azure IoT Hub. They need to ensure that only authorized devices can connect and that firmware updates are signed. Which combination of Azure services should they use?

A.Azure IoT Hub Device Provisioning Service and Microsoft Defender for IoT
B.Microsoft Entra ID and Azure Policy
C.Azure Sphere and Azure Security Center
D.Microsoft Intune and Azure Automation
AnswerA

DPS ensures authorized provisioning, Defender for IoT monitors and validates firmware.

Why this answer

Option A is correct because Azure IoT Hub Device Provisioning Service (DPS) enables zero-touch, just-in-time provisioning of IoT devices while enforcing authentication via X.509 certificates or TPM attestation, ensuring only authorized devices connect. Microsoft Defender for IoT adds continuous threat monitoring for the device fleet and firmware analysis (checking firmware images for known vulnerabilities, weak or hard-coded cryptographic material and certificate problems), which supports the requirement that only trusted, signed firmware reaches devices.

Exam trap

The trap here is that candidates may confuse Azure Sphere's built-in security features with the need for a separate provisioning and monitoring service, overlooking that Azure Sphere is a full-stack solution rather than a service that integrates with existing IoT Hub devices.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra ID (formerly Azure AD) is an identity and access management service for user and application identities, not for IoT device authentication or firmware signing; Azure Policy enforces compliance rules on Azure resources but does not handle device provisioning or firmware update signing. Option C is wrong because Azure Sphere is a complete IoT security solution with its own certified chips and OS, but it is a standalone platform, not a combination of services that integrates with existing Azure IoT Hub devices; Azure Security Center (now Microsoft Defender for Cloud) provides security posture management but does not handle device provisioning or firmware signing. Option D is wrong because Microsoft Intune is a mobile device management (MDM) service for managing user endpoints like phones and PCs, not IoT devices; Azure Automation is for automating cloud management tasks, not for device provisioning or firmware signing.

98
Multi-Selectmedium

Which TWO Microsoft security solutions should be integrated to provide a comprehensive Zero Trust architecture that includes identity protection, endpoint detection, and response? (Select exactly two correct options.)

Select 2 answers
A.Microsoft 365 E5
B.Microsoft Defender XDR
C.Microsoft Entra ID
D.Microsoft Sentinel
E.Microsoft Purview
AnswersB, C

Provides endpoint detection and response across domains.

Why this answer

Microsoft Defender XDR (B) is correct because it provides unified endpoint detection and response (EDR) across devices, email, and identities, integrating signals from Microsoft Defender for Endpoint, Defender for Office 365, and Defender for Identity. Microsoft Entra ID (C) is correct because it delivers identity protection through Conditional Access, risk-based policies, and identity governance, forming the identity pillar of a Zero Trust architecture. Together, they cover identity protection and endpoint detection/response, two core Zero Trust components.

Exam trap

The trap here is that candidates often confuse Microsoft 365 E5 (a licensing bundle) with a specific security solution, or they mistakenly think Microsoft Sentinel (a SIEM) fulfills the endpoint detection requirement, when in fact Sentinel is for log analysis and not for real-time endpoint detection and response.

99
Multi-Selecthard

A company is deploying Microsoft Entra ID Governance. They need to implement a least privilege access model for their Azure resources. Which TWO features should they use? (Choose two.)

Select 2 answers
A.Privileged Identity Management (PIM)
B.Identity Protection
C.Conditional Access policies
D.Microsoft Intune compliance policies
E.Entitlement Management
AnswersA, E

PIM provides just-in-time privileged access to Azure resources.

Why this answer

Privileged Identity Management (PIM) is correct because it provides just-in-time (JIT) privileged access to Azure resources, enabling time-bound and approval-based role activation. This directly supports a least privilege model by ensuring users only have elevated permissions when needed, reducing standing access. Entitlement Management is correct because it packages the groups, applications and SharePoint sites a job needs into access packages with approval workflows, expiring assignments and access reviews, so non-privileged access is also granted only for the scope and duration a business justification supports rather than accumulating indefinitely.

Exam trap

The trap here is confusing Identity Protection (a risk-detection tool) or Conditional Access (an access-enforcement tool) with governance features that directly manage role assignments and time-bound access, leading candidates to overlook the two specific features designed for least privilege in Azure resources.
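An added example of the PIM half of this answer in Az PowerShell (my own code, not from the question page or from Microsoft). It assumes the Az.Resources module with the PIM cmdlets, Connect-AzAccount run as an Owner or User Access Administrator at the subscription, and placeholder values for the subscription ID and the user's object ID.

```powershell
# Added example, not from the question page. Placeholders: subscription and principal IDs.
$subscriptionId = '11111111-1111-1111-1111-111111111111'   # placeholder
$userObjectId   = '22222222-2222-2222-2222-222222222222'   # placeholder
$scope = "/subscriptions/$subscriptionId"

$contributorId    = (Get-AzRoleDefinition -Name 'Contributor').Id
$roleDefinitionId = "$scope/providers/Microsoft.Authorization/roleDefinitions/$contributorId"

# Eligibility, not assignment: for 90 days the user holds no Contributor rights,
# only the right to activate them. Standing privilege is removed by construction.
New-AzRoleEligibilityScheduleRequest -Name (New-Guid).Guid -Scope $scope `
    -PrincipalId $userObjectId -RoleDefinitionId $roleDefinitionId `
    -RequestType AdminAssign `
    -ScheduleInfoStartDateTime (Get-Date).ToUniversalTime() `
    -ExpirationType AfterDuration -ExpirationDuration 'P90D' `
    -Justification 'Least-privilege model: eligible rather than permanent'

# What the eligible user runs to activate for a bounded window. The role's PIM policy
# can additionally require MFA, a justification and approver sign-off on this request.
# New-AzRoleAssignmentScheduleRequest -Name (New-Guid).Guid -Scope $scope `
#     -PrincipalId $userObjectId -RoleDefinitionId $roleDefinitionId `
#     -RequestType SelfActivate -ScheduleInfoStartDateTime (Get-Date).ToUniversalTime() `
#     -ExpirationType AfterDuration -ExpirationDuration 'PT4H' -Justification 'Change ticket 1234'

# Checks: who still holds permanent (non-PIM) Contributor at this scope, which is the
# list that should shrink to break-glass and service identities, and who is eligible.
Get-AzRoleAssignment -Scope $scope -RoleDefinitionName 'Contributor' |
    Select-Object DisplayName, ObjectType, Scope
Get-AzRoleEligibilitySchedule -Scope $scope |
    Select-Object PrincipalDisplayName, RoleDefinitionDisplayName, EndDateTime
```

Eligibility duration and activation duration are separate controls: the first bounds how long a person can keep requesting the role, the second bounds each session. Review the permanent-assignment list before enabling PIM enforcement, since the first activation attempt is usually where a forgotten standing Owner assignment is discovered.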

100
Multi-Selectmedium

Which TWO actions align with the Zero Trust principle of 'verify explicitly'? (Select two.)

Select 2 answers
A.Deploy a VPN for remote access
B.Use conditional access policies to evaluate user and device risk before granting access
C.Encrypt all data at rest
D.Require multifactor authentication for all users
E.Implement network segmentation to limit lateral movement
AnswersB, D

Conditional Access verifies explicitly by evaluating multiple signals.

Why this answer

Option B is correct because conditional access policies evaluate real-time signals such as user identity, device compliance, location, and risk level before granting access to resources. This aligns with the Zero Trust principle of 'verify explicitly' by requiring continuous validation of every access request rather than trusting based on network location alone. Option D is correct because requiring multifactor authentication for all users is explicit verification of the identity itself: possession of a second factor is proven on every sign-in rather than inferred from a password or a trusted network. Together, B and D verify both who is asking and the context in which they ask.

Exam trap

Microsoft often tests the misconception that encryption or network segmentation are forms of verification, but they are actually data protection and containment controls, respectively, and do not satisfy the 'verify explicitly' requirement of Zero Trust.

101
Multi-Selecteasy

Your organization is implementing a Zero Trust network architecture in Azure. Which TWO principles are foundational to Zero Trust?

Select 2 answers
A.Use network segmentation
B.Verify explicitly
C.Assume breach
D.Rely on perimeter security
E.Trust but verify
AnswersB, C

Always authenticate and authorize based on all available data points.

Why this answer

Option B is correct because 'Verify explicitly' is a core principle of Zero Trust, which mandates that every access request must be authenticated and authorized based on all available data points (e.g., user identity, device health, location) before granting access. This eliminates implicit trust based solely on network location, aligning with Azure's conditional access policies and Microsoft Entra ID authentication. Option C is correct because 'Assume breach' treats every request, host and network segment as potentially compromised, which drives least privilege, segmentation, encryption and continuous monitoring so that a single stolen credential or compromised device cannot move freely. Together with 'Use least privilege access', these are Microsoft's three Zero Trust principles.

Exam trap

The trap here is that candidates often confuse network segmentation (a tactical control) with the strategic Zero Trust principle of 'Assume breach', or mistakenly think 'Trust but verify' is acceptable when the exam requires the explicit 'Verify explicitly' and 'Assume breach' as the two foundational pillars.

102
MCQmedium

Refer to the exhibit. You are reviewing an ARM template that deploys a network security group (NSG) for a web application. The NSG allows inbound HTTP traffic from any source and then denies all other inbound traffic. However, after deployment, you find that HTTP traffic is being blocked. What is the most likely cause?

A.The AllowHTTP rule uses sourcePortRange '*' which conflicts with the DenyAll rule.
B.The NSG is not associated with the subnet or network interface where the web server is deployed.
C.The DenyAll rule has a higher priority than the AllowHTTP rule, so it takes precedence.
D.The DenyAll rule uses protocol '*' which blocks all traffic including HTTP.
AnswerB

An NSG must be associated with a subnet or NIC to take effect.

Why this answer

Option B is correct because an NSG filters nothing until it is associated with a subnet or a network interface (NIC). If the NSG defined in the template is never attached to the web server's subnet or NIC, its AllowHTTP rule is simply not in the evaluation path; the server's inbound traffic is governed by whatever security groups actually are attached (for example an existing subnet NSG with no HTTP rule, whose built-in DenyAllInBound rule at priority 65500 then drops the traffic). The rules look correct in the template while HTTP is still blocked, which is what the question describes. The first check is the effective security rules on the NIC, which combine the subnet-level and NIC-level NSGs.

Exam trap

The trap here is that candidates assume an NSG's rules are automatically applied to all resources in the same region or virtual network, when in fact the NSG must be explicitly associated with a subnet or NIC to take effect.

How to eliminate wrong answers

Option A is wrong because sourcePortRange '*' is the normal wildcard for inbound rules (clients connect from ephemeral source ports) and has no interaction with the DenyAll rule; it does not cause blocking. Option C is wrong because NSG rules are evaluated in ascending priority number and processing stops at the first match, so AllowHTTP works only if its number (for example 100) is lower than DenyAll's (for example 4096); a DenyAll rule with the lower number would indeed override the allow, but the question presents the rule order as intended, so priority is not the cause here. Option D is wrong because protocol '*' in DenyAll is exactly what a catch-all deny should use; it only matters once the NSG is associated, and even then AllowHTTP matches first.
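An added example in Az PowerShell (my own code, not the exhibit's template) that builds the AllowHTTP/DenyAll NSG, performs the association step the answer says is missing, and then runs the check a practitioner would do first: reading the effective rules on the NIC. It assumes the Az.Network module and a resource group 'rg-web' containing a VNet 'vnet-web' with subnet 'web' (10.0.1.0/24) and a NIC 'web-nic' attached to a running VM; all of these names are placeholders.

```powershell
# Added example, not the exhibit's ARM template. Placeholder names throughout.
$rg = 'rg-web'; $location = 'eastus'

# Lower number = evaluated first. AllowHTTP at 100 is matched before DenyAll at 4096.
$allowHttp = New-AzNetworkSecurityRuleConfig -Name 'AllowHTTP' -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix 'Internet' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 80

# Explicit catch-all deny below the allow. Every NSG already ends with DenyAllInBound at
# 65500, so this rule mainly documents intent and overrides AllowVnetInBound (65000).
$denyAll = New-AzNetworkSecurityRuleConfig -Name 'DenyAll' -Priority 4096 `
    -Direction Inbound -Access Deny -Protocol '*' `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '*'

$nsg = New-AzNetworkSecurityGroup -Name 'nsg-web' -ResourceGroupName $rg `
    -Location $location -SecurityRules $allowHttp, $denyAll

# Association: without this step the rules above govern nothing.
$vnet = Get-AzVirtualNetwork -Name 'vnet-web' -ResourceGroupName $rg
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'web' `
    -AddressPrefix '10.0.1.0/24' -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Check: effective rules on the NIC merge the subnet NSG and any NIC NSG, so this is the
# view that explains unexpected blocks (or unexpected allows). The VM must be running.
$effective = Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName 'web-nic' -ResourceGroupName $rg
$effective.EffectiveSecurityRules |
    Where-Object { $_.Direction -eq 'Inbound' } |
    Sort-Object Priority |
    Select-Object Name, Priority, Access, Protocol, DestinationPortRange
```

If a NIC-level NSG is also present, traffic must be allowed by both the subnet NSG and the NIC NSG; an AllowHTTP rule on one and a DenyAll on the other still blocks port 80, which is the other common explanation for the symptom in the question.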

103
MCQmedium

Fabrikam is a healthcare organization that uses Microsoft 365 E5 and Azure. They have a hybrid identity environment with Active Directory on-premises synced to Microsoft Entra ID. The security team wants to implement a Zero Trust strategy following the 'verify explicitly' principle. They need to ensure that all access to Microsoft 365 services and Azure applications is conditionally enforced based on real-time risk signals. Additionally, they want to block legacy authentication protocols that do not support modern authentication. The solution must integrate with Microsoft Defender XDR and Microsoft Sentinel for threat intelligence. Which combination of technologies should you recommend?

A.Implement Azure AD Identity Governance with access reviews. Use Conditional Access to require hybrid Azure AD joined devices. Block legacy authentication by disabling protocols in Exchange Online. Use Azure Sentinel without Defender XDR.
B.Use Azure AD B2B for external users only. Configure Conditional Access with MFA for all users. Use Azure AD Identity Protection for risk. Block legacy authentication at the firewall level.
C.Deploy Microsoft Intune for mobile device management and require compliant devices. Use Conditional Access to block legacy protocols. Rely on Azure ATP (now Microsoft Defender for Identity) for risk signals.
D.Use Microsoft Entra Conditional Access policies with session controls from Microsoft Defender for Cloud Apps. Enable Microsoft Entra ID Protection to feed risk signals into Conditional Access. Block legacy authentication via a Conditional Access policy targeting 'Exchange Active Sync' and 'Other clients'. Integrate Microsoft Sentinel to ingest alerts from Defender XDR.
AnswerD

Directly addresses real-time risk, legacy auth blocking, and central SIEM integration.

Why this answer

Option D is correct because it directly implements the 'verify explicitly' principle by using Microsoft Entra ID Protection to feed real-time user and sign-in risk into Conditional Access policies, which then enforce session controls via Microsoft Defender for Cloud Apps. It blocks legacy authentication through a targeted Conditional Access policy (not just disabling protocols in Exchange Online or at the firewall), and integrates Microsoft Sentinel to ingest alerts from Defender XDR for centralized threat intelligence. This combination ensures all access to Microsoft 365 and Azure applications is conditionally enforced based on dynamic risk, while also addressing the requirement to block legacy protocols that lack modern authentication support. Exchange Online itself has had basic authentication turned off since 2022 (SMTP AUTH can still be enabled per tenant), but the Conditional Access policy is what gives tenant-wide enforcement across every application, with report-only mode for testing and sign-in log entries for audit.

Exam trap

The trap here is that candidates often think blocking legacy authentication must be done at the protocol level (e.g., disabling in Exchange Online or firewall) rather than using a Conditional Access policy, which is the recommended and more comprehensive method in a Zero Trust architecture.

How to eliminate wrong answers

Option A is wrong because it blocks legacy protocols only inside Exchange Online (authentication policies there cover Exchange protocols such as POP3, IMAP and SMTP AUTH but nothing else in Microsoft 365 or Azure, and carry no risk signals), and it uses Sentinel without Defender XDR, violating the requirement to integrate both. Option B is wrong because a network firewall, without TLS interception, cannot tell a basic-auth IMAP session from a modern-auth one inside the same encrypted connection to Microsoft 365, so firewall-level blocking is neither granular nor complete, and Azure AD B2B covers external collaboration rather than the core access policy for the workforce. Option C is wrong because Microsoft Defender for Identity (formerly Azure ATP) detects on-premises Active Directory attacks and is not the component that evaluates sign-in and user risk in real time for Conditional Access; Microsoft Entra ID Protection is. Device compliance through Intune is a useful Conditional Access signal but is not the risk-based mechanism the question asks for.
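An added example of the legacy-authentication block from option D, written against the Microsoft Graph PowerShell SDK (my own code, not from the question page or from Microsoft). It assumes Connect-MgGraph has been run with the Policy.ReadWrite.ConditionalAccess and AuditLog.Read.All scopes, and uses a placeholder object ID for an excluded emergency-access group. The policy is created in report-only mode, which is the check to run before enforcing.

```powershell
# Added example, not from the question page. Placeholder: break-glass group object ID.
$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # replace before use

$policy = @{
    displayName = 'Block legacy authentication'
    # Report-only first: sign-ins are evaluated and logged but not blocked.
    state       = 'enabledForReportingButNotEnforced'   # change to 'enabled' after review
    conditions  = @{
        users = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)   # never lock out emergency access
        }
        applications = @{ includeApplications = @('All') }
        # These two client app types are the basic-auth clients (ActiveSync, POP, IMAP,
        # SMTP AUTH, older Office); 'browser' and 'mobileAppsAndDesktopClients' are untouched.
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Check before enforcing: who is still using legacy clients in the last 7 days.
# These are the users (and service accounts) who will break when the state flips.
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')
$legacyClients = 'Exchange ActiveSync', 'IMAP4', 'POP3', 'Authenticated SMTP', 'Other clients'
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $legacyClients -contains $_.ClientAppUsed } |
    Group-Object ClientAppUsed, UserPrincipalName |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

The report-only results also appear per sign-in in the Entra sign-in log under the policy's name; the usual finding is a handful of scanners, multifunction printers and scripts using SMTP AUTH, which should be moved to an Exchange Online connector or a modern-auth-capable client before the policy is switched to enabled.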

104
MCQmedium

Your organization uses Microsoft Defender for Office 365 to protect against phishing attacks. The security team wants to implement a custom advanced phishing threshold policy that blocks suspicious emails more aggressively. Which policy type should they modify?

A.ATP policy
B.Safe Attachments policy
C.Safe Links policy
D.Anti-phishing policy
AnswerD

Anti-phishing policies have advanced threshold settings.

Why this answer

The anti-phishing policy in Microsoft Defender for Office 365 carries the advanced phishing thresholds setting, which controls how aggressively machine-learning phishing verdicts are acted on. Its four levels are Standard (1), Aggressive (2), More aggressive (3) and Most aggressive (4); moving above Standard makes borderline messages receive the configured phishing action earlier, at the cost of more false positives, so raise it on a pilot scope first. This setting exists only in Defender for Office 365 anti-phishing policies (EOP-only tenants get anti-phishing policies without it), and it is not part of Safe Attachments or Safe Links, which govern attachment and link scanning.

Exam trap

The trap here is that candidates confuse the outdated 'ATP policy' term with the modern anti-phishing policy, or they mistakenly think Safe Attachments or Safe Links control phishing thresholds, when in fact only the anti-phishing policy contains the Advanced Phishing Threshold settings.

How to eliminate wrong answers

Option A is wrong because 'ATP policy' is an outdated term: Office 365 Advanced Threat Protection was renamed Microsoft Defender for Office 365, there is no policy object by that name, and the phishing threshold lives in the anti-phishing policy. Option B is wrong because the Safe Attachments policy controls the detonation and scanning of email attachments for malware, not the phishing threshold or aggressiveness of phishing detection. Option C is wrong because the Safe Links policy protects users from malicious URLs in emails and Office documents, but it does not control the phishing threshold level or the aggressiveness of email filtering.
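An added example in Exchange Online PowerShell (my own code, not from the question page or from Microsoft) that creates a custom anti-phishing policy with a raised threshold and scopes it to a pilot group before it touches everyone. It assumes the ExchangeOnlineManagement module with Connect-ExchangeOnline already run, a Defender for Office 365 license, and a placeholder pilot distribution group address.

```powershell
# Added example, not from the question page. Placeholder: pilot group address.
$policyName = 'AntiPhish-Aggressive'
$pilotGroup = 'pilot-users@contoso.com'   # placeholder

# PhishThresholdLevel: 1 = Standard, 2 = Aggressive, 3 = More aggressive, 4 = Most aggressive.
# Level 3 is a reasonable pilot setting; 4 is where false positives climb noticeably.
New-AntiPhishPolicy -Name $policyName `
    -Enabled $true `
    -PhishThresholdLevel 3 `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction Quarantine `
    -EnableSpoofIntelligence $true `
    -AuthenticationFailAction Quarantine

# A policy does nothing until a rule assigns it to recipients. Priority 0 puts it ahead
# of any other custom anti-phishing rule for members of the pilot group.
New-AntiPhishRule -Name "$policyName-rule" `
    -AntiPhishPolicy $policyName `
    -SentToMemberOf $pilotGroup `
    -Priority 0

# Check: confirm the effective threshold and the scope actually in force.
Get-AntiPhishPolicy -Identity $policyName |
    Format-List Name, PhishThresholdLevel, IsDefault, MailboxIntelligenceProtectionAction
Get-AntiPhishRule -Identity "$policyName-rule" |
    Format-List SentToMemberOf, State, Priority
```

Run the pilot long enough to see a normal week of mail, then review quarantine for user-released items before widening the rule; the built-in default policy keeps its Standard threshold for everyone the rule does not cover.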

105
Multi-Selectmedium

Which TWO of the following are key components of a Zero Trust architecture according to Microsoft? (Choose two.)

Select 2 answers
A.Trust but verify
B.Implicit trust for internal traffic
C.Use least privilege access
D.Verify explicitly
E.Rely on a strong perimeter
AnswersC, D

Limit user access with just-in-time and just-enough-access.

Why this answer

In Microsoft's Zero Trust model, 'least privilege access' (Option C) is a core principle that ensures users and devices are granted only the minimum permissions necessary to perform their tasks, reducing the attack surface. This is enforced through technologies like Azure AD Conditional Access and Privileged Identity Management (PIM), which dynamically limit access based on risk and context. 'Verify explicitly' (Option D) is the second principle: every request is authenticated and authorized on all available signals (identity, device health, location, service, data classification, anomalies) instead of being trusted because it arrives from an internal network. The third principle, 'assume breach', is not among the options.

Exam trap

The trap here is that candidates often confuse 'trust but verify' (a legacy model) with Zero Trust's 'never trust, always verify' principle, leading them to incorrectly select Option A as a key component.

106
MCQhard

Your organization uses Microsoft Defender for Cloud to assess the security posture of Azure resources. The compliance team wants to ensure that all storage accounts have secure transfer required enabled. Which action should you take in Defender for Cloud?

A.Configure the regulatory compliance dashboard
B.Review the secure score
C.Implement the 'Secure transfer to storage accounts should be enabled' recommendation
D.Enable the 'Cloud Security Posture Management' plan
AnswerC

Implementing the recommendation applies the required setting via Azure Policy.

Why this answer

The correct action is to implement the 'Secure transfer to storage accounts should be enabled' recommendation because Microsoft Defender for Cloud provides built-in security recommendations that map to specific controls. This recommendation directly checks whether the 'Secure transfer required' property is enabled on each storage account, and if not, it provides remediation steps to enforce HTTPS-only traffic, which aligns with the compliance team's requirement. The recommendation is backed by the Azure Policy definition of the same name and offers a Fix action in the portal; for more than a handful of accounts, assigning that policy at subscription or management group scope with a remediation task is the scalable route.

Exam trap

The trap here is that candidates confuse viewing compliance or score metrics (options A and B) with taking direct action to enforce a specific security control, or they mistakenly think enabling a higher-level plan (option D) automatically applies all underlying recommendations.

How to eliminate wrong answers

Option A is wrong because the regulatory compliance dashboard is used to view compliance posture against standards (e.g., PCI DSS, ISO 27001) and track progress, but it does not directly enforce or implement a specific security setting like secure transfer required. Option B is wrong because the secure score is a numerical summary of your overall security posture based on implemented recommendations; reviewing it shows the score impact but does not itself enable the secure transfer setting. Option D is wrong because enabling the 'Cloud Security Posture Management' plan is a prerequisite for receiving certain recommendations and advanced features, but it does not directly implement the 'Secure transfer to storage accounts should be enabled' recommendation; it only enables the capability to assess and recommend.

107
Multi-Selectmedium

Which TWO Microsoft security solutions can help enforce Zero Trust principles by verifying identity and device health before granting access to resources?

Select 2 answers
A.Microsoft Intune
B.Microsoft Purview
C.Microsoft Entra ID Conditional Access
D.Microsoft Defender for Cloud Apps
E.Microsoft Sentinel
AnswersA, C

Intune ensures devices are compliant and healthy, supporting conditional access.

Why this answer

Microsoft Entra ID Conditional Access (C) is the policy engine that verifies the identity and evaluates each sign-in (user, location, risk, client app) before granting access. Microsoft Intune (A) supplies the device-health half: its compliance policies mark a device compliant or not, and Conditional Access can require a compliant device as a grant control. Together they verify both who is asking and what they are asking from.

Option B is wrong because Microsoft Purview is for data governance and protection, not access decisions. Option D is wrong because Microsoft Defender for Cloud Apps focuses on cloud app discovery, session control and SaaS security rather than performing the identity and device checks themselves. Option E is wrong because Microsoft Sentinel is a SIEM that analyzes logs after the fact and does not gate access.

108
Multi-Selecteasy

Your organization wants to implement a defense-in-depth strategy for Azure virtual machines. Which THREE of the following should you include?

Select 3 answers
A.Azure Disk Encryption for OS and data disks
B.Azure Firewall to inspect all traffic to the VMs
C.Microsoft Defender for Cloud with vulnerability assessment and just-in-time VM access
D.Azure Bastion to provide secure RDP and SSH access
E.Network security groups (NSGs) to filter traffic to and from the VMs
AnswersA, C, E

Encryption at rest protects data if disks are compromised.

Why this answer

Azure Disk Encryption (ADE) uses BitLocker for Windows and DM-Crypt for Linux to encrypt OS and data disks at rest, protecting against unauthorized access to the physical disk. This is a foundational layer of defense-in-depth, ensuring that if an attacker gains access to the disk, the data remains unreadable without the encryption keys stored in Azure Key Vault. Microsoft Defender for Cloud (C) adds the posture and exposure layer: vulnerability assessment finds exploitable software on the VM, and just-in-time VM access keeps management ports closed until a time-bound request opens them to a specific source. Network security groups (E) are the network layer closest to the VM, filtering inbound and outbound traffic per subnet or NIC. Disk, host and network each get a control, which is what defense in depth means here.

Exam trap

The trap here is that candidates often include Azure Firewall or Azure Bastion as core defense-in-depth components, but the question asks for the three most essential layers; Azure Firewall is redundant with NSGs for basic VM traffic filtering, and Bastion is a secure access method, not a protective layer for the VM itself.

109
Multi-Selectmedium

Which TWO should you implement to protect privileged accounts in Microsoft Entra ID?

Select 2 answers
A.Microsoft Purview Data Loss Prevention
B.Conditional Access policies requiring MFA for privileged roles
C.Microsoft Defender for Cloud security score
D.Microsoft Defender Vulnerability Management
E.Microsoft Entra Privileged Identity Management (PIM)
AnswersB, E

Adds authentication step for privileged access.

Why this answer

Option B is correct because Conditional Access policies can enforce multifactor authentication (MFA) specifically for users assigned to privileged roles in Microsoft Entra ID. This directly protects those accounts by requiring a second authentication factor, reducing the risk of credential theft or reuse. It is a core identity security control recommended by Microsoft for privileged access.

Exam trap

The trap here is that candidates often confuse a measurement or monitoring tool (like security score or vulnerability management) with an actual security control that directly protects privileged accounts, leading them to select options that are only indirectly related.

110
MCQhard

You are designing a security solution for a multinational organization that uses Microsoft Entra ID. They have a hybrid identity environment with Active Directory on-premises. The security team requires that all administrative actions in Microsoft Entra ID are logged and monitored in real-time with alerts for critical changes. Which two data sources should you stream to Microsoft Sentinel?

A.Microsoft Entra ID Sign-in Logs
B.Microsoft Entra ID Audit Logs
C.Azure Activity Log
D.Microsoft Entra ID Provisioning Logs
AnswerA, B

Sign-in logs provide real-time authentication activity.

Why this answer

Microsoft Entra ID Audit Logs contain records of all administrative changes and configuration modifications within the tenant, such as user role assignments, group membership updates, and application permission grants. Streaming these logs to Microsoft Sentinel enables real-time monitoring and alerting for critical administrative actions, meeting the security team's requirement for logging and alerting on all administrative actions.

Exam trap

The trap here is that candidates often confuse Azure Activity Log (which covers Azure resource operations) with Microsoft Entra ID Audit Logs (which cover directory administrative actions), leading them to select Azure Activity Log instead of the correct Entra ID Audit Logs.

How to eliminate wrong answers

Option C (Azure Activity Log) is wrong because it captures control-plane operations on Azure resources (e.g., creating a VM or modifying a network security group), not administrative actions within Microsoft Entra ID itself. Option D (Microsoft Entra ID Provisioning Logs) is wrong because it records synchronization activities between Entra ID and third-party applications (e.g., ServiceNow or SAP), not administrative changes to the Entra ID directory.

111
MCQmedium

Refer to the exhibit. You are reviewing a conditional access policy JSON in Microsoft Entra ID. The policy is enabled but users with the Global Administrator role are not being prompted for MFA. What is the most likely reason?

A.The policy does not include any users except by role.
B.The policy does not include any applications.
C.The grant control requires a compliant device instead of MFA.
D.The policy state is disabled.
AnswerA

The policy includes users by role but is missing the 'includeUsers' array; without specifying users, no users are targeted.

Why this answer

Option A is correct because the policy's 'Include' filter is set to 'All users' while its 'Exclude' filter contains the 'Global Administrator' role. Since the policy excludes Global Administrators, they are not subject to the MFA grant control, even though the policy is enabled. The JSON snippet shows the policy is enabled and includes all users by default, but the exclusion of the Global Administrator role overrides the inclusion, so they are never evaluated for MFA.

Exam trap

The trap here is that candidates assume 'All users' includes all users regardless of role, but they overlook that the exclusion of specific roles or users can completely bypass the policy, and the exam tests whether you understand that exclusion rules override inclusion rules in Conditional Access policies.

How to eliminate wrong answers

Option B is wrong because the policy does not need to include any specific applications; if no applications are selected, the policy applies to all applications by default, which would still trigger MFA for included users. Option C is wrong because the grant control in the policy explicitly requires MFA ('mfa' in the grantControls), not a compliant device, so that does not explain why Global Administrators are not prompted. Option D is wrong because the policy state is set to 'enabled' (as shown in the JSON), so it is active and should enforce MFA for users who are not excluded.
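To make the scoping rule concrete, here is an added example (not part of the original question set) that evaluates a Conditional Access policy's user assignment the way the explanation describes: inclusions are checked first, exclusions always win, and an empty include set targets nobody. The policy shape loosely follows the Microsoft Graph conditionalAccessPolicy resource; the policies, user records and the role ID are constructed for this example.

```python
"""Evaluate which users a Conditional Access policy actually targets.

Constructed example: the policy documents, the user records and the role ID
are made up for illustration and do not come from a real tenant.
"""
from __future__ import annotations

# Placeholder for the Global Administrator directory role template ID
# (constructed; a real tenant references the role by its template GUID).
GLOBAL_ADMIN_ROLE_ID = "ROLE-TEMPLATE-ID-GLOBAL-ADMIN-PLACEHOLDER"

# Policy 1: enabled, requires MFA, includes 'All' users, but excludes the
# Global Administrator role. This is the situation the explanation describes.
POLICY_EXCLUDES_ADMIN_ROLE = {
    "displayName": "Require MFA for all users",
    "state": "enabled",
    "conditions": {
        "users": {
            "includeUsers": ["All"],
            "excludeUsers": [],
            "includeGroups": [],
            "excludeGroups": [],
            "includeRoles": [],
            "excludeRoles": [GLOBAL_ADMIN_ROLE_ID],
        },
        "applications": {"includeApplications": ["All"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# Policy 2: enabled and requires MFA, but the include arrays are empty,
# so the policy targets nobody at all (the other failure mode on the page).
POLICY_NO_INCLUDES = {
    "displayName": "Require MFA (nobody included)",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": [], "includeGroups": [], "includeRoles": [],
                  "excludeUsers": [], "excludeGroups": [], "excludeRoles": []},
        "applications": {"includeApplications": ["All"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# Constructed user records: id, group memberships and active directory roles.
GLOBAL_ADMIN = {"id": "user-admin-001", "groups": [], "roles": [GLOBAL_ADMIN_ROLE_ID]}
REGULAR_USER = {"id": "user-staff-042", "groups": ["grp-sales"], "roles": []}


def user_in_scope(policy: dict, user: dict) -> bool:
    """Return True when the policy's user assignment applies to this user.

    A user must match an include condition AND match no exclude condition;
    a report-only or disabled policy is never enforced.
    """
    if policy.get("state") != "enabled":
        return False
    users = policy["conditions"]["users"]
    included = (
        "All" in users.get("includeUsers", [])
        or user["id"] in users.get("includeUsers", [])
        or bool(set(user["groups"]) & set(users.get("includeGroups", [])))
        or bool(set(user["roles"]) & set(users.get("includeRoles", [])))
    )
    if not included:
        return False
    excluded = (
        user["id"] in users.get("excludeUsers", [])
        or bool(set(user["groups"]) & set(users.get("excludeGroups", [])))
        or bool(set(user["roles"]) & set(users.get("excludeRoles", [])))
    )
    return not excluded


def requires_mfa(policy: dict, user: dict) -> bool:
    """True when the user is in scope and the grant control requires MFA."""
    controls = policy.get("grantControls", {}).get("builtInControls", [])
    return user_in_scope(policy, user) and "mfa" in controls


def audit_policy(policy: dict) -> list[str]:
    """Flag the misconfigurations discussed above for a policy meant to MFA admins."""
    findings: list[str] = []
    users = policy["conditions"]["users"]
    if policy.get("state") != "enabled":
        findings.append("policy state is not 'enabled'; nothing is enforced")
    if not any(users.get(k) for k in ("includeUsers", "includeGroups", "includeRoles")):
        findings.append("no users, groups or roles are included; policy targets nobody")
    if GLOBAL_ADMIN_ROLE_ID in users.get("excludeRoles", []):
        findings.append("Global Administrator role is excluded; admins bypass the grant")
    if "mfa" not in policy.get("grantControls", {}).get("builtInControls", []):
        findings.append("grant control does not require MFA")
    return findings


if __name__ == "__main__":
    for name, policy in (("excludes admin role", POLICY_EXCLUDES_ADMIN_ROLE),
                         ("no includes", POLICY_NO_INCLUDES)):
        print(name, "-> admin prompted for MFA:", requires_mfa(policy, GLOBAL_ADMIN),
              "| findings:", audit_policy(policy))
```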

112
MCQmedium

Your organization is implementing a secure DevOps pipeline for a critical application. You need to design a solution that scans container images for vulnerabilities before they are deployed to production. Which Azure service should you integrate into the pipeline?

A.Azure Key Vault
B.Azure Policy
C.Microsoft Defender for Cloud
D.Azure Security Center
AnswerC

Defender for Cloud provides vulnerability scanning for container images in ACR.

Why this answer

Microsoft Defender for Cloud (formerly Azure Security Center) provides integrated vulnerability assessment for container images stored in Azure Container Registry (ACR). When integrated into a DevOps pipeline, Defender for Cloud can scan images on push or on demand, using the Qualys scanner to detect CVEs and generate detailed security reports. This allows the pipeline to block or flag vulnerable images before they reach production, directly addressing the requirement for pre-deployment vulnerability scanning.

Exam trap

The trap here is that candidates may confuse the old name 'Azure Security Center' with the current service 'Microsoft Defender for Cloud', or assume that Azure Policy can perform vulnerability scanning when it only enforces configuration compliance, not image-level security analysis.

How to eliminate wrong answers

Option A is wrong because Azure Key Vault is a secrets management service for storing keys, certificates, and passwords, not a container image vulnerability scanner. Option B is wrong because Azure Policy enforces compliance rules on Azure resources (e.g., requiring ACR to use private endpoints) but does not perform runtime or image-level vulnerability scanning. Option D is wrong because Azure Security Center was the previous name for what is now Microsoft Defender for Cloud; the current service name is Defender for Cloud, and the exam expects the updated terminology.

113
MCQmedium

Your organization uses Microsoft Entra ID and plans to implement a Zero Trust security model. You need to ensure that all access requests to corporate applications are continuously evaluated based on user risk, device compliance, and location. Which Microsoft Entra ID feature should you configure?

A.Identity Governance
B.Privileged Identity Management (PIM)
C.Identity Protection
D.Conditional Access
AnswerD

Conditional Access enforces policies based on user, device, and location signals.

Why this answer

Conditional Access is the correct feature because it enables real-time policy evaluation of access requests based on signals such as user risk (from Identity Protection), device compliance (via Microsoft Intune), and location (IP address ranges or named locations). This aligns directly with the Zero Trust principle of 'never trust, always verify' by continuously re-evaluating each access attempt rather than relying on static permissions.

Exam trap

The trap here is that candidates often confuse Identity Protection (which only detects risk) with Conditional Access (which enforces policies based on that risk), leading them to select Option C instead of D.

How to eliminate wrong answers

Option A is wrong because Identity Governance focuses on managing user lifecycle, access reviews, and entitlement management, not on real-time risk-based access evaluation. Option B is wrong because Privileged Identity Management (PIM) provides just-in-time privileged role activation and approval workflows, but it does not evaluate device compliance or location for general application access. Option C is wrong because Identity Protection detects and reports user and sign-in risks (e.g., leaked credentials, anonymous IP addresses) but does not enforce access decisions itself; it requires integration with Conditional Access to block or require MFA based on those risks.

114
Multi-Selectmedium

Your organization is implementing Microsoft Intune for mobile device management. You need to design a solution that ensures corporate data on mobile devices is protected if the device is lost or stolen. Which TWO actions should you configure?

Select 2 answers
A.Enforce a minimum PIN length on devices
B.Configure a compliance policy that requires device encryption
C.Deploy a selective wipe policy that removes corporate data
D.Require app protection policies (MAM) for all apps
E.Enable jailbreak detection in a device compliance policy
AnswersB, C

Encryption protects data if the device is physically accessed.

Why this answer

Option B is correct because a compliance policy requiring device encryption ensures that if a device is lost or stolen, the data stored on it is unreadable without the decryption key. Intune compliance policies evaluate encryption status (e.g., BitLocker on Windows, FileVault on macOS, or device encryption on iOS/Android) and mark noncompliant devices for conditional access blocking, preventing unauthorized access to corporate data.

Exam trap

The trap here is that candidates often confuse device-level encryption (compliance policy) with app-level protection (MAM) or access controls (PIN, jailbreak detection), failing to recognize that only encryption and selective wipe directly address data protection on a lost or stolen device.

115
MCQmedium

Your organization uses Microsoft Intune to manage devices. You need to ensure that devices that are not compliant with your organization's security policies are blocked from accessing corporate resources. Which Intune feature should you configure?

A.App protection policies
B.Device configuration profiles
C.Compliance policies
D.Enrollment restrictions
AnswerC

Compliance policies define conditions for device compliance; combined with Conditional Access, non-compliant devices are blocked.

Why this answer

Compliance policies in Microsoft Intune define the rules and settings that devices must meet to be considered compliant (e.g., requiring a minimum OS version, encryption, or a healthy device health attestation). When a device is marked as non-compliant, Intune can automatically block access to corporate resources such as Exchange Online, SharePoint, or VPN by integrating with Conditional Access in Microsoft Entra ID. This is the correct feature because it directly evaluates device compliance and enforces access control.

Exam trap

The trap here is that candidates confuse device configuration profiles (which apply settings) with compliance policies (which evaluate settings and enforce access), leading them to select Option B when the question specifically asks about blocking access based on non-compliance.

How to eliminate wrong answers

Option A is wrong because App protection policies (MAM) manage how data is accessed and shared within apps on devices that may not be enrolled in Intune, but they do not block device-level access to corporate resources based on device compliance. Option B is wrong because Device configuration profiles push settings (e.g., Wi-Fi, VPN, email) to devices but do not evaluate or enforce compliance; they are separate from the compliance evaluation and conditional access workflow. Option D is wrong because Enrollment restrictions control which devices can enroll in Intune (e.g., by platform or OS version), but they do not block access for devices that are already enrolled and become non-compliant after enrollment.

116
MCQhard

Your company is implementing Microsoft Copilot for Security to assist the security operations team. You need to ensure that prompts and responses from Copilot do not expose sensitive internal information to unauthorized users. Which configuration should you apply?

A.Enable RBAC and data boundary controls in Copilot for Security settings
B.Use a third-party AI gateway to sanitize prompts
C.Disable Copilot for Security for all users
D.Train users to avoid entering sensitive information in prompts
AnswerA

RBAC restricts access to authorized users, and data boundaries keep data within the tenant.

Why this answer

Enabling role-based access control (RBAC) and data boundary controls in Copilot for Security settings is correct because it restricts access to prompts and responses based on user roles and ensures data stays within your tenant. Option B (Use a third-party AI gateway) is unnecessary. Option C (Disable Copilot for Security for all users) would block the feature entirely. Option D (Train users to avoid sensitive data) is not a technical control.

117
MCQhard

You are a security architect for a large enterprise that is migrating to Microsoft 365. The organization has 50,000 users across multiple regions. They have recently experienced a ransomware attack that encrypted files on SharePoint Online and OneDrive for Business. The security team wants to implement a comprehensive protection strategy. Requirements: 1. Automatically detect and block ransomware-like behavior in real-time. 2. Provide users with self-service recovery of files encrypted by ransomware. 3. Ensure that all files in SharePoint and OneDrive are scanned for malware upon upload. 4. Minimize administrative overhead. Which combination of Microsoft 365 security features should you recommend?

A.Use Microsoft Entra ID Protection to detect compromised accounts and automatically block access.
B.Enable Microsoft Endpoint DLP and configure file policies to block encrypted files.
C.Enable Microsoft Defender for Office 365 to scan files on upload and use version history and recycle bin for recovery.
D.Configure Microsoft Purview auto-labeling to apply a 'Ransomware' label and then block all labeled files.
AnswerC

Defender for Office 365 provides malware scanning and ransomware detection; version history allows self-recovery.

Why this answer

Option C is correct because Microsoft Defender for Office 365 provides real-time scanning of files uploaded to SharePoint and OneDrive, detecting and blocking known malware. Combined with version history and the recycle bin, users can self-recover files encrypted by ransomware without administrative intervention, satisfying all requirements with minimal overhead.

Exam trap

The trap here is that candidates may confuse Microsoft Defender for Office 365 with Microsoft Defender for Cloud Apps or Microsoft Purview, but only Defender for Office 365 provides both upload scanning and native version history/recycle bin recovery for SharePoint and OneDrive.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Protection detects compromised accounts and can block access, but it does not scan files for malware upon upload, nor does it provide self-service recovery of encrypted files. Option B is wrong because Microsoft Endpoint DLP focuses on preventing data loss via policies (e.g., blocking sensitive data sharing), not on detecting ransomware behavior or scanning files for malware in real-time. Option D is wrong because Microsoft Purview auto-labeling applies labels based on content, but it cannot block files in real-time based on ransomware behavior, and it does not provide file scanning or self-service recovery.

118
Multi-Selecteasy

Which TWO are best practices for securing Microsoft Entra ID?

Select 2 answers
A.Use a Conditional Access policy to require MFA for all users
B.Disable sign-in logs to reduce storage costs
C.Enable security defaults for all tenants
D.Allow users to create Microsoft 365 groups without approval
E.Assign Global Administrator to all users for simplicity
AnswersA, C

This is a strong security baseline.

Why this answer

Option A is correct because requiring MFA via Conditional Access is a foundational security control that mitigates the risk of credential theft. Conditional Access policies allow granular enforcement based on user, location, device, and risk signals, making them more flexible than security defaults while still ensuring MFA is applied to all users.

Exam trap

Microsoft often tests the misconception that security defaults are always the best choice for all tenants, but the exam expects you to recognize that Conditional Access policies offer more granular control and are the recommended approach for production environments, while security defaults are a simplified baseline for smaller or less complex tenants.

119
MCQmedium

You are designing a Zero Trust architecture for a company that uses Microsoft Entra ID and Microsoft Intune. The security team wants to enforce device compliance before granting access to cloud apps. Which policy should you implement?

A.Microsoft Entra Identity Protection user risk policy
B.Microsoft Defender for Cloud Apps session policy
C.Microsoft Entra Conditional Access policy requiring compliant device
D.Azure AD Identity Protection sign-in risk policy
AnswerC

Directly enforces device compliance before access.

Why this answer

Option C is correct because Microsoft Entra Conditional Access policies can require that devices are marked as compliant by Microsoft Intune before granting access to cloud apps. This directly enforces device compliance as a condition for access, which is a core Zero Trust principle of verifying every access request based on device health.

Exam trap

The trap here is that candidates confuse risk-based policies (Identity Protection) with device compliance policies, assuming any policy that checks 'risk' or 'session' can enforce device health, but only Conditional Access with the compliant device grant control directly ties Intune compliance to access decisions.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Identity Protection user risk policy evaluates the likelihood that a user's identity has been compromised, not the compliance state of the device. Option B is wrong because Microsoft Defender for Cloud Apps session policy controls app behavior in real-time (e.g., blocking downloads) but does not enforce device compliance before access is granted. Option D is wrong because Azure AD Identity Protection sign-in risk policy assesses the risk of the authentication attempt (e.g., from an anonymous IP), not the device's compliance with security policies.

120
Multi-Selecthard

Which THREE components are essential for implementing a successful SIEM strategy using Microsoft Sentinel?

Select 3 answers
A.Automation rules
B.Workbooks
C.Analytics rules
D.Watchlists
E.Data connectors
AnswersA, C, E

Automation rules enable response orchestration, essential for SOAR capabilities.

Why this answer

Automation rules are essential because they allow you to centrally manage and automate incident response actions, such as assigning incidents, running playbooks, or triggering suppression logic, based on specific conditions. Without automation rules, your SOC would have to manually handle every alert, which is not scalable for a successful SIEM strategy.

Exam trap

The trap here is that candidates often confuse 'nice-to-have' features like Workbooks and Watchlists with 'essential' components, but Microsoft defines the three pillars of a successful SIEM strategy as data ingestion (connectors), detection (analytics rules), and automated response (automation rules).

121
MCQmedium

A company wants to use Microsoft Defender XDR to detect and respond to advanced persistent threats (APTs). They have deployed Defender for Endpoint, Defender for Office 365, and Defender for Identity. What additional step is critical to correlate signals across these products?

A.Enable the Microsoft Defender XDR unified experience in the portal
B.Configure Microsoft Defender for Cloud servers plan
C.Assign Microsoft 365 E5 licenses to all users
D.Deploy Microsoft Defender for Office 365 Safe Links
AnswerA

Correlates alerts and incidents across all Defender products.

Why this answer

Enabling the Microsoft Defender XDR unified experience in the portal is critical because it aggregates and correlates signals from Defender for Endpoint, Defender for Office 365, and Defender for Identity into a single incident queue and unified alert timeline. Without this step, each product operates in isolation, preventing cross-product detection of multi-stage APT attacks that span endpoints, email, and identity. The unified experience activates the Microsoft 365 Defender portal's correlation engine, which uses machine learning to link related alerts across domains into a single incident.

Exam trap

The trap here is that candidates often assume that simply having the licenses and deploying the products is sufficient for cross-product correlation, but Microsoft explicitly requires enabling the unified experience in the portal to activate the correlation engine and unified incident queue.

How to eliminate wrong answers

Option B is wrong because configuring the Microsoft Defender for Cloud servers plan is focused on securing cloud workloads (VMs, containers) and does not enable cross-product signal correlation for APT detection across endpoints, email, and identity. Option C is wrong because while Microsoft 365 E5 licenses include the necessary products, simply assigning licenses does not activate the unified correlation engine; the unified experience must be explicitly enabled in the portal. Option D is wrong because deploying Safe Links is a specific email security policy within Defender for Office 365 that protects against malicious URLs, but it does not correlate signals across different Defender products.

122
Multi-Selectmedium

Your organization is designing a security strategy for Microsoft 365 Copilot. You need to ensure that Copilot does not generate responses based on sensitive data that users are not authorized to access. Which TWO configurations should you implement?

Select 2 answers
A.Set up Information Barriers to prevent Copilot from accessing data across departments.
B.Configure Data Loss Prevention (DLP) policies to block sensitive data from being used in prompts.
C.Implement Conditional Access policies to restrict Copilot access based on user, device, and location.
D.Enable Purview Audit to monitor Copilot interactions.
E.Use sensitivity labels to classify and protect data; Copilot respects labels.
AnswersC, E

Conditional Access can restrict who can use Copilot.

Why this answer

Conditional Access policies (C) are correct because they enforce access controls at the authentication layer, ensuring that only authorized users from compliant devices and trusted locations can interact with Copilot. Sensitivity labels (E) are correct because Microsoft 365 Copilot respects sensitivity labels on documents and emails, preventing it from generating responses that include content from labeled sensitive data unless the user has the appropriate permissions. Together, these two controls address both who can access Copilot and what data Copilot can use in its responses.

Exam trap

The trap here is that candidates often confuse Data Loss Prevention (DLP) with access control, mistakenly thinking DLP can block Copilot from using sensitive data internally, when in fact DLP only applies to data sharing and exfiltration, not to Copilot's internal data retrieval and response generation.

123
MCQhard

A multinational corporation is implementing a privileged access strategy. They need to ensure that all users with permanent administrative roles sign in using phishing-resistant authentication methods. Which Microsoft Entra ID feature should they enforce?

A.Privileged Identity Management (PIM) with access reviews
B.Multifactor authentication (MFA) with Conditional Access
C.Authentication Strengths in Conditional Access
D.Conditional Access policies requiring MFA for all admins
AnswerC

Allows requiring specific authentication methods like FIDO2.

Why this answer

Authentication Strengths in Conditional Access allows organizations to enforce specific authentication methods, such as FIDO2 security keys or certificate-based authentication, which are phishing-resistant. This directly meets the requirement to ensure users with permanent administrative roles use phishing-resistant methods, unlike general MFA policies that may allow weaker methods like SMS or OTP.

Exam trap

The trap here is that candidates confuse general MFA enforcement with the ability to enforce specific authentication method types, assuming any MFA policy is sufficient for phishing resistance, whereas Authentication Strengths provides granular control over which methods are allowed.

How to eliminate wrong answers

Option A is wrong because Privileged Identity Management (PIM) with access reviews manages just-in-time access and recertification, not the enforcement of specific authentication methods. Option B is wrong because standard MFA with Conditional Access can enforce MFA but does not restrict to phishing-resistant methods; it may allow SMS, voice, or OATH tokens that are vulnerable to phishing. Option D is wrong because a Conditional Access policy requiring MFA for all admins is too broad and does not specify phishing-resistant methods; it could still permit weaker MFA factors.

124
MCQhard

An organization uses Microsoft Purview Information Protection. They want to automatically apply a sensitivity label to documents containing credit card numbers. Which policy should they configure?

A.Retention policy
B.Sensitivity label policy
C.Auto-labeling policy
D.Data loss prevention policy
AnswerC

Auto-labeling policies can automatically label documents containing sensitive data like credit cards.

Why this answer

Auto-labeling policies in Microsoft Purview Information Protection automatically apply sensitivity labels to documents and emails that match specified conditions, such as the presence of credit card numbers. This policy uses sensitive information types (e.g., Credit Card Number) to scan content and apply the label without user intervention, meeting the requirement for automatic labeling.

Exam trap

The trap here is confusing sensitivity label policies (which require user action or default labeling) with auto-labeling policies (which automatically scan and apply labels based on sensitive data patterns), leading candidates to choose option B incorrectly.

How to eliminate wrong answers

Option A is wrong because retention policies manage how long content is kept or deleted, not the application of sensitivity labels. Option B is wrong because sensitivity label policies publish labels for manual or default application by users, but they do not automatically scan for sensitive data like credit card numbers. Option D is wrong because data loss prevention (DLP) policies detect and block sharing of sensitive data, but they do not apply sensitivity labels to content.

125
MCQhard

A company uses Microsoft Sentinel and wants to prioritize incidents using user risk scores from Microsoft Entra ID Protection. Which configuration should they use to automatically assign a Sentinel severity based on the user's risk level?

A.Create a custom analytics rule that uses the RiskLevel field to set severity
B.Configure an automation rule to set severity when risk is high
C.Use a watchlist to map risk levels to severity
D.Create a playbook that assigns severity based on risk
AnswerA

Custom analytics rules can map risk level to incident severity during creation.

Why this answer

A is correct because Microsoft Sentinel's custom analytics rules can directly reference the `RiskLevel` field from Microsoft Entra ID Protection user risk data ingested via the UEBA connector. By writing a KQL query that checks the user's risk level (e.g., `RiskLevel == 'high'`) and mapping it to a Sentinel severity (e.g., High, Medium, Low) within the rule's incident creation settings, you automate severity assignment without external dependencies. This native integration ensures real-time synchronization of risk levels to incident priority.

Exam trap

The trap here is that candidates often assume automation rules or playbooks are required for any custom severity assignment, overlooking that custom analytics rules can directly map query results to severity fields without additional automation layers.

How to eliminate wrong answers

Option B is wrong because automation rules can set severity based on conditions like incident properties or entities, but they cannot directly read the `RiskLevel` field from Entra ID Protection user risk data; they operate on incident metadata after creation, not on raw risk signals. Option C is wrong because watchlists are static reference tables used for enrichment or correlation, not for dynamic, real-time mapping of continuously changing user risk levels to severity. Option D is wrong because playbooks (Azure Logic Apps) can assign severity, but they introduce latency and complexity compared to a native analytics rule, and they require additional permissions and orchestration, making them less efficient for this straightforward mapping.

126
MCQeasy

A company wants to use Microsoft Defender XDR to correlate alerts across endpoints, email, and identities. Which component enables this correlation?

A.Microsoft 365 Defender
B.Microsoft Defender XDR
C.Microsoft Sentinel
D.Microsoft Defender for Cloud
AnswerB

Microsoft Defender XDR is the correct name for the unified platform.

Why this answer

Microsoft Defender XDR (the new name for Microsoft 365 Defender) is the unified pre- and post-breach enterprise defense suite that natively correlates signals from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps. Its correlation engine uses machine learning and the Microsoft Intelligent Security Graph to fuse alerts across these domains into a single incident, enabling security teams to see the full attack chain from email to endpoint to identity.

Exam trap

The trap here is that candidates confuse the old branding (Microsoft 365 Defender) with the new branding (Microsoft Defender XDR) and pick the outdated name, or they mistake Microsoft Sentinel's broader SIEM capabilities for the native cross-domain correlation engine that Defender XDR provides.

How to eliminate wrong answers

Option A is wrong because 'Microsoft 365 Defender' is the previous name for the same product now called Microsoft Defender XDR; the question explicitly uses the current name, so selecting the old name would be technically inaccurate. Option C is wrong because Microsoft Sentinel is a cloud-native SIEM and SOAR solution that ingests logs from many sources, including Defender XDR, but it does not perform the native, real-time cross-domain alert correlation that Defender XDR's built-in engine does; Sentinel correlates at a higher level using analytics rules and is not the component that directly correlates alerts across endpoints, email, and identities. Option D is wrong because Microsoft Defender for Cloud is a cloud security posture management (CSPM) and cloud workload protection platform (CWPP) focused on securing Azure, AWS, and GCP resources, not on correlating alerts across endpoints, email, and identities.

127
MCQ · easy

Your organization plans to use Microsoft Defender for Cloud to secure Azure resources. The security team wants to continuously assess compliance against the CIS Azure Foundations Benchmark. What should you do?

A. Create a custom Azure Blueprint for CIS
B. Deploy Azure Security Center (legacy)
C. Enable the CIS Azure Foundations Benchmark in Defender for Cloud regulatory compliance dashboard
D. Assign Azure Policy for all CIS controls manually
Answer: C

Directly supports the benchmark.

Why this answer

Option C is correct because Microsoft Defender for Cloud's regulatory compliance dashboard includes built-in support for the CIS Azure Foundations Benchmark. By enabling this standard in the dashboard, Defender for Cloud continuously assesses your Azure resources against all CIS controls, providing automated compliance scores and remediation recommendations without requiring custom definitions or manual policy assignments.

Exam trap

The trap here is that candidates may think they need to create custom Azure Blueprints or manually assign Azure Policies for CIS compliance, overlooking that Defender for Cloud's regulatory compliance dashboard already includes a pre-configured, continuously updated CIS benchmark initiative that automates the entire assessment process.

How to eliminate wrong answers

Option A is wrong because Azure Blueprints are used to define a repeatable set of Azure resources and policies for deployment, not to continuously assess compliance against a specific benchmark like CIS; the CIS benchmark is already available as a built-in standard in Defender for Cloud. Option B is wrong because Azure Security Center (legacy) has been superseded by Microsoft Defender for Cloud, and the legacy version does not include the regulatory compliance dashboard with CIS Azure Foundations Benchmark support; you must use the current Defender for Cloud. Option D is wrong because manually assigning Azure Policy for all CIS controls is inefficient, error-prone, and unnecessary since Defender for Cloud provides a pre-built, automatically updated CIS benchmark initiative that maps policies to controls and continuously evaluates compliance.

128
MCQ · hard

A company uses Microsoft Entra ID with P2 licenses. They want to implement a Zero Trust approach that requires step-up authentication for accessing high-value data in SharePoint. The solution must use risk-based policies and minimize user friction. Which combination should you recommend?

A. Microsoft Entra Conditional Access with trusted locations policy
B. Microsoft Entra Conditional Access with sign-in risk policy and authentication context for sensitive data
C. Azure AD Conditional Access with MFA for all SharePoint access
D. Microsoft Entra Identity Protection user risk policy with MFA
Answer: B

Risk-based step-up with granular context.

Why this answer

Option B is correct because it combines Conditional Access with a sign-in risk policy (from Identity Protection) and an authentication context that is applied to sensitive SharePoint data. This enforces step-up authentication only when risk is detected and the user accesses high-value data, minimizing friction for low-risk sessions while meeting Zero Trust requirements.

Exam trap

The trap here is that candidates often confuse user risk policies (which are based on historical user behavior) with sign-in risk policies (which evaluate the current session in real time), and they overlook the role of authentication context in scoping enforcement to specific data rather than all SharePoint access.

How to eliminate wrong answers

Option A is wrong because a trusted locations policy only checks the network location (e.g., corporate IP range) and does not evaluate user or sign-in risk, nor does it enforce step-up authentication based on data sensitivity. Option C is wrong because requiring MFA for all SharePoint access is not risk-based; it applies friction to every session regardless of risk level, violating the 'minimize user friction' requirement. Option D is wrong because a user risk policy with MFA triggers based on user-level risk (e.g., leaked credentials) but does not use authentication context to scope enforcement to specific high-value data in SharePoint, and it does not leverage sign-in risk for real-time step-up.

129
Multi-Select · medium

You are planning a security baseline for Azure resources using Microsoft Defender for Cloud. Which THREE recommendations are part of the Azure Security Benchmark?

Select 3 answers
A. Implement role-based access control (RBAC) for resource management
B. Enable multi-factor authentication for all privileged accounts
C. Disable TLS 1.0 and enable TLS 1.2
D. Use Point-to-Site VPN for remote access
E. Enable network security groups on subnets to restrict traffic
Answers: A, B, E

Core identity and access control recommendation.

Why this answer

Option A is correct because the Azure Security Benchmark (ASB) includes identity and access control recommendations, specifically recommending role-based access control (RBAC) to manage resource access. RBAC is a foundational security control that enforces the principle of least privilege, and it is explicitly listed in the ASB under the Identity Management (IM) control family.

Exam trap

The trap here is that candidates often confuse the Azure Security Benchmark with general security best practices or the Azure Well-Architected Framework, leading them to select recommendations like disabling TLS 1.0 or using VPNs, which are not part of the benchmark's specific control set.

130
MCQ · medium

A company is using Microsoft Intune to manage devices. They need to ensure that only devices with a specific operating system version can access corporate resources. Which Intune policy should they use?

A. App protection policy
B. Enrollment restriction
C. Compliance policy
D. Device configuration policy
Answer: C

Compliance policies enforce OS version requirements to grant access.

Why this answer

Compliance policies in Microsoft Intune define the rules that devices must meet to be considered compliant, such as requiring a specific operating system version. When a device is marked non-compliant, Conditional Access policies can block access to corporate resources. This directly enforces the requirement that only devices with the correct OS version can access company data.

Exam trap

The trap here is confusing the purpose of Compliance policies (which enforce ongoing access rules based on device health) with Enrollment restrictions (which only gate initial enrollment) or Device configuration policies (which apply settings but do not evaluate compliance).

How to eliminate wrong answers

Option A is wrong because App protection policies (MAM) manage how apps handle data (e.g., preventing copy/paste) and do not enforce device-level OS version requirements. Option B is wrong because Enrollment restrictions control which devices can enroll in Intune (e.g., by platform or manufacturer) but do not enforce ongoing compliance with OS version after enrollment. Option D is wrong because Device configuration policies push settings (e.g., Wi-Fi, VPN, certificates) to devices but do not evaluate or enforce OS version compliance; they are not used for access control decisions.

131
MCQ · medium

A company uses Microsoft Defender for Cloud to assess the security posture of their Azure subscriptions. They need to ensure that all resources are compliant with the Payment Card Industry Data Security Standard (PCI DSS). What should they do?

A. Create Azure Policy initiatives to enforce PCI DSS controls
B. Use Microsoft Purview to classify data and apply PCI DSS labels
C. Deploy Azure Blueprints that include PCI DSS policies
D. Enable the PCI DSS regulatory compliance standard in Microsoft Defender for Cloud
Answer: D

Defender for Cloud includes built-in regulatory compliance standards with continuous assessment.

Why this answer

Microsoft Defender for Cloud includes built-in regulatory compliance standards, such as PCI DSS, that can be enabled directly. Once enabled, Defender for Cloud continuously assesses your Azure subscriptions against the PCI DSS controls and provides a compliance score with detailed remediation steps. This is the simplest and most effective method to monitor compliance without creating custom policies or blueprints.

Exam trap

The trap here is that candidates often confuse Azure Policy or Blueprints as the primary tool for compliance assessment, when in fact Defender for Cloud's built-in regulatory compliance standards are the correct, out-of-the-box solution for monitoring against frameworks like PCI DSS.

How to eliminate wrong answers

Option A is wrong because Azure Policy initiatives enforce custom or built-in policies for resource configuration, but they do not natively map to PCI DSS controls; you would need to create or import a custom initiative, which is more complex and less accurate than using the built-in standard. Option B is wrong because Microsoft Purview is a data governance and classification service, not a compliance assessment tool for PCI DSS; it cannot evaluate resource configurations or provide a compliance score against PCI DSS. Option C is wrong because Azure Blueprints can include policies and resource templates, but they are used for deploying consistent environments, not for ongoing compliance assessment; the PCI DSS standard in Defender for Cloud already provides the necessary policy mappings and continuous monitoring.

132
MCQ · medium

Your company is migrating on-premises Active Directory to Microsoft Entra ID. The security team requires that users must use passwordless authentication methods for all sign-ins. Which Microsoft Entra ID feature should you enable to support passwordless authentication?

A. Microsoft Entra ID passwordless authentication methods
B. Password hash synchronization
C. Seamless Single Sign-On (Seamless SSO)
D. Pass-through authentication
Answer: A

Passwordless methods include Windows Hello, FIDO2 keys, and Authenticator app, eliminating passwords.

Why this answer

Option A is correct because Microsoft Entra ID passwordless authentication methods (such as Windows Hello for Business, FIDO2 security keys, and Microsoft Authenticator) are the native features designed to eliminate passwords entirely. These methods satisfy the security team's requirement by enabling users to sign in without a password, using biometrics or cryptographic keys instead.

Exam trap

The trap here is that candidates often confuse 'passwordless authentication' with features that reduce password usage (like Seamless SSO or PHS) rather than understanding that only the dedicated passwordless methods in Entra ID actually remove the password requirement entirely.

How to eliminate wrong answers

Option B is wrong because Password hash synchronization (PHS) synchronizes password hashes from on-premises AD to Entra ID for authentication, but it does not enable passwordless methods; it still relies on passwords. Option C is wrong because Seamless SSO provides automatic sign-in when users are on domain-joined devices connected to the corporate network, but it does not eliminate the need for passwords—it just skips the password prompt in certain scenarios. Option D is wrong because Pass-through authentication (PTA) validates passwords directly against on-premises AD, but it still requires a password to be entered and does not support passwordless authentication.

133
Multi-Select · medium

Which TWO Microsoft Purview solutions are used to discover and protect sensitive data across Microsoft 365, Azure, and on-premises environments?

Select 2 answers
A. Microsoft Purview Audit
B. Microsoft Purview Data Map
C. Microsoft Purview eDiscovery
D. Microsoft Purview Information Protection
E. Microsoft Purview Data Loss Prevention (DLP)
Answers: B, E

Data Map discovers and classifies data across sources.

Why this answer

Microsoft Purview Data Map (B) is correct because it provides automated scanning and classification of sensitive data across Microsoft 365, Azure, and on-premises sources, creating a unified map of data assets and their sensitivity labels. Microsoft Purview Data Loss Prevention (DLP) (E) is correct because it enforces policies to detect and prevent unauthorized sharing or leakage of sensitive data across these same environments, integrating with the classification from Data Map. Together, they discover sensitive data via classification and protect it through policy enforcement.

Exam trap

The trap here is that candidates often confuse Microsoft Purview Information Protection (which handles labeling and encryption) with the discovery capability provided by Data Map, leading them to select D instead of B, even though Information Protection relies on Data Map for automated scanning and classification across hybrid environments.

134
MCQ · hard

Your organization is deploying Microsoft Copilot for Security and wants to ensure that the AI model does not expose sensitive data in its responses. You need to configure data loss prevention (DLP) policies that apply to Copilot interactions. Which Microsoft Purview capability should you use?

A. eDiscovery
B. Data Loss Prevention policies
C. Information Protection and sensitivity labels
D. Communication Compliance
Answer: D

Communication Compliance can monitor AI chat interactions for policy violations.

Why this answer

Communication Compliance in Microsoft Purview is specifically designed to detect and prevent sensitive data exposure in communication channels, including Microsoft Copilot for Security interactions. It allows you to configure policies that scan AI prompts and responses for sensitive information, such as credit card numbers or confidential business data, and take automated actions like blocking or alerting. This makes it the correct capability for DLP in Copilot contexts, as it directly addresses the risk of AI models inadvertently leaking sensitive data.

Exam trap

The trap here is that candidates assume standard Data Loss Prevention policies (Option B) are the obvious choice for any DLP scenario, but Microsoft specifically designed Communication Compliance to handle the unique risks of AI interactions, including Copilot for Security, making it the correct answer for this context.

How to eliminate wrong answers

Option A is wrong because eDiscovery is used for legal and investigative searches of content across Microsoft 365, not for real-time data loss prevention in AI interactions. Option B is wrong because standard Data Loss Prevention policies apply to traditional data-at-rest and data-in-transit scenarios (e.g., email, SharePoint), but they do not natively extend to Copilot for Security interactions without Communication Compliance integration. Option C is wrong because Information Protection and sensitivity labels classify and protect data through encryption and labeling, but they do not provide the real-time scanning and policy enforcement needed to prevent sensitive data exposure in Copilot responses.

135
MCQ · hard

Your organization is migrating to Microsoft 365 and wants to implement a data classification strategy. The compliance team needs to automatically detect and label documents containing personal data (e.g., Social Security numbers) in SharePoint Online. Which Microsoft Purview solution should you use?

A. Auto-labeling policies
B. Records Management
C. eDiscovery
D. Data Loss Prevention policies
Answer: A

Auto-labeling uses sensitive info types to automatically apply labels.

Why this answer

Auto-labeling policies in Microsoft Purview are designed to automatically detect sensitive data types (e.g., Social Security numbers) using built-in or custom sensitive information types and apply sensitivity labels to documents in SharePoint Online. This meets the requirement for automatic detection and labeling without user intervention, as the compliance team needs.

Exam trap

The trap here is confusing Data Loss Prevention (DLP) policies with auto-labeling policies, as both can detect sensitive data, but DLP policies enforce protective actions (block/alert) while auto-labeling policies apply sensitivity labels for classification and downstream protection.

How to eliminate wrong answers

Option B (Records Management) is wrong because it focuses on managing retention and disposition of content, not on automatic detection and labeling of sensitive data. Option C (eDiscovery) is wrong because it is used for searching and exporting content for legal or investigative purposes, not for applying classification labels. Option D (Data Loss Prevention policies) is wrong because DLP policies are designed to prevent unauthorized sharing or leakage of sensitive data by blocking or alerting on activities, not to automatically apply sensitivity labels to documents at rest.

136
MCQ · medium

A company deploys Microsoft Defender for Cloud Apps. They need to detect anomalous behavior in user activities across multiple cloud apps. Which feature should they enable?

A. Session policies
B. Anomaly detection policies
C. Data loss prevention policies
D. App governance
Answer: B

This is the correct feature for detecting anomalous user activities.

Why this answer

Anomaly detection policies in Microsoft Defender for Cloud Apps are specifically designed to identify unusual patterns in user activities across connected cloud apps, such as impossible travel, mass file downloads, or ransomware-like behavior. These policies leverage machine learning and behavioral analytics to establish a baseline of normal user behavior and trigger alerts when deviations occur, making them the correct choice for detecting anomalous behavior.

Exam trap

The trap here is that candidates often confuse session policies (which enforce real-time access controls) with anomaly detection policies (which analyze historical patterns), leading them to select session policies when the question specifically asks for detecting anomalous behavior rather than controlling it.

How to eliminate wrong answers

Option A is wrong because session policies are used for real-time control of user sessions based on risk level, not for detecting anomalous behavior patterns over time. Option C is wrong because data loss prevention policies focus on preventing unauthorized sharing or leakage of sensitive data, not on detecting behavioral anomalies in user activities. Option D is wrong because app governance provides visibility and control over app permissions and compliance, but it does not include the behavioral anomaly detection capabilities needed for user activity monitoring.

137
MCQ · medium

Your organization is migrating on-premises applications to Azure and needs to secure secrets (database connection strings, API keys) used by these applications. You are required to rotate secrets automatically without downtime. Which Azure service should you use?

A. Microsoft Purview Information Protection
B. Azure App Configuration with feature flags
C. Azure Key Vault with managed identity and certificate auto-rotation
D. Azure AD Application Proxy
Answer: C

Key Vault stores secrets, managed identity provides secure access, and auto-rotation rotates certificates.

Why this answer

Azure Key Vault with managed identity and automatic rotation is the correct solution because Key Vault stores secrets securely, managed identity eliminates hard-coded credentials, and Key Vault can rotate certificates automatically.

How to eliminate wrong answers

Option A (Microsoft Purview Information Protection) is wrong because it is for data governance and classification, not secret storage. Option B (Azure App Configuration) is wrong because it is for configuration management, not secrets. Option D (Azure AD Application Proxy) is wrong because it provides remote access to on-premises apps, not secret management or rotation.

138
MCQ · medium

Refer to the exhibit. You are reviewing a conditional access policy. What is the effect of this policy?

A. The policy is disabled and has no effect
B. Blocks access for all users
C. Requires multifactor authentication for all users
D. Requires multifactor authentication for Global Administrators and Security Administrators
Answer: D

The policy includes those roles and requires MFA.

Why this answer

Option D is correct because the exhibit shows a conditional access policy that targets the 'Global Administrators' and 'Security Administrators' directory roles, and the policy is configured to 'Require multifactor authentication' for those roles. The policy is enabled (as indicated by the 'On' toggle), so it actively enforces MFA for members of those two admin roles, blocking access if they do not complete MFA. This aligns with the principle of securing high-privilege roles with stronger authentication.

Exam trap

The trap here is that candidates may overlook the specific role targeting in the policy and assume it applies to all users, leading them to choose option C, or they may mistakenly think the policy is disabled because they misread the toggle state, choosing option A.

How to eliminate wrong answers

Option A is wrong because the policy is enabled (the 'On' toggle is visible in the exhibit), so it is not disabled and does have an effect. Option B is wrong because the policy targets only specific directory roles (Global Administrators and Security Administrators), not all users, so it does not block access for everyone. Option C is wrong because the policy does not apply to all users; it is scoped to only the two specified admin roles, so it does not require MFA for all users.

139
MCQ · medium

A company uses Microsoft Entra ID Governance. They need to automate the process of granting access to a SaaS application based on the user's department attribute. Which feature should they use?

A. Lifecycle workflows
B. Entitlement management
C. Access reviews
D. Privileged identity management
Answer: B

Entitlement management can automate access assignment based on attributes like department.

Why this answer

Entitlement management in Microsoft Entra ID Governance allows you to create access packages that define collections of resources (like SaaS apps) and policies for who can request access. By configuring a dynamic membership rule based on the user's department attribute, you can automate granting access to the SaaS application without manual intervention. This directly meets the requirement to automate access based on a user attribute.

Exam trap

The trap here is that candidates confuse Lifecycle workflows (which automate HR-driven provisioning events) with Entitlement management (which automates attribute-based access requests), leading them to choose Option A incorrectly.

How to eliminate wrong answers

Option A is wrong because Lifecycle workflows automate joiner, mover, and leaver processes (e.g., account provisioning, email forwarding) but do not handle attribute-based access requests to SaaS applications. Option C is wrong because Access reviews are periodic attestation processes to review existing access, not an automated mechanism to grant access based on a user attribute. Option D is wrong because Privileged identity management (PIM) provides just-in-time privileged access to Azure AD roles and Azure resources, not automated entitlement to a SaaS application based on a department attribute.

140
MCQ · easy

Your security team needs to receive alerts when a user is assigned a privileged role in Microsoft Entra ID. Which service should you use to create an alert for privileged role assignments?

A. Microsoft Entra ID Privileged Identity Management (PIM)
B. Microsoft Defender for Identity
C. Microsoft Sentinel
D. Microsoft Defender for Cloud Apps
Answer: A

PIM provides alerts for privileged role assignments and activations.

Why this answer

Microsoft Entra ID Privileged Identity Management (PIM) is the correct service because it provides built-in alerting capabilities specifically for privileged role assignments in Microsoft Entra ID. PIM can generate alerts when a user is assigned a privileged role, such as Global Administrator, without requiring additional configuration or external data sources. This aligns directly with the requirement to receive alerts for privileged role assignments within the identity platform.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Identity or Microsoft Sentinel as the primary alerting tool for Entra ID role assignments, but PIM is the native, purpose-built service for this specific identity governance task.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Identity is a security solution that monitors on-premises Active Directory signals and hybrid identities for threats like lateral movement and compromised accounts, not for generating alerts on Entra ID role assignments. Option C is wrong because Microsoft Sentinel is a SIEM/SOAR platform that ingests logs from multiple sources, including Entra ID, but it requires custom analytics rules and log ingestion to create alerts for role assignments, making it an indirect and more complex solution compared to PIM's native alert. Option D is wrong because Microsoft Defender for Cloud Apps focuses on cloud application discovery, session controls, and anomaly detection for SaaS apps, not on monitoring Entra ID privileged role assignments.

141
MCQ · hard

A company uses Microsoft Sentinel and wants to implement a security orchestration, automation, and response (SOAR) solution. They need a playbook that automatically blocks a user in Microsoft Entra ID when a high-severity incident is created. What should they use?

A. Microsoft Defender XDR automated investigation and response
B. Power Automate cloud flows
C. Azure Logic Apps integrated with Microsoft Sentinel
D. Microsoft Purview Compliance Manager
Answer: C

Sentinel playbooks are built on Azure Logic Apps.

Why this answer

Option C is correct because Azure Logic Apps provides the native integration with Microsoft Sentinel to create automated playbooks that trigger on incident creation. Logic Apps connectors allow direct interaction with Microsoft Entra ID to block a user via the Microsoft Graph API, enabling a seamless SOAR workflow without additional licensing or services.

Exam trap

The trap here is that candidates often confuse Power Automate with Logic Apps for Sentinel playbooks, but Power Automate lacks the native Sentinel incident trigger and security-specific connectors required for SOAR workflows in this context.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender XDR automated investigation and response is designed for endpoint and workload-level remediation (e.g., isolating devices, blocking files), not for user account management in Microsoft Entra ID. Option B is wrong because Power Automate cloud flows are intended for business process automation and lack the deep security-specific triggers and connectors (e.g., Sentinel incident trigger, Entra ID user block action) required for a SOAR playbook in Sentinel. Option D is wrong because Microsoft Purview Compliance Manager focuses on compliance posture management and risk assessments, not on real-time security incident response or user blocking.

142
Multi-Select · medium

Which THREE components are part of the Microsoft Zero Trust architecture? (Choose three.)

Select 3 answers
A. Networks
B. Devices
C. Data
D. Applications
E. Identities
Answers: A, B, E

Network segmentation and micro-perimeters are part of zero trust.

Why this answer

Networks are a core component of the Microsoft Zero Trust architecture because the model assumes that the network is always hostile and should not be implicitly trusted. Instead of relying on a traditional perimeter, Zero Trust enforces micro-segmentation, real-time threat protection, and end-to-end encryption to control traffic between resources. Microsoft implements this through Azure Firewall, Azure Virtual Network security groups, and Microsoft Defender for Cloud to monitor and filter network traffic based on identity and device posture.

Exam trap

The trap here is that candidates may confuse the six pillars of Microsoft Zero Trust (Identities, Devices, Applications, Networks, Infrastructure, Data) with the three components asked in the question, leading them to select Applications or Data instead of recognizing that the question specifically requires Networks, Devices, and Identities as the correct trio.

143
MCQ · easy

A company uses Microsoft Defender for Endpoint (MDE) and needs to ensure that all devices report their security configuration to Microsoft Defender XDR. Which setting should they verify?

A. Devices are enrolled in Microsoft Intune
B. Microsoft Sentinel is connected to Defender for Endpoint
C. Microsoft Purview Information Protection is enabled
D. Devices are onboarded to Microsoft Defender XDR
Answer: D

Onboarding ensures devices report to the unified XDR experience.

Why this answer

Devices must be onboarded to Microsoft Defender XDR to report their security configuration. Onboarding registers the device with the Defender for Endpoint service, enabling the collection and forwarding of security telemetry to the Microsoft 365 Defender portal. Without onboarding, the device cannot communicate its security state, regardless of other integrations.

Exam trap

The trap here is that candidates confuse Intune enrollment with Defender for Endpoint onboarding, but Intune only manages policies and compliance, while onboarding is the specific process that enables security telemetry reporting to Defender XDR.

How to eliminate wrong answers

Option A is wrong because Intune enrollment manages device compliance and configuration policies but does not automatically onboard devices to Defender for Endpoint; a separate onboarding step is required. Option B is wrong because connecting Microsoft Sentinel to Defender for Endpoint ingests alerts and incidents into Sentinel for SIEM purposes, but it does not cause devices to report their security configuration to Defender XDR. Option C is wrong because Microsoft Purview Information Protection focuses on data classification and labeling, not device-level security configuration reporting.

144
MCQ · easy

A company is implementing a Zero Trust security model. Which principle requires verifying every access request as if it originates from an uncontrolled network?

A. Least privilege
B. Micro-segmentation
C. Assume breach
D. Verify explicitly
Answer: D

This is the correct Zero Trust principle: always authenticate and authorize based on all available data points.

Why this answer

'Verify explicitly' is the Zero Trust principle that mandates authenticating and authorizing every access request, treating each request as if it originates from an uncontrolled network.

How to eliminate wrong answers

Option A is wrong because 'Least privilege' limits access rights rather than verifying requests. Option B is wrong because 'Micro-segmentation' is a network isolation technique. Option C is wrong because the 'Assume breach' principle is not about verifying requests.

145
Multi-Select · easy

Which TWO Microsoft services can be used to implement a cloud security posture management (CSPM) solution? (Select exactly two correct options.)

Select 2 answers
A. Microsoft Purview
B. Microsoft Defender for Cloud
C. Microsoft Intune
D. Microsoft Entra Permissions Management
E. Microsoft Sentinel
Answers: B, D

Provides CSPM across multi-cloud environments.

Why this answer

Options B and D are correct. Microsoft Defender for Cloud (B) provides CSPM across Azure, AWS, and GCP. Microsoft Entra Permissions Management (D) is a Cloud Infrastructure Entitlement Management (CIEM) tool that helps manage permissions.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview is for data governance. Option C is wrong because Microsoft Intune is for device management. Option E is wrong because Microsoft Sentinel is a SIEM.

146
MCQhard

Your organization has a hybrid identity environment with Microsoft Entra ID and on-premises Active Directory. You need to design a solution that ensures all user authentication requests are evaluated by Conditional Access policies before granting access to cloud apps. However, some legacy apps still require basic authentication. What should you recommend?

A.Enable authentication policies in Microsoft Entra ID to block legacy authentication
B.Configure Active Directory Federation Services (AD FS) as the identity provider
C.Deploy Microsoft Entra Application Proxy for all legacy apps
D.Enable pass-through authentication (PTA) to forward authentication requests
Answer: A

Blocking legacy authentication ensures all requests use modern auth, which is required for Conditional Access evaluation.

Why this answer

Option A is correct because enabling authentication policies in Microsoft Entra ID to block legacy authentication ensures that all user authentication requests are evaluated by Conditional Access policies before granting access to cloud apps. Legacy authentication protocols (e.g., POP3, IMAP, SMTP, basic auth) bypass modern authentication and Conditional Access, so blocking them forces clients to use modern protocols (OAuth 2.0, OpenID Connect) that are subject to Conditional Access evaluation. This directly addresses the requirement while allowing legacy apps to be updated or replaced over time.

Exam trap

The trap here is that candidates often confuse 'blocking legacy authentication' with 'disabling basic authentication' in Exchange Online or other services, but the correct approach is to use the tenant-wide Conditional Access policy to block all legacy authentication protocols, which is a distinct setting in Microsoft Entra ID.

How to eliminate wrong answers

Option B is wrong because configuring AD FS as the identity provider does not inherently block legacy authentication; AD FS can still accept legacy authentication requests unless explicitly configured to block them, and it does not enforce Conditional Access policies for cloud apps as effectively as Entra ID. Option C is wrong because deploying Microsoft Entra Application Proxy for all legacy apps provides secure remote access but does not block legacy authentication protocols; the apps themselves may still use basic authentication, which bypasses Conditional Access. Option D is wrong because enabling pass-through authentication (PTA) forwards authentication requests to on-premises AD but does not block legacy authentication; PTA works with modern authentication but legacy protocols still bypass Conditional Access unless explicitly blocked.

147
MCQ · hard

A company uses Microsoft Defender for Endpoint to protect endpoints. They want to configure attack surface reduction rules to block executable files from running unless they meet a specific prevalence, age, or trust level. Which ASR rule should they enable?

A.Block Office communication application from creating child processes
B.Block credential stealing from the Windows local security authority subsystem
C.Block untrusted and unsigned processes that run from USB
D.Block executable files from running unless they meet a prevalence, age, or trusted list criteria
Answer: D

This ASR rule uses cloud-delivered reputation to block risky executables.

Why this answer

Option D is correct because the ASR rule 'Block executable files from running unless they meet a prevalence, age, or trusted list criteria' (GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25) is specifically designed to block executables that do not meet Microsoft's cloud-based prevalence, age, or trustworthiness criteria. This rule uses the Microsoft Intelligent Security Graph to evaluate files against global telemetry, blocking those that are new, rare, or unsigned, which directly matches the requirement to block executables based on prevalence, age, or trust level.

Exam trap

The trap here is that candidates confuse the USB-specific rule (Option C) with the global executable prevalence rule (Option D), because both mention 'untrusted' or 'unsigned', but only Option D explicitly includes prevalence, age, and trusted list criteria as stated in the question.

How to eliminate wrong answers

Option A is wrong because 'Block Office communication application from creating child processes' (GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869) targets child processes spawned by Office communication apps (e.g., Outlook, Skype) to prevent lateral movement via macro-based attacks, not executable file prevalence or trust. Option B is wrong because 'Block credential stealing from the Windows local security authority subsystem' (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2) protects LSASS memory from credential theft tools like Mimikatz, not executable file execution policies. Option C is wrong because 'Block untrusted and unsigned processes that run from USB' (GUID: b2b3f03d-6a4c-4b7e-8c97-3f0e5c7b8a9d) only applies to USB-removable media, not all executable files, and does not consider prevalence or age criteria.

148
MCQ · medium

A global retail company, Northwind Traders, is adopting a cloud-first strategy using Azure and Microsoft 365. They have a large number of temporary seasonal workers who need access to specific applications and data for limited periods. The security team wants to minimize the risk of standing privileges and ensure that access is granted only when needed and for a limited duration. They also need to audit all privileged access actions. The environment includes Microsoft Entra ID, Azure resources, and Microsoft 365 services. You need to design a privileged access strategy that follows the principle of least privilege and aligns with Microsoft's best practices for privileged identity management. What should you recommend?

A.Use Microsoft Entra Privileged Identity Management (PIM) to grant just-in-time access to Azure AD roles and Azure resources. Configure approval workflows for high-privilege roles. Set maximum activation durations. For non-Azure resources, use Privileged Access Groups (PAG) to manage access. Enable audit logging to a Log Analytics workspace for monitoring.
B.Create a custom role in Azure AD with limited permissions. Assign the role to a security group. Have users request access via a manual email process. The IT team approves and assigns the group membership temporarily.
C.Assign permanent roles to seasonal workers for the duration of their contract. Use Azure AD access reviews to periodically confirm access. Enable Azure AD audit logs. Use Conditional Access to require MFA for privileged roles.
D.Create separate Azure AD roles for each seasonal worker with granular permissions. Use Azure AD Identity Governance to automate access requests. Do not enable PIM to reduce complexity.
Answer: A

Provides JIT, approval workflows, and auditing for privileged access.

Why this answer

Option A is correct because it leverages Microsoft Entra Privileged Identity Management (PIM) to enforce just-in-time (JIT) access for Azure AD roles and Azure resources, aligning with the principle of least privilege and minimizing standing privileges. It includes approval workflows for high-privilege roles, maximum activation durations to limit exposure, and Privileged Access Groups (PAG) to manage access to non-Azure resources like Microsoft 365 workloads. Audit logging to a Log Analytics workspace provides comprehensive monitoring of all privileged actions, meeting the auditing requirement.

Exam trap

The trap here is that candidates may assume permanent role assignments with periodic access reviews are sufficient, but this fails to eliminate standing privileges between reviews, which is the core risk the question targets.

How to eliminate wrong answers

Option B is wrong because a manual email process for access requests is insecure, lacks automation, and does not enforce just-in-time activation or time-bound access, violating the requirement to minimize standing privileges. Option C is wrong because assigning permanent roles to seasonal workers for the duration of their contract creates standing privileges, which contradicts the goal of granting access only when needed and for a limited duration; access reviews alone do not prevent persistent access between reviews. Option D is wrong because creating separate Azure AD roles for each seasonal worker is administratively unsustainable and violates least privilege by not using PIM, which is essential for JIT activation and approval workflows; disabling PIM increases complexity and risk.

149
MCQ · easy

A company wants to enforce that all administrators use just-in-time (JIT) access to privileged roles in Microsoft Entra ID. Which feature should they enable?

A.Microsoft Entra ID Conditional Access
B.Microsoft Entra ID Privileged Identity Management (PIM)
C.Microsoft Entra ID Access Reviews
D.Microsoft Entra ID Protection
Answer: B

PIM enables just-in-time, time-bound access to privileged roles.

Why this answer

Microsoft Entra ID Privileged Identity Management (PIM) provides just-in-time (JIT) privileged access by enabling time-bound and approval-based role activation. This directly meets the requirement to enforce JIT access for administrators, as PIM allows roles to be activated only when needed and for a limited duration, reducing standing access.

Exam trap

The trap here is that candidates often confuse Conditional Access (which controls access to apps) with PIM (which controls privileged role activation), leading them to select Option A because they think JIT access is a policy-based access control feature.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Conditional Access enforces access policies based on signals like location or device state, but it does not provide time-bound role activation or JIT privileged access. Option C is wrong because Microsoft Entra ID Access Reviews are used to periodically audit and recertify group memberships or role assignments, not to grant or activate privileged roles on demand. Option D is wrong because Microsoft Entra ID Protection detects and responds to identity-based risks (e.g., leaked credentials) but does not manage privileged role activation or JIT access.

150
Multi-Select · hard

Your organization uses Microsoft Defender for Cloud to protect a multi-cloud environment (Azure, AWS, GCP). You need to ensure that security configurations are assessed against industry benchmarks like CIS and PCI DSS. Which THREE actions should you take?

Select 3 answers
A.Enable the regulatory compliance dashboard in Defender for Cloud and select the desired standards (CIS, PCI DSS).
B.Deploy Azure Firewall in each cloud environment to filter traffic.
C.Use Azure Policy to enforce security configurations based on the benchmark recommendations.
D.Configure continuous export of assessment data to a Log Analytics workspace for custom reporting.
E.Deploy the Log Analytics agent to all VMs in the multi-cloud environment.
Answers: A, C, D

The regulatory compliance dashboard assesses against selected standards.

Why this answer

Option A is correct because the regulatory compliance dashboard in Microsoft Defender for Cloud allows you to add built-in standards such as CIS and PCI DSS. Once enabled, Defender for Cloud automatically assesses your multi-cloud resources against the selected benchmarks and provides a compliance score with detailed recommendations for remediation.

Exam trap

The trap here is that candidates often confuse network security controls (like Azure Firewall) or agent-based monitoring (Log Analytics agent) with the configuration assessment and compliance reporting capabilities that are native to Defender for Cloud's regulatory compliance dashboard and Azure Policy.
