CCNA Design security solutions for infrastructure Questions

75 of 231 questions · Page 1/4 · Design security solutions for infrastructure

1 · MCQ · easy

You are a security architect for a retail company that uses Microsoft 365 and Azure. The company has a large number of remote employees who use both company-managed and personal devices. You need to design a solution to ensure that only compliant devices can access corporate email (Exchange Online) and files (SharePoint Online). The company has Microsoft Intune and Microsoft Entra ID P1 licenses. You need to implement device-based conditional access. What should you do?

A. Deploy app protection policies (MAM) in Intune to protect data in Exchange Online and SharePoint Online.
B. Enroll devices in Intune, create compliance policies, and configure Conditional Access policies in Entra ID to require compliant devices.
C. Require all devices to be enrolled in Intune using automatic enrollment via Group Policy.
D. Use Microsoft Endpoint Configuration Manager to manage device compliance and integrate with Entra ID.
Answer: B

Combines device compliance with conditional access.

Why this answer

Option B is correct because Intune compliance policies define device health requirements, and Conditional Access policies enforce access based on compliance. Option A is wrong because app protection policies are for mobile application management (MAM) without device enrollment, but the requirement is device-based. Option C is wrong because device enrollment itself does not enforce compliance.

Option D is wrong because Configuration Manager is for on-premises management, not cloud devices.

2 · MCQ · hard

Refer to the exhibit. An administrator is reviewing a just-in-time (JIT) access request in Microsoft Entra Privileged Identity Management (PIM) for Azure resources. The request was approved. What does the roleDefinitionId 'b24988ac-6180-42a0-ab88-20f7382dd24c' correspond to?

A. Storage Blob Data Contributor
B. Storage Account Contributor
C. Contributor
D. Reader
Answer: B

Correct: The GUID matches the built-in Storage Account Contributor role.

Why this answer

The roleDefinitionId 'b24988ac-6180-42a0-ab88-20f7382dd24c' is the GUID for the 'Storage Account Contributor' role in Azure RBAC. This is a built-in role that allows management of storage accounts, including access to storage account keys. The request is for temporary access to a storage account, and the role provides the necessary permissions.

3 · MCQ · easy

Refer to the exhibit. You are deploying an ARM template that creates a network security group (NSG) named nsg-backend. What is the effect of this NSG on inbound traffic?

A. Only inbound traffic on port 80 is denied
B. All inbound traffic is allowed because no default deny rule is present
C. Only inbound traffic from 10.0.1.0/24 on port 80 is allowed; all other inbound traffic is denied
D. All inbound traffic is allowed except from 10.0.1.0/24
Answer: C

The allow rule permits specific traffic, and the deny rule blocks everything else.

Why this answer

Option C is correct. The NSG has two rules: AllowHTTPFromFrontend with priority 100 allows TCP 80 from 10.0.1.0/24, and DenyAllInbound with priority 1000 denies all other inbound traffic. Since the allow rule has a higher priority (lower number), traffic from the frontend subnet on port 80 is allowed, and all other inbound traffic is denied.

Option A is wrong because traffic from 10.0.1.0/24 on port 80 is allowed. Option B is wrong because an explicit deny rule exists. Option D is wrong because the deny rule is not the only rule.

4 · MCQ · medium

You are designing a secure hybrid network architecture for a company that uses Azure and an on-premises datacenter. The company requires that all traffic between Azure and on-premises traverses Microsoft's backbone network and never the public internet. Additionally, the solution must provide automatic failover if the primary connection fails. Which Azure service should you include in the design?

A. Azure ExpressRoute with redundant circuits
B. Azure Virtual WAN
C. Azure Front Door
D. Azure VPN Gateway
Answer: A

ExpressRoute uses Microsoft's backbone and redundant circuits provide automatic failover.

Why this answer

Azure ExpressRoute with redundant circuits meets the requirement of using Microsoft's backbone and automatic failover. VPN Gateway uses the public internet. Azure Virtual WAN can use ExpressRoute but is not a direct answer.

Azure Front Door is for global load balancing of web applications.

5 · MCQ · hard

A multinational corporation is designing a secure infrastructure for their Azure Kubernetes Service (AKS) clusters. They require network policies to restrict pod-to-pod communication based on namespaces and label selectors. They also need to integrate with Azure Policy for compliance. Which network policy engine should they use?

A. kubenet
B. Cilium
C. Calico through Azure Policy add-on
D. Azure Firewall
Answer: C

Correct: Azure Policy for AKS uses Calico for network policies.

Why this answer

Azure Policy for AKS supports the Calico network policy engine for advanced network policies. Cilium is not natively integrated with Azure Policy. Azure Firewall is for cluster ingress/egress, not pod-level policies. kubenet is a basic networking plugin that does not support network policies.

6 · Multi-Select · medium

Which TWO actions should you take to protect Azure Virtual Machines from ransomware attacks? (Choose two.)

Select 2 answers
A. Configure Azure Firewall to block all outbound traffic.
B. Enable Azure Backup for all VMs.
C. Use auto-shutdown schedules for VMs.
D. Disable RDP access from the internet.
E. Deploy Microsoft Defender Antivirus with real-time protection.
Answers: B, E

Backups allow recovery from ransomware.

Why this answer

Options B and E are correct. Option B: Backups (Azure Backup) are essential for recovery. Option E: Antimalware (Microsoft Defender Antivirus) helps prevent infection.

Option D is wrong because disabling public RDP reduces the attack surface but is not specific to ransomware. Option A is wrong because Azure Firewall is for network segmentation, not direct ransomware protection. Option C is wrong because auto-shutdown does not prevent ransomware.

7 · MCQ · medium

Your organization uses Microsoft Defender for Identity (MDI) to protect on-premises Active Directory. You need to integrate MDI with Microsoft Sentinel to centralize detection and response. What is the required configuration?

A. Deploy the MDI sensor on an Azure VM to send data to Sentinel.
B. Integrate Microsoft Entra ID Protection with Sentinel instead.
C. Enable the Microsoft Defender for Identity data connector in Microsoft Sentinel.
D. Configure MDI to forward logs to a Syslog server, then use the Syslog connector in Sentinel.
Answer: C

This connector ingests MDI alerts into Sentinel.

Why this answer

Option C is correct because the MDI data connector in Sentinel enables ingestion of MDI alerts. Option D is wrong because MDI does not use Syslog for its native alerts; it uses a specific connector. Option B is wrong because Entra ID Protection is for cloud identities, not on-premises AD.

Option A is wrong because the MDI sensor is already deployed on-premises; there is no need to deploy it in Azure.

8 · Multi-Select · hard

You are designing a secure access strategy for Azure SQL Database. The solution must use Microsoft Entra authentication and ensure that only specific client IP addresses can connect. Additionally, all connections must be encrypted in transit. Which THREE components should you configure?

Select 3 answers
A. Enable Always Encrypted for sensitive columns
B. Microsoft Entra authentication for the SQL server
C. Enforce TLS 1.2 for connections
D. A server-level firewall rule allowing specific client IP ranges
E. Configure an Azure Private Endpoint for the SQL server
Answers: B, C, D

Required for identity-based access control.

Why this answer

Microsoft Entra authentication is required for identity-based access. A server-level firewall rule allows specific IPs. Enforcing TLS 1.2 ensures encryption in transit.

Private endpoint is not required for IP-based filtering. Azure AD admin is a user, not a component. Always Encrypted is for column-level encryption, not network security.

9 · MCQ · easy

Your organization is planning to deploy a new web application on Azure VMs. The security team requires that all incoming traffic to the VMs be inspected by a network virtual appliance (NVA) before reaching the VMs. Which Azure networking solution should you use to route traffic through the NVA?

A. Azure Firewall
B. Azure Load Balancer
C. Network Security Groups (NSGs)
D. User Defined Routes (UDRs)
Answer: D

UDRs allow custom routing to force traffic through an NVA.

Why this answer

Option D is correct because User Defined Routes (UDRs) allow you to override Azure's default routing to force traffic through an NVA. Option A is wrong because Azure Firewall is a managed firewall service, not a routing mechanism. Option B is wrong because Azure Load Balancer distributes traffic but does not enforce routing through an NVA.

Option C is wrong because NSGs filter traffic but do not route it.

10 · MCQ · medium

Your company uses Microsoft Intune to manage devices. You need to ensure that corporate data is wiped from a device if it reports a jailbroken status. What is the best approach?

A. Create a device compliance policy that marks jailbroken devices as noncompliant, then use Conditional Access to require compliance
B. Use the remote wipe action from Intune when a jailbreak is reported
C. Deploy an app protection policy that wipes data if jailbreak is detected
D. Configure a device configuration policy to block jailbroken devices
Answer: A

Noncompliant devices can be blocked from access; you can also configure a wipe action as part of the policy.

Why this answer

Option A is correct because a compliance policy can mark the device as noncompliant if jailbroken, and a Conditional Access policy can then trigger a wipe. Option D is too broad. Option B is incorrect because remote wipe is manual.

Option C is incorrect because app protection policies target app data, not the device.

11 · MCQ · medium

Refer to the exhibit. You are reviewing an Azure Policy definition. What is the effect of this policy?

A. Denies creation of Windows VMs that have automatic updates enabled
B. Audits Windows VMs that have automatic updates disabled
C. Audits Linux VMs that have automatic updates enabled
D. Denies creation of Windows VMs without automatic updates enabled
Answer: D

Denies if the property 'enableAutomaticUpdates' does not exist.

Why this answer

Option D is correct: the policy denies the creation of Windows virtual machines that do not have automatic updates enabled. Option C is wrong because the policy targets Windows VMs, not Linux. Option B is wrong because the effect is deny, not audit.

Option A is wrong because the condition checks for the absence of the property, not for it being set to false.

12 · MCQ · easy

Refer to the exhibit. You are reviewing an Azure Policy definition. What does this policy do?

A. Denies creation of any virtual machine that has a network interface attached to a specific subnet.
B. Denies creation of any virtual machine that is attached to a public IP address.
C. Denies creation of any virtual machine that does not have a network interface.
D. Allows creation of virtual machines only if they have a network interface attached to a specific subnet.
Answer: B

The policy denies VMs where the NIC field is present, which implies public IP attachment.

Why this answer

Option B is correct because the policy denies creation of virtual machines that have any network interface (NIC) attached to a public IP (by checking the NIC's id field, which would be present if attached). Option C is wrong because the policy does not target VMs without a NIC; it denies VMs with NICs, not VMs without them.

Options A and D are wrong because the policy does not check for a specific subnet.

13 · MCQ · medium

Refer to the exhibit. You are reviewing an Azure Policy definition. What does this policy do?

A. Requires all virtual machines to use encryption at host
B. Allows only virtual machines with unmanaged disks
C. Denies virtual machines with managed disks if the OS disk type is not Standard_LRS or Premium_LRS
D. Denies all virtual machines without managed disks
Answer: C

The policy denies non-compliant disk types.

Why this answer

Option C is correct. The policy rule denies virtual machines if the OS disk's managed disk storage account type is not Standard_LRS or Premium_LRS. It checks whether the VM uses managed disks, and if so, allows only Standard_LRS or Premium_LRS.

Option D is wrong because the policy does not deny all VMs without managed disks, only those with non-allowed disk types. Option B is wrong because the policy does not allow only unmanaged disks. Option A is wrong because the policy does not require encryption.

14 · Multi-Select · medium

Which TWO actions should you take to protect Azure Virtual Machines from ransomware? (Choose two.)

Select 2 answers
A. Deploy Azure Firewall to block all inbound traffic.
B. Configure Azure Site Recovery for all VMs.
C. Enable Azure Backup with immutable vault.
D. Assign Azure Policy to require encryption at rest.
E. Enable Microsoft Defender for Servers.
Answers: C, E

Immutable backups prevent deletion and modification by ransomware.

Why this answer

Option C is correct because Azure Backup provides immutable backups that cannot be deleted, protecting against ransomware. Option E is correct because Microsoft Defender for Servers (in Defender for Cloud) provides threat detection and alerts for ransomware. Option B is wrong because Azure Site Recovery is for disaster recovery, not backup.

Option A is wrong because Azure Firewall is a network firewall, not a backup or detection solution. Option D is wrong because Azure Policy enforces compliance, not direct ransomware protection.

15 · MCQ · easy

You need to ensure that Azure SQL Database always encrypts data at rest and in transit. Which features should you enable?

A. Firewall rules and Azure Active Directory authentication
B. Transparent Data Encryption (TDE) and enforce TLS connections
C. Always Encrypted and firewall rules
D. Azure Defender for SQL and vulnerability assessment
Answer: B

TDE encrypts data at rest; enforcing TLS encrypts data in transit.

Why this answer

Option B is correct because Transparent Data Encryption (TDE) encrypts data at rest, and enforcing TLS encrypts data in transit. Option C is wrong because Always Encrypted encrypts specific columns, not the entire database. Option D is wrong because Azure Defender for SQL provides threat detection, not encryption.

Option A is wrong because firewall rules control access, not encryption.

16 · MCQ · easy

You need to design a solution to protect Azure VMs from malware and provide security recommendations. Which Azure service should you enable?

A. Azure Sentinel
B. Microsoft Intune
C. Azure Monitor
D. Microsoft Defender for Cloud
Answer: D

Provides antimalware and security recommendations.

Why this answer

Option D is correct because Microsoft Defender for Cloud provides antimalware and security recommendations. Option A is wrong because Azure Sentinel is a SIEM. Option C is wrong because Azure Monitor collects logs.

Option B is wrong because Microsoft Intune manages endpoints.

17 · MCQ · medium

Your organization uses Azure SQL Database and needs to protect sensitive data from being exported by unauthorized users. You must implement a solution that prevents users from copying data to clipboard or taking screenshots of query results, while allowing legitimate business operations. What should you implement?

A. Apply Azure Information Protection labels to the database.
B. Use Dynamic Data Masking to obscure sensitive columns.
C. Enable Azure SQL Database Auditing and threat detection.
D. Configure a session policy in Microsoft Defender for Cloud Apps to block clipboard and screenshot actions.
Answer: D

Session policies can control data exfiltration in real-time.

Why this answer

Option D is correct because Microsoft Defender for Cloud Apps session policies can monitor and control data exfiltration via reverse proxy, including blocking clipboard and screenshot actions. Option C is incorrect because Azure SQL Database Auditing logs activities but does not prevent them. Option B is incorrect because Dynamic Data Masking obfuscates data but does not prevent export.

Option A is incorrect because Azure Information Protection labels files but does not prevent clipboard actions in a browser.

18 · MCQ · easy

You are designing a backup strategy for Azure virtual machines that host a mission-critical application. The solution must support daily backups with a retention of 30 days for daily backups, weekly backups retained for 12 weeks, and monthly backups retained for 3 years. What should you use?

A. Azure Files backup with a custom script.
B. Azure Disk Backup with a snapshot schedule.
C. Azure Site Recovery with a recovery plan.
D. Azure Backup with a backup policy that specifies daily, weekly, and monthly retention.
Answer: D

Azure Backup policies support multi-tier retention.

Why this answer

Option D is correct because Azure Backup allows you to define backup policies with multiple retention points (daily, weekly, monthly, yearly). Option C is incorrect because Azure Site Recovery is for disaster recovery, not long-term retention. Option B is incorrect because Azure Disk Backup is for disk-level backups and does not support complex retention.

Option A is incorrect because Azure Files backup is for file shares.

19 · Multi-Select · easy

Which TWO Microsoft Purview solutions should you use to protect sensitive data in Microsoft 365? (Choose two.)

Select 2 answers
A. Microsoft Purview Audit.
B. Insider Risk Management.
C. Sensitivity labels and policies.
D. Microsoft Purview eDiscovery.
E. Data Loss Prevention (DLP) policies.
Answers: C, E

Labels classify and protect data with encryption and markings.

Why this answer

Option E is correct because Data Loss Prevention (DLP) policies prevent sensitive data from being shared inappropriately. Option C is correct because sensitivity labels classify and protect data across Microsoft 365. Option B is wrong because Insider Risk Management detects risky user activities but does not directly protect data.

Option D is wrong because eDiscovery is for legal discovery. Option A is wrong because audit logs track activities but do not protect data.

20 · MCQ · easy

A company uses Microsoft Defender for Cloud to assess the security posture of their Azure subscriptions. They want to receive alerts when a resource is deployed without encryption enabled. What should they configure?

A. Azure Blueprints
B. Microsoft Defender for Cloud regulatory compliance dashboard
C. Microsoft Defender for Cloud security alerts
D. Azure Policy definition to audit or deny resources without encryption
Answer: D

Correct: Azure Policy enforces encryption requirements.

Why this answer

Azure Policy with a custom policy definition can audit or deny resources without encryption. Defender for Cloud's regulatory compliance dashboard shows compliance status. Security alerts are for threats, not configuration drift.

Azure Blueprints are for packaging resources.

21 · MCQ · easy

Your company uses Microsoft Entra ID for identity management. You need to implement a solution to automatically detect and remediate risky sign-ins using machine learning. What should you configure?

A. Configure Microsoft Entra Connect to sync on-premises identities.
B. Configure Conditional Access policies with session controls.
C. Configure Microsoft Entra ID Protection and enable risk-based policies.
D. Configure Privileged Identity Management (PIM) for admin roles.
Answer: C

Identity Protection detects risky users and sign-ins and can auto-remediate.

Why this answer

Option C is correct because Identity Protection uses ML to detect risks and can automatically remediate (e.g., require MFA, block sign-in). Option B is wrong because Conditional Access policies enforce access controls but do not detect risks. Option D is wrong because Privileged Identity Management (PIM) manages privileged roles.

Option A is wrong because Microsoft Entra Connect syncs identities; it does not perform risk detection.

22 · Multi-Select · medium

Your company uses Azure Backup to protect VMs. You need to ensure that backup data is encrypted at rest and during transit. Which features should you enable? (Choose three.)

Select 3 answers
A. Azure Disk Encryption (BitLocker/DM-Crypt)
B. Azure Backup using Storage Service Encryption (SSE) or customer-managed keys
C. HTTPS for backup traffic
D. Azure Information Protection
E. Soft delete for Azure Backup
Answers: B, C, E

Encrypts backup data at rest.

Why this answer

Options B, C, and E are correct: Azure Backup encrypts data at rest using SSE or customer-managed keys, encrypts data in transit using HTTPS, and soft delete prevents accidental deletion. Option A is wrong because Azure Disk Encryption encrypts OS/data disks but is not required for backup encryption. Option D is wrong because Azure Information Protection is for labeling, not backup encryption.

23 · MCQ · medium

Refer to the exhibit. You run the PowerShell command to retrieve information about a Managed HSM in Azure. The output shows that the HSM is in 'Provisioned' state and has two security domains. What is the purpose of the security domains?

A. To manage the HSM's private endpoint connections.
B. To back up and restore the HSM's key material and configuration.
C. To enable role-based access control (RBAC) for the HSM.
D. To define the HSM's network access and firewall rules.
Answer: B

Security domains contain the HSM's master key and are required for disaster recovery.

Why this answer

Option B is correct because Managed HSM security domains are used to back up the HSM's key material for disaster recovery. Option A is wrong because private endpoints are configured separately. (HSM pools are a standard Key Vault concept, not a Managed HSM one.)

Option C is wrong because security domains are not for RBAC; RBAC is managed via Azure RBAC.

24 · MCQ · hard

Refer to the exhibit. You are reviewing a Microsoft Sentinel analytics rule in your workspace. The output shows the rule 'MFA Disabled' is enabled with severity Medium. The query returns events where MFA is absent. What is the primary issue with this rule?

A. The rule should be disabled until tuned.
B. The severity should be High.
C. The trigger threshold is too low.
D. The query does not include a time range, which will cause excessive alerts.
Answer: D

Without a time filter, the rule will fire on all historical data.

Why this answer

Option D is correct because the query is too broad and will generate excessive alerts (no time filter). Option B is wrong because the severity is Medium, which is acceptable. Option A is wrong because the rule is enabled.

Option C is wrong because the threshold and operator are defined.

25 · MCQ · medium

Your organization uses Microsoft Sentinel for security information and event management (SIEM). You need to design a solution to detect brute-force attacks against Azure virtual machines. The solution should use Azure Activity Logs and Windows Security Events. What should you configure in Sentinel?

A. Create a threat intelligence watchlist
B. Create a workbook
C. Create a scheduled analytics rule
D. Create a playbook
Answer: C

Scheduled analytics rules run queries at intervals to detect threats.

Why this answer

Option C is correct because Sentinel can ingest Azure Activity Logs and Windows Events, and then use analytics rules to detect brute-force patterns. Option A is wrong because watchlists are for reference data, not detection logic. Option B is wrong because workbooks visualize data, not detect.

Option D is wrong because playbooks automate responses, not detect.

26 · MCQ · medium

Your organization uses Microsoft Intune to manage iOS/iPadOS devices. You need to ensure that devices must have a minimum OS version and cannot be jailbroken. Which configuration profile type should you assign?

A. Device configuration policy.
B. Device restrictions profile.
C. Enrollment restriction.
D. Compliance policy.
Answer: D

Compliance policies define conditions like min OS version and jailbreak status.

Why this answer

Option D is correct because compliance policies define requirements like OS version and jailbreak detection. Option B is wrong because device restrictions enforce settings, not compliance. Option A is wrong because configuration policies are for settings.

Option C is wrong because enrollment restrictions apply during enrollment.

27 · MCQ · easy

You need to secure Azure Blob Storage by encrypting data at rest using customer-managed keys stored in Azure Key Vault. What should you configure?

A. Enable Azure Purview to manage encryption keys.
B. Enable Azure Disk Encryption for the storage account.
C. Configure encryption with customer-managed keys in Azure Key Vault and enable infrastructure encryption.
D. Enable Azure Information Protection for the storage account.
Answer: C

This provides double encryption with CMK.

Why this answer

Option C is correct because Azure Storage encryption with customer-managed keys uses Key Vault and requires enabling 'Infrastructure encryption' for double encryption. Option D is wrong because Azure Information Protection is for classification, not storage encryption. Option B is wrong because Azure Disk Encryption is for VM disks.

Option A is wrong because Azure Purview is for data governance, not encryption.

28 · MCQ · easy

Your company is deploying a critical application on Azure App Service. You need to secure the application by restricting access to only users within your organization. The application should be accessible from both corporate-managed devices and personal devices that are enrolled in Microsoft Intune. You want to use Microsoft Entra ID for authentication and require that users authenticate using multi-factor authentication (MFA). What should you configure?

A. Use Azure AD B2B collaboration to allow only users from your organization.
B. Configure a Conditional Access policy in Microsoft Entra ID that targets the application, requires MFA, and requires a compliant device.
C. Enable App Service authentication and authorization with Microsoft Entra ID as the identity provider.
D. Create an app registration in Microsoft Entra ID and assign users to the enterprise application.
Answer: B

Conditional Access can enforce MFA and device compliance via Intune.

Why this answer

Option B is correct because a Conditional Access policy can require MFA and compliant devices (via Intune) for access to the App Service app. Option C is wrong because App Service authentication alone does not enforce device compliance. Option D is wrong because an app registration alone does not enforce MFA.

Option A is wrong because Azure AD B2B is for external users, not internal ones.

29 · MCQ · hard

Refer to the exhibit. You are deploying an ARM template for a network security group. What is the security implication of this configuration?

A. The rule only allows traffic on port 443 from a specific IP range
B. The rule allows outbound traffic from the subnet to the Internet
C. The rule allows inbound HTTPS traffic from any Internet source to the subnet, which may be overly permissive
D. The rule blocks all inbound traffic from the Internet
Answer: C

Allowing Internet access to a subnet without restrictions is a security concern.

Why this answer

Option C is correct because the rule allows HTTPS from the Internet to the subnet 10.0.1.0/24, making the frontend accessible from anywhere, which is a security risk if not intended. Option A is wrong because the rule does allow Internet traffic. Option B is wrong because the rule is inbound, not outbound.

Option D is wrong because the rule allows traffic on port 443.

30 · MCQ · medium

Your company is designing a secure DevOps pipeline using Azure DevOps. You need to ensure that secrets (e.g., API keys) are stored securely and scanned for leaks in code repositories. The solution must integrate with Azure Policy to prevent deployment if secrets are exposed. You also need to enforce that only approved branches can deploy to production. What should you implement?

A. Store secrets in a file in a private Git repo. Use a custom script to scan for secrets. Use Azure Policy to enforce branch policy.
B. Use variable groups in Azure DevOps to store secrets. Use Azure Policy to block deployments if secrets are in code. Use release gates.
C. Store secrets in Azure Key Vault with a service connection. Use GitHub Advanced Security (secret scanning) integrated with Azure DevOps. Use branch policies to require pull requests for production.
D. Use Azure Key Vault with managed identities. Use Defender for Cloud to scan for secrets in repos. Use branch policies.
Answer: C

Key Vault securely stores secrets; GitHub Advanced Security scans for leaks; branch policies enforce approval.

Why this answer

Option C is correct: it uses Key Vault for secrets, GitHub Advanced Security for secret scanning, and branch policies for control. Option A keeps secrets in the repo and relies on a custom script; Option B has no secret scanning; Option D uses the wrong scanning tool.

31 · MCQ · medium

Your company uses Microsoft Purview to govern data across Azure and on-premises. You need to classify sensitive data such as credit card numbers in Azure SQL Database and apply automatic retention labels. What should you configure?

A. Create a scan in Microsoft Purview Data Map and apply retention labels based on classifications.
B. Enable Microsoft Defender for Cloud Apps to classify and label data in Azure SQL.
C. Configure sensitivity labels in Microsoft Purview Information Protection.
D. Use Microsoft Sentinel to detect credit card numbers and trigger a retention policy.
Answer: A

Data Map scans data sources and can automatically apply retention labels to classified data.

Why this answer

Option A is correct because Microsoft Purview Data Map can scan Azure SQL Database for sensitive data types like credit card numbers and then apply retention labels automatically. Option C is wrong because sensitivity labels are for classification, not retention. Option D is wrong because Microsoft Sentinel is for security analytics.

Option B is wrong because Microsoft Defender for Cloud Apps is for cloud app security.

32 · MCQ · medium

Your organization is implementing a privileged access workstation (PAW) strategy for administrators managing Azure resources. The PAWs are Windows 11 devices enrolled in Intune. You need to ensure that only approved applications can run on PAWs, and that device users cannot disable security features. The solution must also enforce that PAWs are used exclusively for administrative tasks. What should you configure?

A. Enable Azure AD B2B collaboration for external admins. Use Intune to enforce device encryption.
B. Configure Windows Defender Application Control (WDAC) and AppLocker policies in Intune to allow only approved administrative tools. Use Intune compliance policies to block non-compliant devices. Use Azure AD Conditional Access to require PAW as compliant.
C. Assign privileged roles using Azure AD Privileged Identity Management (PIM). Use Azure Policy to audit admin actions.
D. Use Azure AD Conditional Access to require multi-factor authentication and device compliance. Use Microsoft Defender for Cloud to monitor for admin activities.
Answer: B

WDAC and AppLocker restrict apps; Intune enforces settings; Conditional Access ensures only PAWs can access admin portals.

Why this answer

Option B is correct: it uses Windows Defender Application Control (WDAC) and AppLocker to restrict apps, and Intune to enforce settings. Option D uses Conditional Access but not app control; Option C uses PIM roles but not device control; Option A is for guest access.

33 · MCQ · medium

Your organization plans to use Microsoft Defender for Cloud to protect a hybrid environment with servers in Azure and on-premises. You need to ensure that security policies are consistently applied across all servers. What should you configure?

A.Onboard all servers to Azure Arc and assign Defender for Cloud policies.
B.Deploy Azure Automation State Configuration (DSC) to all servers.
C.Connect all servers to Microsoft Sentinel and use analytics rules.
D.Use Azure Policy with guest configuration on all servers.
AnswerA

Azure Arc extends Azure management to non-Azure servers, enabling consistent policy assignment.

Why this answer

Option A is correct because Azure Arc allows non-Azure servers to be managed with the same Azure Policy and Defender for Cloud policies as Azure VMs. Option B is wrong because Azure Automation State Configuration is for configuration management, not policy enforcement. Option D is wrong because Azure Policy guest configuration requires Azure Arc for non-Azure machines.

Option C is wrong because Microsoft Sentinel is a SIEM, not a policy enforcement tool.

34
MCQhard

A company uses Microsoft Sentinel for SIEM and SOAR. You need to design a solution to detect and automatically respond to ransomware attacks involving mass file encryption on Windows servers. The response must include isolating the compromised server from the network, creating a backup of affected files, and resetting the user account's password. Which automation approach minimizes manual intervention?

A.Use a Logic Apps playbook to create a VM snapshot and send an email to the security team.
B.Create an alert rule that triggers an Azure Automation runbook to isolate the VM.
C.Set up an automation rule that runs a playbook to isolate the VM, trigger a backup, and reset the user password.
D.Configure a manual incident response plan that includes password reset.
AnswerC

Automation rule with a multi-step playbook covers all required actions.

Why this answer

Option C is correct because Microsoft Sentinel's automation rules can trigger a playbook (Logic App) that performs all three actions: isolate the VM via an Azure Automation runbook, trigger a backup via the Azure Backup APIs, and reset the password via Microsoft Graph. Option B is incorrect because it only isolates the VM. Option A is incorrect because it only creates a backup (snapshot).

Option D is incorrect because it only resets the password.

35
MCQeasy

You are designing a secure remote access solution for on-premises web applications using Microsoft Entra ID. The solution must support multifactor authentication (MFA) and conditional access. Which service should you use?

A.Microsoft Entra application proxy
B.Windows Server DirectAccess
C.VPN gateway with RADIUS authentication
D.Microsoft Entra ID (Azure AD)
AnswerA

Application proxy publishes on-premises apps with MFA and Conditional Access.

Why this answer

Microsoft Entra Application Proxy provides secure remote access to on-premises web apps with MFA and Conditional Access, so Option A is correct. Option C is incorrect because a VPN with RADIUS does not integrate with Entra ID MFA.

Option D is incorrect because Azure AD (Entra ID) alone does not provide proxying. Option B is incorrect because DirectAccess is Windows-only and does not support MFA natively.

36
MCQmedium

Your company has an Azure subscription that contains multiple virtual machines (VMs) running Windows Server. You need to ensure that all VMs are compliant with your organization's security baseline. The security baseline includes specific registry key settings, password policies, and service configurations. You want to continuously monitor and automatically remediate non-compliant VMs. What should you implement?

A.Deploy Azure Automation State Configuration to apply Desired State Configuration (DSC) to the VMs.
B.Use Azure Policy with Guest Configuration extension to audit and remediate the VM settings.
C.Use Azure Update Manager to ensure VMs are up to date.
D.Enable Microsoft Defender for Cloud and review the security recommendations.
AnswerB

Guest Configuration can audit and remediate OS settings.

Why this answer

Option B is correct because Azure Policy with the Guest Configuration extension allows you to audit and remediate settings inside VMs, including registry keys and services. Option A is wrong because Azure Automation State Configuration applies DSC, but it requires more manual setup and does not integrate natively with Azure Policy for compliance. Option D is wrong because Microsoft Defender for Cloud provides security recommendations but not granular configuration remediation.

Option C is wrong because Azure Update Manager focuses on patching, not configuration.

37
Multi-Selecteasy

A company wants to secure its Azure Kubernetes Service (AKS) cluster. They need to ensure that pods cannot communicate with each other unless explicitly allowed, and that secrets are encrypted at rest. Which TWO security controls should they implement?

Select 2 answers
A.Use Azure Key Vault with Secrets Store CSI driver for secret management.
B.Apply Azure Policy to restrict container image sources.
C.Define Kubernetes network policies to restrict pod-to-pod traffic.
D.Enable Container insights for monitoring.
E.Enable Azure AD integration for the AKS cluster.
AnswersA, C

Network policies restrict pod-to-pod traffic, and Key Vault with the CSI driver provides encrypted, externally stored secrets.

Why this answer

Correct answers: A and C. Network policies in Kubernetes can restrict pod-to-pod communication, and Azure Key Vault with the CSI driver allows secrets to be encrypted and stored externally. Option E is incorrect: Azure AD integration is for authentication, not network or encryption.

Option B is incorrect: Azure Policy can enforce image sources, not pod communication. Option D is incorrect: Container insights is for monitoring.

38
MCQhard

Your company has a hybrid identity environment with Microsoft Entra ID and on-premises Active Directory. You are designing a solution to protect against password spray attacks. You need to implement a solution that can detect and block malicious authentication attempts in real-time. What should you use?

A.Microsoft Entra ID Protection with Conditional Access policies.
B.Microsoft Defender for Identity with a VPN integration.
C.Azure AD Multi-Factor Authentication (MFA) enforced for all users.
D.Password hash synchronization with Azure AD Connect.
AnswerA

Detects and blocks risky sign-ins in real-time.

Why this answer

Option A is correct because Entra ID Identity Protection provides real-time risk detection and conditional access policies to block risky sign-ins, including password spray. Option B is wrong because Microsoft Defender for Identity focuses on on-premises AD attacks, not cloud authentication. Option C is wrong because Azure AD MFA is a verification method, not a detection mechanism.

Option D is wrong because password hash sync is for synchronization, not detection.

39
MCQhard

You are designing a secure DevOps pipeline for a critical application using GitHub Actions and Microsoft Defender for Cloud. You need to ensure that container images are scanned for vulnerabilities before being deployed to Azure Kubernetes Service (AKS). What should you implement?

A.Integrate Microsoft Defender for Containers with the CI/CD pipeline to scan images in Azure Container Registry.
B.Enable GitHub Advanced Security for the repository.
C.Configure Azure Policy to require vulnerability assessment.
D.Use Azure Container Registry Tasks to build images.
AnswerA

Defender for Containers scans images for vulnerabilities.

Why this answer

Option A is correct because Defender for Cloud can scan container images in registries and integrate with CI/CD. Option B is wrong because GitHub Advanced Security scans code, not images. Option C is wrong because Azure Policy can enforce compliance but does not scan.

Option D is wrong because Azure Container Registry Tasks build images but do not scan.

40
Multi-Selecthard

Which TWO actions should you take to improve the security posture of an Azure subscription using Microsoft Defender for Cloud? (Select two.)

Select 2 answers
A.Assign Azure Policy to enforce resource compliance
B.Enable Azure Defender plans for all supported resource types
C.Implement the top security recommendations from the Secure Score
D.Create custom security policies
E.Deploy vulnerability assessment solution to all VMs
AnswersB, C

Enabling plans provides advanced threat protection.

Why this answer

Options B and C are correct because enabling Defender plans and implementing recommendations improve security. Option D is wrong because Defender for Cloud already provides recommendations. Option E is wrong because vulnerability assessment for VMs is a feature, not a specific action.

Option A is wrong because assigning Azure Policy is a method, but the most direct actions are enabling plans and implementing recommendations.

41
MCQeasy

Your company uses Azure DevOps to deploy infrastructure. You need to ensure that all deployed resources have specific tags for cost tracking. Which Azure policy effect should you use to prevent deployment of untagged resources?

A.Disabled
B.Deny
C.DeployIfNotExists
D.Audit
AnswerB

Deny prevents creation of non-compliant resources.

Why this answer

Option B is correct because the 'Deny' effect prevents creation of non-compliant resources. Option D is wrong because 'Audit' only logs compliance and does not block. Option C is wrong because 'DeployIfNotExists' can add tags after creation but does not prevent deployment.

Option A is wrong because 'Disabled' turns off the policy.

42
Multi-Selectmedium

Your company uses Microsoft Intune to manage Windows 10 devices. You need to design a security baseline that ensures devices meet the organization's security requirements, including BitLocker encryption, Windows Defender Firewall rules, and Microsoft Defender for Endpoint settings. Which TWO Intune features should you use to apply these configurations?

Select 2 answers
A.Device enrollment restrictions
B.Endpoint security policies for Antivirus, Firewall, and Disk Encryption
C.Compliance policies for Windows 10
D.Custom configuration profiles using OMA-URI
E.Security Baselines for Windows 10
AnswersB, E

Endpoint security policies provide dedicated sections for configuring Defender, firewall, and BitLocker.

Why this answer

Option E (Security Baselines) provides pre-configured settings for security features. Option B (Endpoint security policies) allows granular configuration of antivirus, firewall, and BitLocker. Option C (Compliance policies) enforces requirements but does not configure settings; Option D (Custom configuration profiles) can apply settings but is not as comprehensive; Option A (Device enrollment restrictions) is for enrollment control.

43
MCQmedium

Your organization is migrating on-premises Active Directory to Microsoft Entra ID. You need to ensure that users can authenticate to on-premises resources using their Entra ID credentials. Which feature should you implement?

A.Active Directory Federation Services (AD FS)
B.Password Hash Sync with Microsoft Entra Connect
C.Microsoft Entra Connect Health
D.Pass-through Authentication
AnswerB

Synchronizes password hashes for authentication to on-premises.

Why this answer

Option B is correct because Microsoft Entra ID with Password Hash Sync allows users to use the same password for cloud and on-premises resources. Option D is wrong because Pass-through Authentication does not sync passwords. Option A is wrong because federation requires an on-premises identity provider.

Option C is wrong because Microsoft Entra Connect Health monitors synchronization health.

44
MCQmedium

Your organization is deploying Microsoft Defender for Cloud to secure a hybrid environment with workloads in Azure and on-premises. You need to ensure that all servers are covered by Defender for Cloud's plans. Which two actions should you take?

A.Install the Azure Connected Machine agent (Azure Arc) on on-premises servers.
B.Enable only the foundational cloud security posture management (CSPM) on the subscription.
C.Enable the Defender for Cloud plans (e.g., Defender for Servers) on the Azure subscription.
D.Deploy the Azure Monitor Agent to all on-premises servers.
AnswerA, C

Brings on-premises servers under Defender for Cloud management.

Why this answer

Option C is correct because enabling the appropriate Defender plans (e.g., Servers) on the Azure subscription covers Azure VMs. Option A is correct because deploying the Azure Arc agent on on-premises servers allows them to be managed by Defender for Cloud. Option B is wrong because enabling just the foundational CSPM doesn't include the server-specific protections.

Option D is wrong because Defender for Cloud doesn't require Azure Monitor agents for basic coverage, though it's recommended for advanced features.

45
MCQmedium

Refer to the exhibit. You are reviewing an ARM template that deploys a storage account. The compliance team requires that all storage accounts use TLS 1.2 or higher. Does this template meet the requirement?

A.Yes, because Standard_GRS automatically enforces TLS 1.2.
B.Yes, because minimumTlsVersion is set to TLS1_2.
C.No, because supportsHttpsTrafficOnly only allows HTTPS but does not enforce TLS 1.2.
D.No, because the apiVersion is outdated and does not support TLS setting.
AnswerB

The property enforces TLS 1.2 as the minimum version.

Why this answer

Option B is correct because the template sets minimumTlsVersion to TLS1_2, which meets the requirement. Option C is wrong because the minimumTlsVersion property is set correctly, so HTTPS-only is not the deciding factor. Option D is wrong because the template uses a valid apiVersion.

Option A is wrong because Standard_GRS is a storage SKU and is not related to the TLS version.

46
MCQmedium

You are designing a secure hybrid network connectivity solution between an on-premises datacenter and Azure. The requirement is to have encrypted traffic and high availability. Which service should you use?

A.Azure Front Door
B.Azure ExpressRoute
C.Azure VPN Gateway
D.Azure Bastion
AnswerC

VPN Gateway provides IPsec encryption and supports active-active for HA.

Why this answer

Option C is correct because VPN Gateway provides an encrypted site-to-site VPN with an active-active configuration for high availability. Option B is wrong because ExpressRoute offers private connectivity but encryption is optional. Option D is wrong because Azure Bastion is for RDP/SSH access.

Option A is wrong because Azure Front Door is a global load balancer.

47
MCQmedium

A multinational corporation uses Microsoft Entra ID with hybrid identities. They need to design a solution that automatically remediates risky sign-ins without user intervention. Which feature should you enable?

A.Entra ID Governance (Access Reviews)
B.Privileged Identity Management (PIM)
C.Microsoft Defender for Identity
D.Identity Protection with Conditional Access policies
AnswerD

Identity Protection detects risk and Conditional Access can enforce automated actions like blocking or requiring MFA.

Why this answer

Option D is correct because Entra ID Identity Protection with Conditional Access policies can block or require MFA automatically based on risk. Option B is wrong because PIM is for privileged identity management, not risk-based remediation. Option A is wrong because Entra ID Governance is for access reviews and entitlement management.

Option C is wrong because Microsoft Defender for Identity is for on-premises identity protection, not automatic remediation.

48
Multi-Selecteasy

Your organization is adopting a Zero Trust security model. You need to design a solution for secure remote access to on-premises applications that eliminates VPNs. Which TWO Microsoft technologies should you use?

Select 2 answers
A.Azure Bastion
B.Microsoft Intune
C.Microsoft Entra Application Proxy
D.Microsoft Defender for Cloud Apps
E.Azure VPN Gateway
AnswersC, D

Application Proxy publishes on-premises apps securely without VPN, using conditional access.

Why this answer

Option C (Microsoft Entra Application Proxy) provides secure remote access to on-premises apps without VPN. Option D (Microsoft Defender for Cloud Apps) provides conditional access and session control. Option E (Azure VPN Gateway) is a VPN; Option A (Azure Bastion) is for RDP/SSH to VMs; Option B (Microsoft Intune) is for device management.

49
MCQhard

You are designing a secure access solution for an on-premises application that uses legacy authentication protocols. The organization plans to migrate to Microsoft Entra ID but the application vendor has not yet provided a modern authentication update. The solution must enable single sign-on (SSO) and support multifactor authentication (MFA) for this application without modifying the application code. Which approach should you recommend?

A.Integrate the application with the Microsoft Authentication Library (MSAL)
B.Federate the on-premises Active Directory with Microsoft Entra ID
C.Use Microsoft Entra Conditional Access policies to require MFA
D.Deploy Microsoft Entra Application Proxy with pre-authentication
AnswerD

Application Proxy acts as a reverse proxy, handling modern auth with Entra ID and relaying to the legacy app.

Why this answer

Option D is correct because Microsoft Entra Application Proxy allows publishing on-premises apps that use legacy authentication, and it can integrate with Entra ID for pre-authentication, enabling SSO and MFA without code changes. Option C is wrong because Entra ID Conditional Access policies require modern authentication to enforce MFA. Option A is wrong because the Microsoft Authentication Library (MSAL) requires app code changes.

Option B is wrong because federation with AD FS still requires modern authentication at the app level.

50
MCQhard

Your organization uses Microsoft Sentinel to monitor security events. You need to design a solution that alerts when a user account is created and then used to log in from a different country within 1 hour. Which KQL query structure should you use?

A.Use a single table filter with where clause
B.Use summarize with timechart
C.Use a join operation on AccountName with a time window
D.Use union to combine events
AnswerC

Join allows correlating account creation and login events within a time window.

Why this answer

Option C is correct because a join operation on AccountName with a time window can correlate account creation and login events. Option A is wrong because a simple filter cannot correlate two events. Option D is wrong because a union just combines tables without correlating them.

Option B is wrong because summarize with timechart shows an aggregation, not a specific account correlation.
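The correlation described in option C, as an added example that is not part of the question set: a time-window join implemented in Python over constructed account-creation and sign-in records. The field names, the one-hour window semantics (sign-in at or after creation, within 60 minutes, from a different country than the creating session) and all sample events are assumptions; the KQL shape is sketched in a comment.

```python
"""Correlate 'account created' events with a sign-in from a different country
within one hour of creation (the detection in question 50).

Added example, not part of the question set. In KQL the shape is a join of the
creation events and the sign-in events on the account name, followed by where
clauses on the time delta and the country; this Python version runs the same
logic over constructed records so it can be executed offline. Table and field
names (AccountName, Country, TimeGenerated) and all events are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=1)


@dataclass(frozen=True)
class AccountEvent:
    time_generated: datetime
    account_name: str
    country: str  # for creations: the country the creating admin's session came from


# Equivalent KQL shape (placeholder table/column names, not a specific connector schema):
#   Creations
#   | join kind=inner (Signins) on AccountName
#   | where TimeGenerated1 between (TimeGenerated .. TimeGenerated + 1h)
#   | where Country1 != Country
def correlate(creations: list[AccountEvent], signins: list[AccountEvent],
              window: timedelta = WINDOW) -> list[tuple[AccountEvent, AccountEvent]]:
    """Return (creation, signin) pairs for the same account where the sign-in
    happens 0..window after creation and comes from a different country.

    Sign-ins before the creation (negative delta) or after the window are
    excluded, as are sign-ins from the same country as the creation.
    """
    by_account: dict[str, list[AccountEvent]] = {}
    for s in signins:
        by_account.setdefault(s.account_name, []).append(s)

    hits: list[tuple[AccountEvent, AccountEvent]] = []
    for c in creations:
        for s in by_account.get(c.account_name, []):
            delta = s.time_generated - c.time_generated
            if timedelta(0) <= delta <= window and s.country != c.country:
                hits.append((c, s))
    return hits


def at_utc(hh: int, mm: int) -> datetime:
    # Constructed timestamps, all on the same UTC day.
    return datetime(2024, 5, 1, hh, mm, tzinfo=timezone.utc)


# Constructed sample data (not real telemetry).
CREATIONS = [
    AccountEvent(at_utc(10, 0), "svc-backup", "US"),   # created by an admin in the US
    AccountEvent(at_utc(11, 0), "jdoe", "US"),
]
SIGNINS = [
    AccountEvent(at_utc(9, 50), "svc-backup", "BR"),   # before creation: ignored
    AccountEvent(at_utc(10, 20), "svc-backup", "US"),  # same country: ignored
    AccountEvent(at_utc(10, 40), "svc-backup", "BR"),  # 40 min later, other country: HIT
    AccountEvent(at_utc(12, 30), "svc-backup", "BR"),  # outside the 1h window: ignored
    AccountEvent(at_utc(11, 30), "jdoe", "US"),        # same country: ignored
    AccountEvent(at_utc(11, 45), "other", "DE"),       # no matching creation: ignored
]


def suspicious_accounts(creations=CREATIONS, signins=SIGNINS) -> list[str]:
    """Account names that should raise the alert, sorted for stable output."""
    return sorted({c.account_name for c, _ in correlate(creations, signins)})


if __name__ == "__main__":
    for created, signin in correlate(CREATIONS, SIGNINS):
        gap = int((signin.time_generated - created.time_generated).total_seconds() // 60)
        print(f"ALERT {created.account_name}: created from {created.country}, "
              f"signed in from {signin.country} {gap} min later")
```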

51
MCQmedium

Refer to the exhibit. You are reviewing an Azure Policy definition. What will this policy do when assigned to a subscription?

A.Deny creation of all virtual machines.
B.Audit existing virtual machines for compliance.
C.Enforce Premium SSD on data disks.
D.Prevent creation of virtual machines with OS disks that are not Premium SSD.
AnswerD

The policy denies VMs where the OS disk storage type is not Premium_LRS.

Why this answer

Option D is correct because the policy denies creation of VMs whose OS disk is not Premium_LRS. Option A is wrong because it only denies VMs whose OS disk type is not Premium_LRS, not all VMs. Option C is wrong because it checks the OS disk, not data disks.

Option B is wrong because the policy evaluates at creation time rather than auditing existing VMs.

52
MCQhard

A multinational corporation uses Microsoft Entra ID for identity and Microsoft Defender for Cloud Apps for SaaS app governance. The security team wants to deploy a conditional access policy that blocks access from untrusted locations for all cloud apps except Microsoft 365, which should only be blocked if the device is not compliant. How should you configure the policy?

A.Use a session policy in Defender for Cloud Apps to monitor non-compliant devices.
B.Create two conditional access policies: one for all cloud apps except Microsoft 365 blocking untrusted locations, and one for Microsoft 365 requiring compliant device.
C.Create one conditional access policy that includes all cloud apps and requires compliant device for Microsoft 365 only.
D.Configure a conditional access policy that blocks access from untrusted locations for all apps.
AnswerB

Two policies achieve the desired granularity.

Why this answer

Option B is correct because you can use two policies: one targeting 'All cloud apps' excluding Microsoft 365 and blocking untrusted locations, and another targeting 'Office 365' requiring a compliant device. Option C is incorrect because a single policy cannot have different conditions for different apps. Option A is incorrect because session controls are for monitoring, not blocking.

Option D is incorrect because blocking access for all apps would be too restrictive.

53
Multi-Selectmedium

You are designing a secure access solution for on-premises applications using Microsoft Entra ID. The solution must support modern authentication, single sign-on (SSO), and Conditional Access. Which TWO technologies should you implement?

Select 2 answers
A.Azure AD B2C
B.Microsoft Entra Domain Services
C.Microsoft Entra application proxy
D.Microsoft Entra ID as the identity provider
E.Site-to-Site VPN
AnswersC, D

Publishes on-premises apps with modern authentication and SSO.

Why this answer

Options C and D are correct. Microsoft Entra application proxy publishes on-premises apps with modern authentication and SSO, with Microsoft Entra ID as the identity provider that enforces Conditional Access. The Microsoft Entra application gallery provides pre-integrated SSO for SaaS apps, but for on-premises apps the proxy is used.

Option E is wrong because VPN does not provide modern authentication or Conditional Access. Option B is wrong because Microsoft Entra Domain Services is for domain join, not app access. Option A is wrong because Azure AD B2C is for customer-facing apps.

54
Multi-Selectmedium

You are designing a security solution for Azure resources using Azure Policy. You need to ensure that all storage accounts enforce HTTPS traffic and that only certain virtual networks can access them. Which THREE policy effects can you use to achieve this?

Select 3 answers
A.DeployIfNotExists
B.Append
C.Modify
D.Deny
E.Audit
AnswersA, D, E

DeployIfNotExists can deploy network rules to storage accounts.

Why this answer

Options A, D, and E are correct. Deny prevents creation of non-compliant resources, Audit logs non-compliant resources, and DeployIfNotExists can deploy network rules. Option B is wrong because Append adds properties to resources but is not suited to network rules.

Option C is wrong because Modify changes properties, but it is not suited to enforcing HTTPS.

55
MCQhard

Your organization has a multi-region Azure deployment with ExpressRoute connections to on-premises. You need to design a solution that ensures all traffic between on-premises and Azure is inspected by a firewall for both inbound and outbound connections. The solution must minimize latency and avoid a single point of failure. What design should you recommend?

A.Deploy Azure Firewall in each region with forced tunneling enabled
B.Deploy Azure Firewall in one central hub region and route all traffic through it
C.Use Network Security Groups (NSGs) on subnets to filter traffic
D.Deploy a third-party NVA in a hub-and-spoke topology with a single hub
AnswerA

Regional firewalls avoid single point of failure and minimize latency with forced tunneling for inspection.

Why this answer

Option A is correct because deploying Azure Firewall in each region in an active-active configuration with forced tunneling provides inspection for all traffic without a single point of failure. Option B is wrong because a single central firewall is a single point of failure and adds latency for all traffic. Option C is wrong because NSGs do not inspect traffic; they filter based on rules.

Option D is wrong because a third-party NVA in a single hub introduces a single point of failure and potential licensing complexity.

56
MCQhard

Refer to the exhibit. You run the PowerShell script to check compliance of the 'RequireSQLEncryption' policy assignment. The script returns no output. What is the most likely reason?

A.The Get-AzPolicyState cmdlet is not a valid Azure PowerShell cmdlet; it should be Get-AzPolicyStateSummary.
B.The policy assignment is scoped to a management group, not a resource group.
C.All resources are compliant, so the Where-Object filter returns empty.
D.There are no resources in the resource group InfrastructureRG.
AnswerA

The correct cmdlet is Get-AzPolicyStateSummary for compliance summary. Get-AzPolicyState does not exist.

Why this answer

Option A is correct. Get-AzPolicyState requires the PolicyState parameter to be specified, otherwise the result is empty when no non-compliant resources exist, and the script uses the Scope property from the policy assignment, which may not be correct. More importantly, Get-AzPolicyState is not a standard Azure PowerShell cmdlet; the correct cmdlet is Get-AzPolicyStateSummary, or Get-AzPolicyState with the -PolicyAssignmentName parameter.

Since the cmdlet name is wrong, the script fails or returns nothing. Option D is wrong because the script does not check whether resources exist. Option C is wrong because the empty output is caused by the wrong cmdlet, not by a 'Compliant' state.

Option B is wrong because a resource group scope is valid.

57
MCQmedium

Your company has a Microsoft 365 E5 subscription and uses Microsoft Defender for Office 365. You need to protect users from phishing attacks that use malicious links in email messages. The solution should allow users to report suspicious emails to the security team for analysis. You also want to automatically block repeated phishing attempts from the same sender. What should you configure?

A.Configure anti-spam policies and enable the Report Message add-in.
B.Configure Safe Links policies and enable the Report Message add-in for user reporting.
C.Configure Safe Attachments policies and enable the Report Message add-in.
D.Enable the Report Message add-in for Outlook and configure a mailbox for submissions.
AnswerB

Safe Links protects against malicious links, and reporting allows analysis.

Why this answer

Option B is correct because Safe Links protects users from clicking malicious links in real time, and the user reporting add-in allows reporting. Attack simulation training helps educate users but is not the primary protection mechanism. Option D is wrong because the reporting add-in alone does not protect against links.

Option C is wrong because Safe Attachments protects attachments, not links. Option A is wrong because anti-spam policies are for spam, not phishing links.

58
MCQmedium

A company uses Azure Front Door to publish a web application globally. They need to protect against DDoS attacks and web application attacks (SQL injection, XSS). Which two services should they enable in combination?

A.Azure DDoS Protection Standard and Azure Firewall
B.Azure WAF on Application Gateway and Network Security Groups
C.Azure Firewall and Azure DDoS Protection Basic
D.Azure DDoS Protection Standard and Azure WAF policy on Front Door
AnswerD

Correct: DDoS Protection handles volumetric attacks; WAF handles application attacks.

Why this answer

Azure DDoS Protection protects against volumetric DDoS attacks. Azure Web Application Firewall (WAF) in Front Door protects against application-layer attacks. Azure Firewall is for network-layer filtering.

Network Security Groups (NSGs) are for subnet-level filtering. Azure DDoS Protection Standard is the correct tier.

59
MCQhard

You are designing a zero-trust network architecture for a hybrid environment using Azure Virtual WAN. You need to secure all traffic between on-premises sites and Azure virtual networks using Microsoft's security services. The solution should include next-generation firewall capabilities and TLS inspection. What should you deploy?

A.Deploy a third-party NVA in a spoke virtual network and route traffic through it.
B.Deploy Azure Firewall Standard as the secured hub in Virtual WAN.
C.Deploy Azure Application Gateway with WAF in each virtual network.
D.Deploy Azure Firewall Premium as the secured hub in Virtual WAN.
AnswerD

Azure Firewall Premium offers TLS inspection, IDPS, and integrates natively with Virtual WAN.

Why this answer

Option D is correct because Azure Firewall Premium provides next-generation firewall features including TLS inspection and IDPS, and it can be integrated with Azure Virtual WAN as a secured hub. Option B is wrong because Azure Firewall Standard lacks TLS inspection. Option A is wrong because a third-party NVA in a spoke requires manual routing and does not integrate natively.

Option C is wrong because Application Gateway is for web traffic, not for general network traffic inspection.

60
MCQhard

Refer to the exhibit. You are reviewing an Azure Policy definition in JSON. What does this policy do?

A.Denies SQL servers from using Azure AD authentication
B.Allows SQL servers to use Azure AD authentication
C.Denies SQL servers that do not have a firewall rule
D.Enforces that all SQL servers must have an Azure AD admin
AnswerA

The policy denies if the administrator type is ActiveDirectory.

Why this answer

The policy checks whether the SQL server administrator type is 'ActiveDirectory' and applies the deny effect if it is. This means it blocks the use of Azure AD authentication for SQL servers, so Option A is correct.

Option B is incorrect because the policy denies, not allows. Option C is incorrect because it checks the administrator type, not firewall rules. Option D is incorrect because it does not enforce an AD admin; it denies when an AD admin is set.
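An added example, not part of the question set, that models how Azure Policy evaluates the rules these questions describe: question 51's OS-disk deny policy, this question's SQL administrator deny policy, and question 45's TLS 1.2 requirement, together with the Deny versus Audit distinction from questions 41 and 54. The evaluator covers only a subset of the rule language, and every policy definition and resource request below is a constructed stand-in for the exhibits, which are not on the page.

```python
"""Mini evaluator for a subset of the Azure Policy rule language.

Added example, not part of the question set: it models the 'field' conditions
(equals, notEquals, exists), the allOf / anyOf combinators, alias resolution,
and the deny effect (request rejected) versus audit (allowed, logged as
non-compliant). Policies and resources are constructed stand-ins for the exhibits.
"""
from __future__ import annotations

from typing import Any

ENVELOPE_FIELDS = {"name", "type", "location", "kind"}


def resolve_field(resource: dict[str, Any], field: str) -> tuple[bool, Any]:
    """(exists, value): envelope fields by name; otherwise an alias
    '<resourceType>/<dotted.path>' resolved under the 'properties' object."""
    if field in ENVELOPE_FIELDS:
        return field in resource, resource.get(field)
    prefix = resource.get("type", "") + "/"
    if not field.startswith(prefix):
        return False, None  # alias belongs to a different resource type
    node: Any = resource.get("properties", {})
    for part in field[len(prefix):].split("."):
        if not isinstance(node, dict) or part not in node:
            return False, None
        node = node[part]
    return True, node


def _norm(value: Any) -> Any:
    return value.lower() if isinstance(value, str) else value  # strings compare case-insensitively


def evaluate_condition(cond: dict[str, Any], resource: dict[str, Any]) -> bool:
    """Recursively evaluate a policyRule 'if' block. An absent field is modelled
    as not equal to any value: notEquals matches it, equals does not."""
    if "allOf" in cond:
        return all(evaluate_condition(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource) for c in cond["anyOf"])
    exists, value = resolve_field(resource, cond["field"])
    if "exists" in cond:
        return exists == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return exists and _norm(value) == _norm(cond["equals"])
    if "notEquals" in cond:
        return not exists or _norm(value) != _norm(cond["notEquals"])
    raise ValueError(f"unsupported condition: {cond}")


def apply_policy(policy: dict[str, Any], resource: dict[str, Any]) -> str:
    """'denied' (deny: request rejected), 'noncompliant' (audit: allowed but
    flagged) or 'compliant' (rule did not match)."""
    rule = policy["properties"]["policyRule"]
    if not evaluate_condition(rule["if"], resource):
        return "compliant"
    effect = rule["then"]["effect"].lower()
    if effect in ("deny", "audit"):
        return "denied" if effect == "deny" else "noncompliant"
    raise ValueError(f"effect not modelled here: {effect}")


def _rule(conditions: list[dict[str, Any]], effect: str) -> dict[str, Any]:
    return {"properties": {"mode": "Indexed", "policyRule": {
        "if": {"allOf": conditions}, "then": {"effect": effect}}}}


# Constructed stand-in for question 51's exhibit: deny VMs whose OS disk is not Premium_LRS.
DENY_NON_PREMIUM_OS_DISK = _rule([
    {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
    {"field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.managedDisk.storageAccountType",
     "notEquals": "Premium_LRS"}], "deny")

# Constructed stand-in for question 60's exhibit: deny an Azure AD administrator on SQL servers.
DENY_AAD_SQL_ADMIN = _rule([
    {"field": "type", "equals": "Microsoft.Sql/servers/administrators"},
    {"field": "Microsoft.Sql/servers/administrators/administratorType", "equals": "ActiveDirectory"}], "deny")

# Question 45's TLS 1.2 requirement as an audit policy: HTTPS-only alone does not satisfy it.
AUDIT_STORAGE_TLS = _rule([
    {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
    {"anyOf": [
        {"field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", "exists": "false"},
        {"field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", "notEquals": "TLS1_2"}]}], "audit")


def vm(os_disk_type: str) -> dict[str, Any]:  # constructed VM request
    return {"type": "Microsoft.Compute/virtualMachines", "name": "vm1", "properties": {
        "storageProfile": {"osDisk": {"managedDisk": {"storageAccountType": os_disk_type}}}}}


def storage_account(**props: Any) -> dict[str, Any]:  # constructed storage account request
    return {"type": "Microsoft.Storage/storageAccounts", "name": "st1", "properties": props}


def sql_admin(admin_type: str) -> dict[str, Any]:  # constructed SQL server administrator child resource
    return {"type": "Microsoft.Sql/servers/administrators", "name": "sql1/ActiveDirectory",
            "properties": {"administratorType": admin_type}}


def evaluate_all() -> dict[str, str]:
    """Outcomes for the constructed requests, keyed by a short label."""
    return {
        "vm Premium_LRS": apply_policy(DENY_NON_PREMIUM_OS_DISK, vm("Premium_LRS")),
        "vm Standard_LRS": apply_policy(DENY_NON_PREMIUM_OS_DISK, vm("Standard_LRS")),
        "storage HTTPS only": apply_policy(AUDIT_STORAGE_TLS, storage_account(supportsHttpsTrafficOnly=True)),
        "storage TLS1_2": apply_policy(AUDIT_STORAGE_TLS, storage_account(minimumTlsVersion="TLS1_2")),
        "sql admin ActiveDirectory": apply_policy(DENY_AAD_SQL_ADMIN, sql_admin("ActiveDirectory")),
    }
```

Calling evaluate_all() shows the five outcomes; with a real deny assignment the 'denied' requests would fail at deployment time, while the 'noncompliant' storage account would be created and only flagged.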

61
MCQmedium

Your organization uses Microsoft Defender for Cloud to assess security posture. You need to design a solution that automatically applies a security baseline to new Azure VMs. Which feature should you use?

A.Microsoft Defender for Cloud regulatory compliance dashboard
B.Azure Update Management
C.Azure Automation State Configuration (DSC)
D.Azure Policy with Guest Configuration
AnswerD

Azure Policy can enforce guest configuration baselines automatically on VMs.

Why this answer

Option D is correct because Azure Policy with Guest Configuration can apply security baselines to VMs at scale. Option A is wrong because Defender for Cloud provides recommendations but does not automatically apply baselines. Option C is wrong because Azure Automation State Configuration (DSC) can apply configurations, but Azure Policy is more integrated.

Option B is wrong because Azure Update Management handles patching, not baselines.

62
MCQeasy

Your company uses Microsoft 365 Defender (XDR) for endpoint detection and response. You need to design a solution to automatically remediate malware infections on Windows 10 devices. The solution should isolate the device from the network, run a full antivirus scan, and reset the device if the infection cannot be cleaned. What should you configure?

A.Create a manual incident response process where analysts remotely connect and run scripts.
B.Enable automated investigation and remediation in Microsoft Defender for Endpoint with action settings: isolate, run AV, and reset.
C.Deploy a third-party EDR tool that integrates with Microsoft Sentinel.
D.Configure Intune compliance policies to mark infected devices as non-compliant and require user action.
AnswerB

Automated investigation can isolate, run scan, and reset devices automatically.

Why this answer

Option B is correct because it uses automated investigation and remediation in Defender for Endpoint. Option A is manual; Option D uses Intune for compliance, not remediation; Option C uses a third-party tool.

63
Multi-Selecthard

Which TWO Azure services can you use to implement a zero-trust network architecture that verifies identity and device compliance before granting access to on-premises applications? (Choose two.)

Select 2 answers
A.Microsoft Entra Application Proxy
B.Microsoft Entra Conditional Access
C.Azure VPN Gateway
D.Azure Firewall
E.Azure Bastion
AnswersA, B

Application Proxy provides pre-authentication and Conditional Access for on-premises applications.

Why this answer

Option A is correct because Microsoft Entra Application Proxy provides pre-authentication and conditional access for on-premises apps. Option B is correct because Microsoft Entra Conditional Access evaluates user identity and device compliance before granting access. Option E is wrong because Azure Bastion provides secure RDP/SSH access to VMs, not to applications.

Option D is wrong because Azure Firewall is a network firewall, not an identity-aware access control. Option C is wrong because VPN Gateway provides network-level connectivity without identity verification.

64
Multi-Select · medium

Your company is deploying Microsoft Sentinel in a government agency that requires strict data residency. You need to ensure that all Sentinel data is stored within the United States. Which THREE actions must you take to meet this requirement?

Select 3 answers
A.Disable cross-region replication in the Log Analytics workspace settings.
B.Create the Log Analytics workspace in an Azure region in the United States (e.g., East US).
C.Configure data export to a storage account in a different region for redundancy.
D.Enable customer-managed keys (CMK) using Azure Key Vault in the same region.
E.Use Azure Policy to audit workspace region for compliance.
Answers: A, B, D

By default, workspaces do not replicate across regions, but disabling any built-in replication ensures data stays in the US.

Why this answer

Option B (create the workspace in a US region) is critical because data is stored in the region where the Log Analytics workspace is created. Option D (enable customer-managed keys) is required for compliance in many government scenarios. Option A (disable cross-region replication) ensures data does not replicate outside the US.

Option C (export data to a storage account in another region) would send data elsewhere. Option E (use Azure Policy) can enforce the workspace region, but it is not a direct data residency action.

65
MCQ · medium

You are designing a security solution for containers in Azure Kubernetes Service (AKS). The solution must scan container images for vulnerabilities before deployment and enforce runtime security. Which combination of Microsoft Defender for Cloud features should you enable?

A.Microsoft Defender for Containers
B.Microsoft Defender for App Service
C.Microsoft Defender for Cloud regulatory compliance dashboard
D.Microsoft Defender for Servers
Answer: A

Defender for Containers provides image scanning and runtime protection for AKS.

Why this answer

Option A is correct because Defender for Containers provides vulnerability assessment for images and runtime threat detection for AKS clusters. Option D is wrong because Defender for Servers is for VMs, not containers. Option B is wrong because Defender for App Service protects web apps, not containers.

Option C is wrong because Defender for Cloud's regulatory compliance dashboard does not provide vulnerability scanning or runtime protection.

66
MCQ · easy

Your company uses Microsoft Sentinel for security operations. You need to detect brute-force attacks against Azure VMs by correlating failed sign-in events from multiple sources. Which data connector should you enable?

A.Azure Active Directory (now Microsoft Entra ID) sign-in logs connector.
B.Syslog connector.
C.Windows Security Events via AMA (Azure Monitor Agent) connector.
D.Azure Activity log connector.
Answer: C

This connector collects Windows security events including failed logins from VMs.

Why this answer

Option C is correct because Windows Security Events via AMA can collect failed sign-in events (Event ID 4625) from Azure VMs. Option D is wrong because Azure Activity logs do not contain VM sign-in events. Option A is wrong because Entra ID sign-in logs cover cloud applications, not VM sign-ins.

Option B is wrong because Syslog is for Linux VMs, and the question does not specify the OS.

67
MCQ · medium

You are designing a secure access solution for a manufacturing company's IoT devices that send telemetry to Azure IoT Hub. The devices run on a private network with no internet access except through a firewall. You need to ensure that device-to-cloud communication is authenticated and encrypted, and that device credentials are rotated regularly. What should you include in the design?

A.Configure Azure Firewall to authenticate and encrypt device traffic.
B.Use X.509 certificates with Azure Device Provisioning Service (DPS) for automatic enrollment and certificate rotation.
C.Use shared access signature (SAS) tokens with a central key management system.
D.Assign managed identities to each IoT device.
Answer: B

X.509 certificates meet authentication, encryption, and rotation requirements.

Why this answer

Option B is correct because X.509 certificates with auto-enrollment via DPS provide strong authentication, encryption (TLS), and automated certificate rotation. Option C is incorrect because SAS tokens require manual rotation and are less secure. Option D is incorrect because managed identities are for Azure resources, not IoT devices.

Option A is incorrect because Azure Firewall is a network security component, not an authentication mechanism.

68
MCQ · easy

Your company is deploying Microsoft Sentinel to centralize security logs from Azure, on-premises, and other clouds. You need to ensure logs are ingested cost-effectively while maintaining search performance for the last 30 days. What should you configure?

A.Store logs in Azure Blob Storage and use Azure Data Explorer for queries.
B.Use Log Analytics workspace with 30-day interactive retention and set long-term retention for older data.
C.Use Sentinel's free tier for 30 days and then move to paid tier.
D.Ingest logs into Azure Event Hubs and then into Sentinel.
Answer: B

This provides fast query for recent data and cheaper storage for older data.

Why this answer

Option B is correct because Sentinel uses Log Analytics workspaces; you can set interactive retention to 30 days and long-term retention to lower-cost archival. Option A is wrong because Azure Storage is not optimized for log analytics queries. Option C is wrong because Sentinel cost is based on data ingestion, not separate tiers.

Option D is wrong because Azure Event Hubs is for real-time streaming, not cost-effective storage.

69
MCQ · medium

Refer to the exhibit. You are reviewing a PowerShell script that configures network security. What is the effect of the NSG rule created in this script?

A.It blocks all outbound traffic to the internet from the subnet.
B.It blocks inbound traffic only from specific IP ranges.
C.It blocks all inbound traffic from the internet to the subnet.
D.It allows inbound traffic from the internet, then denies it.
Answer: C

The rule denies inbound from the Internet service tag to the entire subnet.

Why this answer

The rule denies all inbound traffic from the 'Internet' service tag to all ports and protocols. 'Internet' includes traffic from outside Azure. The rule is applied at the subnet level. It does not affect outbound traffic, nor traffic from other Azure services unless they originate from the internet.

70
MCQ · hard

Refer to the exhibit. You are reviewing an ARM template for an Azure App Service configuration. What is the effect of the ipSecurityRestrictions array?

A.It allows all traffic because the deny rule has a higher priority number.
B.It denies traffic from 192.168.0.0/24 and allows all other traffic.
C.It denies all traffic because the deny rule covers any IP.
D.It allows traffic from 192.168.0.0/24 and denies all other traffic.
Answer: D

The first rule allows the corporate subnet, the second denies everything else.

Why this answer

The rules are evaluated in priority order. The first rule allows traffic from 192.168.0.0/24. The second rule denies all other traffic (Any).

This effectively restricts access to only the specified corporate IP range. The order matters: if the deny rule had the lower priority number and were therefore evaluated first, it would block the allowed range as well.

71
MCQ · medium

Your company plans to use Microsoft Sentinel to detect threats across multiple Azure subscriptions. You need to design a cost-effective solution that ingests logs from all subscriptions. What should you use?

A.Use Azure Lighthouse to manage cross-subscription connectivity
B.Deploy a single Sentinel workspace and configure data collection rules to collect logs from all subscriptions
C.Create a separate Sentinel workspace for each subscription
D.Use Azure Policy to assign a Log Analytics workspace to each subscription
Answer: B

Centralized workspace with DCRs is cost-effective.

Why this answer

Option B is correct because a workspace-centric design with data collection rules sends logs from multiple subscriptions to a single workspace, reducing costs. Option C is incorrect because multiple workspaces increase cost. Option D is incorrect because Azure Policy does not centralize ingestion.

Option A is incorrect because a hub-spoke network does not solve log ingestion.

72
MCQ · easy

Your company uses Azure Virtual Machines (VMs) running Windows Server. You need to ensure that only approved applications can run on the VMs. Which Azure security feature should you use?

A.Azure Firewall
B.Azure Policy with application control
C.Microsoft Defender for Cloud
D.Just-in-Time VM access
Answer: B

Enforces allowed applications on VMs.

Why this answer

Option B is correct because Azure Policy with application control can enforce allowed applications. Option C is wrong because Microsoft Defender for Cloud provides threat detection but not application whitelisting. Option A is wrong because Azure Firewall is a network firewall.

Option D is wrong because Just-in-Time VM access controls remote access, not applications.

73
MCQ · hard

You are designing a security solution for an Azure Kubernetes Service (AKS) cluster that runs containerized workloads. The cluster must be integrated with Microsoft Defender for Cloud for threat detection, and you need to ensure that container images are scanned for vulnerabilities before deployment. What should you configure?

A.Enable Microsoft Defender for Cloud Apps to discover and assess container vulnerabilities.
B.Deploy Azure Policy for Kubernetes with built-in policies to enforce image scanning.
C.Enable Azure Defender for Containers in Microsoft Defender for Cloud and integrate with Azure Container Registry for image scanning.
D.Configure Microsoft Sentinel to collect container logs and detect vulnerabilities.
Answer: C

Azure Defender for Containers includes vulnerability assessment for images in ACR.

Why this answer

Option C is correct because Azure Defender for Containers provides vulnerability scanning for images in Azure Container Registry and threat detection for AKS. Option B is wrong because Azure Policy only enforces admission controls, not scanning. Option D is wrong because Microsoft Sentinel is for log analysis.

Option A is wrong because Microsoft Defender for Cloud Apps is for cloud app security, not container scanning.

74
MCQ · hard

Your organization is designing a secure network infrastructure for a multi-cloud environment that includes Azure, AWS, and on-premises datacenters. The security team requires that all traffic between these environments be inspected for threats and that any malicious traffic be automatically blocked. The solution must minimize complexity and use a single pane of glass for policy management. Which Azure service should you use as the central hub?

A.Azure Front Door
B.Network Security Groups (NSGs)
C.Azure DDoS Protection
D.Azure Firewall
Answer: D

Azure Firewall provides centralized network traffic inspection, threat intelligence, and policy management across hybrid and multi-cloud environments.

Why this answer

Option D is correct because Azure Firewall can be deployed as a central hub in a hub-and-spoke topology, providing network-level traffic inspection for Azure, on-premises (via ExpressRoute or VPN), and even AWS (via VPN or Azure Virtual WAN). It offers integrated threat intelligence and supports routing policies. Option C is wrong because Azure DDoS Protection only mitigates volumetric attacks and does not inspect traffic.

Option B is wrong because Network Security Groups (NSGs) provide basic filtering but lack advanced inspection and multi-cloud support. Option A is wrong because Azure Front Door is a global load balancer and web application firewall, not a network firewall for multi-cloud traffic.

75
Multi-Select · easy

Which TWO of the following are features of Microsoft Defender for Cloud that help secure infrastructure? (Choose two.)

Select 2 answers
A.Secure Score
B.Incident investigation
C.Just-in-time VM access
D.Privileged Identity Management
E.User and Entity Behavior Analytics (UEBA)
Answers: A, C

Secure Score is a core feature of Defender for Cloud.

Why this answer

Secure Score (A) is a feature of Microsoft Defender for Cloud that aggregates security findings across your Azure subscriptions and provides a numerical score based on the implementation of security controls. It helps prioritize remediation actions by showing the potential score improvement for each recommendation, directly enabling infrastructure hardening.

Exam trap

The trap here is that candidates confuse Defender for Cloud's posture management features (Secure Score, JIT) with Microsoft Sentinel's investigation and analytics capabilities (Incident investigation, UEBA), or with Azure AD's identity governance features (PIM), because all are part of the Microsoft security portfolio but serve distinct roles.
