CCNA Design security solutions for infrastructure Questions

75 of 231 questions · Page 2/4 · Design security solutions for infrastructure · Answers revealed

76
MCQ · hard

Your organization uses Azure SQL Database for a sensitive financial application. You need to implement a defense-in-depth strategy to protect the database. The requirements are: (1) All connections to the database must be encrypted in transit. (2) Only specific Azure services and on-premises IP ranges should be allowed to connect. (3) Database administrators should be able to view the database schema but not the actual data. (4) Auditing must be enabled for all data access. What combination of features should you implement?

A. Enable VNet service endpoints and firewall rules, and require Azure AD authentication.
B. Enforce TLS 1.2, configure firewall rules, enable Dynamic Data Masking, and enable auditing.
C. Configure firewall rules, enable Azure AD authentication, and enable auditing.
D. Enable Always Encrypted, configure firewall rules, and enable auditing.
Answer: B

All four requirements are addressed by this combination.

Why this answer

Option B is correct because: (1) enforcing a minimum TLS version of 1.2 ensures encryption in transit and blocks downgrade to older protocol versions; (2) server firewall rules restrict access by source IP range; (3) Dynamic Data Masking hides sensitive column values from administrators while the schema stays visible; (4) auditing logs data access. Option A is wrong because VNet service endpoints provide network isolation but do not set a transport floor, mask data or audit access. Option C is wrong because Azure AD (Microsoft Entra) authentication controls who can sign in but does not mask data or enforce a TLS version. Option D is wrong in the question's framing because it leaves requirement (1) unaddressed: Always Encrypted protects column values with client-held keys but says nothing about the transport settings.

Caveat for practitioners: Dynamic Data Masking is a presentation-layer control, not a security boundary. Members of db_owner and any principal granted the UNMASK permission see the real values, and masked values can often be inferred through WHERE-clause predicates. Where administrators genuinely must not be able to read the data, Always Encrypted with keys held outside the database is the stronger control, combined with auditing.
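Added example (not part of the original question bank): the four controls from question 76 applied to one logical server and database with the Az.Sql module, with the masking limitation called out in comments. The resource group, server, database, table, on-premises egress range (198.51.100.0/24, a documentation range) and Log Analytics workspace ID are assumed names for illustration.

```powershell
# Added example, not from the original page. Assumed names throughout:
# RG "rg-data", server "sql-fin01", database "ledger", workspace $law.
$rg  = "rg-data"; $srv = "sql-fin01"; $db = "ledger"
$law = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-soc/providers/Microsoft.OperationalInsights/workspaces/law-soc"

# (1) In transit: Azure SQL always negotiates TLS; this pins the floor so
#     clients cannot downgrade to TLS 1.0/1.1.
Set-AzSqlServer -ResourceGroupName $rg -ServerName $srv -MinimalTlsVersion "1.2"

# (2) Network: allow the on-premises egress range only. Do NOT add the
#     0.0.0.0-0.0.0.0 "Allow Azure services" rule: it admits every Azure tenant.
New-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $srv `
    -FirewallRuleName "onprem-egress" -StartIpAddress "198.51.100.1" -EndIpAddress "198.51.100.254"
# For the specific Azure services, prefer a VNet rule (service endpoint) or a
# private endpoint over public IP rules, e.g. (assumed $subnetId):
# New-AzSqlServerVirtualNetworkRule -ResourceGroupName $rg -ServerName $srv `
#     -VirtualNetworkRuleName "app-subnet" -VirtualNetworkSubnetId $subnetId

# (3) Masking: admins still see the schema; masked columns return obfuscated
#     values for everyone EXCEPT db_owner members and principals granted UNMASK.
#     Treat this as data minimisation for support staff, not as a boundary.
Set-AzSqlDatabaseDataMaskingPolicy -ResourceGroupName $rg -ServerName $srv -DatabaseName $db -DataMaskingState Enabled
# Show first 2 and last 4 characters of the IBAN, pad the middle with X.
New-AzSqlDatabaseDataMaskingRule -ResourceGroupName $rg -ServerName $srv -DatabaseName $db `
    -SchemaName "dbo" -TableName "Accounts" -ColumnName "IBAN" `
    -MaskingFunction "Text" -PrefixSize 2 -SuffixSize 4 -ReplacementString "X"
# Default mask: numeric columns read back as 0.
New-AzSqlDatabaseDataMaskingRule -ResourceGroupName $rg -ServerName $srv -DatabaseName $db `
    -SchemaName "dbo" -TableName "Accounts" -ColumnName "Balance" -MaskingFunction "Default"

# (4) Auditing to Log Analytics. The default action group BATCH_COMPLETED_GROUP
#     records every executed batch, including those run by administrators.
Set-AzSqlDatabaseAudit -ResourceGroupName $rg -ServerName $srv -DatabaseName $db `
    -LogAnalyticsTargetState Enabled -WorkspaceResourceId $law

# Verify the transport floor and the rule set before signing off.
(Get-AzSqlServer -ResourceGroupName $rg -ServerName $srv).MinimalTlsVersion
Get-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $srv | Select-Object FirewallRuleName, StartIpAddress, EndIpAddress
```

The audit query that proves requirement (4) is the one that finds a privileged principal issuing SELECT against dbo.Accounts; masking does not stop that query, which is why the audit stream, not the mask, is the detective control.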

77
Multi-Select · hard

Which THREE components are required to implement a zero-trust network architecture in Azure using Microsoft security solutions?

Select 3 answers
A. Microsoft Sentinel
B. Azure Bastion
C. Microsoft Defender for Cloud Apps
D. Microsoft Entra ID Conditional Access
E. Azure Policy
Answers: C, D, E

Correct: Defender for Cloud Apps provides visibility and control over cloud apps as a CASB.

Why this answer

Microsoft Entra ID Conditional Access is the policy engine that evaluates user, device, location and risk signals on every access request. Microsoft Defender for Cloud Apps provides cloud access security broker (CASB) functionality for app discovery and session control. Azure Policy enforces the resource configuration baseline.

Azure Bastion provides secure RDP/SSH connectivity but does not make access decisions, and Microsoft Sentinel is a SIEM/SOAR for detection and response, not a core zero-trust enforcement component.

78
MCQ · easy

You are designing a secure access solution for an Azure Kubernetes Service (AKS) cluster that hosts a critical application. You need to ensure that only authorized users can access the Kubernetes API server. Which authentication method should you use?

A. Use Kubernetes service account tokens.
B. Use AKS managed identities for each user.
C. Use Azure RBAC for Kubernetes authorization.
D. Integrate AKS with Microsoft Entra ID for authentication.
Answer: D

Provides secure, managed authentication for the API server.

Why this answer

Option D is correct because Microsoft Entra ID integration authenticates users to the AKS API server with their organizational identity, so Conditional Access, MFA and PIM apply to kubectl sessions. Option A is wrong because service account tokens are for workloads inside the cluster; they are bearer credentials not tied to a person. Option B is wrong because managed identities are for Azure resources and pods, not for users. Option C is wrong because Azure RBAC for Kubernetes is authorization (what an authenticated identity may do); it presupposes Entra ID authentication and does not replace it.

Practical check: disable local accounts on the cluster as well, otherwise the cluster-admin certificate in a downloaded kubeconfig bypasses Entra ID entirely.

79
MCQ · medium

Refer to the exhibit. You run the PowerShell cmdlet and see that EnabledForDiskEncryption is false. You need to ensure that this key vault can be used for Azure Disk Encryption. What should you do?

A. Re-create the key vault with -EnabledForDiskEncryption parameter
B. Run Set-AzKeyVaultAccessPolicy with the -EnabledForDiskEncryption parameter
C. Run Set-AzKeyVaultAccessPolicy with the -EnabledForDeployment parameter
D. Run Set-AzKeyVaultAccessPolicy with the -EnabledForTemplateDeployment parameter
Answer: B

Set-AzKeyVaultAccessPolicy -EnabledForDiskEncryption enables the existing vault for disk encryption.

Why this answer

Azure Disk Encryption requires the key vault property EnabledForDiskEncryption to be true so that the Compute resource provider can retrieve the secrets and keys that wrap the disk encryption keys. Option B sets that property on the existing vault. Option A is wrong because the cmdlet can set the property in place; re-creating the vault is unnecessary and would lose its contents. Option C is wrong because -EnabledForDeployment allows virtual machines to retrieve certificates stored as secrets. Option D is wrong because -EnabledForTemplateDeployment allows ARM templates to reference secrets during deployment.

80
MCQ · hard

A financial services company is designing a secure infrastructure for their Azure SQL Database. They need to encrypt data at rest using customer-managed keys (CMK) stored in a key vault with soft-delete and purge protection enabled. The encryption must be transparent to applications. What should they configure?

A. Azure Information Protection
B. Dynamic Data Masking
C. Always Encrypted
D. Transparent Data Encryption (TDE) with Azure Key Vault
Answer: D

Correct: TDE with a customer-managed key provides transparent encryption at rest.

Why this answer

Azure SQL Database supports Transparent Data Encryption (TDE) with a customer-managed TDE protector stored in Azure Key Vault; the database engine encrypts and decrypts pages transparently, so applications need no change. Soft-delete and purge protection are required on the vault for this configuration, so that an accidental or malicious key deletion cannot make the database permanently unreadable. Always Encrypted is column-level encryption with keys held by the client, which requires application awareness. Dynamic Data Masking obfuscates query results; it does not encrypt stored data.

Azure Information Protection is for classifying and labelling documents and mail, not database encryption.

81
Multi-Select · medium

Which TWO of the following are valid methods to secure Azure Kubernetes Service (AKS) workloads?

Select 2 answers
A. Integrate Azure AD for cluster authentication
B. Apply Network Security Groups to pod subnets
C. Deploy Azure Firewall in front of the AKS cluster
D. Use Azure Front Door to protect API endpoints
E. Use Azure Policy with Azure Policy for AKS (Gatekeeper)
Answers: A, E

Enables identity-based access control and admission-time policy enforcement.

Why this answer

Option A is correct because Azure AD (Microsoft Entra ID) integration provides identity-based authentication to the cluster. Option E is correct because the Azure Policy add-on for AKS installs OPA Gatekeeper as an admission controller and can audit or block non-compliant pod specifications (privileged containers, untrusted registries, missing resource limits). Option B is wrong because NSGs operate on subnets and NICs, not on individual pods; pod-to-pod segmentation is done with Kubernetes network policies.

Option C is wrong because Azure Firewall filters traffic at the network edge and does not secure the workloads themselves. Option D is wrong because Azure Front Door is a global entry point and load balancer, not a workload security control.

82
Multi-Select · medium

Which TWO Azure services can be used to protect a virtual network from inbound DDoS attacks at the network layer?

Select 2 answers
A. Azure DDoS Protection Standard
B. Azure Web Application Firewall (WAF)
C. Azure Traffic Manager
D. Network Security Groups (NSGs)
E. Azure Firewall
Answers: A, E

Correct: Azure DDoS Protection is specifically designed for DDoS mitigation at the network layer.

Why this answer

Azure DDoS Protection Standard (now sold as Azure DDoS Network Protection) provides always-on monitoring, adaptive tuning and automatic mitigation of volumetric and protocol attacks against the public IPs in a virtual network. Azure Firewall filters traffic at layers 3 and 4 and can be combined with DDoS Protection, but its own DDoS capabilities are limited; DDoS Protection is the primary service. WAF operates at the application layer (layer 7).

NSGs filter traffic by 5-tuple but cannot absorb or mitigate a flood. Traffic Manager is DNS-based load balancing.

83
MCQ · easy

A company is planning to deploy a multi-tier application in Azure. The web tier must be accessible from the internet, while the database tier must be accessible only from the web tier and management jump boxes. The solution should minimize exposure to the internet. Which Azure architecture should you recommend?

A. Use Azure Bastion for management and VNet peering between web and database subnets.
B. Place web and database tiers in the same virtual network and use Network Security Groups (NSGs) to restrict access.
C. Use Azure Application Gateway to expose the web tier and place the database tier in a separate subnet with a deny-all NSG.
D. Deploy Azure Firewall in a hub virtual network and peer spoke virtual networks for each tier, routing traffic through the firewall.
Answer: D

Hub-spoke with Azure Firewall provides centralized security and routes inter-tier traffic through the firewall.

Why this answer

Azure Firewall in a hub virtual network, with user-defined routes that send traffic between the spoke tiers through the firewall, provides centralized control, logging and inspection, and minimizes exposure. NSGs alone (Option B) filter by address and port but cannot inspect traffic. Application Gateway (Option C) exposes the web tier but does not by itself restrict database access beyond what the NSG allows. VNet peering without a firewall (Option A) does not enforce inspection; Azure Bastion is a sensible addition for the jump boxes but is not an architecture for the tiers.

84
MCQ · easy

A company plans to migrate their on-premises Active Directory to Microsoft Entra ID. They need to ensure that legacy applications using NTLM authentication continue to work during the transition. What should they configure?

A. Microsoft Entra Connect with PTA and enable NTLM support for on-premises applications
B. Microsoft Entra Connect with password hash synchronization (PHS) and seamless single sign-on (SSO)
C. Microsoft Entra Connect with Active Directory Federation Services (AD FS)
D. Microsoft Entra Connect with pass-through authentication (PTA)
Answer: A

Correct: the hybrid configuration keeps the on-premises domain controllers in service, so NTLM continues to be served for legacy applications while PTA validates cloud sign-ins against them.

Why this answer

Microsoft Entra ID itself does not speak NTLM. During a hybrid transition the on-premises domain controllers remain in place and continue to authenticate legacy NTLM applications, while Microsoft Entra Connect synchronizes identities and pass-through authentication validates cloud sign-ins against those same domain controllers. PTA alone (Option D) and AD FS (Option C) cover cloud authentication but do not by themselves address the on-premises NTLM applications. PHS with seamless SSO (Option B) handles cloud sign-in and Kerberos-based SSO to Entra ID, not NTLM.

Cloud Kerberos trust addresses Kerberos, not NTLM.

85
MCQ · hard

Your company is migrating to a cloud-native security operations center (SOC) using Microsoft Sentinel. You need to design a solution that automatically investigates and remediates common incidents like brute-force attacks on Azure VMs. The solution should use playbooks triggered by analytics rules. Which Microsoft service should you use to create the playbooks, and what is the recommended authentication method?

A. Power Automate with user account
B. Azure Automation with service principal
C. Azure Logic Apps with managed identity
D. Azure Functions with API key
Answer: C

Logic Apps supports managed identity for secure, credential-free authentication to Azure resources.

Why this answer

Azure Logic Apps is the platform Microsoft Sentinel playbooks are built on; the Sentinel incident trigger and actions are Logic Apps connectors. A managed identity is the preferred authentication method because no secret is stored or rotated, and the identity can be granted narrowly scoped Azure roles (for example, on the one NSG a brute-force playbook needs to modify). Azure Automation runbooks can be called from a playbook, but they are not playbooks. A user account ties automation to one person's credentials and MFA state; an API key is a static secret.

A service principal is possible but not recommended because its client secret or certificate must be stored, protected and rotated.
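Added example (not part of the original question bank): granting a playbook's system-assigned managed identity the minimum roles it needs, with Az PowerShell. It assumes the identity has already been enabled on the Logic App, and uses made-up names: playbook "Block-BruteForce-Source", Sentinel workspace resource group "rg-soc", and a target NSG "nsg-web" in "rg-app" (subscription ID is a placeholder).

```powershell
# Added example, not from the original page. Assumed names: see lead-in.
$playbookName = "Block-BruteForce-Source"
$socRg        = "rg-soc"
$targetNsgId  = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app/providers/Microsoft.Network/networkSecurityGroups/nsg-web"

# A Logic App's system-assigned identity is a service principal whose display
# name equals the Logic App name. Look it up instead of hard-coding an object ID.
$sp = Get-AzADServicePrincipal -DisplayName $playbookName
if (-not $sp) { throw "Enable the system-assigned identity on $playbookName first" }

# Sentinel side: read incidents and write status/comments back. Scope it to
# the workspace's resource group, not the whole subscription.
$scopeSoc = (Get-AzResourceGroup -Name $socRg).ResourceId
New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName "Microsoft Sentinel Responder" -Scope $scopeSoc

# Remediation side: the playbook adds a deny rule to ONE NSG, so Network
# Contributor is scoped to that NSG only, not to the VM's resource group.
# No secret exists anywhere; the platform rotates the identity's credential.
New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName "Network Contributor" -Scope $targetNsgId

# Review the effective permissions before the automation rule goes live.
Get-AzRoleAssignment -ObjectId $sp.Id | Select-Object RoleDefinitionName, Scope
```

One further assignment is easy to forget: for Sentinel automation rules to run the playbook at all, the Sentinel service identity (the "Azure Security Insights" application) needs the Microsoft Sentinel Automation Contributor role on the resource group that holds the playbook. That permission is granted from the Sentinel automation blade rather than to the playbook's own identity.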

86
MCQ · medium

Refer to the exhibit. You are reviewing an Azure Policy definition. What does this policy accomplish?

A. Requires that all network security rules have destination port range between 22 and 3389
B. Denies all inbound traffic except SSH and RDP
C. Allows only SSH and RDP inbound traffic
D. Denies creation of network security rules that allow traffic to ports other than 22 and 3389
Answer: D

The policy uses the 'deny' effect on security rules whose destinationPortRange is not in [22, 3389].

Why this answer

Option D is correct because the policy denies creation or update of security rules whose destination port is anything other than 22 (SSH) or 3389 (RDP). Option A is wrong because the condition is a set membership test ('notIn'), not a range, and the effect is deny rather than a requirement on every rule. Options B and C are wrong because Azure Policy is a control-plane guardrail: it evaluates resource definitions at create/update time and does not filter packets. Traffic filtering is done by the NSG rules themselves.

Practical check: a security rule can specify ports in destinationPortRange (single value) or destinationPortRanges (array). A policy that tests only the singular field is bypassed by a rule written with the array, so production definitions should test both aliases.

87
MCQ · easy

Your company uses Azure DevOps to manage CI/CD pipelines. You need to ensure that secrets such as API keys are securely stored and automatically injected into pipeline tasks without being exposed in logs. What should you use?

A. Azure DevOps variable groups
B. Azure Key Vault linked to Azure DevOps
C. Azure App Configuration
D. Azure Policy
Answer: B

Provides secure secret storage and injection into pipeline tasks.

Why this answer

Option B is correct because Azure Key Vault stores secrets with access control and audit logging, and the Azure Key Vault task (or a Key Vault-linked variable group) retrieves them at run time as secret variables that the agent masks in logs. Option A is wrong because a stand-alone variable group keeps the secret values inside Azure DevOps, without Key Vault's access policies, rotation and audit trail. Option C is wrong because Azure App Configuration is for application settings and feature flags, not secret storage.

Option D is wrong because Azure Policy is for governance, not secret management.

Caveat: log masking applies only to variables marked as secret, and a task that echoes a secret after transforming it (base64, split across lines) defeats the mask. Keep secrets out of script output entirely.

88
MCQ · medium

You are designing a hybrid identity solution for an organization that uses Microsoft Entra ID and an on-premises Active Directory. The organization requires that users who are located in a remote office without a direct VPN connection to the main office can authenticate against on-premises resources using their Entra ID credentials. The solution must minimize latency and support passwordless authentication. Which feature should you implement?

A. Configure Microsoft Entra Application Proxy
B. Implement Microsoft Entra Kerberos authentication
C. Enable Microsoft Entra Conditional Access policies
D. Deploy Microsoft Entra Connect Sync with password hash synchronization
Answer: B

Entra Kerberos authentication (cloud Kerberos trust) lets users authenticate to on-premises resources with their Entra ID identity, supports passwordless methods and avoids routing sign-in through the main office.

Why this answer

Option B is correct because Microsoft Entra Kerberos authentication issues a partial Kerberos TGT from the cloud after a passwordless sign-in (FIDO2 security key, Windows Hello for Business), which the client exchanges with a domain controller for a full TGT; no VPN to the main office is required for sign-in. Option A is wrong because Entra Application Proxy publishes on-premises web apps; it is not general authentication. Option C is wrong because Conditional Access controls access decisions but does not provide an authentication path to on-premises resources. Option D is wrong because Entra Connect Sync with PHS synchronizes identities and password hashes so that users can sign in to the cloud; it does not issue Kerberos tickets for on-premises resources.

Caveat: the client still needs line of sight to a domain controller (for example, a read-only DC in the remote office) to exchange the partial TGT, and the Entra Kerberos server object must first be created in the on-premises forest with the AzureADKerberos PowerShell module that ships with Entra Connect.

89
MCQ · easy

A small business uses Microsoft 365 Business Premium and wants to secure their Windows 10 devices with Microsoft Intune. They need to ensure that only devices compliant with the company's security policies can access corporate email. What should they configure?

A. Azure AD Application Proxy
B. Windows Defender Firewall rules
C. Microsoft Defender for Cloud Apps session policy
D. Conditional Access policy requiring compliant device
Answer: D

Correct: Blocks non-compliant devices from accessing email.

Why this answer

Conditional Access in Microsoft Entra ID can require a compliant device before granting access to Exchange Online; the Intune compliance policy defines what compliant means (encryption, antivirus state, minimum OS version) and Intune reports each device's state to Entra ID. Azure AD Application Proxy publishes on-premises apps.

A Microsoft Defender for Cloud Apps session policy controls what a user does inside a cloud app; it does not by itself gate access on device compliance. Windows Defender Firewall is a host network control.

90
MCQ · medium

Your organization is migrating on-premises Active Directory to Microsoft Entra ID. You need to design the authentication method to support hybrid identities with seamless single sign-on (SSO) for legacy applications that require Kerberos authentication. What should you implement?

A. Federate Microsoft Entra ID with on-premises Active Directory using ADFS.
B. Use password hash synchronization (PHS) only.
C. Deploy pass-through authentication (PTA).
D. Enable Microsoft Entra Seamless SSO via Microsoft Entra Connect.
Answer: D

This provides Kerberos-based SSO for hybrid users.

Why this answer

Option D is correct because Seamless SSO, enabled through Microsoft Entra Connect, creates a computer account (AZUREADSSOACC) in the on-premises forest and uses Kerberos tickets from domain-joined devices to sign users in without prompts; it works alongside either PHS or PTA. Option A is wrong because federation with AD FS is not required to obtain Kerberos-based SSO and adds an on-premises dependency. Option B is wrong because PHS alone only synchronizes password hashes; it provides no Kerberos-based SSO.

Option C is wrong because PTA alone validates passwords against on-premises domain controllers; the Kerberos-based SSO comes from Seamless SSO, not from PTA.

91
Multi-Select · medium

Your organization has deployed Microsoft Defender for Cloud with the CSPM (Cloud Security Posture Management) plan enabled. You need to ensure that all Azure subscriptions are covered and that security recommendations are automatically remediated for critical findings. Which two actions should you take? (Choose two.)

Select 2 answers
A. Enable Microsoft Defender for Cloud on all subscriptions.
B. Configure security contact details for each subscription.
C. Configure automatic provisioning of the Log Analytics agent.
D. Set the 'Auto Remediate' toggle to 'On' for all security recommendations.
E. Create Azure Policy assignments with 'deployIfNotExists' effect to auto-remediate critical findings.
Answers: A, C

Required to assess resources across all subscriptions.

Why this answer

Enabling Defender for Cloud on all subscriptions (Option A) ensures coverage; assigning it through a management-group-scoped policy avoids drift when new subscriptions are added. Configuring automatic provisioning (Option C) ensures the data collection the recommendations depend on. Auto-remediation at scale uses Azure Policy with 'deployIfNotExists' or 'modify' effects, not just enabling Defender.

There is no single 'Auto Remediate' toggle covering all recommendations (Option D); Defender for Cloud offers a per-recommendation Fix action, and custom remediation needs Azure Policy. Security contacts (Option B) are for notifications, not remediation.

Note: the Log Analytics agent (MMA) was retired on 31 August 2024; current Defender for Servers plans rely on the Azure Monitor Agent and agentless scanning, so the auto-provisioning setting to enable today is for those components.

92
MCQ · hard

Refer to the exhibit. You are deploying an ARM template for a Windows VM. The adminPassword parameter references a secret in Key Vault. However, the deployment fails with an access denied error. What is the most likely cause?

A. The secret value contains special characters that need to be escaped.
B. The template should use the secret's URI directly instead of a parameter reference.
C. The deployment principal lacks 'Get' and 'List' permissions on the Key Vault secret.
D. The Key Vault is in a different resource group than the deployment.
Answer: C

The deployment principal must be authorized on the vault for the secret to be retrieved.

Why this answer

Option C is correct because when an ARM template parameter references a Key Vault secret, the principal running the deployment must be authorized on that vault; a principal with no rights on it fails with exactly this access-denied error before any resource is created. Option A is wrong because the secret is passed as a string value; special characters do not cause an authorization failure. Option B is wrong because the parameter reference (the vault's resource ID plus secretName in the parameter file) is the supported pattern. Option D is wrong because the vault may be in a different resource group or subscription, as long as the deployer is authorized on it.

What a practitioner actually checks for this error: the vault must have enabledForTemplateDeployment set to true, and the deployer needs the Microsoft.KeyVault/vaults/deploy/action permission on the vault (included in Key Vault Contributor, Contributor and Owner). Azure Resource Manager retrieves the secret value on the deployer's behalf, so a data-plane Get on the secret is not what the deployment engine checks, but a principal with no vault permissions at all sees the same error.
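Added example (not part of the original question bank) covering both question 79 and question 92: read the Key Vault EnabledFor* flags, set the missing ones on the existing vault with Set-AzKeyVaultAccessPolicy, and give a deploying principal the vault-scoped deploy/action permission through a custom role instead of Contributor. Vault name "kv-prod-infra", resource group "rg-infra", the custom role name and the deployer object ID are assumed.

```powershell
# Added example, not from the original page. Assumed names: see lead-in.
$vaultName        = "kv-prod-infra"
$rg               = "rg-infra"
$deployerObjectId = "11111111-1111-1111-1111-111111111111"   # assumed: object ID of the user or service principal that runs deployments

$kv = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $rg
$kv | Select-Object VaultName, EnabledForDiskEncryption, EnabledForDeployment, EnabledForTemplateDeployment, EnableRbacAuthorization

# Question 79: Azure Disk Encryption needs EnabledForDiskEncryption. The switch
# flips the property on the existing vault; no re-creation needed.
if (-not $kv.EnabledForDiskEncryption) {
    Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $rg -EnabledForDiskEncryption
}

# Question 92: a template parameter that references a secret needs
# EnabledForTemplateDeployment on the vault ...
if (-not $kv.EnabledForTemplateDeployment) {
    Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $rg -EnabledForTemplateDeployment
}

# ... and the deployer needs Microsoft.KeyVault/vaults/deploy/action. Rather
# than granting Contributor on the resource group, build a custom role that
# holds only that action (Reader is used as a template object and emptied).
$roleName = "Key Vault Template Deployer"   # assumed custom role name
$role = Get-AzRoleDefinition -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = Get-AzRoleDefinition -Name "Reader"
    $role.Id = $null
    $role.Name = $roleName
    $role.Description = "Lets ARM deployments pull secrets from vaults in this resource group on the caller's behalf"
    $role.Actions.Clear()
    $role.Actions.Add("Microsoft.KeyVault/vaults/deploy/action")
    $role.AssignableScopes.Clear()
    $role.AssignableScopes.Add((Get-AzResourceGroup -Name $rg).ResourceId)
    $role = New-AzRoleDefinition -Role $role
}
# Assign at the vault, the narrowest scope that still works for the deployment.
New-AzRoleAssignment -ObjectId $deployerObjectId -RoleDefinitionName $roleName -Scope $kv.ResourceId

# Re-read to confirm the flags before running the deployment again.
(Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $rg) |
    Select-Object EnabledForDiskEncryption, EnabledForTemplateDeployment
```

The EnabledFor* switches are vault properties and behave the same on access-policy and RBAC-mode vaults; only the way data-plane permissions are granted differs between the two modes.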

93
MCQ · hard

Your organization uses Microsoft Defender for Cloud to secure a hybrid environment. You need to ensure that security recommendations are automatically remediated for virtual machines. The solution must use Azure Policy and must be deployed at scale. What should you configure?

A. Create a custom Azure Policy definition with deployIfNotExists effect
B. Create a remediation task for the policy that needs auto-remediation
C. Assign a built-in policy initiative to the management group
D. Enable auto-provisioning for the Log Analytics agent
Answer: B

Remediation tasks automatically fix non-compliant resources.

Why this answer

Option B is correct because a remediation task is what makes Azure Policy fix resources that already exist and are non-compliant. Defender for Cloud surfaces its recommendations through Azure Policy, so a remediation task against the relevant deployIfNotExists or modify assignment corrects them at scale. Option C is wrong because assigning an initiative by itself only evaluates compliance; deployIfNotExists and modify effects act on resources created or updated after the assignment, and existing resources still need a remediation task. Option D is wrong because auto-provisioning installs an agent; it does not remediate security configurations. Option A is wrong because a custom definition still has to be assigned and remediated; on its own it changes nothing.

Practical check: the assignment must have a managed identity holding the roles listed in the definition's roleDefinitionIds, otherwise the remediation task reports a failure for every resource.

94
MCQ · hard

You are designing a security solution for Azure API Management. The requirements include: protecting APIs from abuse, throttling requests, and validating JSON payloads. Which combination of features should you use?

A. Managed Identities and Azure AD authentication
B. Azure Web Application Firewall (WAF) on Application Gateway
C. Rate limiting policies, validate-json policy, and OAuth 2.0
D. Azure Firewall and Network Security Groups
Answer: C

Rate limiting throttles, content validation checks payloads, OAuth secures access.

Why this answer

Option C is correct: the rate-limit and rate-limit-by-key policies throttle requests, the content validation policy checks JSON payloads against the API's schema, and validate-jwt with OAuth 2.0 secures access. Option A is wrong because managed identities and Azure AD authentication address who calls the API, not throttling or payload validation. Option B is wrong because WAF inspects traffic at the edge with generic rules and knows nothing about a specific API's schema or per-subscription quotas.

Option D is wrong because Azure Firewall and NSGs filter at the network layer and do not integrate with API Management policies for payload validation.

Name check: in API Management policy XML the payload validator is validate-content (with validate-as="json"); the question's "validate-json" refers to that policy.
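Added example (not part of the original question bank): an inbound policy that applies the three controls to one API, pushed with Set-AzApiManagementPolicy. The APIM instance "apim-contoso", resource group "rg-api", API ID "orders-api", tenant ID and audience are assumed values; validate-content requires the API definition to declare a JSON schema for the operation's request body.

```powershell
# Added example, not from the original page. Assumed names: see lead-in.
$ctx      = New-AzApiManagementContext -ResourceGroupName "rg-api" -ServiceName "apim-contoso"
$tenantId = "22222222-2222-2222-2222-222222222222"   # assumed Entra tenant ID
$audience = "api://orders-api"                       # assumed app ID URI of the API's app registration

$policy = @"
<policies>
  <inbound>
    <base />
    <!-- 1. Reject calls without a valid Entra ID access token before any
         quota is spent on them. -->
    <validate-jwt header-name="Authorization" require-scheme="Bearer"
                  failed-validation-httpcode="401" failed-validation-error-message="Unauthorized">
      <openid-config url="https://login.microsoftonline.com/$tenantId/v2.0/.well-known/openid-configuration" />
      <audiences><audience>$audience</audience></audiences>
    </validate-jwt>
    <!-- 2. Throttle per authenticated subject (falling back to caller IP) so one
         credential cannot hammer the API from many addresses. -->
    <rate-limit-by-key calls="100" renewal-period="60"
        counter-key="@(context.Request.Headers.GetValueOrDefault("Authorization","").AsJwt()?.Subject ?? context.Request.IpAddress)" />
    <!-- 3. Validate the body: cap size at 100 KB, block unknown content types,
         and check JSON against the operation's declared schema. -->
    <validate-content unspecified-content-type-action="prevent" max-size="102400"
                      size-exceeded-action="prevent" errors-variable-name="bodyValidation">
      <content type="application/json" validate-as="json" action="prevent" />
    </validate-content>
  </inbound>
  <backend><base /></backend>
  <outbound><base /></outbound>
  <on-error><base /></on-error>
</policies>
"@

# The raw+xml format accepts policy expressions without XML escaping.
Set-AzApiManagementPolicy -Context $ctx -ApiId "orders-api" -Policy $policy -Format "application/vnd.ms-azure-apim.policy.raw+xml"
```

Order matters: the token check runs first so that unauthenticated noise never reaches the rate limiter or the schema validator, and the size cap runs before parsing so an oversized body is rejected without being buffered in full.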

95
Multi-Select · easy

Your company uses Microsoft Defender for Endpoint and Microsoft Intune to manage endpoints. You need to ensure that devices are healthy before they can access corporate resources. Which TWO settings should you configure in Microsoft Intune compliance policies to enforce device health?

Select 2 answers
A. Require device encryption (BitLocker) on Windows devices
B. Require a minimum password length of 8 characters
C. Require that the device is not jailbroken or rooted
D. Require the device to be on a specific OS version
E. Require that Windows Defender Antivirus is active and up to date
Answers: A, E

Encryption protects data if the device is lost or stolen.

Why this answer

Requiring Microsoft Defender Antivirus (formerly Windows Defender Antivirus) to be active and up to date ensures real-time protection against malware; Defender for Endpoint's machine risk score can be added as a further compliance condition. Requiring BitLocker protects data at rest on a lost or stolen device. Password length and OS version are sensible compliance settings but are not the most direct device-health signals for threat protection.

Jailbreak/root detection applies to mobile devices, not the Windows endpoints in the question.

96
MCQ · medium

Refer to the exhibit. The NSG is applied to a subnet containing a web server. The web server is not receiving HTTP traffic. What is the most likely cause?

A. The DenyAllOther rule has a lower priority than AllowHTTP
B. The rule direction is Inbound, but the traffic is outbound
C. The sourceAddressPrefix 'Internet' does not include all source IPs
D. The priority of the AllowHTTP rule is too low (100)
Answer: C

The 'Internet' service tag does not cover the source addresses in the exhibit.

Why this answer

Option C is correct because the allow rule uses the 'Internet' service tag as its source prefix, and the exhibit indicates that the actual client source addresses are not matched by it; a packet whose source is not covered falls through to DenyAllOther. Option D is wrong because priority 100 is evaluated first (lower number = higher priority). Option B is wrong because the rules are inbound, which is the correct direction for traffic arriving at a web server.

Option A is wrong because DenyAllOther has a higher priority number (1000) than AllowHTTP (100), so it is evaluated only if AllowHTTP did not match.

Practical check: rather than reasoning about prefixes by hand, run Network Watcher IP flow verify for the exact 5-tuple; it returns the name of the rule that allowed or denied the packet, default rules included. Note also that the Internet tag means public address space outside the virtual network, so traffic from a peered VNet or an on-premises range arriving over VPN is not "Internet".
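Added example (not part of the original question bank): using Network Watcher IP flow verify to find out which NSG rule decides a specific inbound HTTP flow to the web server, then listing the rules in evaluation order. Network Watcher name/group, VM "vm-web01" in "rg-app" with private IP 10.0.1.4, NSG "nsg-web" and the test client 203.0.113.10 (a documentation range) are assumed.

```powershell
# Added example, not from the original page. Assumed names: see lead-in.
$nw   = Get-AzNetworkWatcher -ResourceGroupName "NetworkWatcherRG" -Name "NetworkWatcher_westeurope"
$vmId = (Get-AzVM -ResourceGroupName "rg-app" -Name "vm-web01").Id

# Evaluate one synthetic packet against the effective rules on the VM's NIC
# (subnet NSG + NIC NSG + default rules). The result names the deciding rule.
$result = Test-AzNetworkWatcherIPFlow -NetworkWatcher $nw -TargetVirtualMachineId $vmId `
    -Direction Inbound -Protocol TCP `
    -LocalIPAddress "10.0.1.4" -LocalPort 80 `
    -RemoteIPAddress "203.0.113.10" -RemotePort 51234

"{0} by rule {1}" -f $result.Access, $result.RuleName
# Access=Allow, RuleName=AllowHTTP     -> the NSG is fine; look at the guest OS firewall or the listener
# Access=Deny,  RuleName=DenyAllOther  -> AllowHTTP did not match this packet: check its direction,
#                                         protocol, destination port and whether the source prefix
#                                         (here a service tag) actually covers 203.0.113.10

# Cross-check the definitions in the order the platform evaluates them.
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName "rg-app" -Name "nsg-web"
$nsg.SecurityRules | Sort-Object Priority |
    Select-Object Name, Priority, Direction, Access, Protocol, SourceAddressPrefix, DestinationPortRange
```

Repeat the test with a source address from the range the real clients use (a VPN or peered range, for instance) to see whether a service-tag rule stops matching, which is the failure mode the question describes.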

97
MCQ · hard

A global enterprise uses Azure Firewall and Azure Virtual Network Manager (AVNM) to manage network security. They want to deploy a new spoke virtual network that must be isolated from all other spokes except one specific shared services hub. The hub uses Azure Firewall to inspect traffic. What is the most secure and scalable way to enforce this isolation?

A. Apply a custom Azure Policy definition that denies VNet peering between the new spoke and any VNet other than the hub.
B. Configure direct VNet peering between the new spoke and the hub, and use route tables to block traffic to other spokes.
C. Deploy a network virtual appliance (NVA) in the new spoke and route all traffic through it.
D. Use AVNM to create a network group for the new spoke and apply security admin rules to block inter-spoke traffic except to the hub.
Answer: D

Correct: AVNM provides scalable, centrally managed isolation.

Why this answer

Using AVNM network groups with security admin rules lets the network team define once, centrally, that the new spoke may talk only to the hub. Security admin rules are evaluated before NSGs and cannot be overridden by spoke owners, and network group membership can be dynamic so later spokes inherit the same policy. Direct peering with route tables (Option B) is managed per VNet and does not stop a spoke owner from adding another peering. An NVA in the spoke (Option C) adds a hop, cost and another device to patch without providing isolation the hub firewall does not already offer.

Enforcing via Azure Policy with deny (Option A) is possible but less integrated for network topology, since it blocks peering operations rather than the traffic itself.

98
MCQ · hard

You are designing a privileged access solution for your Azure infrastructure. You need to ensure that just-in-time (JIT) access is required for all administrative actions on Azure VMs. What should you configure?

A. Microsoft Entra Privileged Identity Management (PIM) for Azure VM roles
B. Just-in-time VM access in Microsoft Defender for Cloud
C. Network security groups with service tags
D. Azure Bastion with Conditional Access
Answer: B

JIT VM access keeps management ports closed and opens them for a time-bound, audited request.

Why this answer

Option B is correct because Microsoft Defender for Cloud's JIT VM access keeps the management ports (RDP, SSH, WinRM) denied in the NSG and opens them only for an approved requester's source address for a time-bound window, with every request audited. Option A is wrong because PIM governs eligibility for Azure RBAC and Entra ID roles; it does not open or close network ports on a VM. Option D is wrong because Azure Bastion provides secure RDP/SSH without public IPs, but sessions are not time-bound per request. Option C is wrong because NSGs with service tags are static and do not enforce JIT.

In practice the controls are complementary: PIM for eligibility to the role that may request JIT access, JIT for the network exposure window, and Bastion for the session path.
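Added example (not part of the original question bank): creating a JIT policy for one VM with Az.Security and then requesting a one-hour SSH window from a single source address. The subscription ID, resource group "rg-app", VM "vm-web01", region "westeurope" and the 203.0.113.0/24 requester range (a documentation range) are assumed values.

```powershell
# Added example, not from the original page. Assumed names: see lead-in.
$subId  = "00000000-0000-0000-0000-000000000000"
$rg     = "rg-app"
$vmName = "vm-web01"
$vmId   = "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.Compute/virtualMachines/$vmName"

# Policy: which ports may be opened, from where, and for at most how long.
# Defender for Cloud keeps these ports denied in the NSG until a request is approved.
$jitVm = @{
    id    = $vmId
    ports = @(
        @{ number = 3389; protocol = "TCP"; allowedSourceAddressPrefix = @("203.0.113.0/24"); maxRequestAccessDuration = "PT3H" },
        @{ number = 22;   protocol = "TCP"; allowedSourceAddressPrefix = @("203.0.113.0/24"); maxRequestAccessDuration = "PT3H" }
    )
}
Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location "westeurope" -Name "default" -ResourceGroupName $rg -VirtualMachine @($jitVm)

# Request: a narrower slice of the policy (one port, one host, one hour). The
# requester needs Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action
# on the VM; the platform then inserts a temporary allow rule above the deny.
$request = @{
    id    = $vmId
    ports = @(
        @{ number = 22
           endTimeUtc = (Get-Date).ToUniversalTime().AddHours(1).ToString("o")
           allowedSourceAddressPrefix = @("203.0.113.10") }
    )
}
$policyId = "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.Security/locations/westeurope/jitNetworkAccessPolicies/default"
Start-AzJitNetworkAccessPolicy -ResourceId $policyId -VirtualMachine @($request)

# Audit: every request is recorded on the policy object.
(Get-AzJitNetworkAccessPolicy -ResourceGroupName $rg -Location "westeurope" -Name "default").Requests
```

The request is deliberately narrower than the policy (a single /32, one port, one hour); a policy that allows a /24 for three hours is the ceiling, not the default grant.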

99
MCQ · hard

You are designing a network security solution for a multi-tier application in Azure that must meet PCI DSS compliance. You need to restrict traffic between tiers to only necessary ports and protocols. You also need to log all denied traffic for auditing. What is the most efficient design?

A. Deploy Azure Application Gateway in front of each tier. Use WAF policies to filter traffic.
B. Use network security groups (NSGs) on each subnet to allow/deny traffic by IP and port. Enable NSG flow logs for auditing.
C. Deploy Azure Firewall in a hub virtual network. Use application rules to allow specific FQDNs between tiers. Enable diagnostic logs and send them to a Log Analytics workspace.
D. Deploy a third-party NVA (e.g., Palo Alto) in the hub. Configure inter-tier routing through the NVA.
Answer: C

Provides L7 filtering and centralized logging.

Why this answer

Option C is correct because Azure Firewall in a hub provides centralized layer 3/4 and layer 7 (FQDN, application rule) filtering between tiers, and its diagnostic logs (network rule, application rule and threat intelligence categories) record allowed and denied flows in a Log Analytics workspace that auditors can query. Option B is wrong because NSGs lack layer 7 filtering; NSG flow logs do record allow/deny decisions, but they carry no application context and are collected per NSG rather than centrally. Option A is wrong because Application Gateway is a layer 7 load balancer and WAF for inbound web traffic, not a firewall for inter-tier east-west traffic.

Option D is wrong because a third-party NVA adds licensing, cost and operational complexity without a clear benefit over Azure Firewall for this use case.

Caveat: application rules apply only to HTTP, HTTPS and MSSQL; database traffic between tiers on a raw TCP port is governed by network rules, so PCI segmentation needs both rule types, with NSGs on the subnets as the second layer.

100
MCQ · hard

Refer to the exhibit. You run the PowerShell command against an Azure SQL Database. The command returns a baseline object for rule VA2108. What does this indicate about the database's vulnerability assessment configuration?

A. The vulnerability assessment scan is automatically remediating findings for rule VA2108
B. The security team has approved the current state of rule VA2108 as acceptable
C. Vulnerability assessment is disabled for this database
D. The database has no vulnerability findings
Answer: B

Setting a baseline indicates acceptance of the current state for that rule.

Why this answer

Option B is correct. A baseline for rule VA2108 (membership of fixed high-impact database roles) means the security team approved the current result for that rule; on subsequent scans, results that match the baseline are reported as passing instead of as findings. Option A is wrong because a baseline does not change the database; it only suppresses matching findings.

Option D is wrong because a baseline is set per rule and says nothing about other rules. Option C is wrong because vulnerability assessment must be enabled for a baseline to exist.

Caveat: a baseline is an accepted exception and should be reviewed periodically; a new role member that does not match the approved rows shows up as a finding again.
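Added example (not part of the original question bank): reading, setting and retiring the VA2108 baseline on one Azure SQL database with Az.Sql, so that the exception is a reviewed decision rather than a silent suppression. Resource group "rg-data", server "sql-fin01", database "ledger" and the two service-account rows are assumed values.

```powershell
# Added example, not from the original page. Assumed names: see lead-in.
$rg  = "rg-data"
$srv = "sql-fin01"
$db  = "ledger"

# What is currently accepted? No result means the rule is evaluated against its
# default expectation on every scan.
Get-AzSqlDatabaseVulnerabilityAssessmentRuleBaseline -ResourceGroupName $rg -ServerName $srv -DatabaseName $db -RuleId "VA2108" |
    Select-Object RuleId, BaselineResult

# Approve two documented service accounts as db_ddladmin members. Each row
# mirrors the columns the scan reports for VA2108:
# principal name, role, principal type, authentication type.
$approved = @(
    @("svc_deploy", "db_ddladmin", "SQL_USER", "None"),
    @("svc_schema", "db_ddladmin", "SQL_USER", "None")
)
Set-AzSqlDatabaseVulnerabilityAssessmentRuleBaseline -ResourceGroupName $rg -ServerName $srv -DatabaseName $db `
    -RuleId "VA2108" -BaselineResult $approved

# Re-scan: rows matching the baseline pass; any member outside it is reported again.
Start-AzSqlDatabaseVulnerabilityAssessmentScan -ResourceGroupName $rg -ServerName $srv -DatabaseName $db -ScanId "post-baseline-review"

# When the exception is retired, clear it rather than leaving a stale approval:
# Clear-AzSqlDatabaseVulnerabilityAssessmentRuleBaseline -ResourceGroupName $rg -ServerName $srv -DatabaseName $db -RuleId "VA2108"
```

These cmdlets manage the classic (storage-account based) vulnerability assessment configuration; servers using the newer express configuration manage baselines through the portal or REST API instead.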

101
MCQ · medium

You are designing a security solution for containers running on Azure Kubernetes Service (AKS). The requirements include: scanning container images for vulnerabilities, enforcing runtime security, and generating alerts for suspicious activities. Which combination of services should you use?

A. Azure Security Center and Azure Policy
B. Azure Container Registry and Azure Monitor
C. Azure Policy and Azure Firewall
D. Microsoft Defender for Cloud with Defender for Containers plan
Answer: D

Provides image scanning, runtime security, and alerts.

Why this answer

Option D is correct because the Defender for Containers plan in Microsoft Defender for Cloud combines vulnerability scanning of images in Azure Container Registry and of running containers, runtime threat detection from the node sensor and Kubernetes audit log, and alerts for suspicious activity in AKS. Option A is wrong because Azure Security Center is the former name of Defender for Cloud, and Azure Policy provides admission control rather than image scanning or runtime detection. Option C is wrong because Azure Policy and Azure Firewall enforce configuration and network rules, not runtime security.

Option B is wrong because Azure Container Registry stores images and Azure Monitor collects metrics and logs; neither performs vulnerability scanning or runtime threat detection on its own.

102
MCQ · easy

A company is implementing a zero-trust network for their Azure environment. They want to ensure that only authenticated and authorized users can access specific VMs, regardless of network location. Which Azure service should they use?

A. Just-in-Time (JIT) VM Access
B. Azure Bastion
C. Site-to-Site VPN
D. Network Security Groups (NSGs)
Answer: B

Provides secure, identity-based access to VMs without exposing public IPs.

Why this answer

Option B is correct because Azure Bastion provides RDP/SSH access to VMs over TLS from the portal or native client without public IPs, and access to Bastion itself is authenticated with Entra ID and governed by Conditional Access and RBAC, so the decision depends on who the user is rather than where they connect from. Option C is wrong because a site-to-site VPN grants access based on network location, the perimeter model zero trust replaces. Option A is wrong because JIT VM access narrows the exposure window of a management port, but it is a network control keyed on the requester's source address, not a per-user authentication path.

Option D is wrong because NSGs filter by IP address, port and protocol, not user identity.

103
MCQ · hard

You are designing a secure hybrid network architecture that connects an on-premises data center to Azure. The requirements include: encrypted traffic, high availability across two Azure regions, and automatic failover. You need to recommend a connectivity solution that meets these requirements. What should you use?

A. Azure Point-to-Site VPN
B. Azure ExpressRoute with VPN gateway failover
C. Azure Site-to-Site VPN with active-passive configuration
D. Azure ExpressRoute with Microsoft Peering
Answer: B

Provides encrypted, highly available connectivity with automatic failover.

Why this answer

Option B is correct because ExpressRoute provides private, high-bandwidth connectivity, and pairing it with a VPN gateway provides an encrypted path and an automatic failover route if the circuit is lost; gateways deployed in two regions give regional resilience. Option C is wrong because an active-passive site-to-site VPN in one region fails over within a single gateway only and does not meet the two-region requirement. Option D is wrong because ExpressRoute does not encrypt traffic by default, and Microsoft peering is for reaching Microsoft 365 and Azure public services, not virtual networks.

Option A is wrong because point-to-site VPN connects individual clients, not a data center.

Caveat: if the primary ExpressRoute path must also be encrypted, not just the VPN backup, use IPsec over ExpressRoute (a site-to-site VPN running across private or Microsoft peering) or MACsec on ExpressRoute Direct.

104
MCQ · medium

You are designing a security solution for Azure Kubernetes Service (AKS). You need to ensure that only authorized container images from a private container registry can run in the cluster. What should you configure?

A. Use Azure Policy to enforce that containers run only from allowed registries.
B. Implement Azure Container Registry tasks to scan images.
C. Configure network policies in AKS to block outbound traffic to public registries.
D. Enable Microsoft Defender for Containers to block unauthorized images.
Answer: A

Azure Policy for Kubernetes has a built-in policy to restrict container images.

Why this answer

Option A is correct because the Azure Policy add-on for Kubernetes (Gatekeeper) can enforce that pods use only images from allowed registries with the built-in policy "Kubernetes cluster containers should only use allowed images", rejecting non-compliant pods at admission. Option C is wrong because network policies control pod traffic, not which images are admitted; an image already present on the node is unaffected. Option B is wrong because Azure Container Registry tasks build and scan images; they do not stop the cluster from running others.

Option D is wrong because Microsoft Defender for Containers detects and alerts on threats; it does not block unauthorized images.

Practical check: the policy matches on the image reference string through a regular expression parameter, so the allow-list pattern must be anchored (for example ^contoso\.azurecr\.io/.+), and pinning images by digest rather than mutable tags is what gives a supply-chain guarantee.

105
Multi-Select · hard

Which THREE components are required to implement a Zero Trust network architecture using Microsoft Entra Internet Access (formerly Microsoft 365 Network Connectivity)?

Select 3 answers
A. Conditional Access policies
B. Azure AD Application Proxy
C. Site-to-site VPN
D. Microsoft Intune device compliance policies
E. Microsoft Entra Internet Access (Microsoft Global Secure Access)
Answers: A, D, E

Enforces access controls based on user, device, and location.

Why this answer

Options A, D and E are correct because Entra Internet Access (the internet-traffic forwarding profile of Global Secure Access), Conditional Access and Intune device compliance together supply the identity, device and session signals a zero-trust design depends on. Option C is wrong because a VPN is traditional perimeter security. Option B is wrong because Azure AD Application Proxy (now Entra Application Proxy) publishes legacy on-premises apps; the Global Secure Access component for private applications is Entra Private Access.

106
MCQ · hard

Your company is designing a Zero Trust network for a hybrid workforce. Remote users connect via VPN to on-premises resources, while cloud apps use Microsoft Entra ID. You need to enforce conditional access based on device compliance and user risk. Which Microsoft security solution should you integrate with Entra ID to provide real-time device posture signals?

A. Microsoft Purview
B. Microsoft Intune
C. Microsoft Defender for Cloud Apps
D. Microsoft Sentinel
Answer: B

Intune manages device compliance and provides the signals Entra ID Conditional Access evaluates.

Why this answer

Option B is correct because Microsoft Intune evaluates devices against compliance policies and reports the result to Entra ID, where Conditional Access uses it as the device-posture signal; user risk comes from Entra ID Protection. Option C is wrong because Microsoft Defender for Cloud Apps is a CASB, not a device management solution. Option A is wrong because Microsoft Purview focuses on data governance and compliance.

Option D is wrong because Microsoft Sentinel is a SIEM/SOAR, not a device management tool.

107
MCQhard

You are designing a secure access strategy for a manufacturing plant using Azure IoT Hub and Azure Defender for IoT. The plant has unpatched legacy PLCs that cannot be updated. What is the best approach to prevent these devices from being compromised and used as an entry point into the corporate network?

A.Use Azure VPN Gateway to connect PLCs to the virtual network.
B.Implement network micro-segmentation using Azure Firewall and NSGs to isolate the PLCs from the corporate network.
C.Install the Microsoft Defender for IoT micro-agent on each PLC.
D.Enforce TLS 1.2 for all PLC communications.
AnswerB

Isolation limits the blast radius if a device is compromised.

Why this answer

Option B is correct because micro-segmentation with network security groups (NSGs) and Azure Firewall isolates the legacy devices, limiting lateral movement. Option C is wrong because unpatched devices cannot be hardened with Defender for IoT agents. Option D is wrong because TLS is often not supported on legacy PLCs.

Option A is wrong because a VPN would expose the devices to more traffic.

108
Multi-Selecthard

Your organization is implementing Microsoft Defender for Identity to protect on-premises Active Directory. Which THREE activities does Defender for Identity monitor?

Select 3 answers
A.Privilege escalation attempts
B.Lateral movement paths using Pass-the-Hash
C.File integrity changes on domain controllers
D.Reconnaissance attacks using LDAP queries
E.Network traffic to external IP addresses
AnswersA, B, D

Defender for Identity monitors for privilege escalation.

Why this answer

Options A, B, and D are correct. Defender for Identity monitors privilege escalation, lateral movement paths, and reconnaissance attacks. Option C is wrong because file integrity monitoring is a feature of Defender for Servers or Azure Policy.

Option E is wrong because network traffic to the internet is monitored by Defender for Network or network security groups.

109
MCQeasy

Your organization is deploying a new application on Azure Kubernetes Service (AKS). You need to ensure that only authorized containers can run in the cluster and that any unauthorized containers are automatically blocked. What should you configure?

A.Implement network policies to restrict communication between pods.
B.Apply an Azure Policy that restricts container images to only those from approved registries.
C.Enable Azure AD integration for the AKS cluster.
D.Configure Azure RBAC roles to limit who can deploy containers.
AnswerB

Azure Policy for AKS can enforce allowed container images.

Why this answer

Option B is correct because Azure Policy for AKS, using the built-in 'Kubernetes cluster containers should only use allowed images' policy, ensures that only images from approved registries can run. Option D is wrong because Azure RBAC controls who can manage the cluster, not which containers run. Option A is wrong because network policies control traffic, not container authorization.

Option C is wrong because Azure AD integration controls authentication, not container image approval.

110
Multi-Selecteasy

Which TWO features of Microsoft Defender for Cloud help you identify and remediate misconfigurations in your Azure environment? (Choose two.)

Select 2 answers
A.File integrity monitoring (FIM).
B.Security recommendations.
C.Just-in-time (JIT) VM access.
D.Adaptive application controls.
E.Secure score.
AnswersB, E

Recommendations identify misconfigurations and suggest fixes.

Why this answer

Options B and E are correct. B: Security recommendations provide actionable steps to fix misconfigurations. E: Secure score measures overall security posture and guides prioritization.

Option C is wrong because JIT is for VM access. Option A is wrong because FIM is for file integrity. Option D is wrong because adaptive application controls are for allowed apps.

111
MCQeasy

You are designing a security solution for a small business that uses Azure App Services to host a web application. The business has the following requirements:
- The web application must be protected against common web vulnerabilities like SQL injection and cross-site scripting (XSS).
- All traffic to the application must be encrypted.
- The solution should be cost-effective and require minimal management overhead.
- The application must be able to scale automatically based on demand.
Which Azure service should you use to meet these requirements?

A.Use Azure Firewall to inspect traffic to the App Service.
B.Use Azure CDN with custom domain and HTTPS.
C.Deploy Azure Front Door with WAF policies.
D.Deploy Azure Application Gateway with Web Application Firewall (WAF) in front of the App Service.
AnswerD

WAF protects against common web attacks, provides TLS, and autoscales.

Why this answer

Option D is correct: Azure Web Application Firewall (WAF) on Application Gateway protects against web vulnerabilities, provides TLS termination, and supports autoscaling. Option C is incorrect: Azure Front Door also provides WAF but is more expensive and suited for global scenarios. Option B is incorrect: Azure CDN does not include WAF.

Option A is incorrect: Azure Firewall is a network firewall, not a web application firewall.

112
Multi-Selecteasy

Which TWO Azure services should you use to implement a defense-in-depth strategy for protecting Azure virtual machines?

Select 2 answers
A.Network Security Groups (NSGs)
B.Azure Logic Apps
C.Azure Backup
D.Azure Automation
E.Azure Front Door
AnswersA, C

NSGs filter traffic at the network layer.

Why this answer

Options A and C are correct because NSGs provide network segmentation and Azure Backup provides data protection. Option E is wrong because Azure Front Door is for global load balancing. Option B is wrong because Azure Logic Apps is an integration service.

Option D is wrong because Azure Automation is for process automation.

113
MCQmedium

Refer to the exhibit. You are reviewing an Azure Policy definition that is assigned to a subscription containing several virtual machines. After the assignment, users report that they cannot create new VMs. What is the most likely reason?

A.The policy denies creation of VMs with a specific size.
B.The policy denies creation of VMs that do not use managed disks.
C.The policy denies creation of VMs that use managed disks.
D.The policy denies creation of VMs that do not use premium SSDs.
AnswerB

The policy rule denies if managed disk does not exist for OS disk.

Why this answer

Option B is correct because the policy denies creation of VMs that do not use managed disks. The condition checks whether the osDisk.managedDisk field does not exist and, if so, denies the request. Therefore, any attempt to create a VM with unmanaged disks will be denied.

Option A is wrong because the policy denies all VMs without managed disks, not just those with a specific size. Option C is wrong because the condition targets VMs whose OS disk is not a managed disk, not VMs that use managed disks; the policy only denies creation and does not affect existing VMs. Option D is wrong because the policy does not require premium SSDs; it only requires managed disks.

114
MCQhard

Your organization is planning to use Microsoft Sentinel for security information and event management (SIEM). The security team wants to ensure that Sentinel can ingest logs from on-premises servers that are not connected to the internet. The solution must use Azure Arc for management. Which data connector should you use?

A.Azure Monitor Agent
B.Common Event Format (CEF) via AMA
C.Syslog via AMA
D.Log Analytics agent (MMA)
AnswerA

AMA can be installed on Arc-enabled servers and send logs to Log Analytics, which Sentinel uses.

Why this answer

Option A is correct because the Azure Monitor Agent (AMA) can be deployed via Azure Arc to on-premises servers, collecting logs and forwarding them to Sentinel via a Log Analytics workspace. Option D is wrong because the Log Analytics agent (MMA) is being deprecated. Option C is wrong because the Syslog connector typically requires direct connectivity or a forwarder.

Option B is wrong because the Common Event Format (CEF) connector also requires a forwarder with internet access.

115
Multi-Selecthard

Your company is planning to use Azure Policy to enforce security compliance across multiple subscriptions. You need to define a set of policies that will be applied to all subscriptions. Which THREE components should you include in your policy assignment?

Select 3 answers
A.Parameters.
B.Policy definition.
C.Assignment scope.
D.Initiative definition.
E.Remediation task.
AnswersA, B, C

Parameters allow customization of policies at assignment.

Why this answer

Option B is correct because policy definitions are the rules that enforce compliance. Option C is correct because assignment scope defines where the policy applies (e.g., management group, subscription). Option A is correct because parameters allow customization of policy definitions at assignment time.

Option D is wrong because initiative definitions are groups of policies, but the question asks for components of a single policy assignment; an initiative is a separate artifact. Option E is wrong because remediation tasks are actions taken after assignment, not part of the assignment itself.

116
MCQmedium

Your organization is deploying Azure Kubernetes Service (AKS) and plans to use Azure Policy to enforce security controls on the cluster. The security team wants to automatically audit and deny the creation of privileged containers. Which Azure Policy initiative should you assign?

A.Azure RBAC roles for AKS
B.Azure Policy for Kubernetes (preview)
C.Microsoft Defender for Containers
D.AKS Pod Identity
AnswerB

This initiative includes policies to restrict privileged containers, host networking, and other security settings.

Why this answer

Option B is correct because the Azure Policy for Kubernetes initiative (preview) includes built-in policies to enforce security constraints such as preventing privileged containers. Option C is wrong because Defender for Cloud's workload protection provides monitoring but not policy enforcement. Option A is wrong because Azure RBAC roles control permissions, not container security.

Option D is wrong because AKS Pod Identity is for pod authentication to Azure resources.

117
MCQeasy

Your organization uses Microsoft Intune to manage endpoints. The security team wants to ensure that devices that cannot be enrolled in Intune (e.g., unmanaged BYOD devices) are still subject to security policies when accessing corporate resources. Which Microsoft Entra ID feature should you use?

A.Microsoft Entra Conditional Access policies
B.Microsoft Intune enrollment policies
C.Windows Defender Application Control
D.Microsoft Defender for Endpoint
AnswerA

Conditional Access can block or limit access from unmanaged devices, enforcing MFA or session controls.

Why this answer

Option A is correct because Microsoft Entra Conditional Access policies can enforce access controls based on device compliance, including requiring MFA or blocking access from unmanaged devices. Option B is wrong because Intune enrollment is only for managed devices. Option D is wrong because Microsoft Defender for Endpoint (now part of Defender XDR) provides threat detection but not access policy enforcement.

Option C is wrong because Windows Defender Application Control is for code integrity on managed devices.

118
MCQeasy

Your organization uses Microsoft Intune to manage iOS and Android devices. You need to ensure that corporate data on these devices is protected in case the device is lost or stolen. The security policy requires that corporate data be automatically removed from the device when it is reported lost, while personal data remains intact. The devices are enrolled in Intune with user affinity. What should you configure?

A.Configure a selective wipe (retire) action that can be triggered via a Power Automate flow when a device is reported lost through a custom app.
B.Create a compliance policy that marks the device as non-compliant after 30 days of inactivity.
C.Configure a device wipe action in Intune that can be triggered manually from the console.
D.Enable conditional access to require the device to be compliant before accessing data.
AnswerA

Selective wipe removes only corporate data; automation via Power Automate allows immediate response.

Why this answer

Option A uses selective wipe (retire), which removes only corporate data. Option C is a full wipe; Option B is not automatic; Option D is for conditional access, not data removal.

119
MCQeasy

Refer to the exhibit. You need to ensure that the storage account 'seccorpstorage' is only accessible from a specific Azure virtual network. What should you do?

A.Add a virtual network rule for the specific VNet
B.Enable the service endpoint for Microsoft.Storage on the VNet subnet
C.Enable firewall and add an IP rule for the VNet's public IP
D.Enable public network access and add a firewall rule
AnswerA

Adding a VNet rule allows traffic from that VNet while blocking all other traffic.

Why this answer

Option A is correct because you need to add a virtual network rule to allow traffic from the VNet. The current configuration has no rules, so all traffic is denied. Option D is wrong because the storage account already has public network access disabled.

Option C is wrong because enabling the firewall and adding IP rules would allow specific IPs, not a VNet. Option B is wrong because adding a service endpoint alone is incomplete without the rule.

120
Multi-Selecthard

Which THREE components are required to implement a secure hybrid network architecture using Azure VPN Gateway? (Choose three.)

Select 3 answers
A.A local network gateway resource in Azure.
B.A connection resource with a shared key.
C.An ExpressRoute circuit.
D.A virtual network gateway in Azure.
E.An Azure Firewall.
AnswersA, B, D

Represents the on-premises VPN device.

Why this answer

Options A, B, and D are correct. A: The local network gateway represents the on-premises VPN device. D: The virtual network gateway (VPN Gateway) is the Azure side.

B: The connection object ties them together with a shared key. Option C is wrong because ExpressRoute is a different connectivity method. Option E is wrong because Azure Firewall is not required for VPN.

121
MCQeasy

Your organization is deploying Microsoft Intune to manage Windows 11 devices. You need to ensure that devices automatically receive security updates and that users cannot defer updates. Which configuration profile setting should you configure?

A.Create a device configuration profile to enable automatic updates.
B.Create a Windows 10/11 Update Rings policy with a deadline for quality and feature updates.
C.Create a compliance policy that requires the device to have the latest updates installed.
D.Create an endpoint security policy for Windows Defender Antivirus to enforce update installation.
AnswerB

Update rings allow setting deadlines and grace periods to enforce automatic updates.

Why this answer

Option B is correct because the Update rings policy in Intune allows configuring Windows Update settings, including setting deadlines for updates to prevent deferral. Option C is wrong because compliance policies enforce device compliance but do not control update deferral. Option A is wrong because device configuration policies are for settings like BitLocker, not update rings.

Option D is wrong because endpoint security policies include antivirus and firewall, not update rings.

122
MCQeasy

A company plans to use Microsoft Defender for Cloud to secure a multi-cloud environment including Azure, AWS, and GCP. What is the first step to enable multi-cloud visibility?

A.Enable all Defender plans for subscription
B.Connect AWS and GCP accounts using the cloud connectors in Defender for Cloud
C.Create custom compliance policies
D.Deploy Azure Arc agents on all cloud VMs
AnswerB

Defender for Cloud provides native connectors to onboard AWS and GCP accounts.

Why this answer

Option B is correct because you must first onboard the AWS/GCP accounts into Defender for Cloud by connecting them via the native cloud connectors. Option D is wrong because deploying Azure Arc agents is for on-premises servers, not cloud accounts. Option A is wrong because enabling Defender plans is done after onboarding.

Option C is wrong because custom policies are optional.

123
MCQeasy

Your company uses Microsoft Sentinel as a SIEM. You need to ensure that all Azure subscription activity logs are ingested into Sentinel. What is the most efficient way to configure this?

A.Configure diagnostic settings on the subscription to send logs to a Log Analytics workspace.
B.Create an Azure Logic App to periodically pull activity logs.
C.Enable the 'Azure Activity' data connector in Sentinel.
D.Manually export activity logs to a storage account and connect to Sentinel.
AnswerC

This automatically streams activity logs.

Why this answer

Option C is correct because the data connector for Azure Activity is designed for this purpose. Option D is wrong because manual export is not efficient. Option A is wrong because diagnostic settings export to a Log Analytics workspace, but Sentinel requires the data connector.

Option B is wrong because Logic Apps are unnecessary overhead.

124
MCQmedium

Refer to the exhibit. You are reviewing an Azure Policy definition that denies deployment of virtual machines without encryption at host enabled. A developer reports they cannot deploy a VM that already has encryption at host enabled. What is the most likely cause?

A.The policy applies to all VMs regardless of encryption setting.
B.The policy effect is 'audit' instead of 'deny', so it does not block deployment.
C.The policy definition uses an incorrect field path for encryptionAtHost.
D.The policy is missing an exemption for the developer's subscription.
AnswerC

The field path 'Microsoft.Compute/virtualMachines/securityProfile.encryptionAtHost' uses a dot instead of a slash; the correct path uses slashes. An invalid path may cause the policy to evaluate incorrectly.

Why this answer

Option C is correct because the policy rule uses an incorrect field path for encryptionAtHost. The correct property path is 'Microsoft.Compute/virtualMachines/securityProfile/encryptionAtHost'. Option B is wrong because the effect is deny, not audit.

Option A is wrong because the policy is meant to deny only VMs without encryption at host; the deny effect correctly targets VMs with encryptionAtHost false, but the wrong field path means the condition is not evaluated as intended. Option D is wrong because the cause is the field path, not a missing exemption.

125
MCQhard

Your organization is planning to use Azure Bastion for secure RDP/SSH access to Azure VMs. You need to ensure that Bastion can reach the VMs in a spoke virtual network that is connected to a hub via VNet peering. The hub has an Azure Firewall. What is the minimal configuration required?

A.Assign a public IP address to each VM. Deploy Azure Bastion in the hub VNet.
B.Deploy Azure Bastion in the hub VNet. Ensure the spoke VNet is peered to the hub VNet.
C.Deploy Azure Bastion in the spoke VNet. Configure Azure Firewall to allow traffic from Bastion to the VMs.
D.Deploy Azure Bastion in the hub VNet. Ensure the spoke VNet has a route to the Bastion subnet.
AnswerB

Bastion in hub can connect to peered spoke VMs using private IPs.

Why this answer

Option B is correct because Azure Bastion does not require public IPs on VMs, nor does it need to traverse the firewall; it uses private IPs and a Bastion host in the same or a peered VNet. Option A is wrong because VMs do not need public IPs with Bastion. Option C is wrong because Bastion does not need to go through the firewall; it uses direct private IP connectivity.

Option D is wrong because VNet peering already provides the private IP connectivity Bastion needs; no additional route to the Bastion subnet is required.

126
MCQeasy

Your company has a hybrid identity environment with Microsoft Entra ID and on-premises Active Directory. You need to ensure that user passwords are synchronized securely and that password changes on-premises are reflected in the cloud quickly. Which tool should you configure?

A.Microsoft Entra Connect
B.Azure AD Connect
C.Active Directory Federation Services (AD FS)
D.Microsoft Identity Manager
AnswerA

Entra Connect synchronizes passwords securely.

Why this answer

Option A is correct because Microsoft Entra Connect (formerly Azure AD Connect) synchronizes identities and passwords using password hash synchronization. Option B names the same tool under its former name, Azure AD Connect; Microsoft Entra Connect is the current name. Option C is wrong because AD FS is for federation, not password synchronization.

Option D is wrong because Microsoft Identity Manager is for identity governance, not synchronization.

127
Multi-Selecthard

You are designing a secure CI/CD pipeline for deploying infrastructure as code (ARM templates) to Azure. The solution must detect drift from the desired state and prevent deployment of non-compliant resources. Which THREE Azure services should you incorporate?

Select 3 answers
A.Azure Blueprints
B.Azure Monitor
C.Azure DevOps with policy checks in pipeline
D.Azure Policy
E.Azure Resource Graph
AnswersA, C, D

Defines the desired state of resources.

Why this answer

Correct answers: A, C, D. Azure Policy can evaluate compliance before deployment, Azure Blueprints (or its replacement, deployment stacks) define the desired state, and Azure DevOps pipelines can run pre-deployment checks. Option E is incorrect: Azure Resource Graph is for querying resources, not enforcing.

Option B is incorrect: Azure Monitor is for monitoring, not drift detection.

128
MCQmedium

An organization uses Microsoft Sentinel to monitor their hybrid infrastructure. They need to detect brute-force attacks against their on-premises Windows servers. Which data source should they connect to Sentinel?

A.Azure Activity Log
B.Windows Security Events via Azure Monitor Agent
C.DNS Events
D.Sysmon Events
AnswerB

Correct: Event ID 4625 logs failed logon attempts.

Why this answer

Windows Security Events from Event ID 4625 (failed logon) are the primary source for detecting brute-force attacks. Azure Activity Log is for resource management events. DNS events are for DNS queries.

Sysmon is for process activity, not logon failures.

129
Multi-Selectmedium

Which TWO Azure policies should you assign to enforce secure configuration of Azure SQL Database? (Select two.)

Select 2 answers
A.Ensure that 'Auditing' is set to 'On' for SQL Database
B.Ensure that 'TDE' is enabled for SQL Server VMs
C.Audit SQL Server level audit setting
D.Ensure that 'Firewall and virtual network settings' for SQL Database are configured
E.Ensure secure transfer to storage accounts is enabled
AnswersA, D

This policy enables auditing for Azure SQL Database.

Why this answer

Option A is correct because enabling Auditing on Azure SQL Database captures all database events and writes them to an audit log in your Azure storage account, Log Analytics workspace, or Event Hubs. This is a fundamental security control for compliance and forensic analysis, as it provides a record of who did what and when, which is essential for detecting and investigating unauthorized access or changes.

Exam trap

The trap here is that candidates confuse SQL Server VM policies (like TDE or SQL Server-level audit settings) with Azure SQL Database policies, or they mistakenly apply storage account policies to SQL Database, which is a separate Azure service with its own security controls.

130
MCQeasy

Refer to the exhibit. A security analyst runs the following KQL query in Microsoft Sentinel. What is the purpose of this query?

A.List all accounts that have been locked out
B.Identify successful logins from multiple IP addresses
C.Detect brute-force attacks against Windows servers
D.Find users who logged in after hours
AnswerC

Correct: The query identifies multiple failed logon attempts from the same IP.

Why this answer

The query filters Windows Security Events for failed logon attempts (EventID 4625) in the last hour, groups by user account, computer, and IP address, and then shows only those with more than 10 failures. This is used to detect brute-force attacks.

131
Multi-Selecthard

Which THREE of the following are best practices for designing a secure hybrid network architecture with Azure?

Select 3 answers
A.Use Azure Bastion for secure VM access without public IPs
B.Open all ports to a management subnet for ease of administration
C.Use ExpressRoute with Azure Firewall for traffic inspection
D.Use a single VPN gateway for all regions
E.Enable forced tunneling for all internet-bound traffic
AnswersA, C, E

Eliminates public IP exposure for management.

Why this answer

Option C is correct because using ExpressRoute with Azure Firewall provides secure, dedicated connectivity and inspection. Option E is correct because forced tunneling ensures all internet-bound traffic goes through the firewall for inspection. Option A is correct because Azure Bastion eliminates the need for public IPs on VMs.

Option B is wrong because opening all ports to a management subnet violates least privilege. Option D is wrong because a single VPN gateway is a single point of failure.

132
MCQhard

Your organization uses Microsoft Sentinel for security operations. You need to design a solution to automatically respond to a confirmed compromise of a domain controller by isolating the affected VM. Which automation feature should you use?

A.Automation rules with a playbook
B.Analytics rules with incident creation
C.Hunting queries
D.Workbooks
AnswerA

Automation rules trigger playbooks for automated response actions.

Why this answer

Option A is correct because automation rules can trigger a playbook that runs a script to isolate the VM. Option B is wrong because analytics rules generate alerts but do not respond. Option D is wrong because workbooks visualize data.

Option C is wrong because hunting queries are for proactive searches.

133
MCQhard

You are designing a secure DevOps pipeline using GitHub Advanced Security and Microsoft Defender for Cloud. The development team uses a mix of Python and JavaScript. Which tool should you integrate to detect secrets (e.g., API keys) committed to the repository?

A.GitHub secret scanning
B.CodeQL code scanning
C.Dependabot alerts
D.Defender for Cloud DevOps security posture management
AnswerA

Secret scanning detects tokens, keys, and other secrets in repositories.

Why this answer

Option A is correct because GitHub secret scanning automatically detects secrets in repositories. Option C is wrong because Dependabot focuses on dependency vulnerabilities. Option B is wrong because CodeQL analyzes code for security vulnerabilities, not secrets.

Option D is wrong because Defender for Cloud's DevOps security posture management does not replace secret scanning.

134
MCQmedium

Refer to the exhibit. An administrator is deploying an Azure Firewall using the ARM template snippet. After deployment, traffic from the 10.0.0.0/16 subnet to www.microsoft.com on HTTPS is allowed. What is a potential security issue with this configuration?

A.The priority of 100 is too high and could override other rules
B.The firewall SKU tier should be Premium for better security
C.The source address range is too broad
D.Allowing HTTP (port 80) to *.microsoft.com is unnecessary and could be exploited
AnswerD

Correct: HTTP traffic is unencrypted and should not be needed for internal to Microsoft communication.

Why this answer

The rule allows HTTP (port 80) to *.microsoft.com, which is unnecessary and could allow unencrypted traffic. HTTPS (port 443) is sufficient. Allowing HTTP could expose traffic to interception.

Additionally, the rule allows all *.microsoft.com subdomains, which might be overly permissive, but the main issue is the inclusion of HTTP.

135
MCQhard

Your company uses Azure Firewall to secure outbound traffic from a hub virtual network that contains multiple spoke virtual networks. You need to implement a solution that allows traffic from specific spoke VMs to reach a specific external SaaS endpoint, while blocking all other outbound traffic. The SaaS endpoint uses a dynamic set of IP addresses that change frequently. What should you do?

A.Configure Azure Firewall network rules to allow traffic to the SaaS endpoint's current IP range.
B.Deploy Azure Firewall Manager and enable threat intelligence-based filtering.
C.Use Azure Firewall service tags to allow traffic to the SaaS endpoint.
D.Configure Azure Firewall application rules using FQDN tags to allow traffic to the SaaS endpoint.
AnswerD

FQDN tags allow filtering by domain name, handling dynamic IP changes automatically.

Why this answer

Option D is correct because using Azure Firewall with fully qualified domain name (FQDN) tags allows you to permit traffic to a specific SaaS endpoint by its FQDN, even if IP addresses change dynamically. Option A is wrong because network rules based on IP addresses cannot handle dynamic IP changes. Option C is wrong because service tags are used for Azure services, not external SaaS endpoints.

Option B is wrong because Azure Firewall Manager is for managing multiple firewalls, not for solving dynamic IP filtering.

136
MCQeasy

You are designing a network security solution for a multi-tier application hosted in Azure. The front-end web tier must be accessible from the internet, but the back-end database tier must only accept traffic from the front-end tier. Which Azure service should you use to enforce this restriction?

A.Azure Firewall
B.Network Security Groups (NSGs)
C.Azure Bastion
D.Application Gateway
AnswerB

NSGs filter traffic between subnets based on rules.

Why this answer

Option B is correct because Network Security Groups (NSGs) can be used to filter traffic between subnets. By applying an NSG to the database subnet with a rule allowing inbound traffic only from the front-end subnet's IP range, you restrict access. Option A is wrong because Azure Firewall is a managed firewall service, but for simple subnet-level filtering, NSGs are more appropriate and cost-effective.

Option D is wrong because Application Gateway is a layer 7 load balancer. Option C is wrong because Azure Bastion provides secure RDP/SSH access to VMs.

137
MCQmedium

A multinational corporation is designing a secure access solution for remote employees using company-managed devices. The solution must enforce device compliance before granting access to corporate resources, support single sign-on (SSO) for SaaS applications, and provide conditional access policies based on risk. Which combination of Microsoft security products should you recommend?

A.Microsoft Intune + Microsoft Entra ID + Microsoft Defender for Cloud Apps
B.Microsoft Intune + Microsoft Defender for Endpoint + Microsoft Sentinel
C.Microsoft Entra ID + Microsoft Defender for Cloud Apps + Microsoft Purview
D.Microsoft Configuration Manager + Microsoft Entra ID + Microsoft Defender for Identity
AnswerA

Intune manages device compliance, Entra ID handles SSO and conditional access, Defender for Cloud Apps enforces risk-based policies.

Why this answer

Microsoft Intune provides device compliance, Microsoft Entra ID provides SSO and conditional access, and Microsoft Defender for Cloud Apps provides risk-based access control. The other combinations miss key components.

138
MCQhard

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You need to design a solution that automatically creates an incident in Sentinel when a Defender XDR alert fires. Which integration should you configure?

A.Azure Logic Apps with Defender XDR connector
B.Microsoft Power Automate flow triggered by Defender XDR alerts
C.Microsoft Defender XDR data connector in Sentinel
D.Microsoft Graph API subscription to Defender XDR alerts
AnswerC

The data connector ingests alerts and automatically creates incidents in Sentinel.

Why this answer

Option C is correct because the Microsoft Defender XDR connector in Sentinel allows alert streaming and incident creation. Option B is wrong because Microsoft Power Automate can be used but is not the primary integration. Option A is wrong because Logic Apps can automate but the connector is the standard method.

Option D is wrong because Microsoft Graph API is programmatic but not the designed integration.

139
MCQhard

You are designing a security solution for an Azure SQL Database that stores sensitive customer data. The solution must encrypt the database at rest and in transit, and also mask sensitive columns from non-privileged users. Which combination of features should you implement?

A.Transparent Data Encryption (TDE) and Dynamic Data Masking (DDM)
B.Always Encrypted and Row-Level Security
C.Always Encrypted and Dynamic Data Masking (DDM)
D.Cell-level encryption and row-level security
AnswerA

TDE encrypts at rest, DDM masks columns for non-privileged users.

Why this answer

Option A is correct: Transparent Data Encryption (TDE) encrypts the database files, logs and backups at rest (it is on by default for new Azure SQL databases), encryption in transit is covered because Azure SQL Database requires TLS on every connection, and Dynamic Data Masking (DDM) replaces sensitive column values in query results for users who lack the UNMASK permission. Option B is wrong because Row-Level Security filters which rows a user can read; it does not mask columns. Option C is wrong because Always Encrypted protects individual columns with client-held keys rather than encrypting the whole database at rest, and non-privileged users receive ciphertext, not masked values. Option D is wrong because cell-level encryption (ENCRYPTBYKEY) requires application changes and per-column key handling, and Row-Level Security again masks nothing.
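The three controls from the correct answer, applied and checked in PowerShell. This is an added example, not part of the question bank: it assumes the Az.Sql and SqlServer modules, PowerShell 7, an authenticated session (Connect-AzAccount) with rights on the server and database, and an existing dbo.Customers table; the resource names are placeholders.

```powershell
# Added example: Azure SQL Database at-rest, in-transit and masking controls.
# Assumes Az.Sql + SqlServer modules, PowerShell 7, Connect-AzAccount already run.
$rg     = 'rg-finance'            # placeholder resource group
$server = 'sql-finance-prod'      # placeholder logical server (without .database.windows.net)
$db     = 'CustomerData'          # placeholder database

# 1. At rest: TDE is on by default for new databases, but confirm rather than assume.
$tde = Get-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName $rg -ServerName $server -DatabaseName $db
if ($tde.State -ne 'Enabled') {
    Set-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName $rg -ServerName $server -DatabaseName $db -State Enabled | Out-Null
}

# 2. In transit: every connection already uses TLS; pin the minimum so legacy clients cannot negotiate down.
Set-AzSqlServer -ResourceGroupName $rg -ServerName $server -MinimalTlsVersion '1.2' | Out-Null

# 3. Masking: DDM rewrites result sets for principals without UNMASK; stored data is unchanged.
$tsql = @'
ALTER TABLE dbo.Customers
    ALTER COLUMN Email ADD MASKED WITH (FUNCTION = 'email()');
ALTER TABLE dbo.Customers
    ALTER COLUMN CardNumber ADD MASKED WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)');

-- A non-privileged principal: SELECT but no UNMASK
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = 'analyst')
    CREATE USER analyst WITHOUT LOGIN;
GRANT SELECT ON dbo.Customers TO analyst;

-- Show what the analyst actually sees, then drop back to the caller
EXECUTE AS USER = 'analyst';
SELECT TOP (3) CustomerId, Email, CardNumber FROM dbo.Customers;
REVERT;
'@

# Token-based login to the database; newer Az versions return the token as a SecureString.
$tok   = Get-AzAccessToken -ResourceUrl 'https://database.windows.net'
$token = if ($tok.Token -is [securestring]) { ConvertFrom-SecureString $tok.Token -AsPlainText } else { $tok.Token }

Invoke-Sqlcmd -ServerInstance "$server.database.windows.net" -Database $db -AccessToken $token -Query $tsql
```

The masked SELECT is the check a practitioner wants: if the analyst row shows full card numbers, either the column has no mask or the principal holds UNMASK (db_owner members do implicitly). DDM is a presentation control, not a boundary: a user who can run ad hoc queries can still infer values with predicates such as WHERE CardNumber LIKE '4111%', which is why the question distinguishes it from Always Encrypted.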

140
MCQeasy

Your organization is using Microsoft Sentinel to collect security logs from multiple sources, including Azure Activity Logs, Office 365 Audit Logs, and on-premises Windows Event Logs. You need to ensure that security incidents are automatically created when a user from a specific IP address attempts to access a sensitive application. You have already configured the data connectors. What should you create?

A.Create a workbook to visualize the access attempts.
B.Create a watchlist containing the IP address and use it in a query.
C.Create an analytics rule that triggers an incident when access from the IP is detected.
D.Create a playbook that runs when a specific event occurs.
AnswerC

Analytics rules create incidents based on queries.

Why this answer

Option C is correct: a scheduled analytics rule runs a KQL query on an interval and, when the query returns results, raises an alert and creates an incident. Option A is wrong because a workbook only visualizes data. Option B is wrong because a watchlist is reference data you join against inside a query; on its own it raises nothing (it is a sensible home for the IP if the list grows). Option D is wrong because a playbook is a response action that runs after an alert or incident exists, not the trigger.

141
Multi-Selectmedium

Your organization is designing a Microsoft Sentinel workspace for a multi-region deployment. You need to optimize cost while ensuring that security data is available for investigation in the primary region. Which TWO actions should you take?

Select 2 answers
A.Use a single Sentinel workspace in the primary region and ingest data from all regions via diagnostic settings.
B.Enable Azure Monitor Agent (AMA) with data collection rules to filter logs.
C.Use Azure Lighthouse to manage multiple Sentinel workspaces from a single pane of glass.
D.Use Log Analytics clusters with dedicated clusters to reduce costs.
E.Deploy Sentinel workspaces in each region and use cross-workspace queries.
AnswersA, C

Centralized workspace reduces cost.

Why this answer

Option A is correct because a single workspace avoids ingesting and retaining the same data twice and keeps it in the primary region where investigations run. Option C is correct because Azure Lighthouse gives one management plane across tenants and regions even where additional workspaces exist. Option B is not selected because Azure Monitor Agent data collection rules cut ingestion volume but do not address where the data is stored. Option D is wrong because a dedicated cluster only pays off at high daily ingestion commitments. Option E is wrong because per-region workspaces multiply cost and force cross-workspace queries. Caveat: centralizing moves data out of its source region, so check data-residency obligations before choosing A.

142
MCQhard

Refer to the exhibit. You run the PowerShell script to apply an NSG to a subnet. However, connectivity tests show that the NSG rule is not being applied. What is the most likely reason?

A.The NSG was not associated to the subnet; Set-AzVirtualNetworkSubnetConfig does not associate the NSG.
B.The script is missing the Set-AzVirtualNetwork call after updating the subnet.
C.The rule priority 100 conflicts with an existing rule with lower priority.
D.The NSG should be associated to the network interface instead of the subnet.
AnswerB

The subnet configuration is updated locally, but the VNet is not updated, so the NSG association is not persisted.

Why this answer

Option B is correct: Set-AzVirtualNetworkSubnetConfig changes only the in-memory VNet object returned by Get-AzVirtualNetwork; nothing reaches Azure until Set-AzVirtualNetwork writes the VNet back, so the NSG is never associated and no rule takes effect. Option A is wrong because the cmdlet does set the NSG on the subnet configuration; the gap is persistence, not association. Option C is wrong because priority 100 is valid and well below the default rules (65000 and above). Option D is wrong because subnet association is a supported design; NIC association is an alternative, not a requirement.

143
MCQhard

Refer to the exhibit. You review a PowerShell script that configures an NSG rule. What is the likely security issue with this rule?

A.The source address prefix should be a specific IP range
B.The rule allows HTTPS instead of HTTP
C.The rule is outbound but should be inbound
D.The destination address prefix is 'VirtualNetwork' which allows traffic to all VMs
AnswerD

Should be a specific subnet or IP to restrict access.

Why this answer

Option D is correct: the rule allows TCP/80 from the Internet service tag to the VirtualNetwork service tag, so any public IP can reach every VM in the virtual network (and in peered networks, which the tag also covers) on port 80. Scoping the destination to the web subnet or to specific IPs limits the blast radius. Option A is a distractor: a public-facing web tier cannot narrow its source, and the exposure in the exhibit comes from the destination scope. Option B is wrong because the rule allows HTTP, not HTTPS. Option C is wrong because the rule is inbound, which is the correct direction for this traffic.
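Questions 142 and 143 both turn on the same script shape, so one added example covers both: the over-broad rule beside a scoped one, a check that flags the broad pattern, and the Set-AzVirtualNetwork call that actually persists the subnet association, followed by a verification read. This is not the exam exhibit; it assumes the Az.Network module, an authenticated session and an existing VNet and subnet, and every name and prefix is a placeholder.

```powershell
# Added example: NSG rule scoping and subnet association done end to end.
# Assumes Az.Network, Connect-AzAccount already run, existing vnet-prod / snet-web (placeholders).
$rg      = 'rg-web'
$vnet    = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-prod'
$subnet  = 'snet-web'
$webTier = '10.10.1.0/24'   # placeholder: address space of snet-web

function Test-BroadInboundRule {
    # True when an allow rule lets the Internet (or any source) reach the whole VirtualNetwork tag (or any destination)
    param([Parameter(Mandatory)] $Rule)
    $Rule.Direction -eq 'Inbound' -and $Rule.Access -eq 'Allow' -and
        ($Rule.SourceAddressPrefix -contains 'Internet' -or $Rule.SourceAddressPrefix -contains '*') -and
        ($Rule.DestinationAddressPrefix -contains 'VirtualNetwork' -or $Rule.DestinationAddressPrefix -contains '*')
}

# The pattern from question 143: any public IP to every VM in the VNet on port 80. Built only to be checked, never applied.
$bad = New-AzNetworkSecurityRuleConfig -Name 'allow-http-anywhere' -Direction Inbound -Access Allow `
    -Protocol Tcp -Priority 100 -SourceAddressPrefix Internet -SourcePortRange * `
    -DestinationAddressPrefix VirtualNetwork -DestinationPortRange 80

# Scoped alternative: only the web subnet, only HTTPS. Port 80 stays closed by the default DenyAllInBound rule.
$good = New-AzNetworkSecurityRuleConfig -Name 'allow-https-web-tier' -Direction Inbound -Access Allow `
    -Protocol Tcp -Priority 100 -SourceAddressPrefix Internet -SourcePortRange * `
    -DestinationAddressPrefix $webTier -DestinationPortRange 443

"allow-http-anywhere broad: $(Test-BroadInboundRule $bad)"   # True
"allow-https-web-tier broad: $(Test-BroadInboundRule $good)" # False

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'nsg-web' -Location $vnet.Location -SecurityRules $good

# Set-AzVirtualNetworkSubnetConfig edits only the local $vnet object (AddressPrefix is mandatory, so re-read it) ...
$cfg = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet -AddressPrefix $cfg.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
# ... and Set-AzVirtualNetwork is what writes it to Azure (the step missing in question 142).
$vnet | Set-AzVirtualNetwork | Out-Null

# Verify from a fresh read of the VNet, not from the object you just modified.
$applied = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-prod' | Get-AzVirtualNetworkSubnetConfig -Name $subnet
if ($applied.NetworkSecurityGroup.Id -ne $nsg.Id) { throw "NSG not associated to $subnet" }
"NSG $($nsg.Name) associated to $subnet"
```

Comment out the final Set-AzVirtualNetwork line and the verification throws, which is exactly the symptom in question 142. The Test-BroadInboundRule check is also useful run over Get-AzNetworkSecurityGroup output to catch existing Internet-to-VirtualNetwork rules in a subscription.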

144
MCQmedium

Your company plans to use Microsoft Sentinel to manage security incidents. You need to design a solution that reduces alert fatigue by grouping related alerts into incidents. Which feature should you enable?

A.Analytics rule with alert grouping enabled
B.Watchlists to filter noisy alerts
C.Automation rules that trigger on alert creation
D.Playbooks that run on alert creation
AnswerA

Alert grouping in analytics rules combines related alerts into incidents.

Why this answer

Option A is correct: alert grouping in a scheduled analytics rule collapses alerts that match on all or selected entities within a lookback window into a single incident, which is the direct answer to alert fatigue. Option B is incorrect because watchlists are reference data for queries. Option C is incorrect because automation rules act on incidents and alerts (assign, tag, change severity, run playbooks) but do not merge them. Option D is incorrect because playbooks automate response, not grouping.
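Questions 140 and 144 describe the same object, a scheduled analytics rule, once for creating incidents from a detection and once for grouping the resulting alerts, so one added example serves both. It is not from the question bank: it assumes the Az.SecurityInsights module (the grouping switch names below follow that module's documented cmdlet and should be checked with Get-Help New-AzSentinelAlertRule), an authenticated session, an existing Sentinel workspace fed by the Office 365 connector, and placeholder names and a placeholder IP from the documentation range.

```powershell
# Added example: a scheduled analytics rule that creates an incident when a watched IP
# touches a sensitive application, with alert grouping enabled.
# Assumes Az.SecurityInsights, Connect-AzAccount already run; names and IP are placeholders.
$rg = 'rg-sec'
$ws = 'law-sentinel-prod'

# OfficeActivity is populated by the Office 365 connector; ClientIP and OfficeWorkload are its columns.
# The watched IP is inlined here; for more than a handful of addresses put them in a watchlist
# and replace the first line with: let watched_ips = _GetWatchlist('WatchedIPs') | project IPAddress;
$kql = @'
let watched_ip = "203.0.113.45";
let sensitive_apps = dynamic(["SharePoint", "Exchange"]);
OfficeActivity
| where ClientIP == watched_ip
| where OfficeWorkload in (sensitive_apps)
| summarize Hits = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
            by UserId, ClientIP, OfficeWorkload
'@

New-AzSentinelAlertRule -ResourceGroupName $rg -WorkspaceName $ws `
    -Kind Scheduled -Enabled `
    -DisplayName 'Watched IP access to sensitive app' `
    -Description 'Any SharePoint or Exchange access from the watched source IP' `
    -Severity Medium `
    -Query $kql `
    -QueryFrequency (New-TimeSpan -Minutes 5) `
    -QueryPeriod (New-TimeSpan -Minutes 5) `
    -TriggerOperator GreaterThan -TriggerThreshold 0 `
    -CreateIncident `
    -GroupingConfigurationEnabled `
    -LookbackDuration (New-TimeSpan -Hours 5)
```

QueryPeriod equal to QueryFrequency means each run looks at a fresh window, so the same event is not alerted on twice; the grouping settings then fold any alerts the rule raises within five hours into one incident instead of one incident per run. Without -CreateIncident the rule produces alerts only, which is the difference between "an alert fires" and "an incident is created" that question 140 is testing.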

145
Multi-Selecthard

Which THREE components are required to implement a secure Azure DevOps CI/CD pipeline that scans for secrets in code? (Choose three.)

Select 3 answers
A.Azure Artifacts to store packages.
B.GitHub Advanced Security for secret scanning.
C.Credential Scanner in Azure DevOps.
D.Azure Boards for tracking security issues.
E.Azure Key Vault to store secrets used in pipelines.
AnswersB, C, E

It scans repositories for secrets.

Why this answer

Option B is correct because GitHub Advanced Security for Azure DevOps adds secret scanning of repositories and push protection. Option C is correct because Credential Scanner (CredScan) is the Microsoft tool for finding committed credentials in a pipeline; note that it shipped in the Microsoft Security Code Analysis extension, which has since been retired in favour of GitHub Advanced Security. Option E is correct because secrets a pipeline needs belong in Azure Key Vault, referenced through a variable group or the AzureKeyVault task, not in code or plain pipeline variables. Option A is wrong because Azure Artifacts is a package feed. Option D is wrong because Azure Boards tracks work items.

146
MCQhard

Your organization has a Microsoft 365 E5 subscription and uses Microsoft Entra ID for identity. You need to implement a solution to secure privileged access to Azure resources, requiring just-in-time access and approval workflows. What should you configure?

A.Microsoft Defender for Identity
B.Azure AD administrative units
C.Microsoft Entra Conditional Access
D.Microsoft Entra Privileged Identity Management (PIM)
AnswerD

PIM enables just-in-time role activation with approval.

Why this answer

Option D is correct: PIM makes Entra ID and Azure roles eligible rather than permanently active; activation is time-bound and can require approval, MFA and a justification, and every activation is audited. Option A is wrong because Microsoft Defender for Identity detects threats against on-premises Active Directory. Option B is wrong because administrative units scope an administrator's permissions to a subset of users, groups or devices; they add no just-in-time activation. Option C is wrong because Conditional Access gates sign-in under conditions; it does not activate roles or run approval workflows (PIM can require a Conditional Access authentication context on activation, which complements rather than replaces it).

147
MCQeasy

Your organization is implementing a security baseline for Windows 11 devices using Microsoft Intune. You need to ensure that BitLocker encryption is enabled on all devices and that recovery keys are stored in Microsoft Entra ID. Which policy type should you configure?

A.Device configuration profile for administrative templates.
B.Endpoint security policy for disk encryption.
C.Update rings for Windows 10 and later.
D.Compliance policy for device encryption.
AnswerB

Endpoint security policies include BitLocker configuration and key storage settings.

Why this answer

Option B is correct: the Endpoint security > Disk encryption policy type configures BitLocker (encryption method, TPM requirement, silent enablement) and the escrow and rotation of recovery keys in Microsoft Entra ID. Option A is wrong because administrative templates cover general Windows settings rather than the managed BitLocker profile. Option C is wrong because update rings control Windows Update behaviour. Option D is wrong because a compliance policy only checks whether encryption is present (so Conditional Access can block non-compliant devices); it does not turn BitLocker on or escrow keys.

148
MCQmedium

Your company uses Microsoft Defender for Cloud to manage security across multiple subscriptions. You need to ensure that all subscriptions have at least one Defender plan enabled, and you want to enforce this centrally using Azure Policy. What is the best approach?

A.Use the Defender for Cloud continuous export feature to send compliance data to a Log Analytics workspace and create alerts.
B.Create an Azure Policy that denies creation of subscriptions that do not have Defender plans enabled.
C.Use Azure Blueprints to assign Defender plans to all subscriptions.
D.Create an Azure Policy that audits subscriptions without any Defender plans and then use a remediation task to enable the required plans.
AnswerD

Policy with remediation can enforce the configuration.

Why this answer

Option D is correct: a DeployIfNotExists (or Modify) policy assignment evaluates each subscription in scope, marks those without the plan non-compliant, and a remediation task runs the deployment on the existing non-compliant subscriptions. The assignment needs a managed identity holding the role the definition declares, and the remediation task matters because a new assignment only acts automatically on resources created after it. Option A is wrong because continuous export ships alerts and recommendations to a workspace or Event Hub; it enforces nothing. Option B is wrong because Azure Policy cannot deny subscription creation on that condition. Option C is wrong because Azure Blueprints is deprecated in favour of Template Specs and deployment stacks.
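The audit-then-remediate procedure from the correct answer, carried out at a management group in PowerShell. This is an added example, not from the question bank. It assumes the Az.Resources 7.x object shape (DisplayName, Id, PolicyRule and IdentityPrincipalId as top-level properties) and the Az.PolicyInsights module, a session with Resource Policy Contributor plus the right to create role assignments at the scope, and that a built-in definition whose display name begins "Configure Microsoft Defender for Servers" exists in the tenant; the management group name and location are placeholders.

```powershell
# Added example: assign a DeployIfNotExists definition with a managed identity, grant the
# role it declares, then remediate subscriptions that already exist.
# Assumes Az.Resources 7.x + Az.PolicyInsights, Connect-AzAccount already run; mg name is a placeholder.
$mg    = 'mg-prod'
$scope = "/providers/Microsoft.Management/managementGroups/$mg"

# Locate the built-in definition by display name rather than hard-coding a GUID.
$def = Get-AzPolicyDefinition -Builtin |
    Where-Object { $_.DisplayName -like 'Configure Microsoft Defender for Servers*' } |
    Select-Object -First 1
if (-not $def) { throw 'Built-in definition not found; adjust the display-name filter' }

# DeployIfNotExists runs as the assignment's managed identity, so one is required.
$assignment = New-AzPolicyAssignment -Name 'enable-defender-servers' `
    -DisplayName 'Enable Defender for Servers on every subscription' `
    -Scope $scope -PolicyDefinition $def -IdentityType SystemAssigned -Location 'westeurope'

# Grant exactly the roles the definition asks for (roleDefinitionIds in its then.details block), at the assignment scope.
foreach ($roleId in $def.PolicyRule.then.details.roleDefinitionIds) {
    $roleDefId = ($roleId -split '/')[-1]
    New-AzRoleAssignment -ObjectId $assignment.IdentityPrincipalId -RoleDefinitionId $roleDefId -Scope $scope | Out-Null
}

# Role assignments take a little time to propagate; a remediation started too early fails with an authorization error.
Start-Sleep -Seconds 60

# Assignment alone only covers resources created from now on; the remediation task applies it to existing subscriptions.
Start-AzPolicyRemediation -Name 'remediate-defender-servers' -ManagementGroupName $mg -PolicyAssignmentId $assignment.Id

# Check what is still non-compliant once the next evaluation has run.
Get-AzPolicyState -ManagementGroupName $mg `
    -Filter "PolicyAssignmentId eq '$($assignment.Id)' and ComplianceState eq 'NonCompliant'" |
    Select-Object SubscriptionId, ComplianceState, Timestamp
```

Reading roleDefinitionIds out of the definition instead of granting Owner or Contributor is the least-privilege point: the policy identity ends up with only what its deployment template needs, and the same loop works for any DeployIfNotExists or Modify definition.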

149
Multi-Selectmedium

Which THREE components are required to implement a Microsoft Sentinel solution that collects security logs from a multi-cloud environment including AWS and Azure? (Choose three.)

Select 3 answers
A.Log Analytics workspace
B.Microsoft Sentinel solution
C.Azure Monitor Agent (AMA)
D.AWS S3 data connector
E.Azure Arc
AnswersA, C, D

Sentinel is built on Log Analytics workspaces.

Why this answer

Option A is correct because the Log Analytics workspace is the data store that Sentinel is enabled on. Option C is correct because the Azure Monitor Agent, driven by data collection rules, collects Windows and Linux logs from Azure VMs (and, through Azure Arc, from servers elsewhere). Option D is correct because the Amazon Web Services S3 connector is how AWS logs such as CloudTrail, VPC Flow Logs and GuardDuty findings reach Sentinel; it requires an S3 bucket, an SQS queue and an IAM role that Sentinel assumes. Option B is not counted as a separate component here because enabling Sentinel on the workspace is the SIEM itself rather than an additional collector. Option E is not required because Azure Arc is only needed for agent-based collection from non-Azure servers, not for the AWS connector.

150
MCQmedium

Your organization plans to use Microsoft Defender for Cloud to protect hybrid workloads across Azure and on-premises servers. You need to ensure that security policies are consistently applied and that compliance status is monitored centrally. What should you configure?

A.Implement Azure Security Benchmark recommendations manually.
B.Create Azure Policy initiatives and assign them to management groups and subscriptions.
C.Configure security policies directly in Microsoft Defender for Cloud.
D.Deploy Azure Blueprints to assign policies to management groups.
AnswerB

Azure Policy enforces rules and effects across resources, including hybrid via Arc.

Why this answer

Option B is correct: Azure Policy initiatives assigned at management-group or subscription scope define and enforce the controls, and Azure Arc-enabled servers bring on-premises machines under the same evaluation so compliance is reported in one place. Option A is incorrect because the Azure Security Benchmark (now the Microsoft cloud security benchmark) is a set of recommendations, not an enforcement mechanism; Defender for Cloud applies it through a built-in initiative. Option C is incorrect because the security policies shown in Defender for Cloud are Azure Policy initiatives underneath, so assigning them through Azure Policy is the central mechanism. Option D is incorrect because Azure Blueprints is deprecated in favour of Template Specs and deployment stacks.
