CCNA Design security solutions for infrastructure Questions

75 of 231 questions · Page 3/4 · Design security solutions for infrastructure

151
Multi-Select · easy

Which TWO of the following are features of Azure DDoS Protection?

Select 2 answers
A. Cost protection for scaled resources during an attack
B. Web application firewall (WAF) capabilities
C. Site-to-site VPN connectivity
D. SSL termination and offloading
E. Adaptive tuning and mitigation of DDoS attacks
Answers: A, E

Provides cost protection for auto-scaling.

Why this answer

Option E is correct because DDoS Protection provides adaptive tuning and mitigation. Option A is correct because it offers cost protection for scaled resources during an attack. Option B is wrong because DDoS Protection does not provide a web application firewall (WAF is a separate service).

Option D is wrong because DDoS Protection does not provide SSL termination. Option C is wrong because DDoS Protection is not a VPN service.

152
Multi-Select · medium

Which TWO actions should you take to secure an Azure Kubernetes Service (AKS) cluster using Microsoft Defender for Cloud?

Select 2 answers
A. Apply built-in Azure Policy initiatives for AKS
B. Enable private cluster mode
C. Configure Network Security Groups (NSGs) on AKS subnets
D. Enable Microsoft Defender for Containers
E. Deploy Azure Firewall in the AKS virtual network
Answers: A, D

Azure Policy ensures cluster compliance with security best practices.

Why this answer

Options A and D are correct because enabling Defender for Containers provides threat detection, and Azure Policy with built-in AKS policies ensures compliance. Option C is wrong because AKS does not support NSGs; network policies are used. Option E is wrong because Azure Firewall is not required for AKS security.

Option B is wrong because private clusters limit public access but are not a Defender feature.

153
MCQ · hard

Refer to the exhibit. You are designing a security solution for Azure SQL Database. The exhibit shows an Azure Policy definition. When this policy is assigned, which problem might occur?

A. The policy will fail because the audit settings resource name 'default' is invalid.
B. The remediation deployment will fail because the storage account key is missing.
C. The existenceCondition will never evaluate to true because the field name is misspelled.
D. The policy will only audit non-compliant servers without remediation.
Answer: B

When enabling auditing to a storage account, the access key or managed identity must be provided.

Why this answer

Option B is correct because the template uses a parameter for storageEndpoint but does not specify a storageAccountAccessKey or use a managed identity, so the audit logs cannot be written to the storage account. Option A is wrong because 'default' is the correct name for the audit settings child resource. Option D is wrong because the policy uses DeployIfNotExists, not AuditIfNotExists.

Option C is wrong because the existenceCondition checks for 'Enabled', which is correct.

154
MCQ · easy

You are designing a secure infrastructure for an e-commerce platform hosted on Azure. The platform must meet PCI DSS compliance. Which Azure service should you use to centrally manage and monitor security policies across subscriptions?

A. Azure Policy
B. Azure Firewall
C. Microsoft Defender for Cloud
D. Azure Blueprints
Answer: A

Azure Policy provides centralized policy management and compliance assessment across Azure subscriptions.

Why this answer

Option A is correct because Azure Policy allows you to enforce compliance rules across subscriptions. Option D is wrong because Azure Blueprints is deprecated; Azure Policy is the current recommendation. Option B is wrong because Azure Firewall is a network security appliance, not a policy management tool.

Option C is wrong because Azure Security Center is now part of Defender for Cloud, which uses policies, but the core policy engine is Azure Policy.

155
MCQ · easy

A company uses Azure Firewall to protect their virtual network. They need to allow outbound HTTPS traffic to a specific external website while blocking all other outbound traffic. What should they configure?

A. Add an Application Rule with the destination FQDN of the website.
B. Add a Network Rule with the destination IP address and port 443.
C. Add a Threat Intelligence rule to allow the website's domain.
D. Add a DNAT Rule to translate the traffic to the website's IP.
Answer: A

Application Rules use FQDNs to allow outbound HTTP/HTTPS.

Why this answer

Option A is correct because Application Rules filter outbound traffic based on FQDN (e.g., *.contoso.com). Option B is wrong because Network Rules filter based on IP addresses/ports, not FQDNs. Option D is wrong because DNAT rules are for inbound traffic.

Option C is wrong because Threat Intelligence rules block known malicious IPs/FQDNs; they do not allow specific ones.

156
MCQ · hard

Your organization is designing a hybrid identity infrastructure with Microsoft Entra ID. You need to ensure that users can access on-premises applications using passwordless authentication and that the solution minimizes latency for authentication requests. What should you implement?

A. Join the on-premises servers to Microsoft Entra Domain Services and use passwordless authentication.
B. Use Microsoft Entra application proxy to publish the on-premises applications and enable passwordless authentication.
C. Install Web Application Proxy (WAP) on-premises and integrate with Microsoft Entra ID for passwordless.
D. Deploy a VPN and use Microsoft Entra ID with passwordless sign-in.
Answer: B

Entra application proxy publishes on-prem apps with SSO and passwordless support, minimizing latency by proxying through Entra ID.

Why this answer

Option B is correct because Microsoft Entra application proxy provides secure remote access to on-premises web applications without requiring a VPN, and it can leverage passwordless authentication through Microsoft Entra ID. Option D is wrong because a VPN introduces latency and does not inherently support passwordless. Option A is wrong because Microsoft Entra Domain Services is for domain-joined VMs, not for publishing apps.

Option C is wrong because Web Application Proxy is a legacy on-premises component that does not integrate with passwordless.

157
Multi-Select · medium

Which THREE of the following are best practices for securing Azure Kubernetes Service (AKS) clusters? (Choose three.)

Select 3 answers
A. Enable Azure Policy for AKS to enforce pod security
B. Use managed identities for pod authentication
C. Store secrets in ConfigMaps
D. Enable network policies to restrict pod traffic
E. Disable Kubernetes RBAC to simplify management
Answers: A, B, D

Azure Policy can enforce security standards.

Why this answer

Option A (enable Azure Policy for AKS), Option B (use managed identities), and Option D (enable network policies) are best practices. Option E is incorrect because RBAC should be enabled, not disabled. Option C is incorrect because secrets should be stored in Azure Key Vault, not in plain text in ConfigMaps.

158
MCQ · hard

You are a security architect for a large financial services company. The company has a hybrid identity infrastructure with on-premises Active Directory and Microsoft Entra ID (Azure AD). They have recently suffered a password spray attack that compromised several accounts. Management wants to implement a Zero Trust security model and has mandated the following requirements:

1. All user authentication must be protected by phishing-resistant MFA.
2. Legacy authentication protocols must be blocked.
3. All sign-in risks must be detected and automatically remediated.

The current environment includes:

- Microsoft 365 E5 licenses for all users.
- Microsoft Entra ID P2 licenses.
- On-premises Active Directory with password hash sync.
- Azure AD Application Proxy for publishing on-premises apps.
- A third-party VPN solution for remote access.

You need to design a solution that meets the requirements. What should you do?

A. Enable Azure AD MFA with phone call for all users. Use Conditional Access to block legacy authentication. Use Identity Protection to detect risks and require MFA again.
B. Enable Azure AD MFA with the Microsoft Authenticator app (OATH TOTP). Use Conditional Access to block legacy authentication and require MFA. Configure Identity Protection to alert on risky sign-ins.
C. Deploy FIDO2 security keys to all users. Configure Conditional Access to block legacy authentication. Use Identity Protection to detect risks and send alerts to the SOC.
D. Deploy Windows Hello for Business for all users. Configure Conditional Access policies to block legacy authentication and require MFA for all cloud apps. Use Entra ID Protection to detect risky sign-ins and automatically require password change or block access.
Answer: D

Windows Hello for Business is phishing-resistant; Conditional Access blocks legacy auth and enforces MFA; Identity Protection handles risk detection and remediation.

Why this answer

Option D is correct because Windows Hello for Business is a phishing-resistant MFA method. Entra ID Conditional Access can block legacy authentication and enforce risk-based policies. Entra ID Protection detects sign-in risks and can automatically block access or require a password change.

Option B is wrong because the Authenticator app (OATH TOTP) is not phishing-resistant (it is vulnerable to MFA fatigue). Option C is wrong because FIDO2 security keys are phishing-resistant but they are hardware tokens, not recommended for all users; also, the scenario does not mention a hardware deployment. Option A is wrong because Azure AD MFA with a phone call is not phishing-resistant.

159
MCQ · medium

Your company is designing a hybrid identity solution using Microsoft Entra ID. You need to ensure that users can access on-premises applications using modern authentication methods. The solution must support multi-factor authentication and Conditional Access policies. What should you implement?

A. Microsoft Entra Connect
B. Microsoft Entra application proxy
C. Azure AD Domain Services
D. Microsoft Intune
Answer: B

Microsoft Entra application proxy publishes on-premises apps to external users with modern authentication.

Why this answer

Option B is correct because Microsoft Entra application proxy provides secure remote access to on-premises web applications without requiring a VPN. It supports modern authentication, MFA, and Conditional Access. Option A is wrong because Microsoft Entra Connect is for directory synchronization, not application publishing.

Option C is wrong because Azure AD Domain Services provides domain services like LDAP, not application proxy. Option D is wrong because Microsoft Intune is for device management, not application access.

160
MCQ · medium

A company is designing a security solution for their hybrid infrastructure that includes on-premises servers and Azure virtual machines. They need to ensure that all administrative access to servers is just-in-time (JIT) and just-enough-administration (JEA). Which Azure service should they use?

A. Azure Bastion
B. Microsoft Entra ID Privileged Identity Management
C. Azure Policy
D. Microsoft Defender for Cloud
Answer: D

Correct: Provides JIT VM access and JEA via Azure Arc.

Why this answer

Microsoft Defender for Cloud provides JIT VM access and JEA capabilities through Azure Arc for on-premises servers, making it the correct choice. Azure AD Privileged Identity Management (PIM) is for user roles, not server access. Azure Bastion provides secure RDP/SSH access but not JIT.

Azure Policy is for compliance, not JIT access.

161
MCQ · hard

Refer to the exhibit. You are reviewing an Azure Policy definition that is assigned to a subscription. What is the primary effect of this policy?

A. It modifies the OS disk to use a specific disk encryption set.
B. It deploys a disk encryption set to each virtual machine.
C. It denies creation of virtual machines without the specified disk encryption set.
D. It audits virtual machines that do not use the specified disk encryption set.
Answer: A

The policy adds/replaces the diskEncryptionSet.id field on the OS disk.

Why this answer

The policy uses the 'modify' effect to add or replace the disk encryption set ID on any virtual machine's OS disk managed disk. This ensures VMs use a specific encryption set. 'deployIfNotExists' would deploy a resource, 'audit' would only log, 'deny' would block creation.

162
MCQ · hard

Refer to the exhibit. You are reviewing a KQL query in Microsoft Sentinel. What is the primary purpose of this query?

A. List all administrator accounts that logged in
B. Identify failed logon attempts across all computers
C. Find the most common event IDs across all computers
D. Count security events per user, per computer, per event type in the last hour
Answer: D

The query groups by Account, Computer, and EventID to count each combination.

Why this answer

The query filters SecurityEvent for user accounts in the last hour, then summarizes the count of events by Account, Computer, and EventID, so Option D is correct. Option B is incorrect because the query does not filter for failed logons.

Option A is incorrect because the query does not filter for admin accounts. Option C is incorrect because it does not filter for specific event IDs.

163
MCQ · medium

You are designing a secure CI/CD pipeline for Azure using GitHub Actions. You need to ensure that secrets (e.g., Azure service principal credentials) are stored securely and accessed only by authorized actions. What should you use?

A. Use GitHub Actions secrets to store the credentials.
B. Use Azure AD managed identities for GitHub Actions.
C. Store secrets in Azure Key Vault and access them using a service principal secret stored in GitHub.
D. Store secrets as environment variables in the GitHub repository.
Answer: A

Secrets are encrypted and scoped.

Why this answer

Option A is correct because GitHub Actions secrets are encrypted and can be scoped to repositories or environments. Option D is wrong because storing secrets in the repository is insecure. Option C is wrong because Key Vault can be accessed from GitHub Actions via a secret, but the primary secure storage for GitHub is secrets.

Option B is wrong because managed identities are not directly usable in GitHub Actions without a secret to authenticate.

164
Multi-Select · hard

You are designing a secure data exfiltration protection solution for Azure Storage accounts. You need to prevent data from being copied to unauthorized external locations. Which THREE controls should you implement?

Select 3 answers
A. Enable Microsoft Defender for Storage and configure alerts for anomalous data extraction.
B. Deploy Azure Firewall with application rules to allow only approved FQDNs.
C. Configure network security groups (NSGs) on subnets to deny outbound traffic to the internet.
D. Use Azure Private Endpoints for all storage accounts.
E. Enable soft delete and versioning for blobs.
Answers: A, B, C

Detects suspicious data transfer patterns.

Why this answer

Option C is correct because NSGs can restrict egress traffic at the subnet level. Option B is correct because Azure Firewall can inspect outbound traffic and block unauthorized destinations. Option A is correct because Microsoft Defender for Storage alerts on anomalous data transfers.

Option D is wrong because private endpoints do not prevent exfiltration; they prevent public access. Option E is wrong because soft delete is for recovery, not exfiltration prevention.

165
MCQ · easy

Refer to the exhibit. A KQL query in Microsoft Sentinel is used to detect potential brute-force attacks. What does this query detect?

A. Local logon attempts from multiple accounts
B. Failed logon attempts from multiple IPs
C. Successful remote logon attempts from a single IP exceeding 10
D. Failed logon attempts from a single IP
Answer: C

Filters for successful remote logons grouped by IP and account with count >10.

Why this answer

Option C is correct: the query filters for successful logon events (4624) with LogonType 10 (remote interactive), then summarizes by account and IP address, and filters for more than 10 attempts. This detects potential brute-force attacks. Option A is wrong because the query looks for remote logons (type 10), not local ones.

Options B and D are wrong because the query looks for successful logons, not failures.

166
MCQ · easy

Your organization uses Microsoft Purview to classify sensitive data in Azure storage. You need to ensure that a file containing PII is automatically protected when uploaded to an Azure Blob Storage account. What should you use?

A. Microsoft Purview retention labels
B. Microsoft Purview Information Protection sensitivity labels manually applied
C. Microsoft Purview Data Policy with auto-labeling
D. Azure Information Protection unified labeling client
Answer: C

Purview Data Policy can automatically apply sensitivity labels and encryption.

Why this answer

Option C is correct because Purview Data Policy can enforce auto-labeling and protection based on classification. Option B is incorrect because manually applied sensitivity labels alone do not trigger protection automatically. Option D is incorrect because Azure Information Protection is now part of Purview.

Option A is incorrect because retention labels are for retention, not protection.

167
Multi-Select · easy

Your organization uses Microsoft Sentinel for security operations. You need to design a solution to detect and respond to lateral movement attempts using pass-the-hash attacks. Which TWO data sources should you enable in Microsoft Sentinel to best detect this activity?

Select 2 answers
A. Office 365 Audit Logs
B. Windows Security Events via Azure Monitor Agent
C. DNS query logs
D. Microsoft Defender for Identity alerts
E. Azure Activity Log
Answers: B, D

Windows Security Events include Event ID 4624 (logon) and 4625 (failed logon) that can indicate pass-the-hash when combined with anomalous source workstations.

Why this answer

Option B (Windows Security Events) logs NTLM authentication events that can reveal pass-the-hash attempts. Option D (Microsoft Defender for Identity) provides advanced behavioral analytics to detect lateral movement. Option E (Azure Activity Log) covers Azure resource operations, not on-premises lateral movement.

Option A (Office 365 Audit Logs) covers cloud app activity. Option C (DNS query logs) helps with network detection but is not the best source for pass-the-hash.

168
Multi-Select · medium

A company is designing a secure baseline for Azure VMs using Azure Policy and Microsoft Defender for Cloud. Which TWO recommendations should you include to ensure VMs are protected against common threats?

Select 2 answers
A. Configure Azure Backup for all VMs
B. Deploy the Log Analytics agent on all VMs
C. Enable just-in-time (JIT) VM access
D. Enable Azure Site Recovery
E. Use Azure Disk Encryption with Azure Key Vault
Answers: B, C

The agent is required for Defender for Cloud to detect threats and collect security events.

Why this answer

Enabling just-in-time (JIT) VM access reduces attack surface by blocking inbound traffic to management ports. Deploying the Log Analytics agent is required for Defender for Cloud to collect security data. The other options are either not security baselines or not VM-specific.

169
MCQ · easy

You need to design a backup and disaster recovery solution for Azure virtual machines that meets a recovery time objective (RTO) of 15 minutes and a recovery point objective (RPO) of 1 hour. Which Azure service should you use?

A. Azure Site Recovery
B. Azure managed disk
C. Azure VM snapshot
D. Azure Backup
Answer: A

Azure Site Recovery supports low RPO and RTO for disaster recovery.

Why this answer

Option A is correct because Azure Site Recovery provides replication with an RPO as low as 30 seconds and an RTO typically within minutes. Option D is wrong because Azure Backup provides longer RPO and RTO, typically hours. Option C is wrong because Azure VM snapshots are manual.

Option B is wrong because Azure managed disks do not provide replication.

170
Multi-Select · easy

You are designing a backup strategy for Azure virtual machines using Azure Backup. The solution must support cross-region restore and provide 10 years of retention for compliance. Which THREE features should you enable? (Choose THREE.)

Select 3 answers
A. Cross-Region Restore
B. Azure Site Recovery replication
C. Soft Delete
D. Immutable vault
E. Archive Tier
Answers: A, D, E

Allows restoring backups in a paired Azure region.

Why this answer

Options A, D, and E are correct. Cross-Region Restore (A) enables restoring to a paired region. Archive Tier (E) allows retention up to 10 years.

Immutable vault (D) prevents deletion of backups. Option B is wrong because Azure Site Recovery is for disaster recovery, not backup retention. Option C is wrong because soft delete is for accidental deletion protection, not for long-term retention.

171
MCQ · medium

Your organization uses Microsoft Sentinel to monitor hybrid workloads. You need to design a solution to detect lateral movement attempts from compromised on-premises servers to Azure VMs. Which data connector should you prioritize?

A. Syslog via AMA
B. Office 365 Logs
C. Windows Security Events via AMA
D. Azure Activity Log
Answer: C

Captures security events like logons, which are critical for lateral movement detection.

Why this answer

Option C is correct because the Windows Security Events via AMA connector provides the necessary event IDs (e.g., 4624, 4625) for lateral movement detection on Azure VMs. Option D is wrong because Azure Activity Log does not capture OS-level events. Option A is wrong because Syslog via AMA covers Linux but not Windows.

Option B is wrong because the Office 365 connector is for cloud app activity.

172
MCQ · easy

Your organization uses Microsoft Defender for Office 365. You need to design a solution to protect users from malicious links in email. What should you configure?

A. Anti-spam policy
B. Safe Attachments policy
C. Safe Links policy
D. Anti-phishing policy
Answer: C

Safe Links protects against malicious URLs.

Why this answer

Option C is correct because Safe Links in Defender for Office 365 scans and blocks malicious links in real time. Option B is incorrect because Safe Attachments is for attachments. Option A is incorrect because anti-spam policies handle spam.

Option D is incorrect because anti-phishing policies handle phishing, not links specifically.

173
MCQ · medium

Refer to the exhibit. The NSG is applied to a subnet containing Azure SQL databases. You notice that traffic from the internet to the databases is not being denied. What is the most likely reason?

A. The rule should be Allow to deny traffic
B. The destinationAddressPrefix should be '*' instead of 'VirtualNetwork'
C. The priority of the Deny rule is too low (100)
D. The direction should be Outbound
Answer: B

SQL databases are not in a VNet by default; use '*' to cover all destinations.

Why this answer

Option B is correct because the destinationAddressPrefix is 'VirtualNetwork', but SQL databases are not in a virtual network by default; they are PaaS services with a public endpoint. Option C is wrong because priority 100 is high. Option A is wrong because the rule already explicitly denies traffic.

Option D is wrong because the direction is inbound.

174
MCQ · easy

Your organization is implementing a zero-trust network strategy. You need to ensure that all network traffic between Azure virtual machines is encrypted and authenticated at the IP layer, regardless of the virtual network they are in. Which Azure feature should you configure?

A. Azure Service Endpoints
B. Azure VPN Gateway
C. Azure Private Link
D. Azure Virtual Network encryption
Answer: D

This feature encrypts traffic between VMs using IPsec, meeting zero-trust requirements.

Why this answer

Azure Virtual Network encryption provides IPsec encryption for traffic between VMs within the same virtual network or peered virtual networks. Service endpoints use public IPs. Private Link is for accessing PaaS services privately.

VPN Gateway is for site-to-site.

175
MCQ · hard

Your organization is a large financial services company with a hybrid infrastructure consisting of on-premises servers and Azure IaaS. You are tasked with designing a security solution for infrastructure that meets the following requirements:

- All administrative access to Azure resources must be just-in-time (JIT) and just-enough-access (JEA).
- All on-premises servers must be managed centrally with consistent security policies.
- All network traffic between on-premises and Azure must be encrypted and inspected for threats.
- All privileged access must be monitored and audited.

You have the following services available: Microsoft Entra ID, Microsoft Defender for Cloud, Azure Firewall, Azure Bastion, Microsoft Sentinel, Azure Arc, Azure Policy, Microsoft Defender for Identity, and Microsoft Entra Privileged Identity Management (PIM). Which combination of services should you use to meet all requirements?

A. Use Azure Bastion for administrative access, Azure Automation for on-prem management, Azure VPN Gateway for encrypted traffic, and Microsoft Sentinel for monitoring.
B. Use Microsoft Entra PIM for JIT access, Azure Arc to extend Azure Policy to on-prem servers, Azure Firewall with threat intelligence for traffic inspection, and Microsoft Defender for Identity for monitoring privileged access.
C. Use Microsoft Sentinel for all aspects, including JIT via playbooks, Azure Arc for management, Azure Firewall for traffic, and Azure Policy for compliance.
D. Use Microsoft Entra roles with permanent assignments, Azure Site Recovery for on-premises management, Azure ExpressRoute for encrypted traffic, and Microsoft Defender for Cloud for monitoring.
Answer: B

PIM provides JIT/JEA; Arc brings Azure Policy to on-prem; Firewall inspects traffic; Defender for Identity monitors AD.

Why this answer

Option B is correct: PIM provides JIT/JEA for Azure roles; Azure Arc enables management of on-prem servers with Azure Policy; Azure Firewall with threat intelligence can inspect encrypted traffic; Microsoft Defender for Identity monitors on-prem AD for privileged attacks. Option A is incorrect: Azure Bastion provides secure RDP/SSH but does not provide JIT/JEA, and Azure VPN Gateway does not inspect traffic.

Option C is incorrect: Microsoft Sentinel is a SIEM, not a JIT mechanism.

176
MCQ · medium

You are designing a security solution for a critical Azure SQL Database that must be protected against data exfiltration by a compromised admin account. The solution must ensure that even a database administrator cannot copy data to an external storage account. Which Azure service should you configure?

A. Always Encrypted
B. Azure SQL Database firewall rules
C. Microsoft Purview Data Loss Prevention
D. Azure Information Protection
Answer: C

DLP policies can monitor and block sensitive data from being copied or exported.

Why this answer

Option C is correct because Microsoft Purview Data Loss Prevention (DLP) policies can be applied to Azure SQL Database to detect and block sensitive data exfiltration attempts. Option B is wrong because Azure SQL Database firewall rules control network access, not data exfiltration. Option A is wrong because Always Encrypted protects data at rest and in use but does not prevent copying.

Option D is wrong because Azure Information Protection (now integrated into Purview) is for classification and labeling, not real-time blocking.

177
MCQ · easy

Your organization uses Microsoft Defender for Cloud to assess the security posture of Azure resources. The security team wants to ensure that all virtual machines are covered by Defender for Cloud's vulnerability assessment capabilities. Which plan must be enabled?

A. Microsoft Defender for Storage
B. Microsoft Defender for Servers Plan 2
C. Microsoft Defender for Cloud Apps
D. Defender Cloud Security Posture Management (CSPM)
Answer: B

Plan 2 includes vulnerability assessment, just-in-time VM access, and other advanced features.

Why this answer

Option B is correct because Defender for Servers Plan 2 includes the integrated vulnerability assessment powered by Qualys or Microsoft Defender Vulnerability Management. Option D is wrong because Defender CSPM covers cloud security posture management but not VM-specific vulnerability assessment. Option C is wrong because Defender for Cloud Apps (now part of Defender XDR) focuses on SaaS applications.

Option A is wrong because Defender for Storage protects storage accounts.

178
MCQ · hard

You are the security architect for a company that has a hybrid identity infrastructure with Microsoft Entra ID (formerly Azure AD) and an on-premises Active Directory Domain Services (AD DS) forest. The company is planning to migrate several line-of-business (LOB) applications to Azure Virtual Machines. The applications currently use Windows Integrated Authentication (WIA) and rely on Kerberos delegation. You need to design a solution that allows the Azure VMs to authenticate on-premises users and access on-premises resources using Kerberos constrained delegation (KCD) without exposing on-premises domain controllers to the internet. The solution must minimize latency and administrative overhead. You have configured Azure ExpressRoute for connectivity between the on-premises network and Azure. What should you do?

A. Deploy domain controllers as Azure VMs in the same virtual network as the application VMs. Configure the application VMs to use these domain controllers for authentication and KCD.
B. Implement Azure AD Application Proxy to publish the applications and use Azure AD for authentication.
C. Use Azure AD Domain Services to provide domain join and KCD capabilities for the Azure VMs.
D. Configure the application VMs to use the on-premises domain controllers over ExpressRoute for authentication and KCD.
Answer: A

This provides low-latency access to domain controllers and supports KCD without exposing on-premises DCs.

Why this answer

Option A is correct because deploying domain controllers as Azure VMs in the same virtual network as the application VMs allows them to use KCD with low latency, and ExpressRoute ensures secure connectivity without exposing on-premises DCs. Option C is wrong because Azure AD Domain Services provides managed domain services but does not support full KCD and may not meet all application requirements. Option D is wrong because using only ExpressRoute means the VMs would have to communicate with on-premises DCs over the WAN, potentially increasing latency.

Option B is wrong because Azure AD Application Proxy is for publishing on-premises apps, not for authentication delegation.

179
MCQ · hard

Your company uses Azure Firewall to filter outbound traffic from a virtual network. You need to allow only HTTP and HTTPS traffic to specific FQDNs, while blocking all other outbound traffic. Which Azure Firewall rule type should you use?

A. NAT rule
B. Application rule
C. Threat intelligence rule
D. Network rule
Answer: B

Application rules allow filtering by FQDN for HTTP/HTTPS.

Why this answer

Option B is correct because application rules allow filtering based on FQDNs for HTTP/HTTPS. Option D is wrong because network rules filter by IP/port, not FQDN. Option A is wrong because NAT rules only translate addresses.

Option C is wrong because threat intelligence rules block known malicious IPs.

180
MCQ · hard

You are designing a secure solution for an Azure Kubernetes Service (AKS) cluster that hosts a critical application. You need to ensure that pods can only communicate with specific back-end services and that traffic is encrypted. What should you implement?

A. Implement Kubernetes network policies and enable mTLS using a service mesh like Istio or Linkerd.
B. Use network security groups (NSGs) on the subnet.
C. Configure Azure Application Gateway Ingress Controller.
D. Deploy Azure Firewall and configure application rules.
Answer: A

Network policies restrict communication; mTLS encrypts it.

Why this answer

Option C is correct because network policies in AKS control pod-to-pod communication, and mutual TLS (mTLS) with a service mesh encrypts traffic. Option A is wrong because Azure Firewall controls ingress/egress, not pod-to-pod. Option B is wrong because NSGs are for subnet-level, not pod-level.

Option D is wrong because App Gateway is for ingress.

181
MCQ · medium

Your organization plans to deploy Microsoft Defender for Cloud to protect hybrid workloads. You need to design the agentless scanning deployment for Azure VMs running SQL Server. What should you configure?

A. In Microsoft Defender for Cloud, enable the 'defenderForSql' plan and set the 'agentlessScanning' property to 'true'.
B. Deploy the Log Analytics agent on each SQL Server VM.
C. Enable SQL Vulnerability Assessment in Microsoft Defender for Cloud.
D. Configure Azure Policy to assign the 'Enable Defender for Cloud for SQL Servers' initiative.
Answer: A

This directly enables agentless scanning for SQL Server on Azure VMs.

Why this answer

Agentless scanning for SQL Server on Azure VMs is enabled via defenderForSql in the Defender plan, not via Azure Policy or SQL Vulnerability Assessment. Option A is correct because it directly enables agentless scanning. Option D is wrong because Azure Policy can enforce scanning but is not the configuration mechanism.

Option C is wrong because SQL Vulnerability Assessment is a separate feature. Option B is wrong because deploying an agent is not how agentless scanning is enabled, and just enabling Defender for Cloud does not automatically scan SQL.

182
MCQ · easy

You need to design a solution to protect Azure VMs from malware and vulnerabilities. Which Microsoft service should you use?

A. Microsoft Defender for Cloud
B. Microsoft Purview
C. Microsoft Sentinel
D. Microsoft Intune
Answer: A

Defender for Cloud offers VM protection features like antimalware and vulnerability scanning.

Why this answer

Option A is correct because Microsoft Defender for Cloud provides threat detection, vulnerability assessment, and antimalware for VMs. Option C is wrong because Microsoft Sentinel is a SIEM. Option D is wrong because Microsoft Intune is for device management.

Option B is wrong because Microsoft Purview is for data governance.

183
MCQ · easy

Your company plans to migrate on-premises servers to Azure. You need to ensure that the migrated servers are protected against malware and vulnerabilities. Which Microsoft Defender for Cloud plan should you enable for the Azure VMs?

A. Microsoft Defender for SQL
B. Microsoft Defender for Storage
C. Microsoft Defender for Containers
D. Microsoft Defender for Servers
Answer: D

Defender for Servers protects VMs with malware and vulnerability scanning.

Why this answer

Option D is correct because Microsoft Defender for Servers provides malware protection, vulnerability assessment, and threat detection for Azure VMs. Option C is wrong because Defender for Containers is for container workloads. Option B is wrong because Defender for Storage is for storage accounts.

Option A is wrong because Defender for SQL is for SQL databases.

184
MCQ · medium

A company uses Azure Arc to manage on-premises servers. The security team wants to enforce that all servers (on-premises and Azure) have Microsoft Defender for Endpoint installed and running. Which solution should you use to ensure compliance across hybrid environments?

A. Microsoft Intune
B. Azure Policy with Guest Configuration
C. Azure Update Manager
D. Microsoft Defender for Cloud
Answer: B

Azure Policy with Guest Configuration can audit and enforce settings on hybrid servers.

Why this answer

Option B is correct because Azure Policy with Guest Configuration can audit and enforce configurations on Azure Arc-enabled servers. Option A is wrong because Microsoft Intune manages mobile devices and PCs, not servers. Option D is wrong because Microsoft Defender for Cloud provides security recommendations but cannot enforce configuration compliance.

Option C is wrong because Azure Update Manager focuses on patching, not endpoint protection enforcement.

185
MCQ · medium

You are a security architect for a software development company. The company uses GitHub for source control and Azure DevOps for CI/CD. They have a large number of repositories and want to ensure that secrets (e.g., API keys, connection strings) are never committed to code. They also want to scan pull requests for secrets before merging. The company has Microsoft Defender for Cloud and Microsoft Purview available. You need to design a solution that prevents secret leaks. What should you use?

A. Enable Microsoft Defender for Cloud's 'Secrets scanning' feature for GitHub repositories.
B. Use Azure Key Vault to store secrets and enforce policies that require developers to use Key Vault references.
C. Use Microsoft Purview Information Protection to scan repositories and classify secrets.
D. Enable GitHub secret scanning for all repositories. Configure push protection to block commits containing secrets. Use custom patterns to scan for company-specific secrets.
Answer: D

GitHub secret scanning can detect and block secrets in code.

Why this answer

Option D is correct because GitHub secret scanning is built into GitHub and can scan for known secret patterns; it can also be extended with custom patterns, and push protection can block pushes that contain secrets. Option B is wrong because Azure Key Vault is a store for secrets, not a scanning tool.

Option A is wrong because Defender for Cloud does not scan GitHub repositories for secrets. Option C is wrong because Microsoft Purview Information Protection is for data classification, not secret scanning in code.

186
Multi-Select · easy

Which TWO of the following are valid methods to enforce multifactor authentication (MFA) for users accessing Microsoft 365 services? (Choose two.)

Select 2 answers
A. Privileged Identity Management (PIM)
B. Security defaults
C. Identity Protection policies
D. Per-user MFA in the Microsoft 365 admin center
E. Conditional Access policies
Answers: D, E

Admins can enable MFA for individual users.

Why this answer

Option D is correct because per-user MFA can be enabled in the Microsoft 365 admin center. Option E is correct because Conditional Access policies can require MFA based on conditions. Option B is wrong because security defaults enforce MFA for all users, but it is not a per-user method; it is a tenant-level setting.

Option A is wrong because Privileged Identity Management (PIM) manages role activation, not MFA enforcement. Option C is wrong because Azure AD Identity Protection detects risk, but MFA enforcement is done via Conditional Access.

187
MCQ · hard

Your company has a Microsoft Defender for Cloud environment with Azure Arc-enabled on-premises servers. The security team wants to ensure that all servers have the Log Analytics agent installed and that missing updates are automatically remediated for critical vulnerabilities. Which policy initiative should you assign to the management group containing these servers?

A. Azure Policy for Kubernetes
B. CIS Microsoft Azure Foundations Benchmark
C. NIST SP 800-53 R5
D. Azure Security Benchmark
Answer: D

This initiative includes policies for deploying the Log Analytics agent and remediating vulnerabilities.

Why this answer

The Azure Security Benchmark initiative includes policies for agent installation and vulnerability remediation. The other options are either not policy initiatives or focus on different aspects like container security or regulatory compliance.

188
Multi-Select · medium

Your company plans to use Microsoft Defender for Cloud to protect its Azure resources. You need to enable just-in-time (JIT) VM access to reduce the attack surface. Which TWO configurations are required to implement JIT access?

Select 2 answers
A. Enable JIT VM access in Microsoft Defender for Cloud.
B. Deploy Azure Bastion for secure RDP/SSH connectivity.
C. Configure a Log Analytics workspace to collect JIT logs.
D. Assign an Azure Policy that requires JIT access on VMs.
E. Create a network security group (NSG) that allows all inbound traffic.
Answers: A, D

JIT must be enabled in Defender for Cloud for the VMs.

Why this answer

Option A is correct because JIT access requires enabling it in Defender for Cloud for the VMs. Option D is correct because JIT access requires an Azure Policy to enforce the JIT configuration. Option E is wrong because a network security group (NSG) is used, but it is not a separate requirement; JIT automatically configures NSG rules.

Option B is wrong because Azure Bastion is a separate service for secure RDP/SSH access, not required for JIT. Option C is wrong because a Log Analytics workspace is used for monitoring, but not required for JIT.

189
Multi-Select · easy

Which THREE features of Microsoft Defender for Cloud help secure Azure Kubernetes Service (AKS) clusters? (Select three.)

Select 3 answers
A. Advanced threat protection for Azure Cosmos DB
B. Azure Defender for Kubernetes (cluster hardening)
C. Vulnerability assessment for container images
D. DDoS Protection Standard
E. Runtime threat detection for AKS clusters
Answers: B, C, E

Provides threat detection and hardening recommendations for AKS.

Why this answer

Azure Defender for Kubernetes (now part of Microsoft Defender for Cloud's cloud workload protection) provides cluster hardening recommendations by assessing AKS cluster configurations against industry benchmarks like CIS. It identifies misconfigurations such as overly permissive RBAC roles, insecure network policies, or unencrypted secrets, and offers remediation steps to reduce the attack surface.

Exam trap

The trap here is that candidates may confuse general Azure security services (like DDoS Protection) or unrelated Defender plans (like Cosmos DB) with the specific Defender for Cloud features that directly protect AKS workloads, leading them to select options that are technically valid Azure services but not applicable to AKS cluster security.

190
MCQ · hard

Your company is implementing a zero-trust network architecture in Azure. You need to ensure that all network traffic between virtual machines is encrypted and authenticated, regardless of the virtual network they reside in. What should you implement?

A. Azure VPN Gateway
B. Azure Virtual Network encryption
C. Network Security Groups (NSGs)
D. Azure Firewall
Answer: B

Virtual Network encryption encrypts all intra-VNet traffic.

Why this answer

Option B is correct because Azure Virtual Network encryption encrypts all traffic between VMs within a virtual network, providing zero-trust encryption. Option A is wrong because VPN gateways provide site-to-site encryption, not intra-VNet encryption. Option D is wrong because Azure Firewall does not encrypt traffic.

Option C is wrong because NSGs filter traffic but do not encrypt it.

191
MCQ · medium

You are designing security for a multi-region Azure application. You need to ensure that traffic between virtual networks in different regions is encrypted and uses the Microsoft backbone. What should you implement?

A. Configure VNet peering with 'Allow gateway transit' and 'Use remote gateways'.
B. Use Azure Firewall in each VNet and route traffic through it.
C. Deploy ExpressRoute circuits and connect each VNet to them.
D. Deploy a site-to-site VPN between the virtual networks.
Answer: A

VNet peering uses the Microsoft backbone and can use a VPN gateway for encryption if needed.

Why this answer

Option A is correct because VNet peering with 'Use remote gateways' enables encrypted transit over the Microsoft backbone. Option D is wrong because a VPN gateway is for on-premises or inter-region VPN over the internet, not over the backbone. Option C is wrong because ExpressRoute is for on-premises to Azure connectivity, not VNet-to-VNet.

Option B is wrong because Azure Firewall can inspect traffic but does not provide encrypted peering.

192
MCQ · medium

Your company uses Microsoft Sentinel as its SIEM. You need to design a solution to detect lateral movement attempts within the corporate network using Windows Event Logs collected from domain controllers and workstations. Which data source and analytic rule type should you use?

A. Windows Security Events with a Fusion rule
B. Azure Activity logs with an anomaly rule
C. Windows Security Events with a scheduled query rule
D. Sysmon logs with a scheduled query rule
Answer: A

Fusion rules correlate multiple events across different sources to detect lateral movement.

Why this answer

Windows Security Events from domain controllers and workstations, with a Fusion or multi-event analytic rule, can detect lateral movement patterns like pass-the-hash. Sysmon is useful but not the only source. Scheduled query rules are for single events.

Anomaly rules use machine learning but may not be as precise.

193
Multi-Select · medium

Your organization is planning to deploy Microsoft Defender for Cloud Apps (formerly Cloud App Security). You need to discover shadow IT usage and control access to cloud apps. Which TWO capabilities should you enable? (Choose TWO.)

Select 2 answers
A. Conditional Access App Control
B. Microsoft Intune device compliance policies
C. Data Loss Prevention (DLP) policies
D. On-premises app discovery via Microsoft Defender for Identity
E. Cloud Discovery
Answers: A, E

Conditional Access App Control provides session-level controls to protect access.

Why this answer

Options A and E are correct. Cloud Discovery (E) identifies shadow IT by analyzing traffic logs. Conditional Access App Control (A) enables real-time session controls.

Option C is wrong because DLP policies are for data protection, not discovery or access control. Option B is wrong because device compliance is managed by Intune. Option D is wrong because Defender for Cloud Apps (MCAS) does not scan on-premises apps.

194
MCQ · hard

You are designing a security solution for a financial services company that uses Microsoft 365 E5 and Azure. They have 10,000 users and 500 servers. They need to implement a Zero Trust network strategy that includes microsegmentation, identity-based access, and continuous monitoring. The solution must work across on-premises and cloud workloads. They also require that all access to critical servers is logged and audited. What should you include in your design?

A. Deploy Azure Firewall Premium to segment the network. Use Microsoft Entra ID for identity. Use Azure Monitor for logging.
B. Use site-to-site VPN to connect all on-premises servers to Azure. Place all servers in a single VNet. Use NSGs for segmentation and Azure AD for identity.
C. Use Azure Virtual Network Manager (AVNM) for network groups and security admin rules. Implement Microsoft Entra ID Conditional Access with device compliance. Use Microsoft Defender for Cloud for continuous monitoring and Azure Policy for audit.
D. Deploy a third-party SDN solution in AWS for microsegmentation. Use Microsoft Entra ID for identity. Use CloudWatch for logging.
Answer: C

AVNM provides microsegmentation; Conditional Access enforces identity-based access; Defender for Cloud monitors; Azure Policy audits.

Why this answer

Option C uses Azure Virtual Network Manager for microsegmentation, Microsoft Entra ID for identity, and Defender for Cloud for monitoring. Option A uses Azure Firewall for the perimeter only; Option D uses AWS; Option B uses VPN (not Zero Trust).

195
Multi-Select · easy

You are designing a secure infrastructure for an Azure Kubernetes Service (AKS) cluster that will host sensitive workloads. Which TWO configurations should you implement to secure the cluster?

Select 2 answers
A. Enable Azure AD integration for role-based access control (RBAC).
B. Enable Azure Monitor for containers.
C. Enable the HTTP application routing add-on.
D. Use Azure AD pod identity to provide identities for pods.
E. Enable the cluster autoscaler.
Answers: A, D

Azure AD integration provides authentication for cluster access.

Why this answer

Option A is correct because enabling Azure AD integration allows you to use Azure AD identities for cluster authentication. Option D is correct because using pod identity allows pods to authenticate to Azure resources securely. Option E is wrong because the cluster autoscaler scales nodes; it is not a security control.

Option B is wrong because Azure Monitor provides monitoring, not security. Option C is wrong because the HTTP application routing add-on is for ingress, not security.

196
MCQ · easy

Your organization uses Microsoft Defender for Cloud to secure a hybrid environment. You need to ensure that virtual machines running on-premises are assessed for security misconfigurations. What should you deploy?

A. Log Analytics agent on the on-premises servers
B. Microsoft Defender for Cloud's Vulnerability Assessment solution
C. Azure Arc on the on-premises servers
D. Azure Policy guest configuration
Answer: C

Azure Arc connects on-premises servers to Azure, enabling Defender for Cloud assessments.

Why this answer

Azure Arc enables Azure management services, including Defender for Cloud, to be extended to on-premises servers. Option C is correct because Arc-connected machines can be onboarded to Defender for Cloud for assessment. Option D is incorrect because Azure Policy alone does not perform assessments.

Option A is incorrect because the Log Analytics agent without Arc does not integrate with Defender for Cloud assessments. Option B is incorrect because just enabling Defender for Cloud does not cover on-premises VMs without Arc.

197
MCQ · easy

Your company is deploying Azure Kubernetes Service (AKS) and needs to secure container workloads. You must ensure that only approved container images from a trusted Azure Container Registry (ACR) can be deployed. What should you implement?

A. Enable Azure AD integration for AKS.
B. Apply an Azure Policy initiative to only allow images from a specific ACR.
C. Use Azure Key Vault to store container image credentials.
D. Configure network policies in AKS to restrict egress traffic.
Answer: B

Azure Policy can enforce image source restrictions.

Why this answer

Option B is correct because Azure Policy with the 'Only allow approved container images' built-in initiative enforces that containers in AKS must originate from a specified ACR. Option D is incorrect because network policies control traffic, not image source. Option A is incorrect because Azure AD integration controls authentication, not image source.

Option C is incorrect because Azure Key Vault stores secrets, not image approval.

198
MCQ · medium

You are designing a secure hybrid network for a multinational company. They require encrypted communication between on-premises data centers and Azure, with high availability and no single point of failure. Which solution should you recommend?

A. Deploy ExpressRoute with a site-to-site VPN as a failover.
B. Deploy a site-to-site VPN over the internet with two active VPN devices.
C. Deploy Azure Virtual WAN with point-to-site VPN for each data center.
D. Deploy ExpressRoute without encryption and rely on Microsoft backbone security.
Answer: A

ExpressRoute provides a private, dedicated connection; VPN failover ensures high availability and encryption.

Why this answer

Option A is correct because ExpressRoute with a VPN gateway failover provides a private dedicated connection with an encrypted site-to-site VPN as backup, meeting the high availability and encryption requirements. Option B is wrong because a site-to-site VPN alone lacks the private dedicated connection. Option C is wrong because Azure Virtual WAN is a networking service, not a specific connectivity solution, and point-to-site VPN is for remote users.

Option D is wrong because ExpressRoute does not encrypt traffic by default; encryption must be added separately.

199
MCQ · hard

Your organization has a Microsoft Defender for Cloud Apps policy that detects suspicious OAuth app permissions. You need to ensure that when a high-risk app is detected, the app is automatically disabled and the user is notified. What is the most efficient design?

A. Use the 'Disable app' governance action in the policy, and configure email notification
B. Configure the policy to notify the user via email
C. Send the alert to Microsoft Sentinel and create an incident with a playbook
D. Create a Power Automate flow that triggers on the alert to disable the app
Answer: A

Defender for Cloud Apps can automatically disable the app and notify the user.

Why this answer

Option A is correct because it uses the built-in governance action in Defender for Cloud Apps to disable the app and send an email. Option B is incomplete because notification alone doesn't disable the app. Option D is less efficient because it requires additional automation.

Option C is incorrect because a Sentinel incident does not automatically disable the app.

200
MCQ · easy

Your company uses Microsoft Intune to manage devices. You need to ensure that only compliant devices can access corporate Exchange Online mailboxes. Which conditional access policy setting should you configure?

A. Grant: Require device to be marked as compliant.
B. Grant: Require approved client app.
C. Grant: Require multifactor authentication.
D. Grant: Require Intune enrollment.
Answer: A

This enforces device compliance from Intune.

Why this answer

Option A is correct because the 'Require device to be marked as compliant' grant control enforces compliance. Option C is wrong because requiring multifactor authentication does not check device compliance. Option D is wrong because requiring Intune enrollment is part of compliance but is not the compliance state itself.

Option B is wrong because the approved client app control is for app protection policies.

201
Multi-Select · hard

You are designing a secure access solution for an Azure App Service web application that authenticates users via Microsoft Entra ID. The requirements include: only allowing users from a specific Entra ID tenant, and blocking access from certain countries. Which two features should you combine? (Choose two.)

Select 2 answers
A. App Service authentication with Microsoft Entra ID
B. Network Security Groups (NSGs)
C. Microsoft Entra Conditional Access
D. Managed Identity
E. Azure Front Door with geo-filtering
Answers: A, E

Restricts access to users from a specific tenant.

Why this answer

Options A and E are correct: App Service authentication restricts access to a specific tenant, and geo-filtering on Azure Front Door blocks countries. Option B is wrong because NSGs filter network traffic, not user authentication. Option C is wrong because Conditional Access can apply policies but not geo-blocking at the network edge.

Option D is wrong because Managed Identity is for app-to-Azure authentication, not user access.

202
MCQ · easy

Your company plans to deploy Microsoft Defender for Cloud to secure a multi-cloud environment that includes Azure, AWS, and GCP. You need to ensure that security recommendations from all three cloud providers are centrally visible. What should you configure?

A. Onboard AWS and GCP accounts to Microsoft Defender for Cloud using the multicloud connectors feature.
B. Deploy Azure Policy on AWS and GCP using Azure Arc to enforce security policies.
C. Ingest security logs from AWS and GCP into Microsoft Sentinel and use workbooks to view recommendations.
D. Connect AWS accounts to AWS Security Hub and GCP accounts to Google Cloud Security Command Center, then view via a single pane of glass.
Answer: A

Defender for Cloud supports AWS and GCP via connectors, providing unified recommendations.

Why this answer

Option A is correct because Microsoft Defender for Cloud can connect AWS and GCP accounts via the multicloud connectors, allowing centralized visibility of security recommendations. Option D is wrong because AWS Security Hub only shows AWS recommendations. Option B is wrong because Azure Policy does not natively assess AWS/GCP resources.

Option C is wrong because Microsoft Sentinel is for SIEM/SOAR, not for CSPM recommendations.

203
MCQ · hard

Your company uses Microsoft Intune to manage devices. You need to design a solution that prevents users from installing unauthorized applications on corporate Windows 10 devices. Which Intune policy should you configure?

A. Compliance policy
B. App protection policy (MAM)
C. Device restriction policy (Windows 10)
D. Configuration policy (OMA-URI)
Answer: C

Device restrictions include settings to block app installation from untrusted sources.

Why this answer

Option C is correct because Intune device restriction policies can block installation of apps from untrusted sources. Option B is wrong because app protection policies apply to managed apps, not device-wide installation. Option A is wrong because compliance policies assess device state but do not block installation.

Option D is wrong because configuration policies set settings but not app installation control.

204
Multi-Select · hard

Your organization uses Azure Kubernetes Service (AKS) for containerized workloads. You need to design a security solution that includes network segmentation, threat detection, and secret management. Which THREE Azure services should you include?

Select 3 answers
A. Azure Key Vault with CSI driver for secrets store
B. Azure Service Bus
C. Azure Policy for Kubernetes (Azure Policy add-on)
D. Microsoft Defender for Cloud (with Kubernetes threat detection)
E. Azure Firewall Premium
Answers: A, C, D

Key Vault securely stores secrets, and the CSI driver mounts them into pods.

Why this answer

Option C (Azure Policy for Kubernetes) enforces network policies and compliance. Option D (Azure Security Center for Kubernetes, now part of Defender for Cloud) provides threat detection. Option A (Azure Key Vault) stores secrets.

Option E (Azure Firewall Premium) is for the perimeter, not AKS-specific; Option B (Azure Service Bus) is messaging.

205
MCQ · medium

Refer to the exhibit. A company applies this Azure Policy to their subscription. An administrator tries to create a VM with a public IP address. What will happen?

A. The public IP will be automatically removed
B. The VM creation will be denied
C. The VM will be created, but an alert will be generated
D. The policy will only apply to VMs in a specific resource group
Answer: B

The policy denies creation of NICs with a public IP.

Why this answer

Option B is correct because the policy denies creation of network interfaces with a public IP. Option C is wrong because the policy does not audit; it denies. Option D is wrong because the policy applies to all resources.

Option A is wrong because the policy does not remove or create a public IP; it denies the request.

206
Multi-Select · medium

Your organization uses Microsoft Sentinel for security operations. You need to design a solution to detect and respond to lateral movement using pass-the-hash attacks. Which TWO data sources should you enable for ingestion into Microsoft Sentinel to detect such attacks?

Select 2 answers
A. Microsoft Defender for Identity alerts.
B. DNS events from DNS servers.
C. Azure AD sign-in logs.
D. Windows Security Events (Event ID 4624) from domain controllers.
E. Sysmon logs for process creation.
Answers: A, D

Provides detection of pass-the-hash.

Why this answer

Correct answers: A and D. Windows Security Events (Event ID 4624) can show anomalous logons, and Microsoft Defender for Identity provides detection of pass-the-hash. Option C is incorrect: Azure AD sign-in logs do not capture on-premises NTLM events.

Option E is incorrect: Sysmon is helpful but not specifically for pass-the-hash. Option B is incorrect: DNS logs are for network anomalies.

207
MCQ · medium

Your organization is deploying a new web application in Azure and needs to secure it against common web attacks like SQL injection and cross-site scripting. You need to configure a solution that provides centralized protection at the network edge. Which Azure service should you use?

A. Azure Web Application Firewall (WAF) on Azure Application Gateway
B. Network Security Groups (NSGs)
C. Azure DDoS Protection
D. Azure Firewall
Answer: A

WAF provides centralized protection against web attacks at the edge.

Why this answer

Option A is correct because Azure Web Application Firewall (WAF) with Application Gateway provides centralized protection against common web exploits at the network edge. Option D is wrong because Azure Firewall is a network firewall but doesn't have web-specific filtering. Option C is wrong because Azure DDoS Protection only mitigates DDoS attacks.

Option B is wrong because Network Security Groups provide basic network filtering but not web application layer protection.

208
Multi-Select · medium

Which TWO actions should you take to secure Azure SQL Database against SQL injection attacks?

Select 2 answers
A. Implement Always Encrypted
B. Enable Azure Web Application Firewall (WAF) on Application Gateway
C. Enable Row-Level Security (RLS)
D. Apply Dynamic Data Masking
E. Use parameterized queries in stored procedures
Answers: B, E

Correct: WAF filters SQL injection payloads.

Why this answer

Using parameterized queries in stored procedures prevents SQL injection by separating SQL code from data. Enabling Azure WAF on Application Gateway filters malicious requests at the network edge. Row-Level Security is for access control, not injection.

Always Encrypted protects data at rest. Dynamic Data Masking obfuscates data.

209
MCQ · hard

A global company with branches worldwide wants to secure access to Azure resources using a zero-trust approach. They require that all access requests be authenticated, authorized, and encrypted, and that the user's device must be compliant with corporate policies. Which combination of services should they use?

A. Azure VPN Gateway and Azure AD Multi-Factor Authentication
B. Azure AD Conditional Access and Azure AD Application Proxy
C. Azure Firewall and Azure AD Password Protection
D. Azure AD B2C and Azure AD Identity Protection
Answer: B

Conditional Access enforces authentication and device compliance; Application Proxy provides secure remote access.

Why this answer

Option B is correct because Azure AD Conditional Access can enforce authentication and device compliance, while Azure AD Application Proxy provides secure remote access to on-premises apps without a VPN. Option A is wrong because Azure VPN Gateway does not enforce device compliance. Option C is wrong because Azure Firewall does not enforce authentication.

Option D is wrong because Azure AD B2C is for external identities, not internal access.

210
Multi-Select · hard

Your organization is migrating from on-premises Active Directory to Microsoft Entra ID. You need to design a solution for hybrid identity that supports seamless SSO for legacy applications that require Kerberos authentication. Which THREE components should you include in your design?

Select 3 answers
A. Deploy Azure AD Application Proxy to publish legacy apps
B. Register legacy applications as Enterprise Applications in Microsoft Entra ID
C. Active Directory Federation Services (AD FS) deployed on-premises
D. Microsoft Entra Connect with Seamless SSO enabled
E. Password Hash Sync (PHS) with Self-Service Password Reset (SSPR) integration
Answers: B, D, E

Registering apps allows them to use Microsoft Entra ID for authentication, enabling SSO.

Why this answer

Option D (Microsoft Entra Connect) enables synchronization and seamless SSO. Option E (Password Hash Sync) is required for seamless SSO. Option B (Enterprise App registration) allows legacy apps to use Microsoft Entra ID for authentication.

Option C (AD FS) is optional and not required; Option A (Azure AD Application Proxy) is for remote access, not Kerberos SSO.

211
MCQ · medium

You are a security architect at a global manufacturing company. The company uses a hybrid infrastructure with on-premises Active Directory and Azure. They have recently deployed Microsoft Sentinel as their SIEM. The security team wants to detect and investigate ransomware attacks that spread via SMB. The CISO has requested a solution that can automatically block malicious IPs at the network level and provide forensic evidence. You need to design a solution that meets these requirements with minimal manual intervention. What should you include in your design?

A. Deploy Azure Firewall with threat intelligence-based filtering enabled. Use Sentinel to generate alerts when SMB traffic is detected, and manually block IPs.
B. Use Microsoft Defender for Cloud to detect ransomware and deploy a third-party firewall in VPC. Configure Sentinel to send alerts to the firewall API.
C. Integrate Microsoft Defender for Identity with Sentinel. Create a playbook that automatically adds malicious IPs to a custom Azure Firewall policy, and use Sentinel incidents for investigation.
D. Enable network security groups (NSGs) on all subnets. Use Sentinel to detect SMB anomalies and apply NSG rules via Azure Policy.
Answer: C

Defender for Identity detects lateral movement via SMB; playbook automates blocking via Azure Firewall; incidents provide forensic data.

Why this answer

Option C uses Microsoft Defender for Identity to detect SMB-based attacks and Azure Firewall to block IPs via playbooks. Option A uses Azure Firewall alone without detection and relies on manual blocking; Option D uses NSGs, which cannot block based on real-time threat intelligence; Option B refers to a VPC (an AWS construct), which is not applicable here.

212
MCQ · medium

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to ensure that only approved applications can run on corporate devices. Which Intune feature should you configure?

A. Windows Defender Firewall
B. BitLocker
C. Windows Information Protection
D. AppLocker
Answer: D

AppLocker enables application control policies.

Why this answer

Option D is correct because AppLocker allows you to create policies to control which apps can run. Option A is wrong because Windows Defender Firewall controls network traffic. Option B is wrong because BitLocker encrypts drives.

Option C is wrong because Windows Information Protection prevents data leaks.

213
MCQ · medium

Your organization uses Microsoft Sentinel to monitor hybrid workloads. You need to design a solution to detect lateral movement attempts using pass-the-hash attacks. Which data source should you prioritize for ingestion?

A. Sysmon Event ID 1 (Process creation)
B. DNS Query Logs
C. Azure Activity Logs
D. Windows Security Events (Event ID 4624)
Answer: D

Event ID 4624 captures successful logons with logon type and credential details, critical for detecting pass-the-hash.

Why this answer

Option D is correct because Windows Security Event ID 4624 (successful logon) with LogonType 3 (network) and hashed credentials is key for detecting pass-the-hash. Option C is wrong because Azure Activity Logs record control plane events, not authentication details. Option A is wrong because Sysmon Event ID 1 is process creation, not authentication.

Option B is wrong because DNS logs may show network connections but not credential theft.

214
MCQ · easy

You are designing a secure remote access solution for employees using Windows 10/11 devices that are managed by Microsoft Intune. The solution must enforce device compliance before allowing access to corporate resources and must support single sign-on (SSO). Which technology should you use?

A. Deploy a traditional VPN with certificate-based authentication.
B. Set up Azure AD Application Proxy for remote access.
C. Implement Microsoft Defender for Endpoint to block non-compliant devices.
D. Use Microsoft Entra ID with Conditional Access policies that require compliant devices.
Answer: D

Conditional Access integrates with Intune compliance and provides SSO.

Why this answer

Option D is correct because Microsoft Entra ID with Conditional Access can evaluate device compliance from Intune and provide SSO. Option A is incorrect because VPN alone does not enforce device compliance. Option C is incorrect because Microsoft Defender for Endpoint is an endpoint protection solution, not an access control mechanism.

Option B is incorrect because Azure AD Application Proxy is for on-prem apps and does not natively enforce device compliance without Conditional Access.

215
MCQ · medium

You are designing a backup strategy for a Microsoft 365 tenant. You need to ensure that Exchange Online mailbox items deleted by users can be recovered up to 30 days after deletion, without using third-party tools. What should you configure?

A. Place the mailbox on litigation hold.
B. Create a Microsoft 365 retention policy for Exchange mailboxes.
C. Enable single item recovery for the mailbox.
D. Configure Azure Backup for Microsoft 365.
Answer: C

This allows recovery of deleted items within the retention period.

Why this answer

Option C is correct because single item recovery in Exchange Online allows recovery of deleted items up to 30 days. Option A is wrong because litigation hold preserves items indefinitely; it is not a recovery mechanism for deleted items. Option B is wrong because retention policies are for retention, not recovery.

Option D is wrong because Azure Backup for Microsoft 365, although a Microsoft offering, is a separate backup service rather than the simplest built-in Exchange Online recovery option.

216
Multi-Select · easy

Your company is planning to use Microsoft Intune for mobile device management (MDM). You need to ensure that devices are compliant before accessing corporate resources. Which TWO components should you configure?

Select 2 answers
A. Device configuration policies.
B. Enrollment restrictions.
C. Conditional Access policies in Microsoft Entra ID.
D. Compliance policies.
E. App protection policies.
Answers: C, D

Enforce access based on compliance.

Why this answer

Option D is correct because compliance policies define the conditions for device compliance. Option C is correct because Conditional Access policies enforce access based on compliance. Option A is wrong because configuration policies are for settings, not compliance.

Option E is wrong because app protection policies are for app-level, not device-level compliance. Option B is wrong because enrollment restrictions are for device enrollment, not compliance.

217
MCQ · easy

Refer to the exhibit. You are reviewing a Bicep template for deploying an Azure SQL Database server. Which security best practice is violated?

A. Minimal TLS version is set to 1.2, which is acceptable.
B. Administrator password is hardcoded in plain text.
C. Public network access is disabled, which may affect connectivity.
D. Azure AD authentication is not configured.
Answer: B

Passwords should not be in code; use Azure Key Vault.

Why this answer

Option B is correct because hardcoding passwords in code is a security risk. Option C is wrong because publicNetworkAccess is disabled, which is a hardening measure rather than a violation. Option A is wrong because the TLS version is set to 1.2.

Option D is wrong because Azure SQL does not require Azure AD auth by default.

218
MCQ · easy

You need to secure Azure Kubernetes Service (AKS) clusters by ensuring that only approved container images from a private Azure Container Registry (ACR) can be deployed. The solution should enforce this at admission time. Which Azure Policy effect should you use?

A. modify
B. enforceRegoPolicy
C. audit
D. deny
Answer: B

This effect uses OPA Gatekeeper to enforce custom admission policies, such as restricting container image sources.

Why this answer

The 'enforceRegoPolicy' effect for Azure Policy on AKS uses Open Policy Agent (OPA) Gatekeeper to enforce that only images from specific registries are allowed. 'audit' only logs, 'deny' is not directly applicable for AKS admission, 'modify' changes resources but does not block.

219
MCQ · medium

Your organization is planning to deploy Microsoft Defender for Cloud to protect a hybrid environment that includes on-premises servers and Azure virtual machines. You need to ensure that the security recommendations and threat detections are consistently applied across all resources. What should you configure?

A. Connect on-premises servers using Azure Arc and assign a built-in policy initiative.
B. Enable auto-provisioning for the Log Analytics agent on all subscriptions.
C. Configure an Azure Policy to require the deployment of the Log Analytics agent.
D. Use Azure Policy to assign the 'Deploy Log Analytics agent' initiative to the management group.
Answer: B

Auto-provisioning ensures all VMs are monitored and security recommendations are consistently applied.

Why this answer

Option B is correct because enabling auto-provisioning for the Log Analytics agent ensures that all existing and future VMs (both on-premises and Azure) are automatically monitored and security recommendations are applied consistently. Option A is wrong because Azure Arc is for managing on-premises machines, but it does not by itself provide consistent security policy application. Option C is wrong because just assigning a policy does not enforce monitoring.

Option D is wrong because Azure Policy is used to enforce compliance, but it does not replace the need for auto-provisioning.

220
Multi-Select · hard

Which TWO of the following are requirements for implementing Azure Disk Encryption on Windows VMs? (Choose two.)

Select 2 answers
A. The BitLocker Drive Encryption feature must be available (Windows)
B. The VM must be a supported VM size
C. The VM must have a public IP address
D. An Azure Key Vault with the EnabledForDiskEncryption property set to true
E. An Azure Backup vault in the same region
Answers: A, D

BitLocker is required; it's available in supported Windows versions.

Why this answer

Option D (Key Vault with EnabledForDiskEncryption) and Option A (BitLocker feature available) are requirements. Option C is not required because the VM does not need a public IP. Option E is incorrect because Azure Backup is not required.

Option B is incorrect here: although the VM must be a supported size, that is not one of the two requirements selected for this question.

221
MCQ · hard

You are designing a network security architecture for an Azure application that uses Azure Front Door and Azure Application Gateway. The application must be protected from DDoS attacks and common web exploits. Application traffic should be inspected by a web application firewall (WAF) before reaching the backend. What is the recommended deployment order?

A. Azure Front Door with WAF only, no Application Gateway.
B. Azure Front Door without WAF in front of Azure Application Gateway without WAF.
C. Azure Application Gateway with WAF in front of Azure Front Door.
D. Azure Front Door with WAF in front of Azure Application Gateway with WAF.
Answer: D

Azure Front Door with WAF is the outermost global layer; Azure Application Gateway with WAF then inspects traffic regionally before it reaches the backend.

Why this answer

Option D is correct because Azure Front Door should be the outermost layer for global DDoS protection and TLS termination, then Azure Application Gateway with WAF provides regional web application firewall inspection. Option C is wrong because that would inspect traffic at the gateway first, missing Front Door's global DDoS protection. Option A is wrong because placing WAF only at Front Door leaves backend traffic uninspected.

Option B is wrong because Application Gateway should have WAF enabled for web exploit protection.

222
MCQ · easy

Your company is migrating to Azure and needs to secure virtual networks with network segmentation. You need to design a solution that filters traffic between subnets based on application requirements. Which Azure service should you use?

A. Azure DDoS Protection
B. Azure Firewall
C. Azure Bastion
D. Network Security Groups (NSGs)
Answer: D

NSGs provide stateful filtering between subnets and VMs within a VNet.

Why this answer

Option D is correct because Network Security Groups (NSGs) filter traffic between subnets and VMs. Option B is wrong because Azure Firewall is a managed firewall for inbound/outbound traffic at a higher level than subnet segmentation. Option A is wrong because Azure DDoS Protection mitigates DDoS attacks, not segmentation.

Option C is wrong because Azure Bastion is for secure RDP/SSH access.

223
MCQ · hard

A company is migrating its on-premises Active Directory to Microsoft Entra ID. They have line-of-business applications that use Windows Integrated Authentication. You need to design a solution that allows users to access these applications from domain-joined devices without prompting for credentials, while also supporting hybrid identity. What should you implement?

A. Deploy Pass-through Authentication (PTA) with Seamless SSO.
B. Configure Microsoft Entra hybrid join and enable Seamless SSO.
C. Use Azure AD Application Proxy with pre-authentication.
D. Implement Active Directory Federation Services (AD FS).
Answer: B

Hybrid join provides SSO for on-prem apps from domain-joined devices.

Why this answer

Option B is correct because Microsoft Entra hybrid join allows domain-joined devices to authenticate to both on-prem and cloud resources, enabling SSO. Option C is incorrect because Azure AD Application Proxy requires separate authentication. Option A is incorrect because Pass-through Authentication is for cloud apps, not on-prem.

Option D is incorrect because Federation does not provide device-based SSO for on-prem apps.

224
Multi-Select · hard

Your company is designing a secure baseline for Azure Linux virtual machines using Azure Policy. You need to ensure that all Linux VMs have SSH access restricted, disk encryption enabled, and vulnerability assessments installed. Which THREE built-in policies should you assign? (Choose THREE.)

Select 3 answers
A. Microsoft Antimalware for Azure must be configured with automatic update
B. [Preview]: Configure Linux VMs to install the Azure Security Agent for vulnerability assessment
C. Windows Defender Credential Guard should be enabled on Windows VMs
D. Disk encryption should be applied on virtual machines
E. [Preview]: Linux machines should meet requirements for the Azure compute security baseline
Answers: B, D, E

This policy deploys the vulnerability assessment agent on Linux.

Why this answer

Options B, D, and E are correct: E (the Linux compute security baseline) restricts SSH from the internet, D enables disk encryption, and B deploys the vulnerability assessment agent. Option A is wrong because it requires Microsoft Antimalware, which is for Windows.

Option C is wrong because it enforces Windows Defender Credential Guard, which is Windows-specific.

225
MCQ · hard

Your organization uses Azure SQL Database with Azure AD authentication. You need to ensure that database administrators (DBAs) can only perform management tasks from a specific Azure region and only during business hours. Which solution should you use?

A. Azure AD Conditional Access policies
B. Azure RBAC with custom roles
C. Azure Policy with custom policy
D. Azure SQL Database firewall rules
Answer: A

Can enforce location and time conditions for Azure AD authenticated access.

Why this answer

Option A is correct because Conditional Access can enforce location and time restrictions for Azure AD authenticated users. Option D is wrong because Azure SQL firewall rules filter by IP, not user identity. Option C is wrong because Azure Policy cannot enforce time-based access.

Option B is wrong because Azure RBAC cannot enforce location or time.
