CCNA Design a Zero Trust strategy and architecture Questions

12 questions · Design a Zero Trust strategy and architecture · All types, answers revealed

1
MCQ · medium

A company is implementing a Zero Trust network strategy using Azure Virtual Network Manager (AVNM). They need to ensure that all traffic between virtual networks is encrypted and inspected by a firewall. Which configuration should they use?

A. Enable VNet peering between all VNets and use network security groups
B. Use a mesh topology with direct connectivity between VNets
C. Use a hub-and-spoke topology with a firewall appliance in the hub
D. Configure service endpoints for each VNet
Answer: C

Hub-and-spoke with firewall ensures traffic is routed through the firewall for inspection.

Why this answer

In a Zero Trust network strategy, all traffic must be encrypted and inspected regardless of source. A hub-and-spoke topology with a firewall appliance in the hub forces all inter-VNet traffic through the firewall, enabling deep packet inspection and encryption enforcement. Azure Virtual Network Manager (AVNM) can deploy this topology and route traffic via the hub, ensuring no direct VNet-to-VNet communication bypasses inspection.

Exam trap

The trap here is that candidates often assume VNet peering with NSGs is sufficient for Zero Trust, but NSGs cannot inspect or encrypt traffic, and peering itself does not enforce inspection—only a hub-and-spoke topology with a firewall appliance can meet both encryption and inspection requirements.

How to eliminate wrong answers

Option A is wrong because VNet peering creates direct, unencrypted-by-default connectivity between VNets, and network security groups (NSGs) only provide stateful filtering at Layers 3-4, not encryption or deep packet inspection. Option B is wrong because a mesh topology with direct connectivity between VNets allows traffic to bypass any central inspection point, violating the Zero Trust requirement that all traffic must be inspected. Option D is wrong because service endpoints provide private connectivity to Azure PaaS services over the Microsoft backbone, but they do not encrypt or inspect traffic between VNets.

2
MCQ · hard

An organization is implementing a Zero Trust identity strategy. They have a mix of on-premises Active Directory and Azure AD. They want to enforce conditional access policies that require device compliance for accessing sensitive apps. However, some users report that their devices are not being evaluated for compliance even though they are enrolled in Microsoft Intune. What should the organization check first?

A. Ensure Intune compliance policies are assigned to the correct user groups
B. Confirm that devices are Azure AD Joined
C. Check if users have enabled multi-factor authentication
D. Verify that devices are registered in Azure AD
Answer: D

Device registration in Azure AD is required for conditional access to evaluate device compliance.

Why this answer

Device compliance evaluation in a hybrid identity environment requires that devices are registered in Azure AD (Azure AD Registration) so that Azure AD can associate the device identity with Intune compliance data. Even if a device is enrolled in Intune, without Azure AD registration, Conditional Access policies cannot evaluate its compliance status because the device identity is not recognized by Azure AD during authentication.

Exam trap

The trap here is that candidates assume Intune enrollment alone is sufficient for device compliance evaluation, but Azure AD registration is the prerequisite that links the device identity to Azure AD for Conditional Access to enforce compliance policies.

How to eliminate wrong answers

Option A is wrong because, although Intune compliance policies must be assigned to the correct user groups, assignment only determines which users' devices receive the policy; it does not affect whether a device is evaluated for compliance. Option B is wrong because devices do not need to be Azure AD Joined; they can be Azure AD Registered (workplace-joined) or Hybrid Azure AD Joined, and Azure AD Joined is not a prerequisite for compliance evaluation. Option C is wrong because multi-factor authentication is an authentication requirement, not a device compliance requirement; enabling MFA does not cause a device to be evaluated for compliance.

3
Drag & Drop · medium

Order the steps to implement Azure AD Privileged Identity Management (PIM) for a role.

Why this order

PIM setup involves selecting the role, creating an eligible assignment for it, and then the activation process.

4
Multi-Select · medium

A company is implementing a Zero Trust identity strategy. They want to ensure that only compliant and managed devices can access corporate resources. Which THREE components should they include in their solution? (Choose three.)

A. Microsoft Intune for device management and compliance policies
B. Azure AD device registration
C. Azure AD Conditional Access policies
D. Azure AD Application Proxy
E. Azure AD B2B collaboration
Answers: A, B, C

Intune manages device compliance and enforces policies.

Why this answer

A is correct because Microsoft Intune provides device management and compliance policies that define the security posture required for managed devices, such as requiring encryption, a minimum OS version, or a specific patch level. These compliance policies are evaluated by Azure AD during authentication, ensuring only devices that meet the organization's security standards can access corporate resources.

Exam trap

The trap here is that candidates may confuse Azure AD Application Proxy (a publishing tool) with a device compliance mechanism, or assume Azure AD B2B collaboration can enforce device management for external users, when in fact neither component evaluates device health or management status.

5
Multi-Select · hard

A company is designing a Zero Trust security posture for their Azure environment. They need to assess and improve their security posture. Which TWO actions should they take? (Choose two.)

A. Enable Azure Update Management for all VMs
B. Use Azure Policy to enforce security configurations
C. Deploy Microsoft Entra Permissions Management
D. Review and implement recommendations from Microsoft Defender for Cloud Secure Score
E. Use Microsoft Security Copilot to generate security policies
Answers: B, D

Azure Policy can enforce compliance and security baselines.

Why this answer

Azure Policy enforces organizational standards and assesses compliance at scale, which is a core Zero Trust principle of continuous verification and policy-driven access control. By applying policies that enforce security configurations (e.g., requiring HTTPS, restricting public network access), the company can proactively prevent misconfigurations and maintain a consistent security baseline across their Azure environment.

Exam trap

The trap here is that candidates confuse operational tools (like Update Management) or AI assistants (like Security Copilot) with core Zero Trust assessment and enforcement mechanisms, when the exam specifically tests understanding that Azure Policy and Secure Score are the primary built-in tools for continuous posture evaluation and improvement.

6
MCQ · hard

Refer to the exhibit. You are reviewing a Conditional Access policy in Azure AD. The policy requires MFA and a compliant device for all users and all cloud apps. Some users report that they are able to access apps without being prompted for MFA even though their devices are compliant. What is the most likely reason?

A. The policy does not include all cloud apps
B. The policy is set to 'Report-only' mode
C. The policy excludes specific locations
D. The policy does not include session controls to enforce MFA re-prompt
Answer: B

In report-only mode, policies are not enforced, so users are not prompted for MFA.

Why this answer

Option B is correct because a Conditional Access policy set to 'Report-only' mode evaluates the policy and logs results but does not enforce any controls, such as requiring MFA or a compliant device. Users can access apps without MFA prompts because the policy is not actively blocking or challenging them, even if their devices are compliant. This mode is used for testing before enabling enforcement.

Exam trap

The trap here is that candidates may overlook the 'Report-only' mode setting and assume the policy is enforcing controls, focusing instead on app scope or location exclusions, which are common red herrings in Conditional Access troubleshooting questions.

How to eliminate wrong answers

Option A is wrong because the policy explicitly states it includes 'all cloud apps,' so missing apps is not the issue. Option C is wrong because excluding specific locations would only bypass MFA for users from those locations, but the question states users report access without MFA even though devices are compliant, implying the issue is not location-based. Option D is wrong because session controls for MFA re-prompt are not required for initial MFA enforcement; the policy's grant controls (requiring MFA and compliant device) are sufficient to prompt MFA on first access, and the lack of re-prompt controls does not explain why MFA is never prompted.

7
Matching · medium

Match each Azure security capability to its primary purpose.

SIEM and SOAR

Cloud security posture management

Risk-based conditional access

Manage secrets, keys, and certificates

Mitigate distributed denial-of-service attacks

Why these pairings

These are core Azure security services with distinct functions.

8
Drag & Drop · medium

Order the steps to implement a Microsoft Sentinel data connector for Azure Active Directory logs.

Why this order

Azure AD connector setup requires selecting the connector, configuring log types, and connecting to start streaming.

9
MCQ · medium

A company, Fabrikam, has a hybrid identity environment with on-premises Active Directory synchronized to Azure AD using Azure AD Connect. They have implemented a Zero Trust strategy that includes requiring multi-factor authentication (MFA) for all users accessing cloud applications. They use Conditional Access policies to enforce MFA. Recently, they noticed that users who authenticate from the on-premises network are not being prompted for MFA when accessing cloud apps, even though the Conditional Access policy is configured to require MFA for all users. The network location is not excluded in the policy. The Conditional Access policy is enabled and in 'Enforce' mode. The users' devices are not domain-joined. What is the most likely reason for this behavior?

A. Azure AD Connect is not configured for Pass-through Authentication
B. The Conditional Access policy does not include session controls
C. The Conditional Access policy is not targeting the correct user group
D. Users are using legacy authentication protocols that do not support MFA
Answer: D

Legacy authentication protocols such as POP, IMAP and SMTP do not support MFA and can bypass Conditional Access policies if they are not blocked.

Why this answer

The most likely reason is that users are using legacy authentication protocols (e.g., POP3, IMAP, SMTP, or older Office clients) that do not support modern authentication and thus cannot enforce MFA via Conditional Access. Even though the policy requires MFA, legacy protocols bypass the Conditional Access engine entirely, allowing authentication without MFA prompts.

Exam trap

The trap here is that candidates often focus on policy configuration (e.g., user targeting, session controls) or authentication methods, but the real issue is that legacy protocols completely bypass Conditional Access, making MFA enforcement impossible regardless of policy settings.

How to eliminate wrong answers

Option A is wrong because Pass-through Authentication is an authentication method (not related to MFA enforcement) and does not affect whether Conditional Access policies prompt for MFA; the issue is about protocol support, not authentication flow. Option B is wrong because session controls (e.g., app-enforced restrictions, sign-in frequency) are optional and not required for MFA enforcement; the core MFA requirement is a grant control, not a session control. Option C is wrong because the scenario states the policy targets 'all users' and is in 'Enforce' mode, so user group targeting is not the issue; the problem is protocol-level bypass.

10
MCQ · easy

A company is planning their Zero Trust data protection strategy. They want to classify and protect sensitive data stored in SharePoint Online. Which Microsoft tool should they use?

A. Microsoft Intune
B. Microsoft Defender for Cloud Apps
C. Microsoft Purview Information Protection
D. Azure Policy
Answer: C

Purview Information Protection provides data classification and labeling.

Why this answer

Microsoft Purview Information Protection (formerly Microsoft Information Protection) is the correct tool because it provides integrated classification, labeling, and protection for sensitive data across Microsoft 365 services, including SharePoint Online. It uses sensitivity labels that can automatically apply encryption, rights management, and visual markings (headers/footers) to documents based on policy conditions, directly supporting the Zero Trust principle of 'assume breach' by protecting data at rest and in transit.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud Apps (a CASB for monitoring and controlling cloud app usage) with the data classification and labeling capabilities of Microsoft Purview Information Protection, because both tools can handle sensitive data but serve fundamentally different roles in a Zero Trust strategy.

How to eliminate wrong answers

Option A is wrong because Microsoft Intune is a mobile device management (MDM) and mobile application management (MAM) tool focused on managing devices and apps, not on classifying or protecting data within SharePoint Online documents. Option B is wrong because Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) that provides visibility, threat detection, and access controls for cloud apps, but it does not natively classify or label sensitive data within SharePoint Online; it can discover sensitive data via integration with Purview but is not the primary tool for classification. Option D is wrong because Azure Policy is used to enforce compliance and governance rules on Azure resources (e.g., resource types, locations, tags) and does not apply sensitivity labels or encryption to SharePoint Online documents.

11
Matching · medium

Match each Azure security benchmark control to its category.

Control category for authentication and authorization

Control category for network segmentation and filtering

Control category for encryption and data classification

Control category for audit logs and alerts

Control category for detection and response processes

Why these pairings

These are key categories in the Microsoft cloud security benchmark.

12
MCQ · medium

A company is designing a Zero Trust network strategy. They want to ensure that all network traffic between on-premises and Azure is inspected and logged, regardless of source or destination. Which Azure service should they use to achieve this?

A. Azure Front Door
B. Azure Bastion
C. Azure Firewall
D. Azure DDoS Protection
Answer: C

Azure Firewall can inspect and log all traffic between on-premises and Azure.

Why this answer

Azure Firewall is a managed, cloud-based network security service that provides inbound and outbound traffic inspection and logging for all traffic between on-premises networks and Azure, regardless of source or destination. It supports application and network-level filtering, threat intelligence-based filtering, and integrates with Azure Monitor for comprehensive logging, making it the correct choice for a Zero Trust network strategy that requires full traffic inspection and logging.

Exam trap

The trap here is that candidates may confuse Azure Firewall with Azure Front Door or Azure Bastion, thinking that any security or access service can inspect all traffic, but only Azure Firewall provides the necessary stateful inspection and logging for all network traffic between on-premises and Azure.

How to eliminate wrong answers

Option A is wrong because Azure Front Door is a global, scalable entry point for web applications, focusing on HTTP/HTTPS load balancing and acceleration, not on inspecting and logging all network traffic between on-premises and Azure (it does not handle non-web protocols or provide stateful packet inspection). Option B is wrong because Azure Bastion is a fully managed PaaS service that provides secure RDP/SSH connectivity to virtual machines directly from the Azure portal, without exposing public IPs; it does not inspect or log general network traffic between on-premises and Azure. Option D is wrong because Azure DDoS Protection is a service that protects against distributed denial-of-service attacks by monitoring and mitigating volumetric attacks at the network layer, but it does not provide general traffic inspection or logging for all network flows.