CCNA Security Apps Data Solutions Questions

75 of 207 questions · Page 2/3 · Security Apps Data Solutions topic · Answers revealed

76
MCQ · easy

Your organization uses Microsoft Purview to classify and protect sensitive data. You need to prevent users from accidentally sharing files that contain credit card numbers via email. What should you configure in Microsoft Purview?

A. Enable Microsoft Defender for Cloud Apps session policy to monitor file downloads.
B. Configure a retention policy for files containing credit card numbers.
C. Implement a data loss prevention (DLP) policy that detects credit card numbers and blocks email sharing.
D. Create a sensitivity label that automatically classifies credit card numbers.
Answer: C

DLP policies can detect sensitive data and enforce actions like block or warn.

Why this answer

Data Loss Prevention (DLP) policies in Microsoft Purview can detect sensitive information types like credit card numbers and block sharing via email. Sensitivity labels can be applied automatically but do not block sharing by themselves. The correct answer is DLP policy.

77
MCQ · medium

You are designing a data classification strategy for a Microsoft 365 tenant. You need to automatically classify documents that contain personally identifiable information (PII) and apply a retention label. Which Microsoft Purview feature should you use?

A. Auto-labeling policies
B. Trainable classifiers
C. Manual labeling
D. Data Loss Prevention (DLP) policies
Answer: A

Auto-labeling policies can automatically apply labels based on sensitive info types.

Why this answer

Option A is correct: Auto-labeling policies in Purview can automatically classify and apply labels based on sensitive information types. Option B is wrong: Trainable classifiers require training and are for more complex classification, not automatic for PII. Option C is wrong: Manual labeling is not automatic.

Option D is wrong: DLP policies are for enforcement, not automatic labeling.

78
MCQ · hard

Your organization uses Microsoft Sentinel to detect threats. You need to design a solution that automatically remediates a detected threat on an Azure VM by isolating the VM from the network. What should you use?

A. Create a Microsoft Sentinel automation rule that triggers a playbook to run an Azure Automation runbook to modify the NSG.
B. Configure a Log Analytics workspace query to run on a schedule and automatically block the VM.
C. Use Azure Policy to audit and automatically remediate non-compliant VMs.
D. Enable Microsoft Defender for Cloud's 'Just-in-time VM access' policy.
Answer: A

Sentinel playbooks can automate remediation via Azure Automation.

Why this answer

Option A is correct because Microsoft Sentinel can trigger a playbook (automation rule) that runs an Azure Automation runbook to modify the NSG and isolate the VM. Option B is wrong because Log Analytics workspace doesn't have remediation actions. Option C is wrong because Azure Policy is for compliance, not incident response.

Option D is wrong because Defender for Cloud has some automation, but Sentinel playbook is the designed method for automated response.

79
Multi-Select · hard

Your company is designing a zero-trust security posture for a new application in Azure. The application uses Azure Functions, Azure SQL Database, and Azure Blob Storage. You need to ensure that data in transit is encrypted and that the application can authenticate without storing secrets in code. Which THREE actions should you take?

Select 3 answers
A. Enable 'Enforce minimum TLS version' on the Blob Storage account
B. Configure the application to use TLS 1.2 or higher for all connections
C. Use managed identity for Azure Functions to access Azure SQL Database
D. Enable customer-managed keys (CMK) for Azure SQL Database
E. Configure the Azure SQL firewall to allow only the Functions IP range
Answers: A, B, C

Ensures clients use TLS 1.2+ for encrypted connections.

Why this answer

Options A, B, and C are correct. Configuring TLS 1.2 or higher encrypts data in transit, managed identity for Azure Functions provides secretless authentication to Azure SQL, and enforcing a minimum TLS version on Blob Storage ensures encrypted connections. Option E is wrong because firewall rules don't encrypt data.

Option D is wrong because CMK is for encryption at rest, not in transit.

80
MCQ · easy

You are designing a secure DevOps pipeline using GitHub Actions and Azure. The security team requires that all container images pushed to Azure Container Registry (ACR) are scanned for vulnerabilities before deployment. If critical vulnerabilities are found, the pipeline must fail. What should you integrate into the pipeline?

A. Configure Azure Policy to require image scanning before deployment
B. Integrate Microsoft Defender for Cloud with Azure Container Registry scanning and configure a GitHub Actions step to check scan results
C. Deploy Azure Bastion to scan images during build
D. Use Azure Security Center (legacy) to scan images on push
Answer: B

Defender for Cloud provides vulnerability scanning for ACR images and can be queried via API.

Why this answer

Option B is correct because Microsoft Defender for Cloud can scan container images in ACR for vulnerabilities, and a GitHub Actions step can check the scan results and fail the pipeline on critical findings. Option D is wrong because Azure Security Center is now part of Defender for Cloud. Option A is wrong because Azure Policy can enforce compliance but not scan images.

Option C is wrong because Azure Bastion is for secure remote access.

81
Multi-Select · medium

A company is designing a security solution for a new application that will be deployed on Azure Kubernetes Service (AKS). They need to protect secrets and ensure that only authorized pods can access them. Which TWO actions should they take? (Choose two.)

Select 2 answers
A. Enable pod identity to assign managed identities to pods for Key Vault access
B. Configure network policies to restrict pod-to-pod traffic
C. Store secrets in Kubernetes ConfigMaps
D. Enable Azure Disk Encryption for AKS nodes
E. Use Azure Key Vault Provider for Secrets Store CSI Driver to mount secrets as volumes
Answers: A, E

Pod identity allows pods to authenticate to Key Vault using managed identities.

Why this answer

Using Azure Key Vault Provider for Secrets Store CSI Driver (Option E) allows pods to mount secrets from Key Vault. Enabling pod identity with managed identity (Option A) ensures that only authorized pods can access Key Vault. Option C is wrong because storing secrets in ConfigMaps is not secure.

Option D is wrong because Azure Disk Encryption does not apply to secrets. Option B is wrong because network policies control traffic, not secrets access.

82
MCQ · easy

Your organization uses Microsoft Sentinel to detect threats. You need to ensure that sensitive data stored in Azure SQL Database is protected from unauthorized access by Sentinel playbooks. What should you implement?

A. Enable dynamic data masking on the SQL database
B. Use customer-managed keys (CMK) for SQL Transparent Data Encryption
C. Configure Azure SQL firewall rules to allow only Sentinel IP addresses
D. Use a managed identity assigned to the playbook to authenticate to Azure SQL
Answer: D

Managed identities provide secure, credential-free authentication for Azure resources.

Why this answer

Option D is correct because managed identities provide secure, identity-based authentication for playbooks to access Azure SQL without storing credentials. Option C is wrong because firewall rules are network-level, not identity-based. Option A is wrong because data masking is for query results, not access control.

Option B is wrong because CMK is for encryption at rest, not access control.

83
MCQ · easy

Your company is deploying Microsoft Entra ID for application authentication. You need to register a new web application that uses OAuth 2.0 for user sign-in. Which authentication flow should you use?

A. Device code flow
B. Authorization code flow
C. Implicit flow
D. Client credentials flow
Answer: B

Standard flow for web apps with backend.

Why this answer

Option B is correct because the authorization code flow is the recommended flow for web applications that have a backend server. Option C is wrong because the implicit flow is deprecated for user sign-in. Option D is wrong because the client credentials flow is for server-to-server calls without a user.

Option A is wrong because the device code flow is for input-constrained devices.

84
Multi-Select · hard

You are designing a solution to protect Azure SQL Database from SQL injection attacks. The solution must use a web application firewall (WAF) and also ensure that queries from the application are parameterized. Which two components should you include? (Choose two. Each correct answer presents part of the solution.)

Select 2 answers
A. Azure SQL Database firewall rules
B. Transparent Data Encryption (TDE)
C. Azure Application Gateway with WAF
D. Parameterized queries in the application code
Answers: C, D

WAF can detect and block SQL injection attempts.

Why this answer

Options C and D are correct because Azure Application Gateway with WAF can block SQL injection at the network edge, and using parameterized queries in the application code prevents SQL injection at the application layer. Option B is wrong because TDE encrypts data at rest. Option A is wrong because the Azure SQL Database firewall controls IP access.

85
MCQ · easy

Refer to the exhibit. You are analyzing sign-in failures in Microsoft Sentinel using a KQL query. What does this query identify?

A. Accounts that have been locked out due to multiple failures.
B. Computers with more than 10 login attempts from the same IP address.
C. Accounts that had more than 10 failed logon attempts in the last 7 days.
D. Accounts that successfully logged in more than 10 times.
Answer: C

The query sums failed logons per account per computer.

Why this answer

Option C is correct because the query filters EventID 4625 (failed logon) and groups by Account and Computer, then filters accounts with more than 10 failures in the last 7 days. Option D is wrong because the query does not show success events. Option B is wrong because it does not group by IP address.

Option A is wrong because it does not include locked accounts.

86
Multi-Select · hard

A company is implementing Microsoft Purview to protect sensitive data in Microsoft 365. They need to prevent users from sharing credit card numbers via email. Which THREE components must be configured? (Choose three.)

Select 3 answers
A. Create an auto-labeling policy for credit card data
B. Create a retention label for credit card data
C. Create a sensitive info type for credit card numbers
D. Create a Data Loss Prevention (DLP) policy that blocks sharing
E. Configure policy tips to notify users of policy violations
Answers: C, D, E

Sensitive info types are used to detect credit card numbers in content.

Why this answer

A sensitive info type for credit card numbers (Option C) is needed to detect the data. A DLP policy (Option D) enforces the rule. A policy tip (Option E) notifies users about the policy.

Option B is wrong because retention labels are for retention, not prevention. Option A is wrong because auto-labeling applies labels, but DLP policies are needed to block sharing.

87
MCQ · easy

Your company uses Microsoft Intune for mobile device management. You need to ensure that corporate data on iOS devices is protected by requiring a PIN and encrypting the device. What configuration should you create?

A. Create a device configuration profile to enforce PIN and encryption.
B. Create a Conditional Access policy that requires compliant devices.
C. Create a compliance policy that requires a device PIN and encryption.
D. Create an app protection policy for Microsoft apps.
Answer: C

Compliance policies enforce device security requirements.

Why this answer

Option C is correct because a compliance policy in Intune defines device requirements like PIN and encryption. Option D is wrong because app protection policies target apps, not device-level settings. Option A is wrong because device configuration profiles can enforce settings, but a compliance policy is the standard way to require PIN and encryption for compliance.

Option B is wrong because Conditional Access policies control access based on compliance; they do not enforce settings directly.

88
MCQ · medium

Your organization uses Microsoft Defender for Cloud to protect its Azure workloads. You have an application that runs on Azure Virtual Machines and uses a storage account to store sensitive data. The security team wants to detect when the storage account access keys are used from an unexpected location. What should you configure?

A. Configure adaptive application controls on the storage account.
B. Create an Azure Monitor alert based on the 'Storage Account List Keys' operation.
C. Enable just-in-time VM access in Microsoft Defender for Cloud.
D. Enable Microsoft Defender for Storage and configure anomaly detection alerts.
Answer: D

Defender for Storage detects unusual patterns, including access from unexpected locations.

Why this answer

Microsoft Defender for Cloud provides adaptive application controls, file integrity monitoring, and just-in-time access, but not specifically for detecting storage key usage from unexpected locations. Microsoft Defender for Storage (part of Defender for Cloud) provides anomaly detection, including unusual access patterns. You can also use Azure Monitor with alerts on storage metrics, but the most direct is Defender for Storage.

Option D is correct.

89
MCQ · easy

Your company runs a critical application on Azure VMs. You need to ensure that only authorized applications can run on the VMs to prevent malware. Which Azure security feature should you enable?

A. Azure Security Center adaptive application controls
B. Just-In-Time VM access
C. Azure Antimalware
D. Windows Defender Application Control (WDAC)
Answer: D

WDAC allows you to control which applications can run on the VM.

Why this answer

Option D is correct: Windows Defender Application Control allows you to specify which applications are allowed to run. Option C is wrong: Antimalware detects and removes malware but does not control which apps can run. Option B is wrong: Just-In-Time VM access controls network access, not application execution.

Option A is wrong: Azure Security Center (now Defender for Cloud) provides recommendations but not direct app control.

90
MCQ · easy

You are designing a secure data classification strategy for documents in Microsoft 365. The compliance officer wants to automatically apply a 'Confidential' label to documents containing credit card numbers. Which Microsoft Purview feature should you use?

A. Auto-labeling policies
B. Data loss prevention policies
C. Trainable classifiers
D. Manual labeling
Answer: A

Auto-labeling policies can automatically apply sensitivity labels based on sensitive info types like credit card numbers.

Why this answer

Option A is correct because auto-labeling policies in Microsoft Purview can automatically apply sensitivity labels based on sensitive info types. Option C is wrong because trainable classifiers require training and are for more complex patterns. Option D is wrong because manual labeling is not automatic.

Option B is wrong because data loss prevention policies prevent sharing but do not apply labels.

91
MCQ · medium

Your company uses Microsoft Intune to manage mobile devices. You need to ensure that corporate data in Microsoft 365 apps cannot be copied to personal apps on the same device. What should you configure?

A. App protection policy (MAM) with 'Restrict cut, copy, and paste'
B. Conditional Access policy requiring compliant device
C. Device configuration profile with restrictions
D. Device compliance policy for mobile devices
Answer: A

App protection policies control data transfer between managed apps and unmanaged apps.

Why this answer

Option A is correct because app protection policies (MAM) can prevent data transfer between managed and unmanaged apps. Option B is wrong because Conditional Access blocks access but does not control copy/paste. Option D is wrong because compliance policies enforce device health, not app-level data movement.

Option C is wrong because device configuration profiles set device settings, not app restrictions.

92
MCQ · easy

You are designing a solution to protect an Azure App Service web application from common web attacks like SQL injection and cross-site scripting. What should you implement?

A. Azure Firewall
B. Azure DDoS Protection
C. Azure Web Application Firewall (WAF) policy on Azure Front Door
D. Network Security Groups (NSGs) on the subnet
Answer: C

WAF protects against SQL injection and XSS.

Why this answer

Option C is correct because Azure Web Application Firewall (WAF) with Application Gateway or Front Door protects against SQL injection and XSS. Option D is wrong because Network Security Groups (NSGs) filter network traffic, not the application layer. Option B is wrong because Azure DDoS Protection protects against DDoS, not web attacks.

Option A is wrong because Azure Firewall is a network firewall, not a web application firewall.

93
MCQ · easy

Your organization uses Microsoft Purview to govern data assets across Azure and on-premises. You need to automatically classify sensitive data such as credit card numbers in Azure SQL Database. What should you use?

A. Microsoft Purview Data Map
B. Microsoft Defender for Cloud
C. Microsoft Entra ID
D. Microsoft Sentinel
Answer: A

Purview Data Map scans and classifies sensitive data.

Why this answer

Option A is correct because Microsoft Purview Data Map can scan Azure SQL Database and apply automatic classification using built-in classifiers. Option D is wrong because Microsoft Sentinel is for SIEM, not data classification. Option B is wrong because Microsoft Defender for Cloud is for security posture, not data classification.

Option C is wrong because Microsoft Entra ID is for identity.

94
Multi-Select · hard

Which THREE actions should you take to secure a CI/CD pipeline using Azure DevOps and GitHub?

Select 3 answers
A. Enable secret scanning in GitHub to detect leaked credentials
B. Run all pipeline tasks with administrative privileges
C. Disable pull request code reviews to speed deployment
D. Store secrets in Azure Key Vault and use variable groups linked to Key Vault
E. Configure branch protection rules in GitHub to require status checks
Answers: A, D, E

Secret scanning helps prevent accidental exposure of secrets in repositories.

Why this answer

Options A, D, and E are correct. Using secure variables, branch protection rules, and secret scanning are key security measures. Option C is wrong because disabling code review reduces security.

Option B is wrong because running pipelines with admin privileges increases risk.

95
MCQ · medium

Your organization is deploying Microsoft Defender for Cloud Apps. You need to create a policy that blocks downloads of sensitive files from sanctioned cloud apps to unmanaged devices. What type of policy should you create?

A. Session policy
B. App discovery policy
C. Anomaly detection policy
D. Access policy
Answer: A

Session policies provide real-time session control, including blocking downloads.

Why this answer

Option A is correct because session policies in Defender for Cloud Apps can monitor and control user sessions in real time, including blocking downloads based on device tags. Option D is wrong because access policies control access but not session-level actions like downloads. Option B is wrong because app discovery policies are for discovering shadow IT.

Option C is wrong because anomaly detection policies detect unusual behavior; they do not block downloads.

96
MCQ · hard

A healthcare organization uses Microsoft Purview Information Protection to classify and protect patient data. They want to automatically apply a 'High Confidentiality' label to any document containing a patient ID pattern (###-####). The label should also encrypt the document. Which configuration should they use?

A. Retention label with auto-labeling policy
B. Data Loss Prevention (DLP) policy with a block action
C. Sensitivity label with auto-labeling for sensitive info types
D. Trainable classifier with a retention policy
Answer: C

Sensitivity labels can be configured to automatically apply based on sensitive info types (like patient ID pattern) and include encryption.

Why this answer

Option C is correct because a sensitivity label with auto-labeling for files containing sensitive info types (like patient IDs) can apply encryption automatically. Option A is wrong because a retention label only manages retention, not encryption. Option B is wrong because a DLP policy alerts but does not automatically label.

Option D is wrong because a trainable classifier requires training and does not use a regex pattern.

97
Multi-Select · medium

Your organization is designing a data protection strategy using Microsoft Purview. You need to classify and label all sensitive data stored in Azure SQL Database. The solution must automatically detect credit card numbers and apply a sensitivity label. Which three actions should you take? (Choose three.)

Select 3 answers
A. Enable Azure SQL Database auditing
B. Create a scan in Purview to classify sensitive data types
C. Register the Azure SQL Database as a data source in Microsoft Purview
D. Create a data loss prevention (DLP) policy in Purview
E. Create a sensitivity label with auto-labeling for credit card numbers and publish it
Answers: B, C, E

Scanning discovers sensitive data.

Why this answer

Options B, C, and E are correct because to automatically classify and label data in Azure SQL Database, you need to register the data source in Purview, scan it to discover sensitive data, and create and publish a sensitivity label with auto-labeling that applies the label. Option D is wrong because DLP policies are for data in use/motion, not for labeling. Option A is wrong because enabling auditing does not classify or label.

98
Multi-Select · hard

Your organization is deploying a new application on Azure Kubernetes Service (AKS). You need to secure container access to Azure resources using managed identities. Which THREE components are required? (Choose THREE.)

Select 3 answers
A. Pod identity (e.g., aad-pod-identity)
B. Azure AD pod-managed identity (or workload identity)
C. Azure Container Registry
D. Azure Key Vault for secret storage
E. Azure Firewall
Answers: A, B, D

Assigns identity to pods.

Why this answer

Option A, Option B, and Option D are correct. A pod identity is needed to assign an identity to pods, Azure Key Vault stores secrets, and Azure AD pod-managed identity (or workload identity) provides the identity. Option C is incorrect because Azure Container Registry is for storing images, not identity.

Option E is incorrect because Azure Firewall is for network security.

99
MCQ · hard

You are designing a data classification strategy for Microsoft Purview. The compliance team requires that documents containing personally identifiable information (PII) like credit card numbers are automatically labeled and encrypted when stored in Microsoft SharePoint Online. The solution must use built-in sensitive information types. What should you include in the design?

A. Create a sensitivity label with auto-labeling for credit card numbers and enable encryption
B. Create a retention label and apply it automatically via a data loss prevention (DLP) policy
C. Use a trainable classifier to detect PII and apply a sensitivity label
D. Configure a manual sensitivity label policy for users to apply
Answer: A

This automatically labels and encrypts documents containing PII.

Why this answer

Option A is correct because a sensitivity label with auto-labeling for content matching a sensitive information type (like credit card number) and encryption can be applied to SharePoint documents automatically. Option B is wrong because retention labels do not enforce encryption. Option C is wrong because trainable classifiers require custom training.

Option D is wrong because manual labeling is not automatic.

100
MCQ · hard

A company uses Azure Cosmos DB with Microsoft Defender for Cloud to protect its NoSQL database. The security team wants to audit all data plane operations for compliance. Which diagnostic setting should they enable?

A. MongoRequests
B. PartitionKeyStatistics
C. QueryRuntimeStatistics
D. DataPlaneRequests
Answer: D

This log records all data plane operations including CRUD on items.

Why this answer

Option D is correct because DataPlaneRequests logs contain all data plane operations. Option C is wrong because QueryRuntimeStatistics logs query execution stats, not operations. Option A is wrong because MongoRequests logs MongoDB operations only.

Option B is wrong because PartitionKeyStatistics logs partition statistics.

101
Multi-Select · easy

A company uses Microsoft Defender for Cloud to secure their Azure workloads. They need to ensure that all Azure SQL databases have threat detection enabled. Which TWO actions should they take? (Choose two.)

Select 2 answers
A. Enable Microsoft Defender for Cloud's 'SQL servers on machines' plan
B. Enable Azure Defender for SQL at the subscription level
C. Configure SQL Vulnerability Assessment
D. Enable Advanced Threat Protection on each SQL server individually
E. Configure SQL auditing on each database
Answers: A, B

This plan enables threat detection for SQL servers, including Azure SQL databases.

Why this answer

Enabling Azure Defender for SQL at the subscription level (Option B) automatically enables threat detection for all SQL databases. Option A is correct because Defender for Cloud can enable Microsoft Defender for SQL as a plan. Option E is wrong because enabling individual audit policies is not necessary for threat detection.

Option D is wrong because Advanced Threat Protection is part of the Azure SQL security settings, but the plan is enabled at the subscription level. Option C is wrong because vulnerability assessment is a separate feature.

102
MCQ · easy

Your organization, Adatum, is migrating its on-premises applications to Azure. The applications include a legacy .NET Framework web app that uses Windows authentication and a modern ASP.NET Core API that uses OAuth 2.0. You need to design a secure solution for these applications using Azure App Service. The security requirements include: (1) enforce HTTPS only, (2) restrict access to the web app based on the user's corporate identity, (3) allow the API to access an Azure SQL Database using a managed identity. Which of the following is the correct design?

A. Configure the web app to use Windows authentication via Azure AD Domain Services, and the API to use SQL authentication with a managed identity.
B. Configure the web app to use Microsoft Entra ID authentication with a built-in policy, and the API to use a connection string with a username and password.
C. Configure the web app to require client certificates for authentication, and the API to use a connection string with SQL authentication.
D. Configure both apps to enforce HTTPS only, configure the web app to use Microsoft Entra ID authentication, and configure the API to use a system-assigned managed identity to access Azure SQL Database.
Answer: D

HTTPS enforcement, Entra ID authentication for user access, and managed identity for API database access meet all requirements.

Why this answer

Option D is correct because it meets all requirements: HTTPS only enforced, Microsoft Entra ID authentication for the web app, and managed identity for the API to access SQL Database. Option C is wrong because client certificates do not provide user-level authentication. Option B is wrong because the API should use managed identity, not connection strings.

Option A is wrong because SQL authentication is less secure and does not use managed identity.

103
Multi-Select · medium

Which THREE security controls should you implement to protect a web application against common OWASP Top 10 vulnerabilities?

Select 3 answers
A. Role-Based Access Control (RBAC)
B. Input validation on all user inputs
C. Content Security Policy (CSP) headers
D. Web Application Firewall (WAF)
E. Multi-factor authentication (MFA)
Answers: B, C, D

Input validation prevents injection attacks by sanitizing user input.

Why this answer

Options B, C, and D are correct. WAF protects against many OWASP threats, input validation prevents injection, and CSP mitigates XSS. Option A is wrong because RBAC manages access, not application-layer attacks.

Option E is wrong because MFA is an identity control.

104
MCQ · easy

A company uses Microsoft Sentinel for SIEM. They need to ensure that security events from Azure Active Directory (now Microsoft Entra ID) are ingested into Sentinel. Which data connector should they enable?

A. Microsoft Entra ID connector
B. Office 365 connector
C. Azure Activity connector
D. Microsoft Defender XDR connector
Answer: A

This connector ingests sign-in and audit logs from Entra ID.

Why this answer

The Microsoft Entra ID connector (Option A) is the correct data source for ingesting sign-in logs and audit logs from Entra ID. Option B is wrong because the Office 365 connector ingests data from Exchange, SharePoint, etc. Option C is wrong because the Azure Activity connector ingests subscription-level events.

Option D is wrong because the Microsoft Defender XDR connector ingests alerts from Defender products.

105
MCQ · medium

You are reviewing a Conditional Access policy in Microsoft Entra ID. The policy is intended to block sign-ins from high-risk users. However, some high-risk users are still able to sign in. What is the most likely reason?

A. The policy is not enforced because user risk is not being evaluated (e.g., missing licenses or risk policy)
B. The policy does not include all client app types
C. The policy is set to report-only mode
D. The policy does not include all locations
Answer: A

User risk evaluation requires Azure AD Premium P2 licenses and the risk policy to be configured. Without them, the condition never triggers.

Why this answer

Option A is correct because the policy only blocks based on user risk level, so if user risk is not being evaluated the block condition never triggers. The exhibit shows the policy is enabled, but if the user risk level is not being calculated in real time (e.g., due to licensing), the policy does not fire. Option D is wrong because locations include all.

Option B is wrong because client app types include all. Option C is wrong because the policy is enabled, not in report-only mode.

106
MCQ · hard

You run the PowerShell command to retrieve the vulnerability assessment baseline for rule VA2108 on an Azure SQL Database. The command returns a baseline with multiple rows. What is the purpose of this baseline?

A. It configures the database to ignore performance issues related to rule VA2108.
B. It sets the baseline for all databases on the server for rule VA2108.
C. It automatically remediates the vulnerability identified by rule VA2108.
D. It defines the expected scan result for rule VA2108, so future scans do not flag the same findings.
Answer: D

Baselines suppress known safe findings.

Why this answer

Option D is correct because vulnerability assessment baselines define acceptable scan results for specific rules, so that future scans do not report the same findings as vulnerabilities. Option A is wrong because baselines do not fix vulnerabilities. Option B is wrong because the baseline is for a specific database, not all databases.

Option C is wrong because baselines are not about performance.

107
Multi-Select · medium

Your organization is designing a security solution for a new web application that will be deployed on Azure App Service. The application will access an Azure SQL Database and an Azure Storage account. The security requirements include: (1) use managed identities for authentication, (2) encrypt data at rest and in transit, (3) restrict network access to the database and storage account to only the App Service, and (4) use Azure Key Vault for secrets management. Which TWO of the following should you implement?

Select 2 answers
A.Configure the App Service to use a connection string with a storage account access key.
B.Configure private endpoints for the SQL Database and Storage account.
C.Configure the App Service to use a system-assigned managed identity.
D.Use shared access signatures (SAS) for the App Service to access the Storage account.
E.Configure service endpoints for the SQL Database and Storage account.
AnswersB, C

A managed identity removes the credential from the application, and private endpoints keep traffic to the database and storage account on the Microsoft backbone, reachable only from the App Service's virtual network integration.

Why this answer

Options B and C are correct. A system-assigned managed identity lets the App Service authenticate to Azure SQL Database, the storage account and Key Vault without any stored credential. Private endpoints give the database and storage account private IP addresses inside the virtual network, and their public endpoints can then be disabled so that only the App Service (through VNet integration) can reach them.

Option A is wrong because a connection string with a storage account access key reintroduces a long-lived secret and defeats the managed identity requirement. Option D is wrong because SAS tokens are also secrets to distribute and rotate; with a managed identity available, Azure RBAC data-plane roles on the storage account are the recommended path. Option E is wrong because service endpoints leave the services on public IP addresses and only add a source-VNet allow rule, which is weaker isolation than a private endpoint.

108
MCQmedium

Your organization is designing a solution to protect sensitive data in Microsoft SharePoint Online. You need to ensure that documents containing credit card numbers are automatically encrypted when shared with external users. What should you configure?

A.A Data Loss Prevention (DLP) policy that blocks sharing
B.Information Rights Management (IRM) for SharePoint
C.An auto-labeling policy for sensitivity labels with encryption
D.A retention policy with a hold
AnswerC

Auto-labeling applies labels with encryption based on sensitive content.

Why this answer

Option C is correct because an auto-labeling policy in Microsoft Purview can apply a sensitivity label that carries encryption whenever a document matches a sensitive information type such as credit card number; the protection then travels with the file when it is shared externally. Run the policy in simulation mode first to review what would be labeled. Option A is wrong because a DLP policy can block or warn, but it does not encrypt the document. Option B is wrong because IRM for SharePoint protects at the library level and is applied manually; it does not label by content.

Option D is wrong because retention policies and holds manage the lifecycle of content, not its protection.

109
MCQmedium

Your company, Fabrikam, is a global financial services firm that handles sensitive customer data. You are designing a security solution for a new customer-facing web application that processes credit card transactions. The application will be deployed on Azure Kubernetes Service (AKS) and will use Azure SQL Database for data storage. Compliance requirements include PCI DSS and GDPR. You need to ensure that data at rest and in transit is encrypted, and that access to the database is tightly controlled. You plan to use Azure Key Vault for managing encryption keys. Which combination of actions should you implement?

A.Enable TDE with a customer-managed key in Azure Key Vault, use Always Encrypted for sensitive columns, enforce TLS 1.2, and use Azure AD managed identities for authentication with a firewall rule to allow only the AKS cluster's outbound IP.
B.Enable TDE with a customer-managed key stored in the application's configuration file, enforce TLS 1.2, and use Azure AD authentication.
C.Implement application-level encryption for credit card data, enforce TLS 1.2, and use Azure AD managed identities with no database firewall rules.
D.Enable Transparent Data Encryption (TDE) with a service-managed key, enforce TLS 1.0, and use SQL authentication.
AnswerA

This provides encryption at rest (TDE and Always Encrypted), encryption in transit (TLS 1.2), and secure access with managed identities and IP restrictions.

Why this answer

Option A is correct because it covers encryption in transit (TLS 1.2), encryption at rest in layers (TDE with a customer-managed key in Key Vault, plus Always Encrypted so that card data is ciphertext even to database administrators), and access control (managed identities for authentication and a firewall rule limited to the AKS cluster's egress IP). Option D is wrong because TLS 1.0 is deprecated and does not meet PCI DSS, and SQL authentication means a shared password. Option B is wrong because a customer-managed key must live in Azure Key Vault or Managed HSM; a key in the application's configuration file is neither protected nor auditable, and TDE cannot use it.

Option C is wrong because it relies on application-level encryption alone for data at rest and removes the firewall rules, leaving the database reachable from any network source.

110
MCQeasy

Your company uses Microsoft Defender for Cloud to secure Azure workloads. You need to ensure that all storage accounts have the 'Secure transfer required' setting enabled. What should you use?

A.Azure role-based access control (RBAC)
B.Azure Blueprints
C.Microsoft Defender for Cloud regulatory compliance dashboard
D.Azure Policy
AnswerD

Azure Policy can audit or enforce the 'Secure transfer required' property on storage accounts.

Why this answer

Option D is correct because Azure Policy can audit, and with a Deny or Modify effect enforce, the 'Secure transfer required' setting across every storage account in the assigned scope. Option C is wrong because the regulatory compliance dashboard reports on Defender for Cloud assessments; it does not change resource configuration. Option B is wrong because Azure Blueprints is deprecated in favour of Azure Policy and deployment stacks.

Option A is wrong because RBAC controls who can act on a resource, not how the resource is configured.

111
MCQmedium

Your company uses Microsoft Sentinel for security operations. You need to design a solution that automatically remediates a detected threat by blocking a malicious IP address on Azure Firewall. Which Microsoft Sentinel feature should you use?

A.Analytics rules
B.Workbooks
C.SOAR playbooks
D.User and Entity Behavior Analytics (UEBA)
AnswerC

Playbooks automate the response action.

Why this answer

Option C is correct because Security Orchestration, Automation, and Response (SOAR) in Microsoft Sentinel uses playbooks, built on Azure Logic Apps, to run remediation such as adding the IP address to an Azure Firewall deny rule; an automation rule attaches the playbook to the incident so it fires without an analyst. Option A is wrong because analytics rules detect and raise incidents; they do not change Azure Firewall. Option B is wrong because workbooks visualize data.

Option D is wrong because UEBA scores behavior to enrich investigations; it does not automate remediation.

112
MCQhard

Refer to the exhibit. This is a risk alert from Microsoft Entra ID Identity Protection for user jdoe@contoso.com. You are designing an automated response using Microsoft Sentinel. Which condition should you use to trigger a high-severity incident?

A.If the user risk level is 'high'
B.If the sign-in risk level is 'high'
C.If the risk event types include 'leakedCredentials'
D.If the user risk level is 'medium'
AnswerA

The user risk level is 'high', indicating a compromised account.

Why this answer

Option A is correct because the alert has a user risk level of 'high', which indicates the account itself is likely compromised. Option C is wrong because the risk event types in the alert are 'unfamiliarFeatures' and 'atypicalTravel', not 'leakedCredentials'. Option B is wrong because the sign-in risk level is 'medium', not 'high'.

Option D is wrong because the user risk level is 'high', not 'medium'; a condition on 'medium' would also fire on lower-confidence alerts.

113
MCQmedium

Your organization uses Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data in Exchange Online. The compliance team wants to prevent users from sending emails containing Social Security numbers to external recipients. What should you configure?

A.Create a DLP policy with the condition 'Content contains sensitive info type' and action 'Block the message'
B.Configure a retention label for emails
C.Create a mail flow rule in Exchange admin center
D.Apply a sensitivity label to all emails
AnswerA

DLP policies can detect sensitive info types and block messages from being sent.

Why this answer

Option A is correct because a DLP policy scoped to Exchange Online can use the condition 'Content contains sensitive info type' (U.S. Social Security Number), the condition that the recipient is outside the organization, and the action 'Block the message'. Option D is wrong because sensitivity labels classify and protect content; they do not block sending. Option B is wrong because retention labels govern how long mail is kept.

Option C is wrong because a mail flow (transport) rule can match patterns, but DLP is the recommended approach: it uses the maintained sensitive information types, supports policy tips and user overrides, and reports into Purview.
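What a DLP sensitive information type actually does when it "detects" a credit card or Social Security number (the mechanism behind the correct answers in questions 108 and 113) is pattern matching plus a validation step, so that arbitrary digit strings are not flagged. The following Python is an added example written for this page, not Microsoft code: it implements that logic over a constructed email body. The Luhn checksum and the SSA structural rules are real; the keyword lists, the 40-character context window and the medium/high confidence split are this example's simplification of how Purview raises confidence when supporting evidence sits near a match.

```python
"""Added example, not from the question bank: a minimal sensitive information type
detector. A bare 16-digit pattern would flag order numbers, so the card check adds a
Luhn checksum, and the SSN check applies the SSA structural rules (area 000, 666 and
900-999, group 00 and serial 0000 are never issued). Keyword lists and the
medium/high confidence split are this example's simplification (assumption)."""
import re
from dataclasses import dataclass

CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")            # 16 digits, optional separators
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")
CARD_KEYWORDS = ("card", "visa", "mastercard", "amex", "cvv", "expir")
SSN_KEYWORDS = ("ssn", "social security", "soc sec")

@dataclass(frozen=True)
class Match:
    info_type: str
    value: str
    confidence: str  # "high" when a supporting keyword is within the window, else "medium"

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def ssn_structure_ok(area: str, group: str, serial: str) -> bool:
    """SSA rules: area 000, 666 and 900-999, group 00 and serial 0000 are invalid."""
    if area in ("000", "666") or int(area) >= 900:
        return False
    return group != "00" and serial != "0000"

def _confidence(text: str, start: int, end: int, keywords, window: int) -> str:
    context = text[max(0, start - window):end + window].lower()
    return "high" if any(k in context for k in keywords) else "medium"

def find_sensitive_info(text: str, window: int = 40) -> list[Match]:
    """Return validated matches in document order, cards first, then SSNs."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            found.append(Match("Credit Card Number", m.group(),
                               _confidence(text, m.start(), m.end(), CARD_KEYWORDS, window)))
    for m in SSN_RE.finditer(text):
        if ssn_structure_ok(*m.groups()):
            found.append(Match("U.S. Social Security Number", m.group(),
                               _confidence(text, m.start(), m.end(), SSN_KEYWORDS, window)))
    return found

def dlp_decision(body: str, external_recipient: bool, min_confidence: str = "medium") -> str:
    """'Block' when the message leaves the organization carrying a match at or above
    the required confidence; otherwise 'Allow'."""
    rank = {"medium": 0, "high": 1}
    hits = [m for m in find_sensitive_info(body) if rank[m.confidence] >= rank[min_confidence]]
    return "Block" if external_recipient and hits else "Allow"

# Constructed sample message: the second card number fails the Luhn check and is ignored.
SAMPLE_EMAIL = ("Hi, please charge my Visa 4111 1111 1111 1111, expiry 12/27. "
                "My SSN is 123-45-6789. Order ref 4111 1111 1111 1112.")
```

Purview's built-in types add more (keyword dictionaries, formatting variants, and per-type confidence thresholds you can require in the policy condition), but the shape is the same: a policy that blocks on medium confidence trades false positives for coverage, and the checksum is what keeps order numbers and ticket IDs out of the block list.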

114
Multi-Selecthard

A financial services company uses Microsoft Sentinel for SIEM. They need to detect potential data exfiltration from their Azure SQL Database. Which THREE data sources should they connect to Sentinel to achieve this? (Choose THREE.)

Select 3 answers
A.Microsoft Defender for Cloud alerts
B.Azure AD sign-in logs
C.Azure Network Watcher NSG flow logs
D.Azure SQL Database audit logs
E.Azure Activity Logs
AnswersC, D, E

SQL audit logs show who ran which queries, Activity Logs show changes to the server and its firewall, and NSG flow logs show where the traffic went.

Why this answer

Options C, D, and E are correct. Azure SQL Database audit logs contain the statements executed and the principal that ran them; Azure Activity Logs record control-plane events such as firewall rule or auditing changes that often precede exfiltration; NSG flow logs show traffic volumes and destinations from clients in your virtual networks. Audit logs must be sent to the Log Analytics workspace that backs Sentinel. Option B is wrong because Microsoft Entra ID sign-in logs cover authentication to Entra, not database operations.

Option A is wrong because Microsoft Defender for Cloud alerts are already-correlated detections; they are useful context but not the raw data needed to build an exfiltration detection.

115
MCQmedium

A company deploys a line-of-business application on Azure App Service. The application uses a managed identity to access Azure SQL Database. Security policy requires that the database connection string must not contain credentials. How should the connection string be configured?

A.Store the connection string in App Service application settings with the password encrypted by App Service
B.Store the connection string with username and password in Key Vault and reference it in App Settings
C.Use a managed identity and set the connection string to use Active Directory Managed Identity authentication without credentials
D.Store the connection string as a secret in Azure Key Vault and use a Key Vault reference in App Settings
AnswerC

Managed identity allows the App Service to authenticate to Azure SQL without storing any credentials in the connection string

Why this answer

Option C is correct because with a managed identity the connection string carries 'Authentication=Active Directory Managed Identity' and no user name or password; the App Service obtains a token from the identity endpoint at runtime. Option A is wrong because the connection string still contains a password, however it is stored. Option B is wrong because it still relies on a user name and password; a Key Vault reference hides the secret but does not remove it.

Option D is wrong because a Key Vault reference only protects a secret; with managed identity authentication the connection string contains no secret to protect, so it can live in the App Service configuration directly.
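The difference between option C and the others is visible in the connection string itself, so a CI gate can enforce the policy before deployment. The Python below is an added example for this page, not Microsoft or App Service code: it parses an ADO.NET-style connection string and reports any embedded credential, accepting only managed identity authentication. Key synonyms such as Pwd and Uid follow SqlClient's documented aliases; which Authentication values count as acceptable and the requirement for an explicit Encrypt setting are this example's policy and an assumption, and the server names are constructed.

```python
"""Added example, not from the question bank: a pre-deployment gate that rejects
Azure SQL connection strings carrying a credential. The accepted Authentication
values and the explicit-Encrypt requirement are this gate's policy (assumption)."""
import re

CREDENTIAL_KEYS = {"password", "pwd", "user id", "uid", "user", "accountkey",
                   "sharedaccesssignature"}
ALLOWED_AUTH = {"active directory managed identity", "active directory default"}
GUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}")

def parse_connection_string(cs: str) -> dict[str, str]:
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    pairs = {}
    for part in cs.split(";"):
        if not part.strip():
            continue
        key, _, value = part.partition("=")
        pairs[key.strip().lower()] = value.strip()
    return pairs

def check_connection_string(cs: str) -> list[str]:
    """Return findings; an empty list means the string passes the gate."""
    kv = parse_connection_string(cs)
    auth = kv.get("authentication", "").lower()
    findings = []
    if auth not in ALLOWED_AUTH:
        findings.append(f"authentication is '{auth or 'none'}'; expected managed identity")
    for key in sorted(kv):
        if key not in CREDENTIAL_KEYS or not kv[key]:
            continue
        # With a user-assigned identity the client ID travels in User Id; it is an
        # identifier, not a secret, so a GUID there is allowed under managed identity auth.
        if key in ("user id", "uid") and auth in ALLOWED_AUTH and GUID_RE.fullmatch(kv[key].lower()):
            continue
        findings.append(f"credential key present: {key}")
    if kv.get("encrypt", "").lower() not in ("true", "mandatory", "strict"):
        findings.append("Encrypt is not set; transport encryption must be explicit")
    return findings

# Constructed strings mirroring the answer options (server name is made up).
WITH_PASSWORD = ("Server=tcp:contoso-sql.database.windows.net,1433;Database=orders;"
                 "User ID=appuser;Password=P@ssw0rd!;Encrypt=True;")
SYSTEM_ASSIGNED_MI = ("Server=tcp:contoso-sql.database.windows.net,1433;Database=orders;"
                      "Authentication=Active Directory Managed Identity;Encrypt=True;")
USER_ASSIGNED_MI = ("Server=tcp:contoso-sql.database.windows.net,1433;Database=orders;"
                    "Authentication=Active Directory Managed Identity;"
                    "User Id=11111111-2222-3333-4444-555555555555;Encrypt=True;")
```

The User Id exception matters in practice: with a user-assigned managed identity the identity's client ID is passed in User Id alongside Authentication=Active Directory Managed Identity, and it is an identifier, not a secret, so the gate allows a GUID there and nothing else. Encrypt is required explicitly because Microsoft.Data.SqlClient defaults it to true only from version 4.0; the older System.Data.SqlClient defaults to false.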

116
MCQeasy

Your organization is using Microsoft Sentinel for security information and event management (SIEM). You need to ensure that data from Azure Activity Logs is ingested into Sentinel. What should you configure?

A.Configure a Log Analytics workspace to collect Activity Logs
B.Use Azure Policy to stream Activity Logs to Sentinel
C.Enable Azure Monitor to forward Activity Logs to Sentinel
D.Connect Azure Activity Logs via the Microsoft Sentinel data connector
AnswerD

This is the standard method to ingest Activity Logs.

Why this answer

Option D is correct because you can connect Azure Activity Logs as a data connector in Microsoft Sentinel. Option A is wrong because Log Analytics workspace is the underlying storage, but the connection is made via data connectors. Option B is wrong because Azure Policy can enforce configuration but not directly ingest logs.

Option C is wrong because Azure Monitor is a broader service; the specific connector is needed.

117
MCQhard

Refer to the exhibit. You are auditing an Azure subscription. The Azure Policy assignment above is targeting a resource group. The policy definition ID corresponds to a built-in policy that audits if SQL databases have transparent data encryption (TDE) enabled. What is the effect of this policy assignment?

A.The policy automatically enables TDE on non-compliant SQL databases.
B.The policy is only reported as audit, not enforced.
C.The policy applies to all resources in the management group.
D.The policy audits SQL databases for TDE and marks non-compliant resources.
AnswerD

Default enforcement applies the definition's effect, which for this built-in is Audit: non-compliant databases are flagged, nothing is changed.

Why this answer

Option D is correct. The assignment's enforcementMode is 'Default', so the definition's effect is applied; for this built-in the effect is Audit, which evaluates each SQL database in the resource group and marks those without TDE as non-compliant. With enforcementMode 'DoNotEnforce' the compliance state would still be recorded, but the effect would not be applied.

Option B is wrong because enforcementMode is 'Default', not 'DoNotEnforce'; the policy is enforced, it is simply an Audit policy. Option A is wrong because an Audit effect never changes a resource; enabling TDE would need a DeployIfNotExists or Modify effect plus a remediation task. Option C is wrong because the assignment scope is a resource group, not a management group.

118
Multi-Selectmedium

A company is designing a data classification strategy using Microsoft Purview. They need to automatically classify and protect sensitive data stored in Azure Blob Storage. Which TWO capabilities should they use? (Choose TWO.)

Select 2 answers
A.Sensitivity labels
B.Data Loss Prevention (DLP) policies
C.Information Barriers
D.Microsoft Purview Data Map
E.Azure Policy
AnswersA, D

Sensitivity labels can be applied to Azure Blob to enforce protection like encryption.

Why this answer

Options A and D are correct. Microsoft Purview Data Map scans Azure Blob Storage, discovers the data assets and classifies them with built-in or custom classifications; sensitivity labels extend those classifications with protection. Option B is wrong because DLP policies target Microsoft 365 workloads and endpoints, not Azure Blob Storage.

Option C is wrong because Information Barriers restrict communication between groups of users; they do not classify data. Option E is wrong because Azure Policy governs resource configuration, not data classification.

119
Multi-Selectmedium

Your company is developing a web application that stores sensitive customer data in Azure SQL Database. The data must be encrypted at rest and in transit. Additionally, you need to ensure that only the application can access the database, not individual administrators. Which two technologies should you implement? (Choose two.)

Select 2 answers
A.Azure Key Vault
B.Azure Information Protection
C.Dynamic Data Masking
D.Always Encrypted
E.Transparent Data Encryption (TDE)
AnswersD, E

TDE encrypts the database at rest; Always Encrypted keeps the column keys with the application, so database administrators never see plaintext.

Why this answer

Option E is correct: Transparent Data Encryption (TDE) encrypts the database files, logs and backups at rest. Option D is correct: Always Encrypted encrypts sensitive columns in the client driver with keys the database never holds, so the values stay ciphertext at rest, in transit and in memory on the server, and administrators cannot read them. Option B is wrong: Azure Information Protection is for labeling and classification, not database encryption.

Option C is wrong: Dynamic Data Masking obfuscates query results for non-privileged users but does not encrypt the stored data. Option A is wrong: Azure Key Vault is where the TDE protector and the Always Encrypted column master key are stored, but it is not the encryption mechanism itself.

120
Multi-Selecthard

A company is using Microsoft Defender for Cloud to secure their Azure environment. They have enabled the 'Defender for Cloud's integrated workload protection' plan for Azure SQL Database. Which TWO of the following security features are included in this plan?

Select 2 answers
A.Microsoft Purview Information Protection
B.Azure Policy
C.Vulnerability assessment
D.Transparent Data Encryption (TDE)
E.Advanced Threat Protection (ATP)
AnswersC, E

Defender for SQL includes vulnerability assessment capabilities.

Why this answer

Options C and E are correct. Option C: vulnerability assessment, which scans the database for misconfigurations and excessive permissions, is part of Microsoft Defender for SQL. Option E: Advanced Threat Protection, which alerts on SQL injection attempts, anomalous access and brute-force logins, is also part of the plan.

Option D: Azure SQL Database encrypts data at rest with TDE by default, but TDE is a database feature, not part of the Defender plan. Option A: Information Protection is a Microsoft Purview feature, not Defender for Cloud. Option B: Azure Policy is a separate governance tool.

121
MCQmedium

Your organization is using Microsoft Defender for Cloud to secure applications running on Azure. You need to ensure that all Azure Storage accounts have secure transfer required enabled. What is the BEST way to enforce this?

A.Create a custom recommendation in Microsoft Defender for Cloud to alert when storage accounts do not have secure transfer required.
B.Use Azure Blueprints to apply the setting to all subscriptions.
C.Assign an Azure Policy initiative that includes the built-in policy 'Secure transfer to storage accounts should be enabled' with a 'Deny' effect.
D.Grant the 'Storage Account Contributor' role to a security group that will manually enable the setting.
AnswerC

Azure Policy with Deny effect prevents creation of non-compliant storage accounts.

Why this answer

Option C is correct because an Azure Policy assignment with the Deny effect rejects any create or update request for a storage account that does not require secure transfer, so non-compliant accounts cannot appear anywhere in the assigned scope. Deny does not change accounts that already exist; pair it with a Modify-effect policy and a remediation task to fix those. Option A is wrong because Defender for Cloud can detect the issue, but a recommendation does not enforce anything. Option B is wrong because Azure Blueprints is deprecated; Azure Policy is the correct tool.

Option D is wrong because RBAC controls permissions, not configuration, and manual remediation does not scale.

122
MCQeasy

Your organization uses Microsoft Purview to map and classify data across Azure, on-premises, and multi-cloud sources. You need to ensure that sensitive data assets are automatically discovered and classified. Which Microsoft Purview component should you configure?

A.Data Map scanning
B.Data Sharing
C.Data Catalog
D.Data Estate Insights
AnswerA

Automatically discovers and classifies.

Why this answer

Option A is correct because Microsoft Purview Data Map scanning connects to each registered source, discovers the assets and applies classifications to them automatically. Option C is wrong because the Data Catalog is the searchable inventory built from scan results, not the scanning itself. Option B is wrong because Data Sharing is for sharing data with other organizations.

Option D is wrong because Data Estate Insights reports on the scanned estate; it does not scan.

123
MCQhard

Your company uses Microsoft Entra ID for identity management. You need to implement a solution that allows external partners to access a specific application using their own identity providers, while ensuring that their accounts are automatically deprovisioned when removed from their home organization. Which feature should you use?

A.B2B direct federation
B.Entitlement management with connected organizations
C.Self-service sign-up
D.Identity Governance access reviews
AnswerB

Automates lifecycle management.

Why this answer

Option B is correct because entitlement management with connected organizations lets partner users request access packages with their own identities; the package's lifecycle settings (expiration, periodic reviews, and removal of the guest account a set number of days after the user loses their last assignment) deprovision the account automatically. Option A is wrong because B2B direct federation only establishes trust for sign-in; it does not deprovision accounts. Option C is wrong because self-service sign-up creates accounts but does not manage their removal.

Option D is wrong because access reviews remove access only when a reviewer acts on the review; they do not deprovision on the partner's own removal of the user.

124
MCQmedium

You are designing a solution for a multi-national corporation that uses Microsoft Purview to govern data across Azure SQL Database, Azure Data Lake Storage, and Microsoft 365. The data classification labels must be automatically applied based on sensitive data types such as credit card numbers and passport numbers. Which Microsoft Purview capability should you use?

A.Microsoft Purview Data Loss Prevention (DLP) policies
B.Microsoft Purview Audit
C.Microsoft Purview Information Protection
D.Microsoft Purview Data Map with automatic classification
AnswerD

Data Map can scan multiple data sources and automatically apply sensitivity labels based on sensitive data types.

Why this answer

Option D is correct because Microsoft Purview Data Map with automatic classification can scan Azure SQL Database, Azure Data Lake Storage and Microsoft 365 sources and apply classifications and sensitivity labels based on built-in or custom sensitive information types such as credit card and passport numbers. Option C is wrong because Information Protection defines the labels and their protection but does not scan data sources; the Data Map is what applies them across the estate. Option A is wrong because DLP policies prevent data loss based on existing classification; they do not classify.

Option B is wrong because Audit records user and admin activity.

125
MCQhard

Your organization uses Microsoft Defender for Cloud Apps to protect SaaS applications. You need to configure a policy that blocks downloads of files tagged as 'Highly Confidential' from SharePoint Online and triggers an automated investigation. Which policy type should you use?

A.Session policy
B.App discovery policy
C.Access policy
D.Anomaly detection policy
AnswerA

Session policies apply real-time controls inside an app session, including blocking file downloads that carry a given sensitivity label.

Why this answer

Option A is correct because a Conditional Access App Control session policy in Defender for Cloud Apps can use the 'Control file download (with inspection)' type, filter on the file's sensitivity label, and block the download; the policy can also raise an alert that feeds automated investigation. Option C is wrong because an access policy only allows or blocks the initial sign-in to the app based on user, device and location; it does not inspect files or read labels. Option B is wrong because an app discovery policy surfaces shadow IT; it does not control access.

Option D is wrong because an anomaly detection policy flags unusual behavior after the fact; it does not block downloads.

126
Multi-Selectmedium

Your organization is designing a data protection strategy for Microsoft 365 using Microsoft Purview. You need to protect sensitive data from being shared externally via email. Which TWO capabilities should you include?

Select 2 answers
A.Sensitivity labels with encryption for emails and attachments
B.Retention labels and policies
C.Data Loss Prevention (DLP) policies
D.Microsoft Purview Message Encryption
E.Privileged Access Management (PAM)
AnswersA, C

Encryption prevents unauthorized users from reading the content, even if shared.

Why this answer

Options A and C are correct. A sensitivity label with encryption keeps an email and its attachments unreadable to anyone outside the authorized set, even if the message leaves the tenant, and a DLP policy detects the sensitive content and blocks or warns before it is sent to an external recipient. Option D is wrong because Microsoft Purview Message Encryption protects a message in transit and at rest but does not decide whether it may be shared.

Option B is wrong because retention labels manage the data lifecycle, not sharing. Option E is wrong because Privileged Access Management governs administrative tasks, not end-user sharing.

127
MCQhard

Your organization, Contoso Ltd., is a multinational financial services company that handles sensitive customer financial data. They are migrating a critical loan origination application from on-premises to Azure Kubernetes Service (AKS). The application uses SQL Server on Azure VMs for data storage. Compliance requirements mandate encryption at rest and in transit, and data classification labels must be applied automatically to all financial documents stored in Azure Blob Storage. The security team wants to use Microsoft Defender for Cloud to monitor for misconfigurations and threats. You need to design a security solution for the application and data that meets these requirements. Which of the following actions should you take first?

A.Use Microsoft Entra Application Proxy to publish the loan origination application for remote access.
B.Deploy Azure Front Door with WAF policies in front of the loan origination application.
C.Configure Azure VPN Gateway to allow site-to-site VPN connections from employee home offices.
D.Deploy Microsoft Entra Domain Services to extend the on-premises domain to Azure for authentication.
AnswerA

Microsoft Entra Application Proxy provides secure remote access to on-premises web applications without a VPN, and it integrates with conditional access policies for additional security.

Why this answer

Option A is correct because Microsoft Entra Application Proxy is designed for secure remote access to on-premises web applications without a VPN, and it supports Conditional Access policies for the loan origination application. Option B is wrong because Azure Front Door is a global load balancer, CDN and WAF entry point for internet-facing applications, not a remote access solution for a private application. Option C is wrong because Azure VPN Gateway creates site-to-site or point-to-site network tunnels, not per-application, identity-aware access.

Option D is wrong because Microsoft Entra Domain Services provides domain join, LDAP and Kerberos for Azure VMs; it does not publish applications.

128
MCQmedium

A company uses Microsoft Defender for Cloud Apps to protect SaaS applications. The security team receives alerts about suspicious file downloads from a specific user. They want to automatically block the user's account when the risk score exceeds 80. What should they configure?

A.Configure Conditional Access app control
B.Create a session policy
C.Create an access policy
D.Create an app governance policy
AnswerC

Access policies can automatically block a user when the risk score exceeds a threshold.

Why this answer

Option C is correct because an access policy in Defender for Cloud Apps can block a user's access to the app when the configured risk conditions are met. Option B is wrong because session policies control activities inside an established session rather than blocking the user outright. Option D is wrong because app governance policies manage OAuth app consent and permissions.

Option A is wrong because Conditional Access app control is the broker that routes the app's traffic through Defender for Cloud Apps; the blocking decision itself is expressed in a policy.

129
MCQmedium

Refer to the exhibit. You are reviewing an Azure Policy definition. What does this policy do?

A.Audits virtual machines that have a network interface
B.Deletes virtual machines that do not have a network interface
C.Denies creation of virtual machines that have a network interface
D.Denies creation of virtual machines that do not have a network interface attached
AnswerD

The rule's condition tests for the absence of networkProfile.networkInterfaces, and the effect is Deny.

Why this answer

Option D is correct because the rule matches when the resource type is a virtual machine and the networkProfile.networkInterfaces field does not exist, meaning no NIC is attached, and the effect is Deny, so the create or update request is rejected. Option A is wrong because the effect is Deny, not Audit. Option C is wrong because the condition is the absence of a NIC, not its presence.

Option B is wrong because Azure Policy never deletes resources; Deny acts on the request before the resource exists.

130
MCQmedium

Your organization uses Microsoft Defender for Cloud to protect Azure workloads. You need to ensure that all Azure SQL Databases have Threat Detection enabled and Advanced Threat Protection notifications are sent to the security team. What should you do?

A.Enable Advanced Threat Protection on the SQL Server and configure email notifications for all databases.
B.Create an Azure Policy to audit Threat Detection settings and remediate non-compliant databases.
C.Enable Threat Detection on each individual Azure SQL Database and set the email recipients in the server's diagnostic settings.
D.Configure Microsoft Sentinel to monitor Azure SQL Databases and trigger alerts.
AnswerA

This enables Threat Detection on all databases and sends alerts to security team.

Why this answer

Option A is correct because Microsoft Defender for SQL (the current name for Advanced Threat Protection and Threat Detection) is enabled at the logical server, covers every database on that server including ones created later, and its settings include the email recipients for alerts. Option B is wrong because Azure Policy can audit and enable the plan, but the notification recipients are part of the server's Defender settings, not something a policy assignment configures directly. Option D is wrong because Microsoft Sentinel can consume the alerts but is not required to enable detection or send notifications.

Option C is wrong because enabling protection database by database is less efficient, does not cover new databases, and the email recipients are not a diagnostic setting.

131
Multi-Selecthard

You are designing a secure access strategy for Azure App Service web applications. The requirements are: use Azure AD for authentication, restrict access to specific IP ranges, and require multi-factor authentication (MFA) for all users. Which two components should you configure? (Choose two.)

Select 2 answers
A.Apply a network security group (NSG) to the App Service subnet
B.Configure Azure App Service authentication with Microsoft Entra ID
C.Create a Conditional Access policy in Microsoft Entra ID that requires MFA and restricts IP ranges
D.Deploy Azure Firewall to filter inbound traffic
E.Register the application in Microsoft Entra ID
AnswersB, C

This enables Azure AD as the identity provider.

Why this answer

Options B and C are correct because App Service authentication (Easy Auth) can be configured with Microsoft Entra ID as the identity provider, and a Conditional Access policy targeting that application can require MFA and restrict sign-in to named locations that cover the allowed IP ranges. Option E is wrong because the app registration is created as part of configuring App Service authentication; it is not the component that enforces access control. Option A is wrong because a network security group applies to virtual network subnets, not to the multi-tenant App Service front end; App Service access restrictions would be the network-layer equivalent.

Option D is wrong because Azure Firewall filters network traffic; it does not authenticate users or enforce MFA.

132
MCQhard

You have created a custom Azure RBAC role named 'Custom SQL DB Reader' as shown in the exhibit. You assign this role to a user. The user reports they cannot read data from an Azure SQL Database. What is the most likely cause?

A.The Azure SQL Database is not configured to support Azure AD authentication
B.The role does not include 'Microsoft.Sql/servers/databases/read' action
C.The assignableScopes does not include the resource group
D.The role does not include any dataActions
AnswerA

Azure SQL Database does not grant data access through Azure RBAC data actions; reading rows requires a login the database accepts, and a Microsoft Entra ID login requires Entra authentication to be configured on the logical server.

Why this answer

Option A is correct because Azure SQL Database authorizes data-plane access with database users and permissions, not with Azure RBAC dataActions; the role lets the user see the database resource in Azure, but to read rows the user must sign in with Microsoft Entra ID and be mapped to a database user with SELECT permission, which first requires Entra authentication to be enabled on the logical server. Option B is wrong because the role does include the Microsoft.Sql/servers/databases/read action. Option D is wrong because the role does define dataActions; they simply have no effect on Azure SQL Database.

Option C is wrong because assignableScopes includes the subscription, which contains the resource group.

133
MCQeasy

You are designing a solution for a healthcare organization that needs to share patient health information (PHI) with a partner organization. The partner must be able to query the data but should not be able to modify it. Both organizations use Microsoft Entra ID. What should you use?

A.Azure Active Directory B2C (now part of Entra) to allow the partner to authenticate and access data via a custom API.
B.Microsoft Entra entitlement management with an access package that grants read-only access to a SharePoint Online site.
C.Microsoft Purview Information Protection to label the data and allow the partner to decrypt it.
D.Azure DevOps for sharing the data in a repository with read-only permissions.
AnswerB

Entitlement management enables you to govern external access with access packages that include SharePoint Online sites with read-only permissions.

Why this answer

Option B is correct because Microsoft Entra entitlement management lets you create an access package that grants external users, via a connected organization, read-only access to a SharePoint Online site, with expiration and access reviews. Option A is wrong because Azure AD B2C is for customer-facing identity, not partner collaboration. Option C is wrong because Microsoft Purview Information Protection classifies and encrypts data; it does not govern who can query a shared data set.

Option D is wrong because Azure DevOps is for development collaboration, not sharing patient data.

134
MCQhard

Refer to the exhibit. You are evaluating a custom Azure Policy definition for storage accounts. The policy is assigned with effect set to 'Deny'. An administrator attempts to create a new storage account with network rules configured to allow all traffic (defaultAction set to Allow). What will happen?

A.The storage account creation is denied.
B.The storage account is created, and the network rules are automatically changed to deny all traffic.
C.The storage account is created, and an audit event is generated.
D.The storage account is created successfully, and no action is taken.
AnswerA

The policy checks if defaultAction is not 'Deny' and then applies the Deny effect, blocking creation.

Why this answer

Option A is correct because the policy's condition matches any storage account whose networkAcls.defaultAction is not 'Deny', and with the effect set to 'Deny' the matching create request is rejected. Option C is wrong because the effect is Deny, not Audit. Option B is wrong because Deny never modifies the request; a Modify effect would be needed for that.

Option D is wrong because the policy explicitly denies the request.
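Questions 117, 121, 129 and 134 all turn on how an Azure Policy assignment evaluates a rule against a resource: the field condition, the effect (and whether it is a parameter supplied by the assignment), the assignment scope, and enforcementMode. The Python below is an added example for this page, not Microsoft code: a miniature evaluator that runs two rules in the real policyRule shape (the storage networkAcls.defaultAction rule from question 134, parameterised so the same definition can be assigned as Audit or Deny as in questions 117 and 121, and the VM-requires-NIC rule from question 129) against constructed resource payloads. It supports only field/allOf/equals/notEquals/exists conditions; its alias resolution is a simplification (assumption) that maps a property alias straight onto the resource's properties path rather than through the real alias catalogue, and the VM alias name is assumed. The subscription ID, resource group and resource names are constructed.

```python
"""Added example, not from the question bank: a miniature Azure Policy evaluator for
the rule shapes in questions 117, 121, 129 and 134, run on constructed resources.
Supports only field/allOf/equals/notEquals/exists, the Audit/Deny/Disabled effects,
and the assignment's scope, parameters and enforcementMode. Alias resolution is an
assumption: an alias is mapped straight onto the resource's properties path."""
import re
from dataclasses import dataclass

MISSING = object()  # sentinel: the field does not exist on the resource

# Definitions in the real policyRule shape; the storage rule is parameterised like built-ins.
STORAGE_NETWORK_DEFAULT_DENY = {
    "parameters": {"effect": {"type": "String", "defaultValue": "Audit",
                              "allowedValues": ["Audit", "Deny", "Disabled"]}},
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
             "notEquals": "Deny"}]},
        "then": {"effect": "[parameters('effect')]"}}}

VM_REQUIRES_NIC = {"parameters": {}, "policyRule": {   # alias name below is assumed
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
        {"field": "Microsoft.Compute/virtualMachines/networkProfile.networkInterfaces",
         "exists": "false"}]},
    "then": {"effect": "Deny"}}}

# Assignments: same definition, different parameters and enforcement modes (constructed scope).
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
DENY_ASSIGNMENT = {"scope": RG, "enforcementMode": "Default",
                   "parameters": {"effect": {"value": "Deny"}}}
AUDIT_ASSIGNMENT = {"scope": RG, "enforcementMode": "Default", "parameters": {}}
REPORT_ONLY_ASSIGNMENT = {"scope": RG, "enforcementMode": "DoNotEnforce",
                          "parameters": {"effect": {"value": "Deny"}}}

@dataclass(frozen=True)
class Outcome:
    compliant: bool
    action: str  # "none", "out-of-scope", "audit" (created, marked non-compliant), "deny" (rejected)

def resolve_field(resource: dict, field: str):
    """Map a policy field name to its value on the resource, or MISSING."""
    if field in ("type", "name", "location", "id"):
        return resource.get(field, MISSING)
    # "<Namespace>/<resourceType>/<dotted.path>" -> walk resource["properties"] by <dotted.path>
    _, _, rest = field.partition("/")
    _, _, path = rest.partition("/")
    node = resource.get("properties", {})
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return MISSING
        node = node[part]
    return node

def condition_matches(cond: dict, resource: dict) -> bool:
    if "allOf" in cond:
        return all(condition_matches(c, resource) for c in cond["allOf"])
    value = resolve_field(resource, cond["field"])
    if "exists" in cond:
        return (value is not MISSING) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:  # string comparison is case-insensitive, as in Azure Policy
        return value is not MISSING and str(value).lower() == str(cond["equals"]).lower()
    if "notEquals" in cond:  # an absent field counts as "not equal" (assumption)
        return value is MISSING or str(value).lower() != str(cond["notEquals"]).lower()
    raise ValueError(f"unsupported condition: {cond}")

def effective_effect(definition: dict, assignment: dict) -> str:
    effect = definition["policyRule"]["then"]["effect"]
    m = re.fullmatch(r"\[parameters\('(\w+)'\)\]", effect)   # "[parameters('effect')]"
    if m:
        supplied = assignment.get("parameters", {}).get(m.group(1), {}).get("value")
        effect = supplied or definition["parameters"][m.group(1)]["defaultValue"]
    return effect

def evaluate(definition: dict, assignment: dict, resource: dict) -> Outcome:
    if not resource["id"].lower().startswith(assignment["scope"].lower() + "/"):
        return Outcome(compliant=True, action="out-of-scope")
    effect = effective_effect(definition, assignment)
    if effect == "Disabled" or not condition_matches(definition["policyRule"]["if"], resource):
        return Outcome(True, "none")
    # Matched: non-compliant whatever the mode; DoNotEnforce records it but never applies the effect.
    if effect == "Deny" and assignment.get("enforcementMode", "Default") == "Default":
        return Outcome(False, "deny")
    return Outcome(False, "audit")

# Constructed request payloads, shaped as Azure Policy sees them at create time.
def storage_account(name: str, default_action: str, rg: str = RG) -> dict:
    return {"id": f"{rg}/providers/Microsoft.Storage/storageAccounts/{name}",
            "type": "Microsoft.Storage/storageAccounts",
            "properties": {"networkAcls": {"defaultAction": default_action}}}

def virtual_machine(name: str, nic_ids: list[str]) -> dict:
    props = {"hardwareProfile": {"vmSize": "Standard_D2s_v3"}}
    if nic_ids:
        props["networkProfile"] = {"networkInterfaces": [{"id": n} for n in nic_ids]}
    return {"id": f"{RG}/providers/Microsoft.Compute/virtualMachines/{name}",
            "type": "Microsoft.Compute/virtualMachines", "properties": props}
```

Three behaviours are worth checking against the questions: a Deny assignment rejects the open storage account, an Audit assignment (the parameter's default) lets it through but marks it non-compliant, and a Deny assignment in DoNotEnforce mode behaves like Audit, which is the report-only pattern for trying a policy before enforcing it. The scope test is a plain prefix match on the resource ID, which is why an assignment on one resource group does nothing for resources in another.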

135
MCQmedium

You are designing a CI/CD pipeline for a containerized application using Azure DevOps. You need to ensure that container images are scanned for vulnerabilities before being deployed to production. Which service should you integrate?

A.Azure Policy
B.Azure Key Vault
C.Microsoft Defender for Cloud
D.Azure Monitor
AnswerC

Defender for Cloud scans container images for vulnerabilities.

Why this answer

Option C is correct because Microsoft Defender for Cloud (formerly Azure Security Center), through its Defender for Containers plan, scans images pushed to Azure Container Registry for known vulnerabilities, and the pipeline can gate deployment on the results; scanning can also run earlier in the pipeline with the Microsoft Security DevOps task. Option A is wrong because Azure Policy can enforce compliance, such as allowing only images from a trusted registry, but it does not scan images. Option B is wrong because Azure Key Vault stores secrets and keys.

Option D is wrong because Azure Monitor collects metrics and logs; it does not scan.

136
Multi-Selecthard

Your company is using Microsoft Defender for Cloud to protect Azure resources. You need to implement just-in-time (JIT) VM access. Which THREE components are required? (Choose THREE.)

Select 3 answers
A.Microsoft Defender for Cloud enabled at the subscription level.
B.Azure role-based access control (RBAC) permissions for users to request access.
C.Log Analytics workspace for storing access logs.
D.Azure Bastion host for secure RDP/SSH access.
E.A virtual machine with an associated network security group (NSG).
AnswersA, B, E

JIT is a feature of Defender for Cloud.

Why this answer

Options A, B, and E are required. JIT requires a VM with a network security group (NSG), enabling JIT in Defender for Cloud, and assigning permissions to request access. Option D is wrong because an Azure Bastion host is optional.

Option C is wrong because a Log Analytics workspace is not required.

137
MCQeasy

You are reviewing an ARM template snippet that creates a blob container. The security team requires that the container be accessible only via authorized Azure AD identities, not via anonymous access. Based on the exhibit, is the configuration correct?

A.Yes, but you also need to disable shared key access
B.No, you need to set 'publicAccess' to 'Blob' to restrict access
C.Yes, the setting 'publicAccess': 'None' prevents anonymous access, and Azure AD authentication is available by default
D.No, you must also configure a firewall rule to restrict access to Azure AD users
AnswerC

Setting publicAccess to None blocks anonymous access. Azure AD authentication is always an option for authorized users.

Why this answer

Option C is correct because 'publicAccess': 'None' ensures no anonymous access, and Azure AD authentication is the default for authorized identities. Option A is wrong because the configuration is already correct as shown; no additional change is needed. Option B is wrong because container-level access is not a separate setting.

Option D is wrong because RBAC is already the default for authorized identities; no additional action is needed.

138
MCQeasy

Your organization is developing a Power BI dashboard that uses data from an Azure SQL Database. The data includes personally identifiable information (PII). You need to mask the PII from certain users while allowing full access to data owners. What should you use?

A.Azure SQL Database auditing and Microsoft Defender for Cloud
B.Microsoft Purview Data Map and data catalog
C.Dynamic data masking in Azure SQL Database and row-level security in Power BI
D.Microsoft Purview sensitivity labels and auto-labeling
AnswerC

Dynamic data masking obfuscates PII in query results for non-privileged users. RLS restricts rows in Power BI.

Why this answer

Option C is correct because Power BI row-level security (RLS) can filter data based on user roles, but to mask specific columns you need dynamic data masking in Azure SQL Database. Option D is wrong because sensitivity labels do not mask data. Option A is wrong because Azure SQL Database auditing logs access; it does not mask data.

Option B is wrong because Microsoft Purview Data Map scans and catalogs data; it does not mask data.

139
MCQmedium

A multinational retail company, Northwind Traders, is building a new e-commerce platform on Azure. The platform includes a public-facing API built on Azure API Management (APIM) that processes orders containing personal data (PII). The company uses Microsoft Entra ID for identity management. You need to design a security solution that protects the API from common web vulnerabilities (e.g., SQL injection, XSS) and ensures that only authenticated users with the appropriate role can place orders. Additionally, you need to log and monitor all API requests for security auditing. Which combination of services should you use?

A.Use Azure Firewall to filter traffic, implement client certificate authentication in APIM, and use Azure Monitor for logging.
B.Use Azure API Management with built-in WAF, configure OAuth 2.0 authorization with Microsoft Entra ID, and enable Azure Monitor and Log Analytics for logging and alerting.
C.Use Azure Application Gateway with WAF in front of APIM, configure IP whitelisting on APIM, and enable diagnostic settings to send logs to a storage account.
D.Use Azure Front Door with WAF in front of APIM, configure IP whitelisting on APIM, and use Microsoft Sentinel for logging.
AnswerB

APIM WAF protects against OWASP threats, OAuth 2.0 provides secure authentication and authorization, and Monitor/Log Analytics provide comprehensive logging.

Why this answer

Option B is correct because Azure Web Application Firewall (WAF) on APIM protects against OWASP Top 10 threats, OAuth 2.0 with Entra ID provides authentication and authorization, and Azure Monitor and Log Analytics provide logging and monitoring. Option A is wrong because Azure Firewall filters at the network layer and does not protect against application-layer attacks. Option C is wrong because Application Gateway WAF is redundant if APIM WAF is used, and IP whitelisting does not handle authentication/authorization.

Option D is wrong for the same reasons: a Front Door WAF in front of APIM is redundant if APIM WAF is used, and IP whitelisting is not suitable.

140
MCQhard

A company deploys a multi-tier application on Azure Kubernetes Service (AKS). The application uses Azure Key Vault to store secrets. You need to ensure that pod-level access to secrets is restricted to only the pods that require them. What should you implement?

A.Use a managed identity for each pod to access Key Vault directly
B.Configure Azure RBAC on the Key Vault to restrict access to the AKS cluster
C.Apply Azure Policy to deny access to Key Vault from unauthorized namespaces
D.Use the AKS Secret Store CSI Driver with pod-managed identities
AnswerD

CSI driver mounts secrets from Key Vault into specific pods using pod identity.

Why this answer

Option D is correct because the AKS Secret Store CSI Driver allows mounting secrets from Key Vault into specific pods using pod identity, ensuring only authorized pods can access secrets. Option B is wrong because RBAC on the Key Vault itself is too coarse. Option C is wrong because Azure Policy for AKS can enforce compliance but does not manage secret access.

Option A is wrong because a managed identity provides the pod identity but still needs the CSI driver to mount secrets.

141
MCQhard

A company uses Azure API Management to expose backend APIs. They need to implement OAuth 2.0 authorization with Microsoft Entra ID. The APIs are called by a SPA application. Which OAuth 2.0 grant type should be used?

A.Implicit grant
B.Resource owner password credentials grant
C.Authorization code flow with PKCE
D.Client credentials grant
AnswerC

Recommended for SPAs, provides secure token exchange.

Why this answer

Option C is correct because the authorization code flow with PKCE is the recommended grant for SPAs. Option A is wrong because the implicit flow is deprecated due to security concerns. Option D is wrong because the client credentials grant is for server-to-server calls, not user authentication.

Option B is wrong because the resource owner password credentials (ROPC) grant is not recommended and requires the application to handle user credentials directly.

142
MCQhard

Refer to the exhibit. A security analyst is reviewing a Windows security event log from a domain controller. The event indicates an attempted logon failure. Which type of attack is most likely being attempted?

A.Kerberos golden ticket attack
B.DCSync attack
C.Pass-the-hash attack
D.Brute-force password guessing attack
AnswerD

Multiple failed logon attempts with Logon Type 3 targeting a privileged account indicate a brute-force password guessing attack over the network.

Why this answer

Event 4625 is a failed logon attempt. Logon Type 3 (Network) and the target account 'admin' with failure reason 'Unknown user name or bad password' suggest a brute-force or password guessing attack against a privileged account. Option D is correct because the event shows attempts to guess the 'admin' account password over the network.

Option C is wrong because a pass-the-hash attack would use a different logon type and process. Option A is wrong because a Kerberos golden ticket attack would not show a Logon Type 3 failure. Option B is wrong because DCSync would generate different events (4662).

143
Multi-Selectmedium

Your organization is designing a solution to protect sensitive data in Microsoft 365. You need to implement Microsoft Purview Data Loss Prevention (DLP) policies. Which TWO actions can a DLP policy take when a match occurs? (Choose TWO.)

Select 2 answers
A.Encrypt the file with Azure Information Protection.
B.Quarantine the file for administrator review.
C.Automatically apply a sensitivity label.
D.Block the sharing of sensitive information.
E.Show a policy tip to the user.
AnswersD, E

DLP can block sharing actions.

Why this answer

Options D and E are correct. DLP policies can block sharing and show a policy tip to users. Option C is wrong because auto-labeling is a separate feature (auto-labeling policies).

Option B is wrong because DLP policies do not quarantine items. Option A is wrong because encryption is applied via sensitivity labels, not DLP directly.

144
MCQmedium

Your organization stores sensitive data in Azure Blob Storage. You need to ensure that data is encrypted at rest and that the encryption keys are rotated every 90 days. You also need to maintain your own key material. Which solution should you use?

A.Azure Information Protection
B.Azure Storage Service Encryption with Microsoft-managed keys
C.Azure Storage Service Encryption with customer-managed keys in Azure Key Vault
D.Azure Disk Encryption
AnswerC

Customer-managed keys allow you to provide your own key material and rotate it every 90 days.

Why this answer

Option C is correct because Azure Storage encryption with customer-managed keys in Azure Key Vault allows you to supply your own key material and rotate it on your own schedule. Option D is wrong because Azure Disk Encryption is for VM disks, not Blob Storage. Option B is wrong because Azure Storage Service Encryption with Microsoft-managed keys does not allow customer control of the keys or their rotation.

Option A is wrong because Azure Information Protection is for classification and labeling, not encryption at rest.

145
MCQmedium

You are designing a secure data sharing solution for a research organization that needs to share large datasets with external universities. The data must be encrypted at rest and in transit, and access must be time-limited. The solution should minimize administrative overhead. What should you use?

A.Azure Blob Storage with SFTP protocol enabled
B.Azure Data Share with snapshot-based sharing
C.Azure Storage with shared access signatures (SAS) and Azure Key Vault
D.Azure File Sync with on-premises file servers
AnswerC

SAS tokens provide time-limited access, and Azure Storage encrypts data at rest and in transit.

Why this answer

Option C is correct because Azure Storage with SAS tokens provides time-limited access, encryption at rest (SSE), and encryption in transit (HTTPS). Option D is wrong because Azure File Sync focuses on syncing files, not secure sharing. Option B is wrong because Azure Data Share is designed for periodic snapshots, not direct access.

Option A is wrong because SFTP requires more administrative overhead for user management.

146
MCQhard

Refer to the exhibit. You run the PowerShell script to protect high-confidentiality resources. After execution, you find that some resources with tag 'Confidentiality=High' are still unprotected. What is the most likely reason?

A.Some resources are in a different resource group than expected.
B.The script does not check for existing locks properly.
C.Tags are not inherited from resource groups.
D.The script overwrites existing locks.
AnswerA

The script assumes resource group from the resource object.

Why this answer

Option A is correct because the script uses Get-AzResource, which returns resources from all resource groups, but the lock creation uses the -ResourceGroupName parameter. If a resource is in a different resource group than the one resolved from the resource object, the lock might fail or apply incorrectly. Option B is wrong because, although the script does not check for existing locks correctly, the main issue is the resource group mismatch.

Option D is wrong because the script checks for locks before creating new ones. Option C is wrong because tag inheritance is not the issue.

147
MCQhard

Your company uses Microsoft Purview to manage data governance. You need to create a data classification rule that scans Azure Data Lake Storage for personally identifiable information (PII) such as email addresses. The rule must also apply a sensitivity label automatically. Which approach should you use?

A.Create an Azure Policy to detect and label PII.
B.Create a custom scan rule in Microsoft Purview and configure auto-labeling.
C.Use a Power Automate flow to scan files and apply labels.
D.Use Microsoft Defender for Cloud to scan for PII.
AnswerB

Purview scans data and can auto-apply sensitivity labels.

Why this answer

Option B is correct because Microsoft Purview has built-in scan rules for sensitive data types and can auto-label. Option A is wrong because Azure Policy is for compliance, not scanning. Option D is wrong because Microsoft Defender for Cloud is for security posture.

Option C is wrong because custom Power Automate flows are not the primary method for classification.

148
MCQhard

You are designing a solution to securely store and manage secrets for a cloud-native application deployed on Azure Kubernetes Service (AKS). The application needs to retrieve database connection strings and API keys at runtime without hardcoding them. The solution must minimize administrative overhead and integrate with Azure Active Directory (now Microsoft Entra ID) for access control. Which service should you use?

A.Kubernetes Secrets
B.HashiCorp Vault on AKS
C.Azure Key Vault with managed identities
D.Azure App Configuration
AnswerC

Key Vault securely stores secrets, and managed identities provide secure access without credentials.

Why this answer

Option C is correct: Azure Key Vault with managed identities for AKS allows secure secret retrieval without storing credentials in code or configuration, integrates with Entra ID, and minimizes overhead. Option A is wrong: Kubernetes Secrets are not encrypted by default and require additional configuration. Option D is wrong: Azure App Configuration can store configuration but is not optimized for secrets.

Option B is wrong: HashiCorp Vault adds complexity and is not a native Azure service.

149
MCQeasy

Your application uses Azure Key Vault to store secrets. You need to ensure that the application rotates secrets automatically without downtime. Which feature should you enable?

A.Key Vault automatic rotation with Event Grid integration
B.Key Vault manual rotation
C.Key Vault soft-delete
D.Key Vault RBAC
AnswerA

Automates rotation with notifications.

Why this answer

Option A is correct because Key Vault automatic rotation with Event Grid notifications allows the application to be notified before expiration and rotate seamlessly. Option B is wrong because manual rotation requires intervention. Option C is wrong because soft-delete only protects against accidental deletion.

Option D is wrong because RBAC controls access, not rotation.

150
Multi-Selectmedium

You are designing a solution to protect a web application hosted on Azure App Service. The application uses Azure SQL Database and stores sensitive customer data. You need to ensure that the data is encrypted at rest and in transit, and that the application is protected from common web attacks. Which TWO of the following should you implement?

Select 2 answers
A.Azure Private Link for App Service
B.Enforce TLS for Azure SQL Database connections
C.Network Security Groups (NSGs) on the subnet
D.Azure Web Application Firewall (WAF) on Azure Front Door
E.Azure DDoS Protection Standard
AnswersB, D

Enforcing TLS encrypts data in transit between App Service and SQL Database; TDE encrypts at rest.

Why this answer

Options B and D are correct. Option D: Azure WAF on Front Door protects against common web attacks like SQL injection and XSS. Option B: Azure SQL Database always encrypts data at rest with TDE, and enforcing TLS ensures encryption in transit.

Option E is wrong because DDoS Protection is for network-layer attacks, not application-layer attacks. Option C is wrong because Network Security Groups (NSGs) filter network traffic; they do not encrypt data in transit.
