CCNA Security Best Practices Questions

24 questions · Security Best Practices topic · All types, answers revealed

1
Multi-Select · hard

Which TWO of the following are true about Azure Policy initiatives?

Select 2 answers
A. Initiatives cannot be assigned to a management group
B. Initiatives can be assigned to management groups, subscriptions, or resource groups
C. An initiative can only contain one policy definition
D. Initiatives are predefined and cannot be customized
E. Initiatives help to organize policies by grouping them under a common goal
Answers: B, E

Initiatives have the same assignment scopes as policies.

Why this answer

Azure Policy initiatives (also known as policy sets) are designed to group multiple policy definitions together to achieve a common compliance goal. They can be assigned at the management group, subscription, or resource group scope, which allows for broad or granular enforcement of compliance rules across the Azure hierarchy.

Exam trap

The trap here is that candidates often confuse initiatives with single policy definitions, assuming they cannot be customized or assigned broadly, when in fact initiatives are designed for grouping and flexible assignment across multiple scopes.

2
MCQ · easy

A company is moving to a zero-trust security model. Which principle is most important for securing network traffic?

A. Rely on perimeter firewalls to block threats
B. Verify explicitly every access request
C. Trust all traffic within the corporate network
D. Allow all traffic and monitor for anomalies
Answer: B

Zero-trust requires explicit verification for each access attempt.

Why this answer

In a zero-trust model, the principle of 'verify explicitly' means every access request—regardless of source—must be authenticated, authorized, and encrypted before being allowed. This eliminates implicit trust based on network location, which is the core shift from traditional perimeter-based security.

Exam trap

The trap here is that candidates often confuse zero-trust with traditional defense-in-depth, mistakenly thinking perimeter firewalls or anomaly detection are sufficient, when the exam specifically tests the 'verify explicitly' principle as the foundational requirement for zero-trust network traffic.

How to eliminate wrong answers

Option A is wrong because relying solely on perimeter firewalls assumes a trusted internal network, which violates zero-trust's 'never trust, always verify' mandate; threats can originate from inside the network. Option C is wrong because trusting all traffic within the corporate network is the opposite of zero-trust; it ignores lateral movement risks and assumes internal traffic is safe, which is a common attack vector. Option D is wrong because allowing all traffic and monitoring for anomalies is a detect-and-respond approach, not a prevent-and-verify one; zero-trust requires explicit denial by default and only allowing traffic after verification, not passive monitoring.

3
MCQ · hard

You are the lead security architect for a multinational corporation that recently completed a merger. The new entity, Contoso Ltd., has a complex Azure environment with over 200 subscriptions spread across multiple management groups. The company's security team has identified several critical issues: (1) many subscriptions have Azure Security Center's Secure Score below 30%, (2) there are numerous unmanaged VMs with public IP addresses, (3) there is no centralized logging for security events, and (4) identity management is fragmented with multiple Azure AD tenants. The CEO mandates a 'zero-trust' security posture within 12 months. You have a limited budget and must prioritize the most impactful actions. Which course of action should you take first?

A. Implement Azure Sentinel to centralize logs and create automated response playbooks
B. Deploy Azure Firewall and enforce forced tunneling for all VNets
C. Consolidate all Azure AD tenants into a single tenant and establish a common identity baseline
D. Deploy Azure Policy to deny creation of VMs with public IPs and enforce NSGs
Answer: C

Zero-trust requires a unified identity to enforce consistent access policies.

Why this answer

Option C is correct because identity is the foundational control plane for zero-trust architecture. Without a unified identity baseline across a single Azure AD tenant, you cannot enforce consistent conditional access policies, least-privilege access, or authentication strength—making all other security controls ineffective. Consolidating tenants first directly addresses the fragmented identity management issue and enables centralized policy enforcement, which is the highest-impact, lowest-cost action to improve the security posture within 12 months.

Exam trap

The trap here is that candidates often prioritize network controls (Azure Firewall, forced tunneling) or monitoring tools (Azure Sentinel) because they seem more directly related to 'security' or 'visibility,' but the SC-100 exam emphasizes that identity is the new perimeter in zero-trust, and without a unified identity plane, all other controls are undermined.

How to eliminate wrong answers

Option A is wrong because implementing Azure Sentinel for centralized logging and automated response is a detection and response capability, not a preventive control; it does not address the root cause of unmanaged VMs, low Secure Score, or fragmented identity, and it requires significant budget and time to deploy effectively. Option B is wrong because deploying Azure Firewall and forced tunneling is a network-centric control that only mitigates lateral movement and data exfiltration risks; it does not solve the identity fragmentation or low Secure Score issues, and it incurs high operational overhead without addressing the foundational identity problem. Option D is wrong because deploying Azure Policy to deny public IPs and enforce NSGs is a compliance enforcement mechanism that only addresses one symptom (unmanaged VMs with public IPs) but does not fix the underlying identity fragmentation or enable centralized security event logging; without a unified identity, policy assignments cannot be consistently applied across multiple tenants.

4
Drag & Drop · medium

Order the steps to configure Azure DDoS Protection Standard for a virtual network.


Why this order

DDoS Protection requires a plan, association, enablement, then monitoring setup.

5
MCQ · hard

Refer to the exhibit. A company creates this Azure Policy definition and assigns it to a subscription. A developer attempts to create a storage account with blob encryption enabled. The creation fails. What is the most likely reason?

A. The policy effect is set to 'deny' but should be 'audit'
B. The field path for blob encryption is case-sensitive and may not match the actual property
C. The policy uses 'allOf' incorrectly; it should use 'anyOf'
D. The field path is not a valid Azure Resource Manager path
Answer: B

Azure Policy field paths are case-sensitive; the correct path is 'Microsoft.Storage/storageAccounts/encryption.services.blob.enabled' with proper casing.

Why this answer

The policy definition uses the field path `Microsoft.Storage/storageAccounts/encryption.services.blob.enabled` to check for blob encryption. Azure Resource Manager property paths are case-sensitive, and the actual property for blob encryption is `Microsoft.Storage/storageAccounts/encryption.services.blob.enabled` with lowercase 'b' in 'blob'. If the path in the policy uses incorrect casing (e.g., 'Blob' with capital B), the policy engine cannot match the property, causing the deny effect to trigger incorrectly or fail to evaluate properly, leading to creation failure.

Exam trap

Microsoft often tests the nuance that Azure Policy field paths are case-sensitive, tricking candidates who assume ARM properties are case-insensitive or who focus on the effect type rather than the path syntax.

How to eliminate wrong answers

Option A is wrong because changing the effect from 'deny' to 'audit' would only log non-compliance without blocking creation, but the question states the creation fails due to a policy mismatch, not the effect type. Option C is wrong because 'allOf' is used correctly to require all conditions to be true (e.g., type matches and encryption disabled), which is appropriate for denying unencrypted storage; 'anyOf' would allow creation if any single condition is met, which is not the intended logic. Option D is wrong because the field path `Microsoft.Storage/storageAccounts/encryption.services.blob.enabled` is a valid Azure Resource Manager path; the issue is case sensitivity, not path validity.

6
MCQ · medium

A company is deploying Microsoft Defender for Cloud to protect a multi-cloud environment that includes Azure and AWS. The security team wants to prioritize the highest-risk recommendations. Which feature should they use to identify and focus on the most critical security issues?

A. Use Secure Score and its recommendations
B. Regulatory Compliance dashboard
C. Enable Defender for Cloud's enhanced security features
D. Review attack path analysis
Answer: A

Secure Score quantifies risk and prioritizes recommendations.

Why this answer

Secure Score in Microsoft Defender for Cloud aggregates all security recommendations and assigns a score based on their relative risk and impact. By focusing on recommendations that most improve the Secure Score, the security team can systematically prioritize the highest-risk issues across both Azure and AWS resources. This directly aligns with the goal of identifying and focusing on the most critical security issues.

Exam trap

The trap here is that candidates often confuse 'enhanced security features' (which enable advanced detections) with 'prioritization features' (which rank recommendations by risk), leading them to select Option C instead of recognizing that Secure Score is the dedicated prioritization mechanism.

How to eliminate wrong answers

Option B is wrong because the Regulatory Compliance dashboard is designed to track adherence to specific compliance standards (e.g., SOC 2, ISO 27001) and does not inherently prioritize recommendations by risk; it focuses on compliance gaps rather than overall security risk. Option C is wrong because enabling enhanced security features (e.g., Defender for Servers, Defender for SQL) expands the scope of monitoring and threat detection but does not itself provide a prioritization mechanism; it is a prerequisite for advanced protections, not a prioritization tool. Option D is wrong because attack path analysis is a visual tool that maps potential attack vectors but is used for deep investigation of specific threats, not for broad prioritization of all recommendations; it is reactive and scenario-specific, not a holistic risk-ranking feature.

7
Multi-Select · medium

Which THREE of the following are key components of a defense-in-depth strategy?

Select 3 answers
A. Physical security
B. Flat network topology
C. Single sign-on (SSO)
D. Identity and access management
E. Network segmentation
Answers: A, D, E

Physical security is the first layer of defense.

Why this answer

Physical security is a foundational layer in defense-in-depth, protecting hardware assets from unauthorized physical access, theft, or tampering. It includes measures like biometric locks, surveillance cameras, and secure server rooms, which prevent attackers from bypassing logical controls by directly interacting with systems.

Exam trap

The trap here is that candidates often confuse convenience features like SSO with security controls, or assume a flat network is simpler and thus more secure, failing to recognize that defense-in-depth requires multiple independent barriers, not a single authentication mechanism.

8
MCQ · medium

A company is using Azure Active Directory (Azure AD) for identity management. They want to implement a policy that requires all users to use multi-factor authentication (MFA) when accessing Office 365 from outside the corporate network. Which conditional access policy setting should they configure?

A. Assignments > Conditions > Client apps
B. Assignments > Conditions > Locations
C. Assignments > Conditions > Device platforms
D. Assignments > Conditions > Sign-in risk
Answer: B

Location condition can be used to enforce MFA for external networks.

Why this answer

Option B is correct because the Locations condition in Azure AD Conditional Access allows administrators to define named locations (such as corporate IP ranges) and then require MFA when access originates from any location that is not trusted. By configuring a policy that targets 'All users' and 'All cloud apps' (or specifically Office 365), and setting the Locations condition to 'Any location' with the exclusion of the corporate network, the policy enforces MFA for all external access attempts. This directly meets the requirement to require MFA when accessing Office 365 from outside the corporate network.

Exam trap

The trap here is that candidates often confuse the Locations condition with the Sign-in risk condition, thinking that external access is inherently risky, but the question specifically asks for a policy based on network location, not risk level.

How to eliminate wrong answers

Option A is wrong because the Client apps condition controls which types of applications (browser, mobile app, legacy authentication) trigger the policy, not the network location of the user. Option C is wrong because the Device platforms condition filters based on the operating system (e.g., Windows, iOS, Android) and does not consider whether the request originates from inside or outside the corporate network. Option D is wrong because the Sign-in risk condition uses Azure AD Identity Protection to detect risky sign-in behavior (e.g., anonymous IP, leaked credentials) and is not designed to enforce MFA based purely on network location.

9
MCQ · easy

A company uses Azure DevOps for CI/CD. The security team wants to ensure that secrets like API keys and connection strings are never stored in code repositories. Which best practice should they recommend?

A. Use environment variables in the pipeline YAML
B. Use Azure Key Vault references in Azure DevOps variable groups
C. Encrypt secrets using Git-secret and commit to repo
D. Store secrets in Azure App Configuration with encryption
Answer: B

Key Vault references securely fetch secrets at pipeline runtime.

Why this answer

Option B is correct because Azure Key Vault references in Azure DevOps variable groups allow secrets to be securely linked to pipelines without ever storing them in code repositories. At pipeline runtime, the agent retrieves the secret value directly from Azure Key Vault using a managed identity or service principal, ensuring secrets are never exposed in YAML files, logs, or build artifacts.

Exam trap

The trap here is that candidates confuse Azure App Configuration (which is for app-level settings) with Azure Key Vault (which is the correct service for secret management in CI/CD pipelines), or they assume that encrypting secrets before committing them is acceptable, when the best practice is to never store secrets in repositories at all.

How to eliminate wrong answers

Option A is wrong because environment variables in pipeline YAML still require the secret value to be defined somewhere in the pipeline definition or as a plain-text variable, which can be exposed in logs or repository history. Option C is wrong because committing encrypted secrets to a repo using Git-secret still stores the encrypted blob in the repository, violating the principle of never storing secrets in code; decryption keys must also be managed, increasing risk. Option D is wrong because Azure App Configuration with encryption is designed for application configuration settings, not for CI/CD pipeline secrets; it lacks native integration with Azure DevOps variable groups and does not support dynamic secret retrieval during pipeline execution.

10
MCQ · hard

A financial services organization is designing a zero-trust architecture for its Azure environment. They need to ensure that all administrative access to critical systems uses just-in-time (JIT) access and that privileged role assignments are time-bound. Which combination of Microsoft security best practices should they implement?

A. Azure AD Conditional Access and Azure AD Identity Protection
B. Azure Policy and Azure Blueprints
C. Azure Sentinel and Azure Workbook
D. Azure AD Privileged Identity Management (PIM) and Azure Bastion
Answer: D

PIM provides time-bound privileges; Bastion provides JIT VM access.

Why this answer

Azure AD Privileged Identity Management (PIM) provides just-in-time (JIT) activation and time-bound role assignments for privileged roles, directly meeting the requirement for time-bound administrative access. Azure Bastion enables secure, audited RDP/SSH access to Azure VMs without exposing public IP addresses, ensuring that administrative sessions are isolated and monitored. Together, they enforce zero-trust principles by granting ephemeral, scoped access to critical systems.

Exam trap

The trap here is that candidates confuse Azure AD Conditional Access (which controls sign-in conditions) with PIM’s JIT role activation, or they assume Azure Bastion is only a connectivity tool rather than a critical component of zero-trust administrative access.

How to eliminate wrong answers

Option A is wrong because Azure AD Conditional Access and Identity Protection focus on user sign-in risk and session controls, not on time-bound role assignments or JIT access to Azure resources. Option B is wrong because Azure Policy and Blueprints enforce compliance and resource governance (e.g., tagging, allowed locations), but they do not provide JIT activation or time-bound privileged role management. Option C is wrong because Azure Sentinel and Workbooks are for security information and event management (SIEM) and visualization, not for controlling privileged access or session isolation.

11
MCQ · medium

A company is designing a defense-in-depth strategy for their Azure environment. They want to ensure that if a virtual machine is compromised, the attacker cannot move laterally to other VMs in the same virtual network. Which security control should they prioritize?

A. Enable Azure DDoS Protection on the virtual network
B. Implement network segmentation using NSGs and application security groups
C. Enable multi-factor authentication (MFA) for all admin accounts
D. Deploy Azure Bastion for secure remote access
Answer: B

Network segmentation restricts east-west traffic, limiting lateral movement.

Why this answer

Network segmentation using NSGs and application security groups is the correct priority because it directly controls east-west traffic between VMs within the same virtual network. By defining explicit inbound and outbound rules that restrict communication to only necessary ports and protocols (e.g., TCP 443 for HTTPS), an attacker who compromises one VM cannot initiate lateral movement to other VMs, as the NSG will drop unauthorized traffic at the subnet or NIC level.

Exam trap

The trap here is that candidates often confuse network-level controls (NSGs) with identity or access controls (MFA, Bastion) or perimeter defenses (DDoS Protection), failing to recognize that lateral movement is a network traffic problem that requires explicit east-west traffic filtering.

How to eliminate wrong answers

Option A is wrong because Azure DDoS Protection protects against volumetric attacks from the internet, not against lateral movement from a compromised VM inside the same virtual network. Option C is wrong because MFA protects authentication to the Azure portal or management plane, but does not prevent an attacker who already has a foothold on a VM from moving laterally via network traffic. Option D is wrong because Azure Bastion provides secure RDP/SSH access to VMs without exposing public IPs, but once a VM is compromised, Bastion does not restrict the attacker's ability to initiate outbound connections to other VMs in the same network.

12
MCQ · medium

A company is implementing a cloud security governance strategy. They need to ensure that all Azure resources are compliant with internal security policies before deployment. Which approach should they use?

A. Configure Azure Firewall to block non-compliant resources
B. Assign Azure Policy definitions with 'deny' effect at the subscription scope
C. Deploy resources using Azure Blueprints
D. Use Azure DevOps pipelines with manual approval gates
Answer: B

Azure Policy can deny non-compliant resource creation.

Why this answer

Azure Policy with the 'deny' effect is the correct approach because it proactively prevents the deployment of any resource that violates defined security policies at the subscription scope. This ensures compliance before deployment by evaluating the resource against policy rules during the creation or update operation, blocking the request if non-compliant. Unlike reactive measures, this enforces governance at the point of deployment without requiring post-deployment remediation.

Exam trap

The trap here is that candidates confuse Azure Policy with Azure Blueprints, thinking Blueprints enforce compliance, but Blueprints only package and deploy policies—the actual enforcement comes from the Policy definitions themselves.

How to eliminate wrong answers

Option A is wrong because Azure Firewall is a network security service that filters traffic at layers 3-7, not a governance tool that can evaluate or block resource deployments based on compliance policies. Option C is wrong because Azure Blueprints orchestrates the deployment of resource templates and policies but does not inherently enforce compliance; it relies on Azure Policy definitions within the blueprint for enforcement. Option D is wrong because Azure DevOps pipelines with manual approval gates add a human review step but do not automatically enforce compliance; they can be bypassed or delayed and do not prevent deployment of non-compliant resources at the Azure Resource Manager level.

13
Multi-Select · medium

A large enterprise is implementing Microsoft Defender for Cloud to improve their security posture. Which TWO actions should they take to prioritize and remediate security recommendations effectively? (Choose two.)

Select 2 answers
A. Assign each recommendation to a specific team member manually
B. Enable automatic remediation for high-priority recommendations
C. Review Secure Score and focus on recommendations that improve it most
D. Ignore recommendations with low severity to save time
E. Disable recommendations that generate security alerts
Answers: B, C

Automation ensures quick fixes for critical issues.

Why this answer

Option B is correct because Microsoft Defender for Cloud allows you to enable automatic remediation for high-priority recommendations, which automatically applies the necessary configuration changes (e.g., enabling encryption or installing endpoint protection) when a recommendation is triggered. This reduces manual effort and ensures critical security gaps are closed quickly. Option C is correct because the Secure Score aggregates all recommendations into a numerical score, and focusing on recommendations that provide the highest score improvement directly correlates to the most significant risk reduction, aligning with Microsoft's guidance for prioritization.

Exam trap

The trap here is that candidates often confuse 'automatic remediation' with 'manual assignment' (Option A) or incorrectly assume that low-severity recommendations can be safely ignored (Option D), when in fact Defender for Cloud's Secure Score treats all recommendations as contributing to the overall score, and ignoring them can lead to compliance failures and gradual score degradation.

14
Matching · medium

Match each Azure policy effect to its behavior.

Descriptions to match
Prevents resource creation or update
Creates a warning event in activity log
Adds fields to resource during creation
Changes existing resource properties
Deploys a resource if it does not exist

Why these pairings

These are common Azure Policy effects used for governance.

15
MCQ · hard

You are the security architect for a multinational corporation that uses Azure Active Directory (Azure AD) and Microsoft 365. The company has recently experienced a security incident where a compromised user account was used to access sensitive data from a legacy application that does not support modern authentication. To mitigate this risk, you have been asked to recommend a set of security best practices and priorities. The environment includes 50,000 users, 200 applications (many legacy), and a hybrid identity setup with Active Directory Domain Services (AD DS) synchronized to Azure AD via Azure AD Connect. The security team wants to reduce the attack surface, enforce least privilege, and improve identity protection. Current issues include: (1) many users have standing admin privileges on workstations, (2) legacy apps use shared service accounts with weak passwords, (3) Conditional Access policies are not applied consistently, and (4) there is no process for reviewing privileged role assignments. Which course of action should you recommend as the highest priority?

A. Migrate legacy applications to support modern authentication and use Azure AD Application Proxy
B. Implement Azure AD Privileged Identity Management (PIM) for just-in-time access and role approval workflows
C. Deploy Azure AD Password Protection and enforce banned password lists
D. Implement Conditional Access policies to block legacy authentication and require MFA for all users
Answer: B

Directly reduces standing admin privileges and adds review.

Why this answer

Option B is correct because implementing Azure AD Privileged Identity Management (PIM) directly addresses the highest-priority risk: the lack of oversight and control over privileged role assignments. With 50,000 users and many standing admin privileges on workstations, PIM enables just-in-time (JIT) activation, approval workflows, and time-bound roles, which drastically reduces the attack surface by eliminating permanent privileged access. This is the most critical first step because unmanaged privileged accounts are the primary vector for lateral movement and data exfiltration, as demonstrated in the incident.

Exam trap

The trap here is that candidates often prioritize blocking legacy authentication (Option D) or password policies (Option C) because they seem directly related to the incident, but the highest priority in a hybrid environment with 50,000 users is eliminating standing privileged access through PIM, which is the root cause of the attack surface expansion.

How to eliminate wrong answers

Option A is wrong because migrating legacy applications to support modern authentication and using Azure AD Application Proxy is a long-term architectural change that does not address the immediate, highest-priority risk of unmanaged privileged role assignments; it also does not mitigate the standing admin privileges on workstations or the shared service account issue. Option C is wrong because deploying Azure AD Password Protection and enforcing banned password lists, while useful, only addresses weak passwords for shared service accounts and does not solve the core problem of standing admin privileges, inconsistent Conditional Access, or lack of privileged role review. Option D is wrong because implementing Conditional Access policies to block legacy authentication and require MFA for all users is important but does not directly address the lack of privileged role assignment review or the standing admin privileges on workstations; it also cannot enforce JIT access or approval workflows for privileged roles.

16
MCQ · hard

A company uses Azure Security Center and Azure Sentinel. They want to prioritize remediation of vulnerabilities based on risk. Which metric should they use to rank vulnerabilities?

A. Common Vulnerability Scoring System (CVSS) score
B. Azure Secure Score impact
C. Compliance status from Azure Policy
D. Number of security alerts triggered
Answer: B

Secure Score reflects the risk and remediation priority.

Why this answer

Azure Secure Score impact is the correct metric because it directly reflects the risk-based prioritization of security recommendations within Azure Security Center. Each recommendation has a Secure Score impact value that indicates how much your overall security posture improves when remediated, allowing you to prioritize actions that reduce the most risk. This aligns with the scenario's goal of ranking vulnerabilities by risk, as Secure Score impact is calculated using factors like exploitability, threat intelligence, and potential business impact.

Exam trap

The trap here is that candidates often assume CVSS score is the definitive risk metric, but Azure Security Center uses Secure Score impact to incorporate environmental and threat intelligence factors, making it the correct choice for risk-based prioritization in Azure.

How to eliminate wrong answers

Option A is wrong because the Common Vulnerability Scoring System (CVSS) score is a generic, vendor-agnostic metric that does not account for your specific Azure environment, threat landscape, or the actual exploitability of the vulnerability in your context. Option C is wrong because compliance status from Azure Policy indicates whether resources meet regulatory or organizational standards, not the risk level of individual vulnerabilities; it is a binary pass/fail indicator, not a prioritization metric. Option D is wrong because the number of security alerts triggered measures the volume of detected threats, not the severity or risk of underlying vulnerabilities; a vulnerability might have no alerts yet still pose high risk if exploited.

17
MCQ · easy

A company wants to protect sensitive data in their Azure SQL Database from unauthorized access. Which feature should they enable?

A. Azure Information Protection
B. Transparent Data Encryption (TDE)
C. Azure Key Vault
D. Azure Firewall
Answer: B

TDE encrypts SQL Server data files.

Why this answer

Transparent Data Encryption (TDE) performs real-time I/O encryption and decryption of the data and log files at the page level, protecting data at rest in Azure SQL Database. This directly addresses the requirement to prevent unauthorized access to the underlying storage files, as TDE ensures that data cannot be read if the physical media is compromised.

Exam trap

The trap here is that candidates often confuse Azure Information Protection (a classification tool) with database encryption, or think Azure Key Vault alone provides encryption, when in fact TDE is the specific feature that encrypts the database files at rest.

How to eliminate wrong answers

Option A is wrong because Azure Information Protection is a classification and labeling solution for documents and emails, not a database-level encryption feature for Azure SQL Database. Option C is wrong because Azure Key Vault is a secure key management service that can store TDE encryption keys, but it does not itself encrypt the database; it is a supporting component, not the primary feature. Option D is wrong because Azure Firewall is a network security service that controls inbound and outbound traffic at the network layer, not a data-at-rest encryption mechanism for database files.

18
Multi-Select · medium

Which TWO of the following are best practices for securing Azure Kubernetes Service (AKS)?

Select 2 answers
A. Use Azure AD integration for authentication
B. Deploy all applications in the default namespace
C. Use service principals instead of managed identities for pod identity
D. Enable Azure Policy for AKS to enforce pod security policies
E. Enable SSH access to all worker nodes for troubleshooting
Answers: A, D

Azure AD integration provides identity-based access control.

Why this answer

Azure AD integration for AKS enables role-based access control (RBAC) using Azure AD identities, allowing fine-grained permissions for cluster operations. This eliminates the need for shared static credentials and supports conditional access policies, multi-factor authentication, and audit logging via Azure AD sign-in logs. It is a foundational security best practice for identity management in Kubernetes clusters. Option D is the second answer: Azure Policy for AKS installs the Gatekeeper (OPA) admission controller and enforces pod-security constraints through it. Note that the Kubernetes PodSecurityPolicy admission controller itself was removed in Kubernetes 1.25, so read "pod security policies" in the option as the Azure Policy definitions that replaced it, not the deprecated PSP object.

Exam trap

The trap here is that candidates may think service principals are more secure than managed identities because they are explicit credentials, but managed identities eliminate credential management and are the recommended approach for pod identity in Azure. The current form of this recommendation is Microsoft Entra Workload ID (workload identity federation), which exchanges a projected Kubernetes service account token for a managed identity or app registration token, so pods never hold a long-lived secret at all; the older AAD Pod Identity add-on has been retired in its favour.

19
MCQhard

A company uses Azure Policy to enforce compliance. They have a custom policy that denies creation of storage accounts without encryption enabled. A developer reports that they cannot create a storage account even though they specified encryption. What is the most likely cause?

A.The developer does not have 'Microsoft.Authorization/policyAssignments/write' permission
B.The policy effect is set to 'audit' instead of 'deny'
C.The policy's 'then' block uses 'deny' but the condition logic evaluates the 'encryption' property incorrectly
D.The policy is scoped to a management group that includes the developer's subscription
AnswerC

If the condition does not match the actual property path, the deny may fire incorrectly.

Why this answer

Option C is correct because the most likely cause is that the policy's condition logic incorrectly evaluates the encryption property. Azure Policy addresses resource properties through aliases (for storage accounts, names of the form Microsoft.Storage/storageAccounts/..., not raw 'properties.' paths); if the condition points at a path that does not exist on the request (for example 'properties.encryption.enabled' where the real property is nested under 'encryption.services'), uses the wrong operator, or compares a boolean against the string "true", the 'notEquals' condition is true for every storage account and the deny fires even when encryption is specified. This is a common misconfiguration in custom policies. Two practical checks: list the valid aliases for the provider (for example with az provider show --namespace Microsoft.Storage --expand "resourceTypes/aliases") and confirm the one in the definition exists, and assign a new definition with the 'audit' effect first, review the compliance results, and only then switch it to 'deny'.

Exam trap

The trap here is that candidates often assume permission issues (Option A) or scope problems (Option D) are the cause, but the real issue is a misconfigured condition in the policy definition that fails to correctly match the encryption property.

How to eliminate wrong answers

Option A is wrong because 'Microsoft.Authorization/policyAssignments/write' permission is required to assign policies, not to create resources; the developer only needs contributor or owner permissions on the resource scope to create storage accounts. Option B is wrong because if the policy effect were set to 'audit', it would only log non-compliance without blocking creation, so the developer would succeed in creating the account. Option D is wrong because scoping a policy to a management group that includes the developer's subscription would apply the policy correctly; it does not inherently cause a false deny—the issue is with the policy logic, not the scope.

20
MCQhard

Refer to the exhibit. A security architect reviews the Azure AD Conditional Access policy JSON. The policy is intended to require MFA for all users accessing Azure management (Microsoft Azure Management app ID 797f4846-ba77-4853-9e6f-4433c3e1d1c5), except for the BreakGlassAdmin account and from trusted locations. However, some users report being prompted for MFA even when connecting from the corporate office (which is marked as a trusted location). What is the most likely cause?

A.The corporate office location is not correctly defined as a trusted location in Azure AD
B.The grant controls operator is set to 'OR' instead of 'AND'
C.The policy is in 'Report-only' mode
D.The policy applies to all cloud apps, not just Azure management
AnswerA

If the corporate office IP range is not added to trusted locations, 'AllTrusted' won't exclude it.

Why this answer

Option A is correct because the policy excludes 'AllTrusted', and that token only resolves to named locations that are both defined and flagged as trusted ('Mark as trusted location' on the named location, or the legacy MFA trusted IPs list). If the office egress range is missing, wrong, or present but not flagged trusted, the exclusion matches nothing, the request falls under the 'All' locations inclusion, and MFA is required. The quickest check is the sign-in log entry for an affected user: its Conditional Access tab shows which policy applied and which named location, if any, the request's IP was matched to. Also confirm that the public IP the office actually egresses from (not an internal range) is inside the trusted location's CIDRs.

Exam trap

The trap here is that candidates often assume the policy logic is flawed (e.g., grant operator or app scope) when the real issue is a misconfiguration in the location definition, which is a common oversight in Conditional Access troubleshooting.

How to eliminate wrong answers

Option B is wrong because with a single grant control ('mfa') the operator has nothing to combine; 'OR' versus 'AND' only matters once a second control such as a compliant device is required, and either way the grant operator cannot produce an MFA prompt that the location exclusion should have suppressed. Option C is wrong because if the policy were in 'Report-only' mode, it would not enforce MFA at all; the outcome would be recorded in the sign-in log but users would not be prompted, so this cannot explain why MFA is being enforced. Option D is wrong because the policy explicitly targets the Microsoft Azure Management app (ID 797f4846-ba77-4853-9e6f-4433c3e1d1c5), not all cloud apps; if it applied to all cloud apps, users would be prompted for every application, but the complaint is specific to Azure management access from the office, and the app scope is correctly set.
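The evaluation described above, as an added offline model: it is not Microsoft's Conditional Access engine and not code from this page. The policy and named-location objects follow the shape of the Microsoft Graph conditionalAccessPolicy and ipNamedLocation resources; only the Azure management app ID comes from the question, and every other identifier, user and address range is constructed. The model shows the reported symptom (office users prompted because the named location is not marked trusted), the fix, and the checks for the break-glass exclusion, the app scope and report-only mode.

```python
"""Offline model of Conditional Access user, app and location conditions
(constructed example, not the Microsoft Entra evaluation engine)."""
import ipaddress

AZURE_MANAGEMENT_APP = "797f4846-ba77-4853-9e6f-4433c3e1d1c5"   # from the question
BREAK_GLASS = "00000000-0000-0000-0000-00000000b6a5"            # constructed object ID

POLICY = {
    "displayName": "Require MFA for Azure management",
    "state": "enabled",   # or "enabledForReportingButNotEnforced" / "disabled"
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS]},
        "applications": {"includeApplications": [AZURE_MANAGEMENT_APP]},
        "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}

# The corporate office as the architect first found it: the named location exists
# and has the right range, but "Mark as trusted location" was never set.
OFFICE_NOT_TRUSTED = [{
    "@odata.type": "#microsoft.graph.ipNamedLocation", "id": "loc-office",
    "displayName": "Corporate office", "isTrusted": False,
    "ipRanges": [{"cidrAddress": "203.0.113.0/24"}],   # constructed egress range
}]
OFFICE_TRUSTED = [dict(OFFICE_NOT_TRUSTED[0], isTrusted=True)]


def trusted_networks(named_locations):
    """All CIDRs belonging to IP named locations flagged isTrusted."""
    return [ipaddress.ip_network(r["cidrAddress"])
            for loc in named_locations
            if loc.get("@odata.type") == "#microsoft.graph.ipNamedLocation" and loc.get("isTrusted")
            for r in loc["ipRanges"]]


def in_location(ip, location_id, named_locations):
    """Does the sign-in IP fall inside the location the policy references?"""
    addr = ipaddress.ip_address(ip)
    if location_id == "All":
        return True
    if location_id == "AllTrusted":
        return any(addr in net for net in trusted_networks(named_locations))
    for loc in named_locations:
        if loc["id"] == location_id:
            return any(addr in ipaddress.ip_network(r["cidrAddress"]) for r in loc["ipRanges"])
    return False


def policy_applies(policy, user_id, app_id, ip, named_locations):
    """Assignment conditions: an exclusion always wins over an inclusion."""
    c = policy["conditions"]
    users, apps, locs = c["users"], c["applications"], c["locations"]
    if user_id in users.get("excludeUsers", []):
        return False
    if "All" not in users["includeUsers"] and user_id not in users["includeUsers"]:
        return False
    if "All" not in apps["includeApplications"] and app_id not in apps["includeApplications"]:
        return False
    if any(in_location(ip, loc, named_locations) for loc in locs.get("excludeLocations", [])):
        return False
    return any(in_location(ip, loc, named_locations) for loc in locs.get("includeLocations", []))


def mfa_required(policy, user_id, app_id, ip, named_locations):
    """True only when the policy is enforced and matches; report-only mode
    records the outcome in the sign-in log but never prompts."""
    if policy["state"] != "enabled":
        return False
    if not policy_applies(policy, user_id, app_id, ip, named_locations):
        return False
    return "mfa" in policy["grantControls"]["builtInControls"]


def explain_office_prompt(ip, named_locations):
    """The first check when an 'AllTrusted' exclusion does not take effect."""
    addr = ipaddress.ip_address(ip)
    covering = [loc for loc in named_locations
                if any(addr in ipaddress.ip_network(r["cidrAddress"]) for r in loc.get("ipRanges", []))]
    if not covering:
        return "no named location contains this IP: add the office range"
    if not any(loc.get("isTrusted") for loc in covering):
        return "named location contains the IP but is not marked trusted"
    return "IP is inside a trusted location; look beyond locations"


if __name__ == "__main__":
    user, office_ip = "alice-object-id", "203.0.113.40"
    print(mfa_required(POLICY, user, AZURE_MANAGEMENT_APP, office_ip, OFFICE_NOT_TRUSTED))  # the symptom
    print(explain_office_prompt(office_ip, OFFICE_NOT_TRUSTED))
    print(mfa_required(POLICY, user, AZURE_MANAGEMENT_APP, office_ip, OFFICE_TRUSTED))      # after the fix
```

The office address used here is a documentation range; in a real investigation the IP to test is the one recorded in the affected user's sign-in log entry, which is the office's public egress address, not the desktop's internal address.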

21
Drag & Dropmedium

Order the steps to configure Azure Policy to enforce tagging on resources.



Why this order

Policy requires definition, assignment with parameters, and compliance monitoring.
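A worked example covering both the condition bug in question 19 and the define, assign, monitor sequence in question 21, added here as an offline model; it is not the Azure Policy engine and not code from this page. Assumptions: properties are addressed by dotted JSON paths rather than Azure Policy aliases, a tag is reached as tags.<name> instead of tags['<name>'], booleans are compared as JSON booleans, and a condition on a property that is absent from the request is treated as "not equal" to any value (the behaviour that turns a mistyped path into a blanket deny). The request bodies, resource inventory and the sub-app1 scope are all constructed.

```python
"""Offline model of Azure Policy rule evaluation (constructed example).

Not the Azure Policy engine: real definitions address properties through
aliases such as Microsoft.Storage/storageAccounts/encryption.services.blob.enabled
and support many more operators. This subset is enough to show how a condition
that points at the wrong property path fires 'deny' on a request that does
specify encryption, and how a parameterised definition, an assignment that
supplies the parameter, and a compliance pass fit together."""
import re


def _template(value, params):
    """Resolve "[parameters('x')]" and "[concat(...)]" strings; anything else is
    returned unchanged. Assumption: concat() arguments are string literals or
    parameters() calls only."""
    if not (isinstance(value, str) and value.startswith("[") and value.endswith("]")):
        return value
    expr = value[1:-1]
    m = re.fullmatch(r"parameters\('([^']+)'\)", expr)
    if m:
        return params[m.group(1)]
    m = re.fullmatch(r"concat\((.*)\)", expr)
    if m:
        parts = re.findall(r"'([^']*)'|parameters\('([^']+)'\)", m.group(1))
        return "".join(params[name] if name else literal for literal, name in parts)
    raise ValueError(f"unsupported template expression: {value}")


def _get(resource, path):
    """Walk a dotted path; None means the property is absent from the request."""
    cur = resource
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(cond, resource, params):
    """True when the policy's 'if' block matches the resource, i.e. the effect fires."""
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource, params)
    actual = _get(resource, _template(cond["field"], params))
    if "equals" in cond:
        return actual == _template(cond["equals"], params)
    if "notEquals" in cond:
        # Assumption: an absent property is "not equal" to any value. This is
        # exactly how a mistyped field path makes the condition match everything.
        return actual != _template(cond["notEquals"], params)
    if "exists" in cond:
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(definition, assignment, resource):
    """Return the effect that fires ('deny', 'audit', ...) or None if the resource
    satisfies the rule. Assignment parameters override definition defaults."""
    params = {name: spec.get("defaultValue")
              for name, spec in definition.get("parameters", {}).items()}
    params.update(assignment.get("parameters", {}))
    rule = definition["policyRule"]
    if matches(rule["if"], resource, params):
        return _template(rule["then"]["effect"], params)
    return None


def compliance_report(definition, assignment, resources):
    """Compliance-monitoring step: name -> True if compliant, over existing resources."""
    return {r["name"]: evaluate(definition, assignment, r) is None for r in resources}


# Question 19: a PUT for a storage account that DOES specify blob encryption.
STORAGE_REQUEST = {
    "name": "stapp1", "type": "Microsoft.Storage/storageAccounts",
    "properties": {"encryption": {"services": {"blob": {"enabled": True}}}},
}
# The custom definition as the developer hit it: the field path does not exist on
# the request, so notEquals is true for every storage account.
BROKEN_ENCRYPTION_POLICY = {"policyRule": {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"field": "properties.encryption.enabled", "notEquals": True}]},
    "then": {"effect": "deny"}}}
# Same intent, correct path: only genuinely unencrypted accounts are denied.
FIXED_ENCRYPTION_POLICY = {"policyRule": {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"field": "properties.encryption.services.blob.enabled", "notEquals": True}]},
    "then": {"effect": "deny"}}}

# Question 21: definition with parameters, then an assignment that supplies them.
REQUIRE_TAG_DEFINITION = {
    "parameters": {"tagName": {"type": "String"},
                   "effect": {"type": "String", "defaultValue": "audit"}},
    "policyRule": {
        "if": {"field": "[concat('tags.', parameters('tagName'))]", "exists": "false"},
        "then": {"effect": "[parameters('effect')]"}}}
TAG_ASSIGNMENT = {"scope": "/subscriptions/sub-app1",
                  "parameters": {"tagName": "costCenter", "effect": "deny"}}
EXISTING_RESOURCES = [  # constructed inventory for the compliance pass
    {"name": "vm-web", "tags": {"costCenter": "4100"}},
    {"name": "vm-legacy", "tags": {"owner": "ops"}},
]

if __name__ == "__main__":
    print("broken policy:", evaluate(BROKEN_ENCRYPTION_POLICY, {}, STORAGE_REQUEST))
    print("fixed policy: ", evaluate(FIXED_ENCRYPTION_POLICY, {}, STORAGE_REQUEST))
    print("tag compliance:", compliance_report(REQUIRE_TAG_DEFINITION, TAG_ASSIGNMENT, EXISTING_RESOURCES))
```

The three ordered steps of question 21 map onto the three constants and the last call: the definition declares the tagName and effect parameters, the assignment binds them to a scope, and compliance_report is the monitoring pass that flags vm-legacy. Running the definition with the default 'audit' effect before switching the assignment to 'deny' is the same staged rollout suggested for question 19.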

22
MCQeasy

Refer to the exhibit. The ContosoPlatform management group has an Azure Policy assignment that denies all deployments without encryption. The App1 subscription contains a storage account that was created without encryption. Why did the policy not block the storage account?

A.The storage account is in App1 subscription, which is under ContosoApplication, not ContosoPlatform
B.The policy is assigned at ContosoPlatform, but App1 is not a direct child
C.The policy is assigned at ContosoRoot, but ContosoPlatform overrides it
D.Azure Policy does not inherit from parent management groups
AnswerA

A policy assignment applies to the assigned scope and everything beneath it, never to a sibling branch.

Why this answer

Option A is correct because an Azure Policy assignment is inherited by every descendant of its scope: all child management groups, subscriptions, resource groups and resources beneath it, at any depth. The assignment lives at ContosoPlatform, but App1 sits under ContosoApplication, a sibling branch of ContosoPlatform beneath ContosoRoot. App1 is therefore not a descendant of the assigned scope at all, so the deny effect was never evaluated for the deployment.

The storage account was created without encryption because no assignment in App1's ancestry (App1, ContosoApplication, ContosoRoot) required it. To cover App1 as well, the assignment would have to be placed at ContosoApplication or at ContosoRoot.

Exam trap

The trap here is that candidates assume an assignment on any management group under the tenant root applies across the whole tenant. It applies only to the assigned scope and all of its descendants, however deep the nesting, and never to sibling branches; the opposite error, believing inheritance stops at direct children, is the distractor in option B.

How to eliminate wrong answers

Option B is wrong on its premise: inheritance is not limited to direct children. An assignment at ContosoPlatform reaches every management group, subscription, resource group and resource beneath it, however deep; it does not reach App1 because App1 is not beneath it at all. Option C is wrong because the exhibit shows the assignment at ContosoPlatform, not ContosoRoot, and a child scope cannot "override" a parent's assignment anyway: a resource must satisfy every assignment in its ancestry, and the only ways out are the assignment's own exclusions (notScopes) or a policy exemption. Option D is wrong because Azure Policy does inherit from parent management groups to everything beneath them; the statement is factually incorrect.
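An added example of the scope rule above, written as an offline model rather than a call to Azure; it is not the Azure Policy engine and not code from this page. The management-group names mirror the question; the subscription, resource-group, storage-account and assignment names, and the notScopes exclusion on the root assignment, are constructed. It walks a scope's ancestry and returns the assignments that actually reach it, which is the check to run before concluding that a policy "should have" blocked something.

```python
"""Scope inheritance for Azure Policy assignments (constructed example, not the
Azure engine). An assignment applies to its own scope and to every descendant
at any depth, minus anything listed in its notScopes; it never reaches a
sibling branch."""

MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"

# child -> parent for management groups and subscriptions (constructed). Resource
# groups and resources are derived from their ARM ID instead of being listed.
PARENT = {
    MG_PREFIX + "ContosoPlatform": MG_PREFIX + "ContosoRoot",
    MG_PREFIX + "ContosoApplication": MG_PREFIX + "ContosoRoot",
    "/subscriptions/identity-sub": MG_PREFIX + "ContosoPlatform",
    "/subscriptions/app1-sub": MG_PREFIX + "ContosoApplication",
    "/subscriptions/app2-sub": MG_PREFIX + "ContosoApplication",
}

ASSIGNMENTS = [
    {"name": "deny-unencrypted-storage", "scope": MG_PREFIX + "ContosoPlatform"},
    {"name": "require-costcenter-tag", "scope": MG_PREFIX + "ContosoRoot",
     "notScopes": ["/subscriptions/app2-sub"]},   # an exclusion, the only way "out"
]


def parent_scope(scope):
    """One step up the hierarchy, or None at the tenant root."""
    if scope in PARENT:
        return PARENT[scope]
    if "/resourceGroups/" in scope:
        sub, rest = scope.split("/resourceGroups/", 1)
        rg_scope = f"{sub}/resourceGroups/{rest.split('/', 1)[0]}"
        return sub if scope == rg_scope else rg_scope   # RG -> subscription, resource -> RG
    return None


def ancestry(scope):
    """The scope itself followed by each ancestor up to the root."""
    chain = []
    while scope is not None:
        chain.append(scope)
        scope = parent_scope(scope)
    return chain


def effective_assignments(scope, assignments=ASSIGNMENTS):
    """Names of assignments that reach `scope`, nearest assignment scope first.
    A resource must satisfy all of them; a child scope cannot override a parent."""
    chain = ancestry(scope)
    hits = [a for a in assignments
            if a["scope"] in chain
            and not any(excluded in chain for excluded in a.get("notScopes", []))]
    hits.sort(key=lambda a: chain.index(a["scope"]))
    return [a["name"] for a in hits]


if __name__ == "__main__":
    app1_storage = ("/subscriptions/app1-sub/resourceGroups/rg-web"
                    "/providers/Microsoft.Storage/storageAccounts/stapp1")
    print(ancestry(app1_storage))
    print(effective_assignments(app1_storage))            # no deny: ContosoPlatform is a sibling branch
    print(effective_assignments("/subscriptions/identity-sub"))   # deny applies here
```

The ancestry of the App1 storage account never passes through ContosoPlatform, which is the whole answer to the question; the identity subscription, which does sit under ContosoPlatform, picks up both assignments, and app2-sub picks up neither because it is listed in the root assignment's notScopes.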

23
Matchingmedium

Match each compliance framework to its focus area.



Information security management system

Controls for service organizations

Payment card data security

Protected health information privacy and security

Cloud security for US federal agencies

Why these pairings

These are common compliance standards relevant to Azure.

24
MCQhard

A company is planning a migration to Azure and wants to ensure that their security operations center (SOC) has visibility into all Azure resources. They need to collect security logs from multiple subscriptions into a central workspace. Which Azure service should they use?

A.Azure Security Center
B.Azure Policy
C.Azure Monitor
D.Azure Sentinel
AnswerD

Sentinel (now Microsoft Sentinel) is a SIEM built on a Log Analytics workspace that can centralize logs from multiple subscriptions.

Why this answer

Azure Sentinel is the correct choice because it is a cloud-native SIEM (Security Information and Event Management) solution designed to ingest security logs from multiple Azure subscriptions, on-premises sources, and third-party clouds into a single central workspace. It sits on a Log Analytics workspace: the Azure Activity and resource-log connectors route logs from every subscription in the tenant into that one workspace, and Azure Lighthouse extends the same pattern across tenants. On top of the data it provides analytics rules, incidents, threat intelligence matching and automation playbooks, giving the SOC unified visibility, threat detection, and incident response across all Azure resources.

Exam trap

The trap here is that candidates often confuse Azure Monitor (a general monitoring service) with Azure Sentinel (a SIEM). Azure Monitor's Log Analytics workspace is the store Sentinel uses, and its diagnostic settings are how logs reach that store, but Azure Monitor alone has none of the security-specific correlation rules, threat intelligence, or incident management a SOC needs for centralized security operations.

How to eliminate wrong answers

Option A is wrong because Azure Security Center (now part of Microsoft Defender for Cloud) is a cloud security posture management (CSPM) and workload protection tool that provides security recommendations, secure score and threat alerts; its alerts are a data source for Sentinel, but it is not a central log collection and SIEM platform for multiple subscriptions. Option B is wrong because Azure Policy is a governance service that enforces compliance rules and resource configurations, not a log aggregation or SIEM service. Option C is wrong because Azure Monitor is the plumbing rather than the SIEM: its diagnostic settings and Log Analytics workspace collect metrics and logs from Azure resources, and Sentinel is deployed on top of exactly such a workspace, but Azure Monitor by itself lacks the analytics rules, threat intelligence, incidents and playbooks required for a SOC's centralized security operations.
