CCNA Security Best Practices Priorities Questions

75 of 180 questions · Page 1/3 · Security Best Practices Priorities topic

1
Multi-Select · hard

Your company is designing a secure access strategy for a SaaS application that supports SAML 2.0. You need to enforce phishing-resistant authentication. Which THREE of the following methods meet the requirement?

Select 3 answers
A. Microsoft Authenticator push notifications
B. FIDO2 security keys
C. Passkeys (FIDO2) stored on user devices
D. Certificate-based authentication (CBA)
E. SMS one-time passcode (OTP)
Answers: B, C, D

Phishing-resistant hardware-based authentication.

Why this answer

FIDO2 security keys (Option B) are phishing-resistant because they use public-key cryptography and are bound to a specific web origin, preventing credential reuse on fake sites. The WebAuthn protocol ensures the private key never leaves the device, and the hardware key provides strong multi-factor authentication that cannot be intercepted or relayed.

Exam trap

The trap here is that candidates often confuse 'multi-factor' with 'phishing-resistant,' assuming any second factor (like push notifications or SMS) is sufficient, but only FIDO2, passkeys, and certificate-based authentication meet the strict definition of phishing resistance per NIST AAL3.

2
MCQ · medium

Your organization is deploying a new application on Azure that will process personal data for European Union residents. The compliance team requires that the application encrypts all data at rest and in transit, that access to the data is logged and auditable, and that the data is not stored outside the EU. You need to design a solution that meets these requirements while following security best practices. The solution must also minimize operational overhead. You have decided to use Azure SQL Database, Azure Storage, and Azure Key Vault. Which design should you recommend?

A. Use Azure SQL Database with Always Encrypted using Azure Key Vault. Use Azure Storage with encryption at rest. Enforce TLS 1.2. Use Azure Traffic Manager to route traffic to EU regions. Enable SQL Auditing and export logs to an on-premises SIEM.
B. Use Azure SQL Database with Always Encrypted using client-managed keys stored in a config file. Enforce TLS 1.2. Use Azure Storage with client-side encryption. Store keys in Azure Key Vault. Configure LRS in EU. Enable SQL Auditing.
C. Use Azure SQL Database with SQL Server encryption (cell-level). Use Azure Storage with encryption at rest. Store keys in application code. Use Azure Backup for long-term retention. Enable auditing on SQL Database.
D. Use Azure SQL Database with Transparent Data Encryption (TDE) using service-managed keys. Enforce TLS 1.2 for connections. Use Azure Storage with encryption at rest using Microsoft-managed keys. Store keys in Azure Key Vault. Configure geo-redundant storage (GRS) in an EU region. Enable diagnostic settings to send logs to a Log Analytics workspace in the EU.
Answer: D

Meets all requirements with minimal overhead: built-in encryption, key management, geo-restriction, and logging.

Why this answer

Option D is correct because it uses Transparent Data Encryption (TDE) with service-managed keys for Azure SQL Database, which encrypts data at rest with minimal operational overhead, and enforces TLS 1.2 for data in transit. Azure Storage encryption at rest with Microsoft-managed keys meets the encryption requirement without management burden. Geo-redundant storage (GRS) within an EU region ensures data residency, and diagnostic settings that send logs to a Log Analytics workspace in the EU provide auditable logging while keeping the logs within the EU. Together these align with security best practices and minimize operational overhead.

Exam trap

The trap here is that candidates often choose Always Encrypted or client-side encryption thinking they provide stronger security, but for minimizing operational overhead with data at rest encryption, TDE with service-managed keys is the correct choice because it is fully managed by Azure and meets compliance requirements without the complexity of key management or client-side encryption.

How to eliminate wrong answers

Option A is wrong because Azure Traffic Manager routes traffic based on performance or priority, not data residency, and exporting logs to an on-premises SIEM increases operational overhead and may violate data residency if the SIEM is outside the EU. Option B is wrong because storing client-managed keys in a config file is insecure and violates best practices; client-side encryption for Azure Storage adds unnecessary complexity and overhead, and Always Encrypted with client-managed keys in a config file does not meet the requirement for auditable key management. Option C is wrong because cell-level encryption is deprecated and not recommended for new deployments; storing keys in application code is a critical security flaw, and Azure Backup does not address encryption at rest or in transit requirements.

3
MCQ · easy

Your organization is using Microsoft Defender for Cloud to assess the security posture of Azure resources. You need to ensure that the highest severity recommendations are addressed first. Which dashboard or feature in Defender for Cloud should you use to view the most critical security issues?

A. Azure Security Center dashboard
B. Inventory
C. Secure Score
D. Security alerts
Answer: C

Secure Score shows recommendations grouped by severity and impact, helping prioritize critical issues.

Why this answer

The Secure Score dashboard in Microsoft Defender for Cloud provides a prioritized list of security recommendations based on their impact on your overall security posture. By sorting recommendations by score impact, you can identify and address the highest severity issues first, as they contribute most significantly to improving your secure score.

Exam trap

The trap here is that candidates confuse 'Security alerts' (which deal with active threats) with 'Secure Score' (which deals with configuration-based recommendations), leading them to choose D instead of C.

How to eliminate wrong answers

Option A is wrong because the Azure Security Center dashboard is a legacy interface that has been replaced by Defender for Cloud; it does not offer the same prioritized recommendation view as Secure Score. Option B is wrong because the Inventory feature lists all monitored resources but does not rank them by severity or provide a prioritized action plan. Option D is wrong because Security alerts focus on active threats and incidents, not on configuration-based recommendations that affect your secure score.

4
MCQ · medium

Your company uses Microsoft Intune to manage corporate devices. The security team wants to prevent users from copying sensitive data from corporate apps to personal apps on mobile devices. Which Intune policy should you configure?

A. Device configuration policies
B. App protection policies
C. Windows Information Protection
D. Device compliance policies
Answer: B

MAM policies restrict data transfer between managed and unmanaged apps.

Why this answer

App protection policies (APP) are the correct Intune policy to prevent data transfer from corporate apps to personal apps on mobile devices. These policies apply at the application layer, allowing you to configure data protection settings such as 'Restrict cut, copy, and paste' and 'Allow app to transfer data to other apps' specifically for managed apps, regardless of the device enrollment state.

Exam trap

The trap here is confusing device-level policies (compliance or configuration) with app-level data protection, leading candidates to select device compliance policies or device configuration policies instead of app protection policies.

How to eliminate wrong answers

Option A is wrong because device configuration policies manage device-level settings (e.g., Wi-Fi, VPN, certificates) and do not control data sharing between apps on mobile devices. Option C is wrong because Windows Information Protection (WIP) is a Windows-only feature for desktop devices and does not apply to mobile platforms like iOS or Android. Option D is wrong because device compliance policies enforce device-level security requirements (e.g., jailbreak detection, minimum OS version) and do not restrict app-to-app data transfer.

5
MCQ · easy

Your organization uses Microsoft Intune for mobile device management. You need to ensure that only devices compliant with security policies can access corporate email. What should you implement?

A. Conditional Access policy requiring compliant device
B. Microsoft Purview Data Lifecycle Management
C. Microsoft Defender for Endpoint integration
D. Microsoft Intune App Protection Policies
Answer: A

This enforces device compliance before granting access.

Why this answer

A is correct because a Conditional Access policy in Microsoft Entra ID can evaluate device compliance status reported by Intune before granting access to corporate email. By configuring a policy that requires a device to be marked as compliant, only devices that meet your security policies (e.g., encryption, OS version, threat level) will be allowed to authenticate and access email. This directly enforces the requirement that only compliant devices can access corporate email.

Exam trap

The trap here is that candidates often confuse Intune App Protection Policies (MAM) with device-based compliance, but MAM policies protect data at the app level and do not require the device itself to be compliant, so they do not meet the requirement of 'only compliant devices'.

How to eliminate wrong answers

Option B is wrong because Microsoft Purview Data Lifecycle Management governs data retention and deletion policies, not real-time access control based on device compliance. Option C is wrong because Microsoft Defender for Endpoint integration provides threat detection and response on endpoints, but does not itself block access to email based on compliance status; it can feed signals into Conditional Access but is not the primary control. Option D is wrong because Intune App Protection Policies (MAM) protect data within apps without requiring device enrollment or compliance, so they do not ensure that only compliant devices can access email—they apply to apps on any device, including non-compliant ones.

6
Multi-Select · medium

A company is designing a data security strategy using Microsoft Purview. They need to identify sensitive data across their data estate, including on-premises SQL Server, Azure SQL Database, and Amazon S3. Which THREE components should they use? (Choose three.)

Select 3 answers
A. Microsoft Purview Data Estate Insights
B. Microsoft Purview External Identities
C. Microsoft Purview Data Catalog
D. Microsoft Purview Compliance Manager
E. Microsoft Purview Data Map
Answers: A, C, E

Data Estate Insights provides monitoring and reporting.

Why this answer

Microsoft Purview Data Estate Insights provides visibility into data estate health and security posture, including sensitive data discovery across on-premises SQL Server, Azure SQL Database, and Amazon S3. It aggregates scan results and offers dashboards to identify where sensitive data resides, enabling targeted classification and protection actions.

Exam trap

The trap here is that candidates confuse Compliance Manager (a compliance posture tool) with data discovery capabilities, or think External Identities (an identity feature) is relevant to scanning data sources, when in fact only Data Map, Data Catalog, and Data Estate Insights form the core trio for sensitive data identification across hybrid estates.

7
MCQ · hard

A security team is designing a Microsoft Sentinel deployment. They need to minimize costs while ensuring critical alerts are always processed. Which data retention and ingestion strategy should they use?

A. Use Basic Logs for all data and retain for 90 days
B. Use Analytics Logs for all data and retain for 30 days
C. Use Basic Logs for critical alerts and retain for 30 days
D. Use Basic Logs for high-volume low-value data and Analytics Logs for critical alerts
Answer: D

This balances cost and performance: cheap storage for bulk data, fast access for critical alerts.

Why this answer

Option D is correct because it aligns with cost optimization and reliability requirements by using Basic Logs for high-volume, low-value data (e.g., firewall logs) and reserving Analytics Logs for critical alerts that require full query capabilities and interactive retention. This tiered approach ensures critical alerts are always processed with full fidelity while reducing storage costs for less important data.

Exam trap

The trap here is that candidates assume all data must be in Analytics Logs for security monitoring, overlooking the cost-saving strategy of tiered ingestion where Basic Logs handle high-volume, low-value data without sacrificing critical alert processing.

How to eliminate wrong answers

Option A is wrong because using Basic Logs for all data prevents critical alerts from being processed with full Analytics Logs features (e.g., advanced KQL queries, scheduled analytics rules), and 90-day retention on Basic Logs incurs unnecessary cost for low-value data. Option B is wrong because using Analytics Logs for all data maximizes cost (Analytics Logs are more expensive per GB) and 30-day retention may not meet compliance or investigation needs for critical alerts. Option C is wrong because using Basic Logs for critical alerts means they lose access to Analytics Logs capabilities (e.g., near-real-time detection, custom detections), and 30-day retention is insufficient for forensic analysis of critical incidents.

8
MCQ · hard

Your organization uses Microsoft Sentinel and has deployed the Analytics rule 'TI map IP entity to AzureActivity' to detect suspicious activities based on threat intelligence. The SOC team reports that the rule has a high false positive rate because it matches benign IP addresses used by legitimate services. What design change should you recommend to reduce false positives while maintaining detection coverage?

A. Increase the alert threshold to require multiple occurrences within a time window.
B. Disable the rule and rely on manual hunting queries.
C. Create a watchlist of trusted IP addresses and modify the rule to exclude those IPs.
D. Create a separate analytics rule that suppresses alerts when the source IP is in a trusted list.
Answer: C

Watchlist exclusion reduces false positives while keeping the rule active.

Why this answer

Option C is correct because creating a watchlist of trusted IP addresses and modifying the 'TI map IP entity to AzureActivity' rule to exclude those IPs directly addresses the high false positive rate caused by benign IPs. This approach preserves detection coverage for all other threat intelligence matches while filtering out known legitimate services, leveraging Sentinel's watchlist feature for dynamic exclusion without disabling the rule.

Exam trap

The trap here is that candidates may choose Option D, thinking a separate suppression rule is needed, but Microsoft Sentinel's analytics rules support direct exclusion via watchlists in the query logic, making a separate rule redundant and less reliable.

How to eliminate wrong answers

Option A is wrong because increasing the alert threshold to require multiple occurrences within a time window does not address the root cause—benign IPs matching threat intelligence—and may delay detection of genuine threats or miss single-occurrence attacks. Option B is wrong because disabling the rule and relying on manual hunting queries eliminates automated detection entirely, increasing risk and workload, which contradicts the goal of maintaining detection coverage. Option D is wrong because creating a separate analytics rule that suppresses alerts when the source IP is in a trusted list introduces unnecessary complexity and potential race conditions; suppression logic should be integrated into the original rule via exclusion, not handled as a separate rule that may not suppress alerts in time or could conflict with other rules.

9
MCQ · easy

Your organization uses Microsoft Sentinel as its SIEM. The security team needs to detect brute-force attacks against Azure VMs by analyzing Windows Security Event logs. Which data connector should you enable?

A. Office 365 connector
B. Azure Activity log connector
C. Microsoft Defender for Cloud connector
D. Windows Security Events via AMA connector
Answer: D

This connector ingests Windows Event logs including security events for analysis.

Why this answer

The Windows Security Events via AMA connector (D) is correct because it ingests Windows Event Logs (specifically Security logs with Event ID 4625 for failed logons) from Azure VMs into Microsoft Sentinel, enabling detection of brute-force patterns. This connector uses the Azure Monitor Agent (AMA) to collect events, which is the recommended method for modern Windows event collection in Sentinel.

Exam trap

The trap here is that candidates may confuse the Azure Activity log connector (which shows administrative actions like 'Deallocate VM') with guest OS-level security events, or mistakenly think Defender for Cloud provides raw Windows event logs instead of aggregated security alerts.

How to eliminate wrong answers

Option A is wrong because the Office 365 connector ingests audit logs from Microsoft 365 services (Exchange, SharePoint, Teams), not Windows Security Event logs from Azure VMs. Option B is wrong because the Azure Activity log connector collects subscription-level control plane events (e.g., VM creation, resource changes), not guest OS-level security events like logon failures. Option C is wrong because the Microsoft Defender for Cloud connector ingests security alerts and posture data from Defender for Cloud, not raw Windows Security Event logs needed for brute-force detection.

10
Multi-Select · hard

Which THREE components should be part of a secure DevOps pipeline using Microsoft security tools? (Select exactly three correct options.)

Select 3 answers
A. Azure Firewall
B. Microsoft Purview
C. Azure Front Door
D. Microsoft Entra ID
E. Microsoft Defender for DevOps
Answers: B, D, E

Can scan for secrets and sensitive data in repositories.

Why this answer

Microsoft Purview is correct because it provides data governance and compliance capabilities, including data classification, labeling, and data loss prevention (DLP) policies, which are essential for securing sensitive data within a DevOps pipeline. It integrates with Azure DevOps and GitHub to automatically detect and protect secrets, credentials, and other sensitive information in code repositories and CI/CD artifacts, ensuring that data security policies are enforced throughout the development lifecycle.

Exam trap

The trap here is that candidates often confuse network security appliances (Azure Firewall, Azure Front Door) with DevOps-specific security controls, failing to recognize that a secure pipeline requires identity, data governance, and workload protection tools that operate at the code and CI/CD layer, not just at the network perimeter.

11
MCQ · medium

Your company uses Microsoft Defender for Endpoint (MDE) and wants to integrate threat intelligence from an external source to improve detection. The security team needs to ingest custom indicators of compromise (IOCs) into MDE. Which feature should they use?

A. Advanced Hunting
B. Threat Analytics
C. Automated investigation and response
D. Custom indicators (IOCs)
Answer: D

Custom indicators allow ingestion of IOCs from external sources.

Why this answer

Option D is correct because the Custom Indicators (IOCs) feature in Microsoft Defender for Endpoint allows security teams to manually ingest and manage threat intelligence from external sources, such as IP addresses, URLs, domains, or file hashes. MDE then uses these indicators to raise alerts on, or block, matching activity, enabling tailored detection beyond the built-in threat intelligence feeds.

Exam trap

The trap here is that candidates often confuse 'Advanced Hunting' (a query tool) with a feature for importing threat data, or they mistakenly think 'Threat Analytics' allows custom feed integration, when in fact it only displays Microsoft's pre-built analysis.

How to eliminate wrong answers

Option A is wrong because Advanced Hunting is a query-based tool for exploring raw telemetry data over the past 30 days, not a mechanism for ingesting external IOCs. Option B is wrong because Threat Analytics provides curated reports and insights on known threats from Microsoft's research, not a way to import custom indicators. Option C is wrong because Automated investigation and response is a workflow that triggers actions on alerts, but it cannot ingest or manage external IOCs; it relies on existing detection rules.

12
Multi-Select · medium

Which TWO actions are part of the Microsoft Cybersecurity Reference Architecture (MCRA) for a Zero Trust implementation?

Select 2 answers
A. Use a single security vendor for all solutions
B. Block all legacy authentication protocols
C. Treat identity as the primary security perimeter
D. Implement micro-segmentation of network traffic
E. Require multifactor authentication for all users
Answers: C, D

MCRA emphasizes identity as the control plane.

Why this answer

Option C is correct because the MCRA explicitly identifies identity as the primary security perimeter in a Zero Trust model, shifting trust from the network to user and device identity. This principle underpins all other controls, as every access request must be authenticated and authorized regardless of location.

Exam trap

The trap here is that candidates often confuse 'best practices' (like blocking legacy auth or requiring MFA for all) with the core architectural principles of Zero Trust defined in the MCRA, which prioritize identity as the control plane and micro-segmentation as the network isolation mechanism.

13
MCQ · easy

Your organization is adopting Microsoft Purview to classify and protect sensitive data in Microsoft 365. You need to ensure that documents containing credit card numbers are automatically detected and encrypted when shared externally. What should you configure?

A. An Information Barrier policy between departments
B. A sensitivity label configured with auto-labeling for credit card numbers and encryption for external sharing
C. A retention label that deletes documents with credit card numbers after 90 days
D. A Data Loss Prevention (DLP) policy that blocks sharing of credit card numbers
Answer: B

Auto-labeling detects the data and encryption protects it when shared externally.

Why this answer

Option B is correct because sensitivity labels in Microsoft Purview can be configured with auto-labeling conditions that detect sensitive data types (e.g., credit card numbers) and automatically apply encryption to documents when shared externally. This meets the requirement of automatic detection and encryption for external sharing without manual user intervention.

Exam trap

The trap here is confusing DLP policies (which block or warn) with sensitivity labels (which can auto-apply encryption), leading candidates to choose DLP when the requirement explicitly states 'encrypt when shared externally' rather than block.

How to eliminate wrong answers

Option A is wrong because Information Barrier policies are designed to prevent communication and collaboration between specific groups or departments, not to detect or encrypt sensitive data like credit card numbers. Option C is wrong because retention labels manage data lifecycle (retention or deletion) based on time, not real-time detection or encryption of sensitive content when shared externally. Option D is wrong because a DLP policy can block sharing of credit card numbers but does not encrypt the documents; it only prevents the action, whereas the requirement is to encrypt when shared externally.

14
MCQ · hard

Your organization is implementing a privileged access strategy using Microsoft Entra Privileged Identity Management (PIM). The compliance team requires that all privileged role activations be approved by a manager and that an audit trail is maintained for at least one year. Which configuration should you recommend?

A. Configure access reviews for privileged roles
B. Set PIM role settings to require approval and enable audit logging
C. Enable Conditional Access policies for privileged roles
D. Require Azure MFA for role activation
Answer: B

PIM supports approval workflow and logs are retained for auditing.

Why this answer

Option B is correct because it directly addresses both compliance requirements: requiring approval ensures a manager authorizes each activation, and enabling audit logging in PIM retains activation history for at least one year. PIM role settings allow you to configure approval workflows and automatically log all activations to the Microsoft Entra audit log, which can be exported and retained for compliance purposes.

Exam trap

The trap here is that candidates confuse access reviews (periodic recertification) with the real-time approval workflow required for each activation, or they assume MFA alone satisfies the audit and approval requirements.

How to eliminate wrong answers

Option A is wrong because access reviews are used for periodic recertification of role assignments, not for real-time approval of activations or audit trail retention. Option C is wrong because Conditional Access policies control access based on conditions like location or device state, but they do not provide the required manager approval workflow or dedicated audit logging for role activations. Option D is wrong because Azure MFA for role activation enhances security but does not satisfy the compliance requirement for manager approval or the one-year audit trail retention.

15
MCQ · hard

Your organization is migrating on-premises workloads to Azure and wants to use Microsoft Defender for Cloud to secure the environment. The compliance team requires that all critical vulnerabilities be remediated within 30 days. What is the most efficient way to track and enforce this?

A. Configure Azure Policy to auto-remediate all Defender for Cloud recommendations
B. Create a custom Azure Dashboard and manually update it weekly
C. Enable automatic VM patching in Azure Update Manager
D. Use Microsoft Defender for Cloud regulatory compliance dashboard with a custom initiative
Answer: D

Tracks compliance against specific standards and deadlines.

Why this answer

Option D is correct because Microsoft Defender for Cloud's regulatory compliance dashboard allows you to apply a custom initiative (e.g., based on the Microsoft Cloud Security Benchmark or a custom policy set) that maps specific security recommendations to compliance controls. By setting the initiative to enforce a 30-day remediation SLA via Azure Policy's 'deployIfNotExists' or 'modify' effects, you can automatically track compliance status and trigger remediation actions, meeting the compliance team's requirement efficiently.

Exam trap

The trap here is that candidates confuse 'auto-remediation' (Option A) with 'tracking and enforcing a time-bound SLA', but auto-remediation applies fixes immediately without a 30-day grace period, while the regulatory compliance dashboard is specifically designed to map recommendations to compliance controls and track remediation against custom timeframes.

How to eliminate wrong answers

Option A is wrong because Azure Policy auto-remediation (e.g., 'deployIfNotExists' effect) can automatically fix non-compliant resources, but it does not inherently track or enforce a 30-day remediation deadline; it applies fixes immediately or on a schedule, not based on a time-bound SLA. Option B is wrong because a custom Azure Dashboard manually updated weekly is not an efficient or automated way to track remediation deadlines; it lacks real-time enforcement and relies on human effort, which is error-prone and does not meet the compliance requirement for automated tracking. Option C is wrong because automatic VM patching in Azure Update Manager only addresses OS-level patch vulnerabilities, not all critical vulnerabilities across the full cloud workload (e.g., misconfigurations, network security groups, storage), and it does not provide a compliance dashboard to track remediation against a 30-day SLA.

16
MCQ · medium

A company uses Microsoft Purview to manage data governance. They need to classify sensitive data automatically in Azure SQL Database. What should they configure?

A. Microsoft Defender for Cloud regulatory compliance
B. Microsoft Purview Data Map scanning rules
C. Microsoft Sentinel data connectors
D. Microsoft Entra ID Protection
Answer: B

Purview Data Map scans and classifies data sources.

Why this answer

Microsoft Purview Data Map scanning rules are the correct choice because they enable automated classification of sensitive data in Azure SQL Database by scanning the database schema and content against built-in or custom sensitive data types. This is the native mechanism within Purview to discover and label sensitive columns, such as credit card numbers or PII, directly in Azure SQL Database.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud's regulatory compliance dashboard with actual data classification, but Defender for Cloud only checks configuration settings against compliance frameworks, not the content of the data itself.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud regulatory compliance assesses the security posture of Azure resources against compliance standards (e.g., SOC 2, PCI DSS) but does not perform data classification or scanning of sensitive data within Azure SQL Database. Option C is wrong because Microsoft Sentinel data connectors ingest security logs and alerts from various sources for threat detection and SIEM purposes, not for scanning or classifying sensitive data in databases. Option D is wrong because Microsoft Entra ID Protection focuses on identity-based risks such as compromised credentials and sign-in anomalies, not on data classification within Azure SQL Database.

17
Multi-Select · medium

Your organization is designing a secure access solution for a partner company that needs to access specific SharePoint Online sites. You need to implement Microsoft Entra ID B2B collaboration. Which THREE configurations are essential for a secure B2B collaboration setup?

Select 3 answers
A. Configure cross-tenant access settings in Microsoft Entra ID
B. Enable multi-factor authentication (MFA) for guest users
C. Use B2B direct connect for SharePoint site access
D. Allow all external domains to invite users without restrictions
E. Set Conditional Access policies that apply to guest users
Answers: A, B, E

Cross-tenant access settings control trust and access policies with partner tenants.

Why this answer

Option A is correct because cross-tenant access settings in Microsoft Entra ID allow you to control inbound and outbound access for B2B collaboration, including trust settings for MFA and device compliance. This is essential to define which partner tenants can access your resources and under what conditions, preventing unauthorized access.

Exam trap

The trap here is confusing B2B direct connect (for Teams shared channels) with B2B collaboration (for SharePoint and other apps), leading candidates to select Option C incorrectly.

18
MCQ · hard

A company uses Azure DevOps and wants to implement a DevSecOps practice by scanning code for secrets and vulnerabilities before deployment. Which tool should they integrate into their pipeline?

A. Azure Policy
B. Microsoft Purview
C. GitHub Advanced Security
D. Microsoft Defender for DevOps
Answer: D

Defender for DevOps integrates with Azure DevOps and GitHub to scan for secrets and vulnerabilities.

Why this answer

Option D is correct because Microsoft Defender for DevOps (now part of Microsoft Defender for Cloud) provides secret scanning, vulnerability scanning, and infrastructure-as-code scanning integrated into Azure DevOps and GitHub. Option A is wrong because Azure Policy enforces compliance but does not scan code. Option B is wrong because Microsoft Purview is for data governance.

Option C is wrong because GitHub Advanced Security is for GitHub, not Azure DevOps; Defender for DevOps supports Azure DevOps.

19
MCQhard

A company is designing a hybrid identity solution with Microsoft Entra ID. They need to ensure that users can access resources from unmanaged devices while maintaining security. The security team requires that all access from unmanaged devices must be limited to browser-only access to web apps and must block native client apps. Which conditional access grant control should you configure?

A.Require multifactor authentication
B.Require device to be marked as compliant
C.Require approved client app
D.Require hybrid Azure AD joined device
AnswerB

Applied to native clients, this grant control keeps unmanaged devices out; a separate browser policy with a session control gives them limited, web-only access.

Why this answer

Option B is the grant control used in Microsoft's documented pattern for this scenario, which takes two Conditional Access policies. The first targets the client app type 'Mobile apps and desktop clients' and grants access only with 'Require device to be marked as compliant'. An unmanaged device can never satisfy that control, because compliance is evaluated by Intune (or a partner compliance source) for enrolled devices only, so native client apps on unmanaged devices are blocked. The second policy targets the client app type 'Browser' and applies the session control 'Use app enforced restrictions', which lets SharePoint Online and Exchange Online serve a limited, web-only experience (no download, print or sync) to unmanaged devices.

The requirement is met by the combination: the grant control in Option B is what blocks native clients on unmanaged devices, and the session control (a session control, not a grant control, so it does not appear among the options) is what keeps browser access limited. The question asks for the grant control, so B is the answer.

Exam trap

The trap here is that candidates confuse grant controls with session controls, or expect 'Require device to be marked as compliant' to let unmanaged devices in, when it can only be satisfied by devices that are enrolled and reported compliant; for unmanaged devices it is precisely the control that blocks native clients.

How to eliminate wrong answers

Option A is wrong because requiring multi-factor authentication does not restrict access to browser-only or block native client apps; it only adds an authentication factor. Option C is wrong because 'Require approved client app' allows native client apps that are approved (e.g., Microsoft apps), which contradicts the requirement to block native client apps entirely. Option D is wrong because 'Require hybrid Azure AD joined device' mandates domain-joined devices, which excludes unmanaged devices, failing the requirement to allow access from unmanaged devices.

20
Multi-Selecthard

Refer to the exhibit. You are reviewing an ARM template for a storage account. The security team has mandated that all storage accounts must enforce HTTPS traffic and use TLS 1.2 or higher. Which two changes must be made to the template to comply? (Choose two.)

Select 2 answers
A.Change 'minimumTlsVersion' to 'TLS1_2'
B.Set 'kind' to 'BlobStorage'
C.Add 'networkAcls' with defaultAction Deny
D.Change 'sku.name' to 'Standard_LRS'
E.Set 'supportsHttpsTrafficOnly' to true
AnswersA, E

TLS 1.0 is deprecated; must be at least 1.2.

Why this answer

Option A is correct because setting 'minimumTlsVersion' to 'TLS1_2' explicitly enforces that only TLS 1.2 or higher is accepted for HTTPS connections to the storage account, meeting the security mandate. Option E is correct because setting 'supportsHttpsTrafficOnly' to true ensures that all traffic to the storage account must use HTTPS, blocking any HTTP requests and aligning with the requirement to enforce HTTPS traffic.

Exam trap

Microsoft often tests the misconception that network access controls (like network ACLs) or storage account type changes can enforce encryption or TLS version requirements, when in fact only the explicit 'minimumTlsVersion' and 'supportsHttpsTrafficOnly' properties control these security settings.
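The two properties from this question can be checked mechanically before a template is deployed. The following is an added example, not the exhibit from the question: it loads a constructed ARM template containing three storage accounts, reports every account whose supportsHttpsTrafficOnly or minimumTlsVersion property is missing or weaker than required, and emits a hardened copy. A missing property is reported as a finding on purpose, since its effective value then depends on the API version's default, which is not something a security baseline should rely on.

```python
"""Check a storage-account ARM template for the two properties the question
is about and emit a hardened copy. Added example; the template below is a
constructed sample, not the exhibit from the question."""
import copy
import json

# Constructed sample: one non-compliant account, one compliant, one that sets neither property.
SAMPLE_TEMPLATE = json.loads(r'''
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts", "apiVersion": "2023-01-01",
      "name": "stlegacyapp", "location": "westeurope",
      "sku": { "name": "Standard_GRS" }, "kind": "StorageV2",
      "properties": { "supportsHttpsTrafficOnly": false, "minimumTlsVersion": "TLS1_0" }
    },
    {
      "type": "Microsoft.Storage/storageAccounts", "apiVersion": "2023-01-01",
      "name": "stcompliant", "location": "westeurope",
      "sku": { "name": "Standard_LRS" }, "kind": "StorageV2",
      "properties": { "supportsHttpsTrafficOnly": true, "minimumTlsVersion": "TLS1_2" }
    },
    {
      "type": "Microsoft.Storage/storageAccounts", "apiVersion": "2023-01-01",
      "name": "stimplicit", "location": "westeurope",
      "sku": { "name": "Standard_LRS" }, "kind": "StorageV2",
      "properties": {}
    }
  ]
}
''')

STORAGE_TYPE = "Microsoft.Storage/storageAccounts"
# Rank of the accepted minimumTlsVersion values (TLS1_3 only on API versions that accept it)
TLS_RANK = {"TLS1_0": 0, "TLS1_1": 1, "TLS1_2": 2, "TLS1_3": 3}


def storage_findings(template: dict) -> list[str]:
    """One finding per violation. An absent property is a finding too: the
    effective value then comes from the API version's default."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type") != STORAGE_TYPE:
            continue
        name = res.get("name", "<unnamed>")
        props = res.get("properties") or {}
        https_only = props.get("supportsHttpsTrafficOnly")
        if https_only is not True:
            findings.append(f"{name}: supportsHttpsTrafficOnly is {https_only!r}, must be true")
        tls = props.get("minimumTlsVersion")
        if tls is None or TLS_RANK.get(tls, -1) < TLS_RANK["TLS1_2"]:
            findings.append(f"{name}: minimumTlsVersion is {tls!r}, must be TLS1_2 or higher")
    return findings


def harden(template: dict) -> dict:
    """Return a copy with both properties set explicitly on every storage account;
    an already-stronger TLS floor is left alone."""
    fixed = copy.deepcopy(template)
    for res in fixed.get("resources", []):
        if res.get("type") == STORAGE_TYPE:
            props = res.setdefault("properties", {})
            props["supportsHttpsTrafficOnly"] = True
            if TLS_RANK.get(props.get("minimumTlsVersion"), -1) < TLS_RANK["TLS1_2"]:
                props["minimumTlsVersion"] = "TLS1_2"
    return fixed


if __name__ == "__main__":
    for finding in storage_findings(SAMPLE_TEMPLATE):
        print("FINDING:", finding)
    print(json.dumps(harden(SAMPLE_TEMPLATE)["resources"][0]["properties"], indent=2))
```

Running the script reports four findings (two for stlegacyapp, two for stimplicit) and none for the hardened copy; the same check expressed as an Azure Policy 'deny' on these two properties is what stops a non-compliant template from being deployed at all.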

21
MCQeasy

You are designing a security solution for Azure resources. You need to ensure that any changes to network security groups (NSGs) are automatically logged and sent to a central Log Analytics workspace. Which Azure feature should you use?

A.Diagnostic settings on the Azure Activity Log
B.Azure Policy
C.NSG flow logs
D.Azure Monitor alerts
AnswerA

Activity Log records control plane events; diagnostic settings can stream these to Log Analytics.

Why this answer

Diagnostic settings on the Azure Activity Log capture all control-plane operations, including changes to NSGs (e.g., rule additions or deletions). By configuring a diagnostic setting to stream the Activity Log to a Log Analytics workspace, you ensure that every NSG modification is automatically logged and centralized for monitoring and alerting.

Exam trap

The trap here is confusing NSG flow logs (which log network traffic) with the Activity Log (which logs configuration changes), leading candidates to select NSG flow logs instead of diagnostic settings on the Activity Log.

How to eliminate wrong answers

Option B (Azure Policy) is wrong because Azure Policy enforces compliance rules (e.g., preventing NSG changes that allow all inbound traffic) but does not automatically log changes; it can trigger remediation but not send logs to Log Analytics. Option C (NSG flow logs) is wrong because NSG flow logs capture IP traffic data (source/destination, ports, protocols) through the NSG, not configuration changes to the NSG itself. Option D (Azure Monitor alerts) is wrong because alerts are reactive notifications based on log data or metrics; they do not capture or forward logs themselves.

22
MCQhard

You are designing a security baseline for Azure resources that host a critical application. The application uses Azure SQL Database, Azure Storage, and Azure Key Vault. You need to ensure that all resources use managed identities for authentication and that no secrets are stored in code or configuration files. Which combination of controls should you include in the baseline?

A.Use user-assigned managed identities for all resources. Configure Key Vault access policies to allow the managed identity. Disable anonymous access to Storage.
B.Use system-assigned managed identities for all resources. Store connection strings in Key Vault secrets and configure SQL Database to use Azure AD authentication.
C.Use system-assigned managed identities for all resources. Configure each resource to use the managed identity. Disable local authentication on Key Vault and Storage. Enable Azure AD-only authentication on SQL Database.
D.Use user-assigned managed identities for all resources. Create a service principal with a client secret for Key Vault access.
AnswerC

This eliminates secrets entirely by using managed identities and disabling local authentication, enforcing Azure AD-only access.

Why this answer

Option C is correct because it enforces the principle of using managed identities for authentication without storing any secrets. System-assigned managed identities are tied directly to each Azure resource, eliminating the need for credential management. Disabling local authentication on Key Vault and Storage, and enabling Azure AD-only authentication on SQL Database, ensures that only managed identities (or other Azure AD identities) can authenticate, meeting the requirement that no secrets are stored in code or configuration files.

Exam trap

The trap here is that candidates often think storing secrets in Key Vault is sufficient, but the requirement is that the application authenticates without a secret at all; a SQL password retrieved from Key Vault is still a password living in process memory and configuration. The correct approach is to authenticate as a managed identity and disable the local authentication paths (storage account keys and SAS, Key Vault access policies, SQL logins), so that a secret which does leak into configuration would not work anyway.

How to eliminate wrong answers

Option A is wrong mainly because it leaves local authentication enabled: granting a Key Vault access policy to the identity does not turn off the vault's other access paths, and nothing in the option disables storage account keys or SAS, so a key that leaks into a configuration file would still work. (User-assigned managed identities are a legitimate choice, just not required here.) Option B is wrong because a connection string kept in Key Vault still carries a secret, typically the SQL login password, that the application retrieves and holds at runtime; the requirement is satisfied by authenticating as the managed identity, not by relocating the secret.

Option D is wrong because creating a service principal with a client secret reintroduces a secret that must be stored and managed, violating the 'no secrets stored in code or configuration files' mandate; user-assigned managed identities are also unnecessary here.
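Both this question and question 18 come down to the same pre-deployment check: does a setting carry a secret, or does it point at an identity-based path that needs none? The following is an added example, not code from the page or from Defender for Cloud: it classifies a constructed set of appsettings-style values, flags the forms that embed a SQL password, storage account key, SAS token or client secret, and accepts the managed-identity forms (the Authentication=Active Directory Managed Identity keyword in a SqlClient connection string, a bare blob endpoint used with DefaultAzureCredential). The pattern list and the accept/flag rules are this example's own.

```python
"""Flag app settings that embed a secret and accept the managed-identity forms
that remove it. Added example; the settings are constructed samples and the
rules are this example's own, not Defender for Cloud's detection logic."""
import re

# Constructed appsettings-style key/value pairs (not from a real deployment)
SAMPLE_SETTINGS = {
    # Secret-bearing: SQL login password inside the connection string
    "Sql:Legacy": "Server=tcp:sql-app.database.windows.net,1433;Database=orders;User ID=app;Password=Pa55w0rd!;",
    # Secret-free: SqlClient obtains a token from the resource's managed identity at runtime
    "Sql:Mi": "Server=tcp:sql-app.database.windows.net,1433;Database=orders;Authentication=Active Directory Managed Identity;",
    # Secret-bearing: storage account key (placeholder value)
    "Storage:Legacy": "DefaultEndpointsProtocol=https;AccountName=stapp;AccountKey=AbCdEf0123==;EndpointSuffix=core.windows.net",
    # Secret-free: endpoint only; the SDK authenticates with DefaultAzureCredential
    "Storage:BlobEndpoint": "https://stapp.blob.core.windows.net",
    # Secret-bearing: SAS token in a URL
    "Storage:SasUrl": "https://stapp.blob.core.windows.net/backups?sv=2022-11-02&ss=b&sig=abc123",
    # Secret-bearing: service principal client secret (placeholder value)
    "AZURE_CLIENT_SECRET": "8Q~placeholder",
    # Secret-free: identifiers are not secrets
    "AZURE_CLIENT_ID": "00000000-0000-0000-0000-000000000000",
    "KeyVault:Uri": "https://kv-app.vault.azure.net/",
}

# Secret material recognisable from the value itself (example's own list)
SECRET_VALUE_PATTERNS = [
    ("sql-password", re.compile(r"(?:^|;)\s*(?:password|pwd)\s*=", re.I)),
    ("storage-account-key", re.compile(r"(?:^|;)\s*accountkey\s*=", re.I)),
    ("shared-access-signature", re.compile(r"(?:^|[?&])(?:sig|sharedaccesssignature)=", re.I)),
]
# Setting names that by convention hold a secret
SECRET_KEY_PATTERN = re.compile(r"(client[_-]?secret|api[_-]?key|password|pwd)$", re.I)
# Connection-string keywords that delegate authentication to an identity
MANAGED_IDENTITY_MARKERS = (
    "authentication=active directory managed identity",
    "authentication=active directory default",
)


def classify(key: str, value: str) -> str:
    """Return 'secret:<kind>', 'managed-identity' or 'clean'."""
    for kind, pat in SECRET_VALUE_PATTERNS:
        if pat.search(value):
            return f"secret:{kind}"
    if any(marker in value.lower() for marker in MANAGED_IDENTITY_MARKERS):
        return "managed-identity"
    if SECRET_KEY_PATTERN.search(key):
        return "secret:named-setting"
    return "clean"


def scan(settings: dict) -> dict:
    return {k: classify(k, v) for k, v in settings.items()}


def violations(settings: dict) -> list[str]:
    """Keys that must go before the baseline in Option C can hold."""
    return [k for k, c in scan(settings).items() if c.startswith("secret:")]


if __name__ == "__main__":
    for key, verdict in scan(SAMPLE_SETTINGS).items():
        print(f"{verdict:32} {key}")
```

Secret patterns are checked before the managed-identity markers so a string that carries both a password and an Authentication keyword is still flagged; the check is a pipeline gate, and the runtime counterpart is disabling shared key access on the storage account and enabling Azure AD-only authentication on the SQL server so the flagged forms stop working even if one slips through.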

23
MCQeasy

You are designing a security operations strategy for Microsoft 365. You need to prioritize alerts from Microsoft Defender XDR based on their impact on business operations. Which security best practice should you follow?

A.Prioritize alerts based on a risk assessment that considers asset criticality, threat severity, and business impact
B.Prioritize alerts based on a qualitative risk assessment only
C.Treat all alerts with equal severity to ensure none are missed
D.Prioritize alerts based solely on the MITRE ATT&CK technique involved
AnswerA

Risk-based prioritization ensures resources are focused on the most impactful threats.

Why this answer

Option A is correct because risk-based triage weighs three things together: asset criticality (how important the affected device, identity or service is), threat severity (the severity Defender XDR assigns to an alert: Informational, Low, Medium or High) and business impact (for example, the sensitivity of the data or the service involved). Defender XDR supports this with alert severity, incident correlation and asset context on the entities in an incident, and the practice ensures that high-impact alerts are addressed first to minimize business disruption.

Exam trap

The trap here is that candidates may choose Option D because MITRE ATT&CK is a common framework in security operations, but they overlook that Microsoft Defender XDR's prioritization engine uses a multi-faceted risk assessment (including asset criticality and business impact) rather than a single technique-based filter.

How to eliminate wrong answers

Option B is wrong because a qualitative risk assessment alone lacks the quantitative data (e.g., asset criticality scores, threat severity levels) that Microsoft Defender XDR uses to dynamically prioritize alerts, leading to subjective and inconsistent triage. Option C is wrong because treating all alerts with equal severity ignores the risk-based prioritization built into Microsoft Defender XDR, which uses machine learning and threat intelligence to assign different severity levels (e.g., High, Medium, Low) and would overwhelm security operations with noise. Option D is wrong because prioritizing solely on the MITRE ATT&CK technique ignores asset criticality and business impact; for example, a low-severity technique on a critical server may be more impactful than a high-severity technique on a non-critical endpoint, and Microsoft Defender XDR's alert enrichment includes asset context beyond just the technique.

24
MCQeasy

A company is adopting Microsoft Purview for data security. They need to prevent users from sharing sensitive data like credit card numbers via email. Which feature should you configure?

A.Audit log search
B.Data Loss Prevention (DLP) policy
C.Insider Risk Management policy
D.Sensitivity labels
AnswerB

Specifically blocks sharing of sensitive information.

Why this answer

Data Loss Prevention (DLP) policies in Microsoft Purview are specifically designed to detect and prevent the accidental or intentional sharing of sensitive information, such as credit card numbers, through email and other channels. By configuring a DLP policy with a rule that scans for credit card number patterns (using predefined or custom sensitive info types), the system can block, quarantine, or notify users when such data is sent via Exchange Online. This directly addresses the requirement to prevent sharing sensitive data via email.

Exam trap

The trap here is that candidates often confuse Sensitivity labels as a direct replacement for DLP, but labels are for classification and protection (e.g., encryption), not for real-time content inspection and blocking of specific data patterns like credit card numbers in email.

How to eliminate wrong answers

Option A is wrong because Audit log search is a forensic tool for reviewing past activities, not a preventive control that blocks data sharing in real time. Option C is wrong because Insider Risk Management policies focus on identifying and investigating risky user behaviors (e.g., data exfiltration patterns) rather than enforcing content-based restrictions on outbound email. Option D is wrong because Sensitivity labels classify and protect data through encryption and visual markings, but they do not inherently block the transmission of specific sensitive data types like credit card numbers via email without being combined with a DLP policy.

25
MCQeasy

Tailwind Traders is a small business that uses Microsoft 365 Business Premium. They have no dedicated IT staff. The owner wants to implement basic security measures to protect against common threats like phishing, ransomware, and unauthorized access. They need a simple, cost-effective solution that aligns with Microsoft's security best practices for small businesses. Which set of actions should you recommend?

A.Implement Privileged Identity Management (PIM) for all accounts. Use Azure Information Protection to classify all emails. Set up a SIEM using Microsoft Sentinel.
B.Deploy Microsoft Intune to manage devices. Configure Conditional Access policies to require compliant devices. Use Microsoft Defender for Endpoint for antivirus. Set up a VPN for remote access.
C.Purchase Azure AD Premium P2 for all users. Use Identity Protection to detect risks. Configure Conditional Access with session controls. Use Azure AD Identity Governance for access reviews.
D.Enable Security Defaults in Microsoft Entra ID to enforce MFA for all users. Configure Microsoft Defender for Office 365 to protect against phishing and malware. Use Microsoft Defender for Business (included) for endpoint protection. Regularly review the Microsoft 365 Secure Score and implement top recommendations.
AnswerD

Simple, built-in features that provide strong baseline security.

Why this answer

Option D is correct because it aligns with Microsoft's security best practices for small businesses with no dedicated IT staff. Security Defaults in Microsoft Entra ID provide a baseline of MFA enforcement without requiring complex configuration. Microsoft Defender for Office 365 and Defender for Business (included in Microsoft 365 Business Premium) offer integrated phishing, malware, and endpoint protection.

Regularly reviewing the Secure Score ensures continuous improvement against common threats like ransomware and unauthorized access.

Exam trap

The trap here is that candidates often over-engineer the solution by selecting advanced identity or device-management options (PIM, Entra ID P2 features, compliance-based device management) that are technically valid but inappropriate for a small business with no IT staff, ignoring the cost and complexity constraints explicitly stated in the scenario.

How to eliminate wrong answers

Option A is wrong because Privileged Identity Management (PIM) requires Microsoft Entra ID P2, which is not included in Microsoft 365 Business Premium (it includes P1), and PIM, Azure Information Protection tuning and a Microsoft Sentinel SIEM all need someone to operate them. Option B is not wrong on licensing, since Intune and Conditional Access are included in Business Premium; it is wrong on fit, because device enrollment, compliance policies and compliant-device Conditional Access need ongoing administration, Defender for Business (not Defender for Endpoint) is the included endpoint product, and a VPN does nothing against phishing or ransomware delivered by email. Option C is wrong because Entra ID P2 for every user is an extra cost, and Identity Protection and access reviews are designed for organizations with an identity team, not a simple, cost-effective baseline.

26
MCQeasy

Your organization needs to audit all changes to Azure resources, including who made the change and what was changed. Which Azure service should you use to collect and analyze this audit data?

A.Azure Policy
B.Azure Monitor with activity logs
C.Microsoft Defender for Cloud
D.Microsoft Sentinel
AnswerB

Activity logs capture control-plane changes and are analyzed in Azure Monitor.

Why this answer

Azure Monitor with activity logs is the correct service because the Activity Log captures all control-plane operations on Azure resources, including who performed the change (the Microsoft Entra identity or service principal that authenticated), what was changed (the resource and operation) and when it occurred. Activity logs are retained for 90 days in the portal by default and can be streamed through a diagnostic setting to a Log Analytics workspace for longer retention, querying and alerting, making them the native audit trail for Azure resource modifications.

Exam trap

The trap here is that candidates often confuse Microsoft Sentinel as the audit service because it is a SIEM, but Sentinel ingests logs from other sources (including activity logs) and is not the native collection mechanism; the question specifically asks for the service that collects and analyzes the audit data, which is Azure Monitor with activity logs.

How to eliminate wrong answers

Option A is wrong because Azure Policy is a governance tool that enforces compliance rules on resources (e.g., requiring specific tags or denying certain SKUs) and does not natively log who made changes or what was changed; it evaluates resource configurations against policies but does not provide an audit trail of modifications. Option C is wrong because Microsoft Defender for Cloud focuses on security posture management, threat detection, and vulnerability assessments, not on auditing all resource changes; it uses activity logs for some security alerts but is not designed as a primary audit log service. Option D is wrong because Microsoft Sentinel is a SIEM (Security Information and Event Management) solution that ingests logs from multiple sources, including activity logs, but it is not the service that collects the audit data itself; the underlying source for resource change auditing remains Azure Monitor activity logs.
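Question 21 and this question describe the same pipeline: stream the Activity Log to Log Analytics, then alert on the control-plane operations you care about. The following is an added example, not code from the page: it takes Activity Log records constructed in the shape of the diagnostic export schema (operationName, category, resultType, caller, resourceId) and pulls out the succeeded NSG and NSG-rule writes and deletes with their caller, skipping the Start event that precedes every Success so each change is counted once, and reporting failed attempts separately because a caller who tries and fails to edit an NSG is a signal in its own right. The equivalent KQL for the AzureActivity table is given in a comment; column names should be checked against your workspace.

```python
"""Extract NSG configuration changes, with the caller, from Azure Activity Log
records. Added example; the records are constructed in the shape of the
Activity Log export schema and are not from a real subscription."""
from collections import Counter

# Rough KQL equivalent once the diagnostic setting streams the Activity Log:
#   AzureActivity
#   | where OperationNameValue startswith "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS"
#   | where ActivityStatusValue == "Success"
#   | project TimeGenerated, Caller, OperationNameValue, _ResourceId

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers"
NSG = "/Microsoft.Network/networkSecurityGroups/"


def rec(time, op, result, caller, resource):
    return {"time": time, "operationName": op, "category": "Administrative",
            "resultType": result, "caller": caller, "resourceId": SUB + resource}


# Constructed records: a rule write (Start then Success), an unrelated VM operation,
# an NSG delete by an automation principal, and a failed rule delete.
SAMPLE_RECORDS = [
    rec("2024-05-02T09:14:03Z", "Microsoft.Network/networkSecurityGroups/securityRules/write", "Start",
        "alice@contoso.example", NSG + "nsg-web/securityRules/allow-rdp-any"),
    rec("2024-05-02T09:14:05Z", "Microsoft.Network/networkSecurityGroups/securityRules/write", "Success",
        "alice@contoso.example", NSG + "nsg-web/securityRules/allow-rdp-any"),
    rec("2024-05-02T09:20:41Z", "Microsoft.Compute/virtualMachines/start/action", "Success",
        "bob@contoso.example", "/Microsoft.Compute/virtualMachines/vm-web-01"),
    rec("2024-05-02T11:02:17Z", "Microsoft.Network/networkSecurityGroups/delete", "Success",
        "sp-automation", NSG + "nsg-old"),
    rec("2024-05-02T13:45:00Z", "Microsoft.Network/networkSecurityGroups/securityRules/delete", "Failure",
        "mallory@contoso.example", NSG + "nsg-web/securityRules/deny-all-inbound"),
]

NSG_OP_PREFIX = "Microsoft.Network/networkSecurityGroups/"


def is_nsg_config_op(record: dict) -> bool:
    """True for writes and deletes of an NSG or one of its rules."""
    op = record.get("operationName", "")
    return op.startswith(NSG_OP_PREFIX) and op.rsplit("/", 1)[-1] in ("write", "delete")


def nsg_changes(records: list) -> list:
    """Completed NSG changes: who, when, which action, which resource."""
    return [
        {"time": r["time"], "caller": r["caller"],
         "action": r["operationName"].rsplit("/", 1)[-1],
         "resource": r["resourceId"].split("/providers", 1)[-1]}
        for r in records
        if is_nsg_config_op(r) and r.get("resultType") == "Success"
    ]


def failed_nsg_attempts(records: list) -> list:
    """Attempts that were denied or failed; worth a separate, lower-volume alert."""
    return [r for r in records if is_nsg_config_op(r) and r.get("resultType") == "Failure"]


def changes_by_caller(records: list) -> Counter:
    return Counter(change["caller"] for change in nsg_changes(records))


if __name__ == "__main__":
    for change in nsg_changes(SAMPLE_RECORDS):
        print(change["time"], change["caller"], change["action"], change["resource"])
    for attempt in failed_nsg_attempts(SAMPLE_RECORDS):
        print("FAILED:", attempt["caller"], attempt["operationName"])
```

Filtering on the Success result is what keeps a single rule edit from producing two alerts; a rule named allow-rdp-any written by a user account, as in the sample, is the kind of change an analyst wants surfaced with the caller attached rather than discovered later in flow logs.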

27
MCQeasy

Your organization is adopting Microsoft Entra ID as the identity provider for all SaaS applications. The security team wants to enforce multifactor authentication (MFA) for all users accessing these applications. Which approach aligns with security best practices and minimizes user friction?

A.Enable per-user MFA for all users in Microsoft Entra ID.
B.Disable MFA and rely on strong password policies.
C.Enable Microsoft Entra ID Security defaults.
D.Create a Conditional Access policy requiring MFA for all cloud apps, excluding trusted locations and devices.
AnswerD

Conditional Access provides risk-based MFA with exception handling.

Why this answer

Option D is correct because Conditional Access policies allow granular, risk-based MFA enforcement that excludes trusted locations (e.g., corporate offices) and trusted devices (e.g., compliant or hybrid-joined devices). This aligns with the Zero Trust principle of 'verify explicitly' while minimizing user friction by not prompting for MFA when the user is already in a trusted context. Security defaults (Option C) enforce MFA for all users but lack the ability to exclude trusted locations or devices, which can cause unnecessary friction.

Exam trap

The trap here is that candidates often confuse Security defaults (Option C) as the best practice for MFA enforcement, but Security defaults lack the exclusion capabilities of Conditional Access, which is the recommended approach for minimizing friction while maintaining security.

How to eliminate wrong answers

Option A is wrong because per-user MFA is the legacy enforcement model: it prompts without regard to sign-in context and offers none of the location, device or application conditions of Conditional Access, so it adds friction while giving less control. Option B is wrong because disabling MFA and relying solely on strong password policies violates security best practices, as passwords alone are vulnerable to phishing, credential stuffing and brute force, and it does not meet the requirement to enforce MFA. Option C is wrong because, while Security defaults enforce MFA for all users, they do not allow exclusion of trusted locations or devices, so users are prompted even from the corporate network or on compliant devices; Security defaults also cannot be used alongside Conditional Access policies in the same tenant, so any tenant that needs an exception has to move to Conditional Access anyway.

28
Multi-Selecthard

Which THREE are security best practices for Microsoft Entra ID? (Select three.)

Select 3 answers
A.Block legacy authentication protocols
B.Enable multifactor authentication for all administrators
C.Disable self-service password reset for users
D.Synchronize all on-premises user accounts to Microsoft Entra ID
E.Use Privileged Identity Management to enforce just-in-time access
AnswersA, B, E

Legacy auth does not support MFA and is a common attack vector.

Why this answer

Legacy authentication protocols (e.g., POP3, SMTP AUTH, IMAP4 and older Office clients using basic authentication) do not support modern security controls like multifactor authentication (MFA) or Conditional Access. Blocking them is a critical security best practice because they bypass MFA requirements, leaving accounts vulnerable to password spray and credential-stuffing attacks. Microsoft Entra ID lets administrators block legacy authentication with a Conditional Access policy whose client app condition targets 'Exchange ActiveSync clients' and 'Other clients', or tenant-wide by enabling Security defaults, which block legacy authentication as part of their baseline.

Exam trap

The trap here is that candidates often assume disabling self-service password reset (SSPR) improves security by reducing attack surface, but in reality, SSPR reduces help desk load and encourages users to reset compromised passwords quickly, while blocking legacy authentication is the actual critical control to prevent MFA bypass.
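Questions 19, 27 and 28 each describe one Conditional Access policy; what matters in practice is how those policies combine on a single sign-in. The following is an added example, not code from the page or from Microsoft: it models the documented evaluation rules (a block in any applicable policy wins, the grant controls of every applicable policy must all be satisfied, an excluded named location takes a policy out of scope, and a sign-in that matches no policy is allowed) against four constructed policies: block legacy authentication, require MFA outside the trusted HQ location, require a compliant device for native clients, and limit browser sessions from unmanaged devices. The policy and sign-in objects are this example's own simplification; Entra ID has many more conditions than are modelled here.

```python
"""Evaluate sign-ins against Conditional Access style policies to show how the
controls in questions 19, 27 and 28 combine. Added example with constructed
policies and sign-ins; it models the documented evaluation rules, not Entra ID's code."""
from dataclasses import dataclass, field


@dataclass
class SignIn:
    user: str
    client_app_type: str     # browser, mobileAppsAndDesktopClients, exchangeActiveSync, other (legacy)
    location: str            # named location such as "HQ", or "internet"
    device_compliant: bool
    mfa_satisfied: bool


@dataclass
class Policy:
    name: str
    client_app_types: set                                   # condition: client app types in scope
    exclude_locations: set = field(default_factory=set)     # condition: trusted locations excluded
    only_noncompliant_devices: bool = False                 # condition: device filter for unmanaged devices
    block: bool = False                                     # grant control: block access
    require_mfa: bool = False                               # grant control
    require_compliant_device: bool = False                  # grant control (Option B in question 19)
    app_enforced_restrictions: bool = False                 # session control: limited web-only access

    def applies(self, s: SignIn) -> bool:
        if s.client_app_type not in self.client_app_types:
            return False
        if s.location in self.exclude_locations:
            return False
        if self.only_noncompliant_devices and s.device_compliant:
            return False
        return True


POLICIES = [
    # Question 28: legacy protocols cannot do MFA, so block them outright
    Policy("Block legacy authentication", {"exchangeActiveSync", "other"}, block=True),
    # Question 27: MFA everywhere except the trusted office location
    Policy("Require MFA outside trusted locations", {"browser", "mobileAppsAndDesktopClients"},
           exclude_locations={"HQ"}, require_mfa=True),
    # Question 19, policy 1: native clients only from compliant devices
    Policy("Native clients require compliant device", {"mobileAppsAndDesktopClients"},
           require_compliant_device=True),
    # Question 19, policy 2: browser from unmanaged devices gets limited web access
    Policy("Browser on unmanaged devices is limited", {"browser"},
           only_noncompliant_devices=True, app_enforced_restrictions=True),
]


def evaluate(s: SignIn, policies=POLICIES) -> tuple:
    """Return (decision, reasons); decision is 'block', 'allow' or 'allow-limited'."""
    applicable = [p for p in policies if p.applies(s)]
    blockers = [p.name for p in applicable if p.block]
    if blockers:                       # block from any policy wins
        return ("block", blockers)
    unmet = []                         # every applicable grant control must be satisfied
    for p in applicable:
        if p.require_mfa and not s.mfa_satisfied:
            unmet.append(f"{p.name}: MFA not satisfied")
        if p.require_compliant_device and not s.device_compliant:
            unmet.append(f"{p.name}: device not compliant")
    if unmet:
        return ("block", unmet)
    if any(p.app_enforced_restrictions for p in applicable):
        return ("allow-limited", [p.name for p in applicable])
    return ("allow", [p.name for p in applicable])   # no matching policy at all also lands here


# Constructed sign-ins
IMAP_FROM_HOME = SignIn("alice", "other", "internet", False, False)
BROWSER_UNMANAGED = SignIn("alice", "browser", "internet", False, True)
OUTLOOK_UNMANAGED = SignIn("alice", "mobileAppsAndDesktopClients", "internet", False, True)
OUTLOOK_MANAGED_AT_HQ = SignIn("bob", "mobileAppsAndDesktopClients", "HQ", True, False)
BROWSER_NO_MFA = SignIn("bob", "browser", "internet", True, False)
BROWSER_MANAGED = SignIn("bob", "browser", "internet", True, True)

if __name__ == "__main__":
    for s in (IMAP_FROM_HOME, BROWSER_UNMANAGED, OUTLOOK_UNMANAGED,
              OUTLOOK_MANAGED_AT_HQ, BROWSER_NO_MFA, BROWSER_MANAGED):
        print(f"{s.user:6} {s.client_app_type:28} {s.location:9} -> {evaluate(s)}")
```

The last line of evaluate is the caveat worth remembering: Conditional Access is default-allow, so a legacy IMAP sign-in is blocked only because the first policy exists, and the MFA exclusion for HQ means a compliant device at the office signs in with no second factor, which is the friction trade-off question 27 describes.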

29
MCQhard

Your company is deploying Microsoft Defender XDR and wants to use automated investigation and response (AIR) to remediate confirmed threats. However, you need to ensure that high-impact actions like deleting email messages or isolating devices require manual approval from the security operations team. Which configuration should you set?

A.Set the automation level to 'Full - automatically remediate all threats'
B.Set the automation level to 'Semi - require approval for high-severity remediations'
C.Set the automation level to 'No automated remediation'
D.Create a custom automation rule in Microsoft Sentinel
AnswerB

This level requires manual approval for high-impact actions.

Why this answer

Option B is the keyed answer: a 'Semi' automation level means AIR still investigates automatically but queues remediation actions for approval in the Action center instead of executing them, which gives the security operations team sign-off on actions with operational impact. One caveat: the option text is simplified. The levels actually set per device group in Microsoft Defender for Endpoint are 'Full - remediate threats automatically', 'Semi - require approval for any remediation', 'Semi - require approval for core folders remediation', 'Semi - require approval for non-temp folders remediation' and 'No automated response'; none is keyed to alert severity. Email actions proposed by Defender for Office 365 AIR (soft delete, block URL) always wait for approval in the Action center. The setting that matches the scenario is therefore a Semi level, balancing automated investigation with human oversight of the actions that matter.

Exam trap

The trap here is that candidates often confuse automation levels in Microsoft Defender XDR with automation rules in Microsoft Sentinel, or assume that 'Semi' requires approval for all actions rather than only high-severity ones, leading them to incorrectly select 'No automated remediation' or a Sentinel-based solution.

How to eliminate wrong answers

Option A is wrong because 'Full - automatically remediate all threats' would execute high-impact actions like device isolation or email deletion without any manual approval, violating the requirement for human oversight. Option C is wrong because 'No automated remediation' disables all automated responses entirely, requiring manual action for every threat, which defeats the purpose of using automated investigation and response (AIR) and increases operational overhead. Option D is wrong because creating a custom automation rule in Microsoft Sentinel is unrelated to Microsoft Defender XDR's AIR automation levels; Sentinel is a SIEM/SOAR tool that can orchestrate responses but does not control the native AIR settings within Defender XDR.

30
MCQmedium

Your organization uses Microsoft Intune to manage mobile devices. You need to design a policy that ensures corporate data on personally owned devices is protected, but does not allow IT to wipe the entire device if it is lost or stolen. Which Intune policy type should you configure?

A.Conditional Access policies requiring device compliance
B.App Protection Policies (MAM) without device enrollment
C.Device configuration profiles
D.Device compliance policies
AnswerB

MAM policies protect app data and allow selective wipe without wiping the device.

Why this answer

App Protection Policies (MAM) without device enrollment are correct because they protect corporate data at the app level (app PIN, encryption, copy/paste and save-as restrictions) and support a selective wipe that removes only the app's corporate data, leaving the user's personal data and the device itself untouched. Option D (device compliance policies) evaluates device-level settings and requires enrollment. Option C (device configuration profiles) pushes device settings and also requires enrollment.

Option A (Conditional Access requiring device compliance) is an access gate, not a data-protection control, and satisfying it would mean enrolling the personal device, which is what the scenario wants to avoid.

31
MCQmedium

A company uses Microsoft Intune to manage devices. They want to ensure that only devices that have passed health attestation can access corporate email. Which method should they use?

A.Use Microsoft Defender for Endpoint to block devices that fail health attestation
B.Create a device compliance policy for health attestation and use Conditional Access to require compliant devices
C.Create an app protection policy to require device health attestation
D.Create a device configuration policy to enforce health attestation
AnswerB

Compliance policies define health requirements; Conditional Access enforces access based on compliance.

Why this answer

Option B is correct because it combines a device compliance policy that evaluates health attestation (e.g., BitLocker status, Secure Boot, code integrity) with a Conditional Access policy that grants access to corporate email only when the device is marked as compliant. This is the standard Microsoft approach for enforcing health attestation before granting access to cloud resources like Exchange Online.

Exam trap

The trap here is confusing device compliance policies (which evaluate and report health state) with device configuration policies (which only apply settings), leading candidates to pick Option D, which cannot enforce access control.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Endpoint can detect and alert on device health issues but cannot directly block access to corporate email; blocking requires integration with Conditional Access or a network enforcement point. Option C is wrong because app protection policies (MAM) manage data protection at the app level without evaluating device health attestation; they rely on app-level conditions like jailbreak detection, not hardware-attested health. Option D is wrong because device configuration policies set settings (e.g., BitLocker enablement) but do not enforce real-time attestation checks or block access; compliance is determined by a separate compliance policy, not a configuration profile.

32
MCQhard

A company is designing a security strategy for their AI-powered applications using Microsoft Azure OpenAI Service. They need to ensure that the AI models are not used to generate harmful content and that the data sent to the models is protected. Which Microsoft Purview feature should they use?

A.Microsoft Purview Endpoint DLP
B.Microsoft Purview Information Protection
C.Microsoft Purview Data Loss Prevention (DLP) for AI
D.Microsoft Purview Audit
AnswerC

DLP for AI can monitor and block sensitive data in AI interactions.

Why this answer

Within Microsoft Purview, Option C is the keyed answer: DLP policies for generative AI apps monitor and control the sensitive data users paste into or receive from AI applications, applying sensitive information types and policy actions to those interactions. One caveat a practitioner should keep in mind: preventing the model from generating harmful content is not a Purview function at all. Azure OpenAI Service applies its own content filtering to prompts and completions, so Purview covers the data-protection half of the requirement and the content-safety half is handled by the service itself.

Exam trap

The trap here is that candidates often confuse general data protection features (like Information Protection or Endpoint DLP) with the specialized AI-focused DLP capability, assuming any DLP or protection feature can handle AI workloads, when only DLP for AI is purpose-built for Azure OpenAI Service interactions.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview Endpoint DLP focuses on monitoring and controlling data on endpoints (e.g., Windows 10/11 devices) and does not natively integrate with Azure OpenAI Service to inspect AI model prompts or outputs. Option B is wrong because Microsoft Purview Information Protection is primarily for classifying, labeling, and protecting sensitive data at rest (e.g., files and emails) using encryption and rights management, not for real-time content filtering of AI interactions. Option D is wrong because Microsoft Purview Audit provides logging and investigation of user and admin activities (e.g., who accessed what) but does not enforce policies to prevent harmful content generation or protect data in transit to AI models.

33
MCQmedium

You are designing a security solution for an Azure Kubernetes Service (AKS) cluster. You need to ensure that only authorized images from a specific container registry can be deployed. Which Azure Policy definition should you use?

A.Kubernetes cluster should be accessible only over HTTPS
B.Kubernetes cluster containers should only use allowed images
C.Kubernetes cluster should use internal load balancers
D.Kubernetes cluster should not allow privileged containers
AnswerB

This built-in policy restricts images to allowed registries.

Why this answer

Option B is correct because the Azure Policy built-in definition 'Kubernetes cluster containers should only use allowed images' enforces a constraint on the container images deployed in an AKS cluster. This policy uses an Open Policy Agent (OPA) constraint to validate that every container's image reference matches a specified list of allowed registries or image patterns, ensuring only authorized images from a specific container registry can be deployed.

Exam trap

The trap here is that candidates often confuse policies that restrict container behavior (like privileged containers) with policies that restrict image sources, leading them to select Option D instead of the correct image-based constraint.

How to eliminate wrong answers

Option A is wrong because the policy 'Kubernetes cluster should be accessible only over HTTPS' enforces TLS for the API server endpoint, not image source restrictions. Option C is wrong because 'Kubernetes cluster should use internal load balancers' mandates internal-facing load balancers for services, which addresses network exposure, not image authorization. Option D is wrong because 'Kubernetes cluster should not allow privileged containers' prevents containers from running with elevated privileges but does not restrict which images can be deployed.
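The built-in policy takes a regular expression for allowed images, and the regex is where this control is most often got wrong. The following is an added example, not the page's code and not the Gatekeeper constraint template's: it walks a constructed pod spec (initContainers and containers, as the policy does), checks each image reference against an anchored regex that accepts any registry under azurecr.io (an assumption about the organization's registries), shows that an unanchored regex is bypassed by a look-alike path such as evil.example/contoso.azurecr.io/api, and separately reports images that are not pinned to a digest, because an allowed registry does nothing about a tag that can be moved.

```python
"""Check every image reference in a pod spec against an allowed-registry regex
and show why the regex must be anchored. Added example; the pod spec is
constructed and the check is this example's own, not the constraint template's."""
import re

DIGEST = "sha256:" + "0" * 64   # placeholder digest for the constructed spec
POD = {"spec": {
    "initContainers": [{"name": "migrate", "image": "contoso.azurecr.io/orders/migrate:1.4.2"}],
    "containers": [
        {"name": "api",       "image": "contoso.azurecr.io/orders/api@" + DIGEST},
        {"name": "worker",    "image": "contoso.azurecr.io/orders/worker:latest"},
        {"name": "proxy",     "image": "docker.io/library/nginx:1.25"},
        {"name": "cache",     "image": "redis"},
        {"name": "lookalike", "image": "evil.example/contoso.azurecr.io/api:1.0"},
    ],
}}

# Assumed allowed-registry rule: the registry host must be the first path element
ANCHORED = re.compile(r"^[^/]+\.azurecr\.io/.+$")
# The mistake: an unanchored pattern matches the host anywhere in the reference
NAIVE = re.compile(r"azurecr\.io")


def all_images(pod: dict):
    """The policy evaluates containers, initContainers and ephemeralContainers."""
    spec = pod["spec"]
    for section in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(section, []):
            yield c["name"], c["image"]


def violations(pod: dict, allowed: re.Pattern = ANCHORED) -> list:
    """(container, image) pairs the allowed-images regex rejects."""
    return [(name, image) for name, image in all_images(pod) if not allowed.search(image)]


def unpinned(pod: dict) -> list:
    """Images with no digest that use :latest or no tag at all. The registry policy
    permits these; a baseline that wants immutable deployments should not."""
    out = []
    for name, image in all_images(pod):
        if "@sha256:" in image:
            continue
        last = image.rsplit("/", 1)[-1]
        tag = last.split(":", 1)[1] if ":" in last else None
        if tag is None or tag == "latest":
            out.append((name, image))
    return out


if __name__ == "__main__":
    print("anchored regex rejects:", [n for n, _ in violations(POD)])
    print("naive regex rejects:   ", [n for n, _ in violations(POD, NAIVE)])
    print("not pinned:            ", [n for n, _ in unpinned(POD)])
```

The bare name redis is rejected by the anchored regex as written, which is the right outcome: Kubernetes resolves an unqualified name to docker.io/library/redis, and the policy evaluates the string in the spec, not the resolved reference.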

34
Multi-Select · easy

Your organization is designing a security strategy for Microsoft 365. You need to align with Microsoft's Zero Trust best practices. Which TWO principles should be included?

Select 2 answers
A. Verify explicitly
B. Trust but verify
C. Verify implicitly
D. Assume breach
E. Use least privilege
Answers: A, D

A key Zero Trust principle: always authenticate and authorize based on all available data points.

Why this answer

The Zero Trust model, as defined by Microsoft, is built on three foundational principles: verify explicitly, use least privilege, and assume breach. 'Verify explicitly' means always authenticating and authorizing based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies, before granting access. This aligns directly with Microsoft's implementation in Azure AD Conditional Access, which enforces real-time policy evaluation for every access request.

Exam trap

The trap here is that candidates often treat 'use least privilege' as a separate principle, when it is actually one of the three core Zero Trust pillars; however, the question specifically asks for the two principles that are explicitly named in Microsoft's Zero Trust guidance, which are 'verify explicitly' and 'assume breach'.

35
MCQ · medium

Your company uses Microsoft Purview to classify and label sensitive data. The data protection team needs to automatically apply a 'Confidential' label to documents that contain a custom sensitive info type for employee IDs. Which should you create?

A. A trainable classifier
B. A sensitivity label
C. A retention label
D. A custom sensitive information type and an auto-labeling policy
Answer: D

Custom SIT detects the employee ID pattern, and auto-labeling policy applies the label automatically.

Why this answer

To automatically apply a 'Confidential' label based on the presence of a custom sensitive info type (employee IDs), you need both a custom sensitive information type (SIT) to define the pattern and an auto-labeling policy to trigger the label application. The auto-labeling policy uses the SIT to scan documents and automatically applies the specified sensitivity label when a match is found. This is the only option that combines the detection mechanism with automated labeling.

Exam trap

The trap here is that candidates often confuse the role of a sensitivity label (which is just the label definition) with the auto-labeling policy (which provides the detection and automation), leading them to select only the sensitivity label without the necessary policy.

How to eliminate wrong answers

Option A is wrong because a trainable classifier uses machine learning to identify content based on examples, not a custom pattern like employee IDs, and it cannot directly apply labels without an auto-labeling policy. Option B is wrong because a sensitivity label alone defines the label and its protection settings but does not include the detection logic or automation to apply it automatically based on content. Option C is wrong because a retention label is used for data lifecycle management (retention and deletion), not for sensitivity classification or automatic application based on sensitive info types.

36
MCQ · medium

A company uses Microsoft Defender for Cloud to manage security across hybrid workloads. They need to ensure that all Azure VMs have guest-level threat detection enabled. Which security policy should they assign?

A. Azure Security Benchmark
B. Microsoft cloud security benchmark
C. Microsoft Defender for Cloud Apps
D. NIST SP 800-53
Answer: B

This initiative includes policies to deploy guest configuration extensions and enable threat detection.

Why this answer

The Microsoft cloud security benchmark initiative (the successor to the Azure Security Benchmark) includes the built-in policies for guest configuration and threat detection, so Option B is correct. Option A is wrong because the Azure Security Benchmark is the older, general benchmark that has been superseded. Option C is wrong because Microsoft Defender for Cloud Apps is a product, not a policy initiative.

Option D is wrong because NIST SP 800-53 is a separate compliance standard, not the Defender for Cloud security policy initiative.

37
MCQ · medium

A company is designing a security operations center (SOC). They want to use Microsoft Sentinel as their SIEM. They need to ensure that all security events from on-premises servers are collected. Which data connector should they configure?

A. Windows Firewall via Legacy Agent
B. Syslog via AMA
C. Azure Activity Log
D. Windows Security Events via Azure Monitor Agent (AMA)
Answer: D

AMA can collect events from on-premises servers using Azure Arc.

Why this answer

Option D is correct because the Windows Security Events via Azure Monitor Agent (AMA) connector is the recommended method for collecting security events from on-premises Windows servers into Microsoft Sentinel. AMA is the current generation agent that supports data collection rules (DCRs) for granular filtering and is fully supported by Sentinel, replacing the legacy Log Analytics Agent. This ensures comprehensive collection of Windows security logs such as Event ID 4625 (failed logons) and 4688 (process creation) for SOC analysis.

Exam trap

The trap here is that candidates may confuse Syslog (used for Linux/network devices) with Windows Security Events, or mistakenly think the legacy Log Analytics Agent (now deprecated) is still the primary connector for Windows events, when AMA is the current best practice.

How to eliminate wrong answers

Option A is wrong because Windows Firewall via Legacy Agent collects only firewall logs, not the full range of Windows security events (e.g., logon, process creation, object access) required for a SOC. Option B is wrong because Syslog via AMA collects syslog messages from Linux or network devices, not Windows Security Events from on-premises servers. Option C is wrong because Azure Activity Log collects subscription-level control plane events from Azure, not on-premises server security events.

38
Multi-Select · hard

Which TWO are best practices for designing a Microsoft 365 Defender (XDR) deployment to ensure optimal detection and response?

Select 2 answers
A. Deploy Defender for Endpoint on unsupported operating systems with limited functionality
B. Configure automated investigation and response for common incident types
C. Rely solely on manual alert triage to avoid missing complex attacks
D. Enable all supported data sources and ensure proper licensing
E. Configure each workload (Endpoint, Identity, etc.) in SILO mode to avoid false positives
Answers: B, D

Automation speeds up response and reduces workload.

Why this answer

B is correct because configuring automated investigation and response (AIR) for common incident types is a core best practice in Microsoft 365 Defender. AIR leverages built-in playbooks to automatically triage, investigate, and remediate alerts, reducing mean time to respond (MTTR) and allowing security teams to focus on complex threats. This aligns with the XDR principle of using automation to handle high-volume, predictable incidents efficiently.

Exam trap

The trap here is that candidates may think enabling all data sources (option D) is unnecessary or could cause noise, but in XDR, comprehensive data ingestion is essential for accurate correlation and detection, while proper tuning and automation handle false positives.

39
MCQ · easy

A company wants to implement a secure web application gateway to protect their public-facing web apps from common exploits like SQL injection and cross-site scripting. Which Azure service should they use?

A. Azure Front Door with WAF
B. Azure Firewall
C. Azure DDoS Protection
D. Azure Application Gateway with WAF
Answer: D

Application Gateway with WAF protects web apps from common exploits.

Why this answer

Azure Application Gateway with WAF is the correct choice because it is a regional, layer-7 load balancer that includes a built-in Web Application Firewall (WAF) specifically designed to protect web applications from common exploits such as SQL injection and cross-site scripting (XSS). The WAF uses OWASP Core Rule Sets (CRS) to inspect HTTP/HTTPS traffic and block malicious payloads at the application layer, making it the ideal service for securing public-facing web apps.

Exam trap

The trap here is that candidates often confuse Azure Front Door with WAF as a direct alternative to Application Gateway with WAF, but Front Door is a global service for multi-region distribution, while Application Gateway is the regional, layer-7 load balancer with WAF that is the correct choice for protecting a single-region web application gateway.

How to eliminate wrong answers

Option A is wrong because Azure Front Door with WAF is a global, multi-region load balancer and CDN service that also includes WAF capabilities, but it is optimized for global distribution and edge caching, not for protecting a single regional web application gateway; the question implies a single gateway deployment, and Application Gateway is the standard regional choice. Option B is wrong because Azure Firewall is a stateful, network-layer firewall that filters traffic based on IP addresses, ports, and protocols (layers 3-4), and it does not inspect application-layer payloads like SQL injection or XSS; it lacks the WAF functionality required for web application exploits. Option C is wrong because Azure DDoS Protection provides mitigation against volumetric distributed denial-of-service attacks at layers 3 and 4, but it does not inspect or block application-layer attacks such as SQL injection or XSS, which require a WAF.

40
MCQ · easy

An organization wants to ensure that all Windows 10 devices are compliant with security policies before they can access corporate email. Microsoft Intune is used for device management. Which component should be used to enforce compliance and block non-compliant devices?

A. Intune device compliance policy alone
B. Microsoft Entra ID Conditional Access policy integrated with Intune compliance
C. Microsoft 365 Defender portal
D. Microsoft Defender for Endpoint device risk score
Answer: B

Conditional Access uses compliance data to enforce access.

Why this answer

Option B is correct because Microsoft Entra ID Conditional Access policies can evaluate Intune device compliance status in real time. When a device is marked non-compliant by an Intune compliance policy, the Conditional Access policy blocks access to corporate email (e.g., Exchange Online) until the device is remediated. This integration enforces a 'compliant device required' gate that cannot be achieved by Intune compliance alone, which only reports status without blocking access.

Exam trap

The trap here is that candidates assume Intune compliance policies alone can block access, but they forget that enforcement requires a separate Conditional Access policy to act on the compliance state: Intune only reports the state; it does not gate authentication.

How to eliminate wrong answers

Option A is wrong because Intune device compliance policy alone only marks devices as compliant or non-compliant; it does not enforce access control or block email access—that requires a Conditional Access policy to act on the compliance state. Option C is wrong because the Microsoft 365 Defender portal provides threat detection, investigation, and response capabilities, but it does not directly enforce device compliance-based access control for email. Option D is wrong because Microsoft Defender for Endpoint device risk score is a signal that can be used within Conditional Access (via risk-based policies), but it is not the primary component for enforcing compliance policies; the question specifically asks for enforcing compliance, not risk-based access.

41
MCQ · hard

You are designing a secure DevOps pipeline in GitHub that deploys to Azure Kubernetes Service (AKS). The security team requires that no secrets are stored in the pipeline variables and that all container images are scanned for vulnerabilities before deployment. Which approach aligns with security best practices?

A. Use Azure DevOps with a service principal that has a client secret stored in Azure Key Vault. Use Trivy to scan images.
B. Use GitHub Actions with OpenID Connect to authenticate to Azure without storing any secrets. Integrate Microsoft Defender for Containers to scan images in Azure Container Registry.
C. Use GitHub Actions with a managed identity for the GitHub runner. Disable image scanning to speed up deployments.
D. Use GitHub Actions with environment secrets for Azure service principal credentials. Use Docker Hub's vulnerability scanning.
Answer: B

OpenID Connect eliminates secrets; Defender for Containers provides integrated scanning.

Why this answer

Option B is correct because it uses OpenID Connect (OIDC) to authenticate GitHub Actions to Azure without storing any long-lived secrets, which aligns with the requirement that no secrets be stored in pipeline variables. Additionally, integrating Microsoft Defender for Containers provides vulnerability scanning for container images in Azure Container Registry (ACR), meeting the image scanning requirement before deployment to AKS.

Exam trap

The trap here is that candidates may assume Azure DevOps is the only secure option or that storing secrets in Azure Key Vault is acceptable, but the question explicitly requires 'no secrets stored in the pipeline variables,' and OIDC eliminates secrets entirely, while Key Vault still requires a secret retrieval step that counts as a stored secret in the pipeline context.

How to eliminate wrong answers

Option A is wrong because it uses Azure DevOps instead of GitHub Actions as specified in the question, and it stores a client secret in Azure Key Vault, which still requires a secret to be retrieved and used in the pipeline, violating the 'no secrets stored in pipeline variables' requirement. Option C is wrong because it disables image scanning, which directly contradicts the requirement that all container images be scanned for vulnerabilities before deployment. Option D is wrong because it uses environment secrets for Azure service principal credentials, which stores secrets in the pipeline environment, and Docker Hub's vulnerability scanning does not integrate with ACR or AKS for pre-deployment scanning in the Azure context.

42
Multi-Select · hard

Your organization is designing a Microsoft Sentinel solution to detect and respond to threats across multi-cloud environments (Azure, AWS, GCP). Which TWO components are essential for this design?

Select 2 answers
A. Azure Policy assignments
B. Data connectors for AWS and GCP
C. Microsoft Defender for Cloud
D. Azure Automation accounts
E. Analytics rules for multi-cloud detection
Answers: B, E

Data connectors ingest logs from AWS (S3) and GCP (Cloud Logging).

Why this answer

Data connectors are the foundational component for ingesting logs from external cloud providers into Microsoft Sentinel. For AWS, you typically use the AWS CloudTrail connector via S3 and SQS; for GCP, you use the GCP Security Command Center connector or a custom log ingestion pipeline. Without these connectors, Sentinel cannot receive telemetry from those environments, making multi-cloud detection impossible.

Exam trap

The trap here is that candidates confuse Microsoft Defender for Cloud (a CSPM tool) with a data ingestion mechanism, or assume Azure Policy can enforce log collection across non-Azure clouds, when in fact only purpose-built data connectors can bring external logs into Sentinel.

43
Multi-Select · easy

Which TWO are recommended practices for securing Microsoft 365 workloads?

Select 2 answers
A. Allow external sharing for all SharePoint sites
B. Disable multifactor authentication for users who access from trusted IPs
C. Allow all third-party apps to access Microsoft 365 data
D. Enable unified audit logging in Microsoft Purview
E. Use Microsoft Defender for Office 365 Safe Attachments policy
Answers: D, E

Audit logging is critical for detecting and investigating incidents.

Why this answer

Unified audit logging in Microsoft Purview is a recommended practice because it provides a centralized, searchable record of user and admin activities across Microsoft 365 workloads, which is essential for security investigations, compliance, and threat detection. Enabling this logging ensures that events such as mailbox access, file downloads, and admin role changes are captured and retained, supporting incident response and forensic analysis.

Exam trap

The trap here is that candidates often confuse 'enabling audit logging' with 'enabling mailbox auditing only' or assume that audit logging is enabled by default, but Microsoft Purview unified audit logging must be explicitly enabled per tenant and is not automatically turned on for all workloads.

44
MCQ · hard

Your organization uses Microsoft Sentinel for security operations. The SOC team wants to automatically disable a compromised user account in Microsoft Entra ID when a high-severity alert is generated. Which automation method should you use?

A. An automation rule with a playbook
B. A workbook
C. A KQL query in a hunting rule
D. An analytics rule
Answer: A

Automation rules trigger playbooks that can execute actions like disabling a user account.

Why this answer

Automation rules in Microsoft Sentinel can trigger a playbook (an Azure Logic Apps workflow) when a high-severity alert fires. The playbook can then execute an action to disable the user account in Microsoft Entra ID via the Microsoft Graph API. This is the correct method because it provides the necessary integration between Sentinel alerts and Entra ID identity remediation.

Exam trap

The trap here is that candidates often confuse analytics rules (which detect and alert) with automation rules (which respond), leading them to select an analytics rule thinking it can directly perform remediation actions.

How to eliminate wrong answers

Option B is wrong because a workbook is a visualization and reporting tool, not an automation mechanism; it cannot execute actions like disabling a user account. Option C is wrong because a KQL query in a hunting rule is used for proactive threat hunting and manual investigation, not for automated response to alerts. Option D is wrong because an analytics rule generates alerts based on detection logic but does not itself perform remediation actions; it requires an automation rule or playbook to act on the alert.

45
MCQ · medium

A company uses Microsoft Intune to manage devices. They want to ensure that all devices accessing corporate email are compliant with security policies before they can connect. Which feature should they enable?

A. Microsoft Entra Conditional Access
B. Microsoft Defender for Endpoint
C. Microsoft Intune App Protection Policies
D. Mobile Device Management (MDM) enrollment
Answer: A

Conditional Access can require device compliance from Intune.

Why this answer

Microsoft Entra Conditional Access is the correct feature because it enforces compliance-based access control at the authentication layer. By integrating with Intune compliance policies, Conditional Access can block or allow device access to corporate email (e.g., Exchange Online) based on real-time compliance status, ensuring only compliant devices can connect.

Exam trap

The trap here is that candidates often confuse Intune compliance policies themselves with the enforcement mechanism, not realizing that compliance policies only mark a device as compliant or non-compliant—they do not block access; Conditional Access is the gate that enforces the block.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Endpoint is a threat protection and response solution, not an access control mechanism; it does not enforce pre-connection compliance checks for email. Option C is wrong because Intune App Protection Policies (MAM) manage data protection within apps without requiring device enrollment, but they do not block device-level access to email based on device compliance. Option D is wrong because MDM enrollment alone only registers the device; it does not enforce conditional access—compliance policies must be combined with Conditional Access to gate access.

46
MCQ · medium

A company plans to implement a Zero Trust architecture using Microsoft security solutions. They want to ensure that all access to corporate resources is verified explicitly, uses least privilege, and assumes breach. Which Microsoft service should be the central policy engine for enforcing conditional access decisions?

A. Microsoft Entra ID Conditional Access
B. Microsoft Defender for Cloud
C. Microsoft Sentinel
D. Microsoft Intune
Answer: A

Conditional Access is the core policy engine for Zero Trust.

Why this answer

Microsoft Entra ID Conditional Access is the correct central policy engine because it directly enforces Zero Trust principles by evaluating signals (user, device, location, risk) in real time to grant or block access. It acts as the policy decision point (PDP) that enforces explicit verification, least privilege, and assumes breach by requiring continuous authentication and authorization for every access request.

Exam trap

The trap here is that candidates confuse Microsoft Defender for Cloud's security policy (which governs cloud resource configurations) with Entra ID's conditional access policy (which governs user access decisions), leading them to select Defender for Cloud as the central policy engine.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Cloud is a cloud security posture management (CSPM) and workload protection platform, not a policy engine for conditional access decisions. Option C is wrong because Microsoft Sentinel is a SIEM/SOAR solution for threat detection and response, not a real-time access policy enforcer. Option D is wrong because Microsoft Intune is a mobile device management (MDM) and mobile application management (MAM) service that manages devices and apps but does not make conditional access policy decisions.

47
MCQ · hard

Your organization uses Microsoft Sentinel for SIEM. You need to ensure that security incidents are automatically responded to without human intervention for known false positives. What should you implement?

A. An analytics rule with alert suppression
B. A playbook that runs on incident creation
C. An entity behavior analytics rule
D. An automation rule with incident closure action
Answer: D

Automation rules can auto-close incidents based on conditions.

Why this answer

Option D is correct because automation rules in Microsoft Sentinel can be configured to automatically close incidents when specific conditions are met, such as when an incident is identified as a known false positive. This eliminates the need for human intervention by triggering an incident closure action based on predefined criteria, directly addressing the requirement for automated response to false positives.

Exam trap

The trap here is that candidates often confuse alert suppression (which prevents duplicate alerts) with incident closure automation, or they assume a playbook is always required for automation, when in fact a simple automation rule with a closure action is the direct and correct solution for automatically handling known false positives.

How to eliminate wrong answers

Option A is wrong because analytics rules with alert suppression only prevent the creation of duplicate alerts for the same event within a specified time window; they do not automatically respond to or close incidents that have already been created. Option B is wrong because a playbook that runs on incident creation can automate responses, but it requires a separate automation rule to trigger it and is typically used for complex orchestration, not simply for closing known false positives without human intervention. Option C is wrong because entity behavior analytics rules are designed to detect anomalous behavior based on historical patterns, not to automatically respond to or close incidents identified as false positives.

48
MCQ · medium

Your organization uses Microsoft Defender for Cloud to assess the security posture of Azure resources. The security team wants to prioritize remediation of high-severity findings based on the greatest potential business impact. Which security policy or framework should you configure to align remediation with business priorities?

A. Use the Azure Security Benchmark initiative
B. Enable the Regulatory Compliance dashboard
C. Set up workflow automation for high-severity findings
D. Configure the Secure Score dashboard
Answer: B

Regulatory Compliance maps findings to compliance standards that reflect business priorities.

Why this answer

The Regulatory Compliance dashboard in Microsoft Defender for Cloud allows you to map security controls to specific regulatory standards (e.g., SOC 2, ISO 27001, PCI DSS) and track compliance posture. By selecting a framework that aligns with your organization's business obligations (e.g., a standard required by customers or regulators), you can prioritize remediation of high-severity findings based on the greatest potential business impact, such as fines or loss of certification.

Exam trap

The trap here is that candidates often confuse the Secure Score dashboard (which measures overall security posture) with the Regulatory Compliance dashboard (which aligns remediation to specific business-impacting standards), leading them to select D instead of B.

How to eliminate wrong answers

Option A is wrong because the Azure Security Benchmark initiative is a Microsoft-defined set of best practices for Azure security, but it does not inherently map to business-specific regulatory or compliance priorities; it focuses on technical security posture rather than business impact. Option C is wrong because workflow automation (e.g., sending emails or creating tickets) is a response mechanism for findings, not a framework for prioritizing which findings to remediate based on business impact. Option D is wrong because the Secure Score dashboard provides a numerical score based on security recommendations, but it does not allow you to configure or align remediation with specific business or regulatory frameworks; it is a general health indicator, not a prioritization tool.

49
MCQ · easy

Your organization is adopting a Zero Trust security model. You need to design a solution that ensures continuous verification of user identity and device health before granting access to resources. Which Microsoft Entra ID feature should you prioritize?

A. Microsoft Entra ID Domain Services
B. Microsoft Entra ID Identity Protection
C. Microsoft Entra ID Conditional Access
D. Microsoft Entra ID Privileged Identity Management (PIM)
Answer: C

Conditional Access enforces access policies based on real-time signals, aligning with Zero Trust.

Why this answer

Option C is correct because Conditional Access is the primary Microsoft Entra ID feature that enforces continuous verification by evaluating user identity, device health (via compliance policies or Microsoft Defender for Endpoint signals), location, and risk in real-time before granting access. It directly supports the Zero Trust principle of 'never trust, always verify' by requiring authentication and authorization at every access attempt, not just at the perimeter.

Exam trap

The trap here is that candidates confuse Identity Protection's risk detection capabilities with the enforcement mechanism, but Identity Protection alone cannot block access based on device health or enforce conditional policies—it only provides signals that must be consumed by Conditional Access to make a decision.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID Domain Services provides managed domain services like LDAP, Kerberos, and NTLM for legacy applications, not continuous identity or device health verification. Option B is wrong because Identity Protection focuses on detecting and responding to identity-based risks (e.g., leaked credentials, anomalous sign-ins) but does not enforce access decisions based on device health or real-time verification; it feeds risk signals into Conditional Access. Option D is wrong because Privileged Identity Management (PIM) manages just-in-time privileged role activation and approval workflows, not continuous verification of all user identities or device health for general resource access.

50
Multi-Select · hard

Your organization is implementing Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data. You need to design a policy that prevents users from sharing credit card numbers via email. Which THREE components are required to build this DLP policy?

Select 3 answers
A. A policy tip to warn users before sending
B. A rule that includes a sensitive info type for credit card numbers
C. A trainable classifier for financial data
D. A policy scope that includes Exchange Online
E. An action to block the email and send a notification
Answers: B, D, E

Sensitive info types detect credit card patterns.

Why this answer

Option B is correct because a DLP policy must include a rule that defines the sensitive data to detect. For credit card numbers, Microsoft Purview provides a built-in sensitive info type (SIT) that uses pattern matching, checksum validation, and keyword proximity to accurately identify credit card numbers. Without this rule, the policy would have no criteria to trigger actions.

Exam trap

The trap here is that candidates often confuse optional enhancements (like policy tips or trainable classifiers) with mandatory components, but the core requirement is a rule with a sensitive info type, a scope (Exchange Online), and an action to block and notify.

51
MCQ · medium

Your organization wants to implement a zero-trust security model for on-premises and cloud resources. As part of this strategy, you need to ensure that all access requests are authenticated and authorized based on dynamic risk signals. Which Microsoft security solution should you use to enforce conditional access policies based on real-time risk?

A. Microsoft Entra ID Conditional Access
B. Microsoft Intune
C. Microsoft Sentinel
D. Microsoft Defender for Cloud
Answer: A

Entra ID Conditional Access enforces access policies based on user, device, location, and risk signals, supporting zero-trust.

Why this answer

Microsoft Entra ID Conditional Access enables you to enforce access controls based on conditions such as user risk, sign-in risk, device compliance, and location. This aligns with zero-trust principles of verifying explicitly and using least privilege. Microsoft Defender for Cloud is for cloud security posture management, not conditional access.

Microsoft Intune manages devices, and Microsoft Sentinel is a SIEM.

52
MCQ · hard

Your organization plans to use Microsoft Purview to protect sensitive data in Microsoft 365. The compliance team needs to detect when users share credit card numbers via email and automatically apply encryption. Which solution should you implement?

A. Microsoft Purview Audit
B. Microsoft Purview eDiscovery
C. Microsoft Purview Information Protection
D. Microsoft Purview Data Loss Prevention (DLP)
Answer: D

DLP policies can detect sensitive information and automatically apply encryption via transport rules.

Why this answer

Microsoft Purview Data Loss Prevention (DLP) is the correct solution because it is specifically designed to detect sensitive data types—such as credit card numbers—in email messages and automatically apply protective actions like encryption. DLP policies can inspect email content in transit via Exchange Online, match patterns against predefined sensitive info types (e.g., credit card number regex), and trigger actions such as 'Encrypt the message' using Azure Rights Management. This directly meets the requirement to detect sharing of credit card numbers and enforce encryption automatically.

Exam trap

Microsoft often tests the distinction between Information Protection (labeling/classification) and Data Loss Prevention (content inspection and automated enforcement), leading candidates to pick Information Protection because they confuse 'protecting data' with 'detecting and acting on sensitive content.'

How to eliminate wrong answers

Option A is wrong because Microsoft Purview Audit only logs user and admin activities for forensic review; it cannot inspect email content for sensitive data or apply encryption. Option B is wrong because Microsoft Purview eDiscovery is used for searching and exporting content in legal or compliance investigations, not for real-time detection and automated protection of sensitive data in transit. Option C is wrong because Microsoft Purview Information Protection focuses on classifying and labeling documents and emails (e.g., sensitivity labels), but it does not natively scan for specific sensitive data patterns like credit card numbers or enforce automatic encryption based on content detection—that requires DLP policies to trigger the label or encryption action.

53
MCQhard

Refer to the exhibit. Your organization is required to comply with PCI DSS. You need to prioritize remediation efforts to meet PCI DSS requirements. Based on the exhibit, which recommendation should you address first?

A.Enable MFA on accounts with owner permissions
B.Migrate VMs from classic to ARM
C.Enable vulnerability assessment on SQL databases
D.Enable diagnostic logs in Key Vault
AnswerA

PCI DSS requirement 8.3.1 requires multi-factor authentication for all administrative access.

Why this answer

PCI DSS requires strong access control, including multi-factor authentication for remote access and for all accounts with administrative access. The recommendation 'MFA should be enabled on accounts with owner permissions' directly impacts PCI DSS requirements for authentication. While vulnerability assessment is important, MFA is a key control for PCI DSS.

The other recommendations are less directly related to PCI DSS.

54
MCQhard

Refer to the exhibit. You are analyzing an Azure PowerShell script that checks a blob property. The output of the last command returns 'False'. What does this indicate about the blob storage configuration?

A.Diagnostic logging is not configured for the container.
B.Access time tracking is disabled for the storage account.
C.The blob has an immutability policy applied.
D.Server-side encryption is disabled for the blob.
AnswerB

The property being false indicates access time tracking is not enabled.

Why this answer

The property 'IsAccessTimeTrackingEnabled' is a blob storage setting that, when enabled, tracks the last access time of blobs for lifecycle management. A value of 'False' means access time tracking is disabled. Option A is wrong because the property is not related to diagnostic logging.

Option C is wrong because the property is not about immutability. Option D is wrong because it is not about server-side encryption.

55
MCQhard

Your organization uses Microsoft Sentinel as its SIEM. You need to design a solution to automatically respond to detected threats in Azure resources. The response must include isolating the affected virtual machine and creating a support ticket. Which approach should you use?

A.Create a Microsoft Sentinel automation rule that triggers a playbook when an incident is generated. The playbook uses Azure Logic Apps to isolate the VM and create a ticket in your IT service management tool.
B.Create an Azure Policy initiative that automatically remediates non-compliant resources
C.Create a Microsoft Sentinel analytics rule that runs a KQL query and automatically sends an email to the security team
D.Create an Azure Automation runbook that runs on a schedule to check for threats and isolate VMs
AnswerA

Automation rules and playbooks provide event-driven, orchestrated response.

Why this answer

Option A is correct because automation rules in Microsoft Sentinel can trigger playbooks (Logic Apps) to isolate VMs and create tickets. Option B is wrong because Azure Policy is for compliance, not incident response. Option D is wrong because Azure Automation runbooks lack the integration to create tickets directly.

Option C is wrong because custom KQL queries only surface alerts, not automated response.

56
Multi-Selecteasy

Your company is using Microsoft Entra ID and wants to implement passwordless authentication to improve security. Which THREE authentication methods should you consider?

Select 3 answers
A.Microsoft Authenticator app with phone sign-in
B.Windows Hello for Business
C.FIDO2 security keys
D.SMS one-time passcode
E.App passwords
AnswersA, B, C

Phone sign-in is a passwordless authentication method.

Why this answer

Microsoft Authenticator app with phone sign-in is a passwordless authentication method because it uses a cryptographic key pair stored on the user's device to sign authentication requests, eliminating the need for a password. When the user approves a notification on their phone, the app signs a challenge from Microsoft Entra ID using the private key, and the service verifies it with the public key. This aligns with the passwordless goal by replacing the password with a possession-based factor (the phone) and a biometric or PIN gesture.

Exam trap

The trap here is that candidates confuse 'something you have' (like a phone or SMS) with passwordless, but SMS OTP still requires a password as the first factor in most Entra ID configurations, making it a multi-factor method, not a passwordless one.

57
MCQeasy

Your organization is implementing a Zero Trust security model. Which Microsoft security solution should you use to enforce conditional access policies based on user, device, location, and real-time risk signals?

A.Microsoft Entra ID Conditional Access
B.Microsoft Defender for Cloud Apps
C.Microsoft Intune
D.Microsoft Purview
AnswerA

Microsoft Entra ID Conditional Access enforces access control decisions based on conditions and signals.

Why this answer

Microsoft Entra ID Conditional Access is the correct solution because it is the native policy engine in Azure AD that evaluates signals from user identity, device compliance, location (IP ranges or countries), and real-time risk from Microsoft Entra ID Protection to enforce access decisions. It directly implements the 'explicit verification' and 'assume breach' principles of Zero Trust by blocking or requiring step-up authentication based on these dynamic conditions.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud Apps as the primary policy enforcement point because of its session monitoring capabilities, but it is actually a downstream consumer of Conditional Access decisions, not the engine that evaluates user, device, location, and risk signals in real time.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that provides shadow IT discovery, session controls, and data protection, but it does not natively enforce conditional access policies based on user, device, location, and risk signals—it integrates with Conditional Access for those decisions. Option C is wrong because Microsoft Intune is a Mobile Device Management (MDM) and Mobile Application Management (MAM) solution that manages device compliance and app protection policies, but it does not evaluate real-time risk signals or enforce access policies at the authentication layer. Option D is wrong because Microsoft Purview is a data governance, compliance, and information protection solution focused on data classification, labeling, and eDiscovery, not on enforcing authentication-time conditional access based on user, device, location, or risk.

58
MCQeasy

Your organization is adopting a Zero Trust network strategy. Which Microsoft solution should you use to implement micro-segmentation and enforce identity-based access controls for on-premises and cloud resources?

A.Microsoft Entra ID Conditional Access
B.Microsoft Defender for Cloud Apps
C.Microsoft Intune
D.Microsoft Sentinel
AnswerA

Conditional Access enforces access policies based on identity and context, supporting Zero Trust.

Why this answer

Microsoft Entra ID Conditional Access enforces identity-based access policies, which is a core component of Zero Trust. Option B is wrong because Microsoft Defender for Cloud Apps is a CASB. Option C is wrong because Microsoft Intune manages devices.

Option D is wrong because Microsoft Sentinel is a SIEM.

59
MCQmedium

Your company uses Microsoft Sentinel as its SIEM. You need to design a solution that automatically responds to high-severity incidents by creating a ticket in ServiceNow and notifying the security team via Teams. Which Sentinel feature should you configure?

A.Workbooks
B.Automation rules
C.Analytics rules
D.Hunting queries
AnswerB

Automation rules trigger playbooks for response actions.

Why this answer

Automation rules in Microsoft Sentinel are designed to trigger automated responses to incidents based on conditions like severity. They can integrate with external systems via playbooks (Azure Logic Apps) to create ServiceNow tickets and send Teams notifications, making them the correct choice for this requirement.

Exam trap

The trap here is that candidates often confuse Analytics rules (which generate alerts) with Automation rules (which respond to incidents), failing to recognize that incident response orchestration requires the latter's trigger-and-action pipeline.

How to eliminate wrong answers

Option A is wrong because Workbooks are visualization tools for querying and displaying data, not for automated response actions. Option C is wrong because Analytics rules generate alerts from log data but do not directly orchestrate multi-step responses like ticket creation or Teams notifications. Option D is wrong because Hunting queries are proactive, ad-hoc searches for threats and do not provide automated incident response capabilities.

60
Multi-Selecthard

Which THREE Microsoft security solutions can be used to detect and respond to threats across hybrid cloud environments? (Choose three.)

Select 3 answers
A.Microsoft Defender for Cloud
B.Microsoft Sentinel
C.Microsoft Defender for Office 365
D.Microsoft Intune
E.Microsoft Defender for Identity
AnswersA, B, E

Provides threat detection for workloads across clouds and on-premises.

Why this answer

Microsoft Defender for Cloud is correct because it provides unified security management and threat protection across hybrid cloud workloads, including Azure, on-premises, and other cloud platforms like AWS and GCP. It uses integrated vulnerability assessment, just-in-time access, and adaptive application controls to detect and respond to threats in real time, leveraging Microsoft Defender plans for servers, SQL, storage, and containers.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Office 365 with a broader hybrid cloud security solution, but it is limited to the Microsoft 365 suite and does not cover compute, network, or identity threats across hybrid cloud workloads.

61
MCQmedium

Your company uses Microsoft Defender XDR to protect endpoints. The security team wants to implement automated response actions when a malicious file is detected on a device. Which Microsoft security feature should you configure to automatically isolate the affected device from the network?

A.Automated investigation and response (AIR) capabilities
B.Microsoft Sentinel automation rules
C.Attack surface reduction rules
D.Microsoft Intune compliance policies
AnswerA

AIR in Microsoft Defender XDR can automatically isolate devices upon detection of malicious activity.

Why this answer

Automated investigation and response (AIR) in Microsoft Defender XDR is the correct feature because it includes built-in playbooks that can automatically isolate a device from the network when a malicious file is detected. AIR leverages the Microsoft 365 Defender portal's automation capabilities to run investigation steps and execute response actions, such as device isolation, without manual intervention. This directly meets the requirement for automated response upon file detection.

Exam trap

The trap here is that candidates often confuse the proactive prevention capabilities of Attack surface reduction rules with the automated response capabilities of AIR, or they overestimate the real-time response abilities of Intune compliance policies, which are designed for configuration enforcement rather than incident response actions like network isolation.

How to eliminate wrong answers

Option B is wrong because Microsoft Sentinel automation rules are designed for cloud-scale SIEM and SOAR across multiple data sources, not for endpoint-specific automated isolation triggered by Defender XDR detections; they require custom analytics and playbooks to achieve similar behavior, making them less direct for this use case. Option C is wrong because Attack surface reduction rules are proactive policies that block or audit specific behaviors (e.g., Office apps creating child processes) to prevent infection, but they do not perform automated response actions like device isolation after a file is already detected as malicious. Option D is wrong because Microsoft Intune compliance policies enforce device configuration and health requirements (e.g., requiring encryption or a minimum OS version) and can trigger conditional access blocks, but they cannot automatically isolate a device from the network in real time based on a malicious file detection; that action is outside Intune's scope.

62
MCQhard

A company needs to design a secure DevOps pipeline using GitHub Actions and Microsoft Defender for Cloud. They want to scan infrastructure-as-code (IaC) templates for misconfigurations before deployment. What should they integrate?

A.Microsoft Defender for Cloud Infrastructure as Code scanning
B.Microsoft Purview Compliance Manager
C.Microsoft Sentinel
D.Microsoft Defender for Cloud Apps
AnswerA

Defender for Cloud can scan IaC templates for misconfigurations.

Why this answer

Microsoft Defender for Cloud includes a native Infrastructure as Code (IaC) scanning capability that integrates directly with GitHub Actions. This feature automatically analyzes IaC templates (such as ARM, Bicep, Terraform, and CloudFormation) for security misconfigurations during the CI/CD pipeline, providing pre-deployment guardrails. By failing the pipeline on critical findings, it ensures only compliant infrastructure is deployed, aligning with the secure DevOps principle of shifting security left.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud's IaC scanning with Microsoft Sentinel's threat detection capabilities, mistakenly thinking Sentinel can scan code before deployment, when in fact Sentinel only analyzes logs and alerts from already-deployed resources.

How to eliminate wrong answers

Option B (Microsoft Purview Compliance Manager) is wrong because it focuses on regulatory compliance posture management and risk assessments, not on scanning IaC templates for misconfigurations in a DevOps pipeline. Option C (Microsoft Sentinel) is wrong because it is a SIEM and SOAR solution for threat detection and incident response after deployment, not a pre-deployment IaC scanning tool. Option D (Microsoft Defender for Cloud Apps) is wrong because it is a CASB (Cloud Access Security Broker) for controlling user access and data protection in SaaS applications, not for scanning infrastructure code.

63
MCQmedium

Wide World Importers uses Azure Active Directory (now Microsoft Entra ID) and Microsoft 365. They have a hybrid identity with password hash sync. They want to implement a passwordless authentication strategy to improve security and user experience. They have a mix of Windows 10/11 devices and mobile devices (iOS/Android). They also have some shared computers in kiosk mode. The solution must support all user scenarios and align with Microsoft's authentication best practices. What should you recommend?

A.Use SMS-based authentication for all users. Deploy OATH tokens for shared computers. Implement Azure AD Conditional Access to require passwordless for admins only.
B.Implement Windows Hello for Business for all Windows devices. Use smart cards for mobile devices. Use FIDO2 keys for shared computers.
C.Implement Windows Hello for Business for Windows 10/11 devices. Deploy Microsoft Authenticator for mobile devices for passwordless sign-in. Use FIDO2 security keys for shared computers and kiosk scenarios. Enable combined registration for self-service password reset and Microsoft Authenticator.
D.Use the Microsoft Authenticator app for all users. Configure passwordless sign-in with the app. Use QR codes for kiosk computers.
AnswerC

Comprehensive passwordless approach covering all device types.

Why this answer

Option C is correct because it covers all user scenarios: Windows Hello for Business for Windows devices, Microsoft Authenticator for mobile, and FIDO2 security keys for shared computers. Option A is wrong because SMS and OATH tokens are not passwordless (SMS is not truly passwordless). Option D is wrong because it relies on Microsoft Authenticator only, missing Windows devices.

Option B is wrong because it does not properly cover mobile devices.

64
Multi-Selectmedium

You are designing a solution to protect Microsoft 365 data from insider threats. Which TWO Microsoft Purview features should you use?

Select 2 answers
A.Microsoft Purview Insider Risk Management
B.Microsoft Purview Data Loss Prevention (DLP)
C.Microsoft Purview Communication Compliance
D.Microsoft Purview Audit (Premium)
E.Microsoft Purview eDiscovery (Premium)
AnswersA, B

Detects and investigates risky user activities.

Why this answer

Microsoft Purview Insider Risk Management is correct because it is specifically designed to detect, investigate, and act on malicious and accidental insider risks by correlating signals from Microsoft 365 and Azure services, such as unusual file downloads or data exfiltration patterns. It uses predefined risk indicators and machine learning models to identify risky user activities that could lead to data breaches, making it a primary tool for protecting data from insider threats.

Exam trap

The trap here is that candidates often confuse Data Loss Prevention (DLP) as the primary insider threat tool, but DLP is a content-aware policy enforcement mechanism that blocks or alerts on data sharing based on rules, whereas Insider Risk Management focuses on behavioral analytics and user risk scoring to detect threats that DLP might miss, such as slow data exfiltration or credential misuse.

65
MCQhard

A security architect is designing a solution to protect sensitive data stored in SharePoint Online from being shared with unauthorized users. The solution must block sharing of files containing credit card numbers when shared externally. What should they use?

A.Configure a conditional access policy to block access from untrusted networks when credit card numbers are detected
B.Create a Microsoft Purview sensitivity label that automatically applies encryption and blocks external sharing when credit card numbers are detected
C.Create a Microsoft Purview Data Loss Prevention (DLP) policy that blocks external sharing when credit card numbers are detected
D.Use Azure Information Protection to label and protect files with credit card numbers
AnswerB

Sensitivity labels can automatically classify and protect data, and enforce restrictions like blocking external sharing.

Why this answer

Option B is correct because Microsoft Purview sensitivity labels can be configured with automatic classification for sensitive data types (e.g., credit card numbers) and enforce encryption while blocking external sharing. This directly meets the requirement to prevent unauthorized external sharing of files containing credit card numbers in SharePoint Online.

Exam trap

The trap here is that candidates often confuse DLP policies (which block sharing based on content) with sensitivity labels (which can both block sharing and apply encryption), leading them to select Option C without considering the need for encryption.

How to eliminate wrong answers

Option A is wrong because Conditional Access policies control access based on conditions like network location, not content inspection or sharing restrictions; they cannot detect credit card numbers within files. Option C is wrong because a DLP policy can block external sharing when credit card numbers are detected, but it does not automatically apply encryption to the files, which is a key part of the solution requirement to protect data at rest. Option D is wrong because Azure Information Protection (AIP) is a legacy labeling solution that has been largely replaced by Microsoft Purview Information Protection; while it can label and protect files, it lacks the integrated automatic classification and sharing control capabilities of Purview sensitivity labels in SharePoint Online.

66
MCQmedium

Your company uses Microsoft Sentinel as a SIEM. You need to create an analytics rule that detects when a user account is created outside of business hours. The rule should trigger an incident for investigation. Which type of analytics rule should you use?

A.Anomaly rule
B.Fusion rule
C.Scheduled query rule
D.NRT query rule
AnswerC

Scheduled query rules run periodically and can trigger incidents based on query results.

Why this answer

A scheduled query rule is the correct choice because it allows you to define a KQL query that checks for user account creation events (e.g., from the SecurityEvent or AuditLogs table) and then use the query scheduling settings to run the query at a specific interval. You can then add a condition in the rule logic to filter for events occurring outside business hours (e.g., using the `datetime_part` function to check the hour of the event). When the query returns results, Sentinel automatically generates an incident for investigation.

Exam trap

The trap here is that candidates often confuse scheduled query rules with NRT query rules, assuming that 'near-real-time' is always better for time-sensitive detections, but NRT rules cannot apply complex time-based filters like 'outside business hours' because they only support a 1-minute lookback and no custom scheduling logic.

How to eliminate wrong answers

Option A is wrong because anomaly rules use machine learning to detect unusual patterns over time without a predefined query, and they cannot be configured with a specific KQL query to filter for account creation outside business hours. Option B is wrong because Fusion rules correlate alerts from multiple products to detect multistage attacks, and they do not allow you to define a custom query for a single event type like user account creation. Option D is wrong because NRT (near-real-time) query rules run queries every minute with a 1-minute lookback, which is not suitable for checking events against a static time window like 'outside business hours' and does not support the same flexible scheduling and incident creation logic as scheduled query rules.

67
MCQmedium

A security architect needs to design a solution that provides a unified view of security alerts from multiple clouds (Azure, AWS, GCP) and on-premises systems. The solution must also support automated response using playbooks. Which Microsoft service should they use?

A.Microsoft Defender XDR
B.Microsoft Defender for Cloud
C.Microsoft Purview
D.Microsoft Sentinel
AnswerD

Sentinel is a SIEM/SOAR that supports multi-cloud and on-premises with automated playbooks.

Why this answer

Microsoft Sentinel is the correct choice because it is a cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) solution that ingests security alerts from multiple clouds (Azure, AWS, GCP) and on-premises systems via connectors. It supports automated response through playbooks built on Azure Logic Apps, enabling unified alert management and remediation workflows.

Exam trap

The trap here is confusing Microsoft Defender for Cloud (a CSPM tool) with Microsoft Sentinel (a SIEM/SOAR), as both appear in the Azure portal and deal with security alerts, but only Sentinel provides native multi-cloud SIEM ingestion and automated playbook orchestration for cross-cloud incident response.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender XDR is an extended detection and response solution focused on correlating signals across Microsoft 365, endpoints, and identities, but it does not natively ingest alerts from AWS, GCP, or on-premises systems for a unified multi-cloud SIEM view. Option B is wrong because Microsoft Defender for Cloud is a cloud security posture management (CSPM) and workload protection platform that provides security recommendations and alerts primarily for Azure and hybrid environments, but it lacks the native multi-cloud SIEM ingestion and SOAR playbook automation of Sentinel. Option C is wrong because Microsoft Purview is a data governance, risk, and compliance solution (e.g., data classification, eDiscovery, insider risk management) and does not provide SIEM alert correlation or automated response playbooks for security incidents.

68
MCQmedium

Your organization uses Microsoft Defender XDR for incident response. You need to design a process to automatically isolate a compromised device when a high-severity incident is triggered. Which automation approach should you use?

A.Create a compliance policy in Microsoft Intune that marks the device as noncompliant
B.Configure an Azure Automation runbook to poll Defender alerts and isolate devices
C.Set up a Power Automate flow triggered by email notifications from Defender
D.Use automation rules in Microsoft Sentinel with a playbook that runs a Defender for Endpoint isolation action
AnswerD

Sentinel automation rules can trigger playbooks that invoke Defender APIs to isolate devices.

Why this answer

Option D is correct because Microsoft Sentinel's automation rules can directly trigger a playbook (Azure Logic App) that executes the Microsoft Defender for Endpoint 'Isolate device' action. This provides near-real-time, event-driven isolation without polling, aligning with the requirement to automatically isolate a compromised device when a high-severity incident is triggered in Defender XDR.

Exam trap

The trap here is that candidates confuse 'marking a device as noncompliant' (Option A) with actual network isolation, or assume that any automation (Options B and C) is sufficient, overlooking the requirement for event-driven, low-latency integration with Defender for Endpoint's native isolation capability.

How to eliminate wrong answers

Option A is wrong because a compliance policy in Microsoft Intune marks a device as noncompliant but does not perform device isolation; it can trigger conditional access or wipe actions, not the network-level isolation needed for incident response. Option B is wrong because polling Defender alerts via an Azure Automation runbook introduces latency and inefficiency, and it bypasses the native event-driven automation capabilities of Microsoft Sentinel and Defender XDR. Option C is wrong because email notifications are unreliable and introduce delay; Power Automate flows triggered by email cannot guarantee timely, automated isolation and lack direct integration with Defender for Endpoint's isolation API.

69
Multi-Selectmedium

Your company is implementing Microsoft Purview Data Loss Prevention (DLP) to protect sensitive data in Microsoft 365. The compliance team needs to monitor and block the sharing of credit card numbers in emails. Which THREE actions should they configure in a DLP policy?

Select 3 answers
A.Encrypt the email automatically
B.Notify the user with a policy tip
C.Block sharing of emails containing the sensitive data
D.Detect sensitive information type (credit card number)
E.Apply a sensitivity label automatically
AnswersB, C, D

Policy tips educate users about policy violations.

Why this answer

Correct answers: B, C, D. DLP policies can detect sensitive info types (credit card numbers), block sharing, and notify users with a policy tip. Option A is wrong because encryption is a separate feature, not a DLP action.

Option E is wrong because auto-labeling is a classification action, not a DLP enforcement action.

70
MCQhard

Your organization is deploying Microsoft Copilot for Security (Microsoft 365 Copilot). You need to design a solution that ensures Copilot queries are audited and that access to Copilot is restricted to authorized users based on their role. Which Microsoft Purview capabilities should you use together?

A.Data Lifecycle Management and Records Management
B.Audit (Standard) and Communication Compliance
C.Data Loss Prevention (DLP) and Insider Risk Management
D.eDiscovery and Compliance Manager
AnswerB

Audit logs all Copilot interactions; Communication Compliance monitors for inappropriate use.

Why this answer

Audit (Standard) captures and logs all Copilot for Security queries, providing a record of who asked what and when. Communication Compliance then allows you to define policies to review those queries for policy violations, such as unauthorized data sharing or inappropriate content, and restrict access based on user roles. Together, they fulfill both the auditing and role-based access control requirements.

Exam trap

The trap here is that candidates often confuse 'auditing' with 'data loss prevention' or 'insider risk management', but the question specifically requires both query auditing and role-based access restriction, which only Audit and Communication Compliance provide together.

How to eliminate wrong answers

Option A is wrong because Data Lifecycle Management and Records Management focus on retention, deletion, and preservation of data, not on auditing queries or restricting access based on role. Option C is wrong because Data Loss Prevention (DLP) prevents data exfiltration and Insider Risk Management detects risky user behavior, but neither provides the granular query-level auditing or role-based access control needed for Copilot queries. Option D is wrong because eDiscovery is for searching and exporting content for legal cases, and Compliance Manager is for managing compliance scores and controls, not for auditing or restricting access to Copilot queries.

71
Multi-Selectmedium

Your organization is implementing a Zero Trust architecture for access to cloud applications. Which TWO of the following are core components of the Microsoft Zero Trust model?

Select 2 answers
A.Microsoft Purview Data Loss Prevention policies to protect sensitive data
B.Conditional Access policies that enforce access decisions based on user, device, location, and risk
C.Microsoft Entra ID as the centralized identity provider for authentication and authorization
D.Microsoft Intune for mobile device management and application management
E.Microsoft Defender for Cloud to assess the security posture of cloud workloads
AnswersB, C

Conditional Access is a key pillar of Zero Trust, enforcing explicit verification.

Why this answer

Option B is correct because Conditional Access policies are the core policy engine in Microsoft's Zero Trust model, enforcing access decisions dynamically based on signals such as user identity, device health, location, and real-time risk. This aligns with the Zero Trust principle of 'never trust, always verify' by continuously evaluating each access request.

Exam trap

The trap here is that candidates often confuse supporting security tools (like Purview, Intune, or Defender for Cloud) with the core Zero Trust components, which are specifically the identity provider (Entra ID) and the policy enforcement engine (Conditional Access).

72
MCQmedium

Your organization is migrating on-premises Active Directory to Microsoft Entra ID. You need to design a solution that aligns with the Zero Trust principle of 'verify explicitly'. Which approach should you recommend for user authentication?

A. Deploy passwordless authentication using Microsoft Authenticator with phone sign-in for all users
B. Enable users to sign in with Windows Hello for Business and allow password recovery via self-service
C. Implement password hash synchronization and enforce MFA only for privileged users
D. Deploy passwordless authentication using FIDO2 security keys for all users
Answer: D

FIDO2 security keys provide strong, phishing-resistant authentication without passwords, aligning with the Zero Trust 'verify explicitly' principle.

Why this answer

D is correct because FIDO2 security keys provide phishing-resistant, passwordless authentication that aligns with the Zero Trust 'verify explicitly' principle by requiring a hardware-bound cryptographic proof of identity at every sign-in. This eliminates reliance on shared secrets (passwords) and ensures that authentication is explicitly verified through a physical device, meeting the strictest security requirements for user authentication.

Exam trap

The trap here is that candidates often confuse 'passwordless' with 'phishing-resistant,' assuming any passwordless method (like Authenticator) meets Zero Trust requirements, but only FIDO2 keys provide the hardware-backed, explicit verification that fully satisfies the 'verify explicitly' principle.

How to eliminate wrong answers

Option A is wrong because Microsoft Authenticator with phone sign-in, while passwordless, relies on a mobile device that can be compromised via phishing or device theft, and does not provide the same hardware-backed, phishing-resistant assurance as FIDO2 keys. Option B is wrong because Windows Hello for Business, though strong, still allows password recovery via self-service, which reintroduces a password-based fallback that violates the 'verify explicitly' principle by not requiring explicit verification at every step. Option C is wrong because password hash synchronization retains the use of passwords, which are inherently vulnerable to replay and phishing, and enforcing MFA only for privileged users leaves non-privileged users without explicit verification, contradicting the Zero Trust mandate to verify every access request.

73
MCQ · medium

Refer to the exhibit. You are analyzing a KQL query in Microsoft Sentinel that detects machines with more than two malware alerts in a day. The query returns no results even though you know there are machines with multiple malware alerts. What is the most likely reason?

A. The 'summarize' function is incorrectly used and creates duplicate counts.
B. The query filters out alerts with severity less than 'High'.
C. The query does not include a time range filter, so it returns data from all time.
D. The alert name in the environment is not exactly 'Malware detected'; it might include a suffix like 'on endpoint'.
Answer: D

The exact string match is too restrictive.

Why this answer

Option D is correct because the KQL query likely uses a hardcoded string 'Malware detected' in a where clause to filter alerts. If the actual alert names in the environment include a suffix like 'on endpoint' (e.g., 'Malware detected on endpoint'), the exact string match fails, causing the query to return no results. This is a common issue when alert naming conventions vary across Microsoft Defender for Endpoint or other data sources ingested into Sentinel.

Exam trap

The trap here is that candidates assume the query logic is correct and focus on aggregation or time range issues, overlooking the exact string match requirement in KQL, which is a frequent cause of false negatives in detection queries.

How to eliminate wrong answers

Option A is wrong because the 'summarize' function, when used with 'dcount' or 'count', does not create duplicate counts; it aggregates correctly. If duplicates existed, the query would return results, not zero. Option B is wrong because the query does not filter on severity; the question states it detects 'more than two malware alerts in a day' without any severity filter, so excluding high severity would not cause zero results if lower severity alerts exist.

Option C is wrong because omitting a time range filter would cause the query to return data from all time, which would more likely return additional results, not zero; the observed problem is the opposite: no results despite known alerts.

74
MCQ · hard

Refer to the exhibit. You are evaluating an Azure Policy definition that checks whether a web app redirects HTTP to HTTPS. The policy uses 'auditIfNotExists' effect. After assigning this policy to a subscription, you notice that a web app that does not redirect HTTP to HTTPS is marked as 'Healthy'. What is the most likely cause?

A. The policy assignment is scoped to a management group that does not include the web app's subscription.
B. The custom assessment referenced in the policy does not exist in Microsoft Defender for Cloud.
C. The policy definition has a syntax error in the 'existenceCondition' field.
D. The web app is not running and therefore not assessed.
Answer: B

If the custom assessment does not exist, the policy cannot evaluate it and defaults to compliant.

Why this answer

The 'auditIfNotExists' effect in Azure Policy requires a linked assessment in Microsoft Defender for Cloud to evaluate the existence condition. If the custom assessment referenced in the policy does not exist in Defender for Cloud, the policy cannot detect the missing HTTP-to-HTTPS redirect, causing non-compliant resources to be incorrectly marked as 'Healthy'.

Exam trap

The trap here is that candidates assume 'auditIfNotExists' works independently like 'audit' or 'deny', but it requires a pre-existing Defender for Cloud assessment to function, and a missing assessment silently produces a 'Healthy' result.

How to eliminate wrong answers

Option A is wrong because if the policy assignment scope (management group) did not include the web app's subscription, the web app would not be evaluated at all, not marked as 'Healthy'. Option C is wrong because a syntax error in the 'existenceCondition' field would cause the policy to fail during evaluation or return an error, not silently mark resources as 'Healthy'. Option D is wrong because Azure Policy evaluates the configuration of the web app resource itself, not its runtime state; a stopped web app is still assessed for compliance.

75
MCQ · hard

Your organization uses Microsoft Purview Information Protection to classify and protect sensitive data. The compliance team wants to automatically apply a 'Highly Confidential' sensitivity label to emails that contain credit card numbers. Which solution should you configure?

A. Microsoft Purview auto-labeling policy
B. Microsoft Defender for Office 365 Safe Attachments policy
C. Microsoft 365 Data Loss Prevention (DLP) policy
D. Microsoft Endpoint DLP
Answer: A

Auto-labeling can apply labels based on sensitive info types in emails.

Why this answer

Option A is correct because Microsoft Purview auto-labeling policies can automatically apply sensitivity labels based on sensitive information types such as credit card numbers. Option C is wrong because Microsoft 365 DLP policies block or warn; they do not apply sensitivity labels. Option D is wrong because Endpoint DLP protects data on devices, not email.

Option B is wrong because Microsoft Defender for Office 365 Safe Attachments protects against threats, not data classification.
