CCNA Security Best Practices Priorities Questions

30 of 180 questions · Page 3/3 · Security Best Practices Priorities topic · Answers revealed

151
MCQmedium

A company uses Microsoft Defender for Cloud to assess the security posture of their Azure subscriptions. They want to ensure that all virtual machines have the Log Analytics agent installed and that missing system updates are remediated automatically. Which two recommendations should be enabled in a single policy initiative?

A.Assign two separate Azure Policy initiatives, one for each requirement.
B.Create a custom Azure Policy initiative that combines the two requirements.
C.Use Azure Blueprints to assign the policies to all subscriptions.
D.Enable the Microsoft Defender for Cloud 'System Updates' and 'Log Analytics agent' recommendations via a built-in initiative.
AnswerD

Defender for Cloud provides built-in initiatives that cover both.

Why this answer

Option D is correct because Microsoft Defender for Cloud includes a built-in policy initiative (the 'ASC Default' initiative) that contains both the 'System Updates' and 'Log Analytics agent' recommendations. Enabling this single initiative automatically assigns both requirements to the selected scope, ensuring that missing system updates are remediated and the Log Analytics agent is installed on all virtual machines without needing custom policies or separate assignments.

Exam trap

The trap here is that candidates often think they need to create custom initiatives or use separate assignments (Option A or B) because they assume the two requirements are unrelated, but Microsoft Defender for Cloud's built-in initiative already bundles them together, making Option D the simplest and most correct approach.

How to eliminate wrong answers

Option A is wrong because it suggests assigning two separate Azure Policy initiatives, which would require managing two distinct assignments and could lead to inconsistent enforcement; the built-in initiative already combines both requirements into a single assignment. Option B is wrong because creating a custom Azure Policy initiative is unnecessary and adds complexity when a built-in initiative that exactly meets the requirements already exists in Defender for Cloud. Option C is wrong because Azure Blueprints are used for deploying and governing entire environments with multiple artifacts (including policies, role assignments, and resource groups), not for simply enabling two specific recommendations within Defender for Cloud; using Blueprints here would be over-engineering and not the intended use case.

152
MCQmedium

A multinational corporation, Contoso Ltd., is implementing Microsoft Purview to manage data governance across their Azure and Microsoft 365 environments. They need to discover sensitive data (e.g., credit card numbers, passport numbers) in Azure Blob Storage, Azure SQL Database, and SharePoint Online. The data must be classified and labeled automatically. Additionally, they want to prevent sensitive data from being shared externally via email and Teams. The solution should align with Microsoft's data security best practices. What should you recommend?

A.Use Azure Policy to enforce tagging on resources. Use Microsoft Defender for Cloud to identify sensitive data. Configure retention labels in Microsoft 365. Use Azure AD Conditional Access to block external sharing.
B.Use Microsoft Defender for Cloud Apps to discover sensitive data in cloud apps. Use Microsoft Purview Information Protection to label. Use Azure AD Identity Governance to manage access.
C.Use Azure Information Protection (AIP) to classify documents. Use Azure SQL Data Discovery & Classification for databases. Configure manual labeling rules. Use Microsoft 365 DLP policies.
D.Deploy Microsoft Purview Data Map to scan Azure Blob Storage and Azure SQL Database. Create custom sensitivity labels to identify sensitive data types. Configure auto-labeling policies in Microsoft Purview to apply labels. Create Data Loss Prevention (DLP) policies in Microsoft Purview Compliance Portal to block external sharing of labeled content in email and Teams.
AnswerD

Comprehensive data discovery, classification, and DLP coverage.

Why this answer

Option A is correct because Microsoft Purview Data Map can scan and classify data in Azure sources, and sensitivity labels can be applied automatically. DLP policies in Microsoft 365 (via Purview) can block external sharing. Option B is wrong because Azure Policy does not classify data.

Option C is wrong because Azure Information Protection is deprecated. Option D is wrong because Defender for Cloud Apps is for cloud app security, not classification.

153
MCQmedium

Refer to the exhibit. You are reviewing a KQL query in Microsoft Sentinel. What is the primary purpose of this query?

A.To identify accounts with multiple failed logon attempts from a single IP.
B.To list all successful logon events in the last 7 days.
C.To calculate the total number of failed logons per hour.
D.To detect account lockout events.
AnswerA

The query aggregates failed logons by account and IP, filtering for >10 attempts.

Why this answer

The query uses the `SigninLogs` table and filters for `ResultType == 50057`, which specifically indicates a failed user sign-in due to an incorrect password. By then summarizing `count()` by `IPAddress` and `UserPrincipalName` and filtering for `FailedAttempts > 5`, the query identifies accounts that have experienced multiple failed logon attempts from a single IP address. This aligns with detecting brute-force or password-spray attacks, making option A correct.

Exam trap

The trap here is that candidates may confuse the `ResultType` code 50057 with a successful logon or lockout event, or overlook that the query groups by both IP and user, not by time, leading them to select options B, C, or D.

How to eliminate wrong answers

Option B is wrong because the query filters for `ResultType == 50057`, which is a failed logon event, not a successful one; successful logons would use `ResultType == 0`. Option C is wrong because the query summarizes by `IPAddress` and `UserPrincipalName`, not by time bins (e.g., `bin(TimeGenerated, 1h)`), so it cannot calculate failed logons per hour. Option D is wrong because account lockout events are represented by a different `ResultType` value (e.g., 50053 or 50074 in Azure AD), and the query does not filter for those codes.

154
Multi-Selectmedium

Which TWO of the following are benefits of using Microsoft Defender XDR (Extended Detection and Response)? (Choose two.)

Select 2 answers
A.Scans for vulnerabilities in VMs
B.Provides compliance assessments
C.Cross-domain correlation of alerts
D.Replaces the need for a firewall
E.Automated investigation and response
AnswersC, E

Defender XDR correlates alerts from multiple sources into incidents.

Why this answer

Option C is correct because Microsoft Defender XDR correlates alerts across endpoints, email, identities, and cloud apps to provide a unified incident view. This cross-domain correlation enables security teams to detect multi-stage attacks that span different attack surfaces, which is a core benefit of an XDR solution.

Exam trap

The trap here is that candidates confuse the broad capabilities of the Microsoft security portfolio (e.g., Defender for Cloud, Purview) with the specific scope of Defender XDR, leading them to select features that belong to other services.

155
MCQmedium

Litware, a software development company, has adopted a DevOps culture and uses Azure DevOps for CI/CD pipelines. They deploy applications to Azure Kubernetes Service (AKS) and Azure App Services. The security team wants to ensure that secrets (API keys, connection strings) are not exposed in source code or pipeline logs. They also need to scan container images for vulnerabilities before deployment and ensure that only approved images are used in production. The solution must integrate with Microsoft Defender for Cloud and follow security best practices. What should you include in the design?

A.Use Azure App Configuration to store secrets with encryption. Run vulnerability scans using a third-party tool integrated into the pipeline. Create a custom script to check image registry location.
B.Store secrets in Azure Key Vault and use Azure DevOps Variable Groups linked to Key Vault for retrieval during pipelines. Enable Microsoft Defender for Containers on AKS to scan container images for vulnerabilities. Use Azure Policy (specifically Azure Policy for AKS with Gatekeeper) to enforce that only images from approved registries are deployed.
C.Store secrets as encrypted pipeline variables in Azure DevOps. Use Azure Container Registry (ACR) tasks to scan images. Implement manual approval gates in release pipelines to verify image source.
D.Store secrets in Azure Key Vault but use a custom task to retrieve them. Scan images using Microsoft Defender for Cloud after deployment. Use role-based access control to restrict registry access.
AnswerB

Secret security via Key Vault, automated vulnerability scanning, and policy enforcement.

Why this answer

Option B is correct because it aligns with security best practices by using Azure Key Vault to securely store secrets and linking them to Azure DevOps Variable Groups for secure retrieval during pipelines, preventing exposure in source code or logs. It enables Microsoft Defender for Containers on AKS to scan container images for vulnerabilities before deployment, and uses Azure Policy with Gatekeeper to enforce that only images from approved registries are deployed, ensuring compliance and integration with Microsoft Defender for Cloud.

Exam trap

The trap here is that candidates often confuse Azure App Configuration with Azure Key Vault for secret storage, or assume that post-deployment scanning is acceptable, but the requirement explicitly demands scanning before deployment and integration with Microsoft Defender for Cloud.

How to eliminate wrong answers

Option A is wrong because Azure App Configuration is not designed for secret storage (it lacks native key rotation and access policies compared to Key Vault), and using a third-party tool for vulnerability scanning and a custom script for registry checks does not integrate with Microsoft Defender for Cloud as required. Option C is wrong because storing secrets as encrypted pipeline variables in Azure DevOps still exposes them in pipeline logs and does not provide centralized secret management or rotation, and ACR tasks scan images only after push, not before deployment, while manual approval gates do not enforce policy-based image source control. Option D is wrong because using a custom task to retrieve secrets from Key Vault bypasses the secure, native integration of Variable Groups linked to Key Vault, and scanning images after deployment (post-deployment) violates the requirement to scan before deployment, while RBAC alone does not enforce that only approved images are used.

156
MCQhard

Your organization uses Microsoft Sentinel for security operations. You need to design a solution to automatically respond to a DDoS attack detected by Azure DDoS Protection. The response should include blocking the attacker's IP address in Azure Firewall and sending an alert to the security team. Which approach should you use?

A.Configure an alert rule in Azure Monitor to send an email to the security team
B.Use Azure Policy to deny network traffic from the attacker's IP range
C.Configure a resource lock on the Azure Firewall to prevent changes
D.Create an automation rule in Microsoft Sentinel that triggers a playbook to block the IP in Azure Firewall
AnswerD

Sentinel automation rules with playbooks can orchestrate automated response actions.

Why this answer

Option D is correct because Microsoft Sentinel automation rules can trigger a playbook (an Azure Logic App) when a DDoS attack detection alert fires. The playbook can execute an action to block the attacker's IP address in Azure Firewall via its REST API or PowerShell cmdlets, and simultaneously send an alert to the security team (e.g., via email or Teams). This provides an automated, orchestrated response directly from the SIEM, aligning with security operations best practices.

Exam trap

The trap here is that candidates may confuse Azure Monitor alert rules (which only notify) with Sentinel automation rules (which can trigger remediation playbooks), or think Azure Policy can dynamically block IPs when it is actually a static compliance enforcement tool.

How to eliminate wrong answers

Option A is wrong because an Azure Monitor alert rule can only send notifications (e.g., email) and cannot perform remediation actions like blocking an IP in Azure Firewall; it lacks the orchestration capability needed for automated response. Option B is wrong because Azure Policy is a governance tool for enforcing compliance rules on resource configurations (e.g., denying creation of certain resources), not for dynamically blocking network traffic from a specific attacker IP in real time. Option C is wrong because a resource lock on Azure Firewall prevents accidental deletion or modification of the firewall itself, but does not block attacker IPs or send alerts; it actually hinders the automated response by locking the resource.

157
MCQmedium

Refer to the exhibit. You are reviewing an ARM template for an Azure storage account. Which security best practice is implemented?

A.Enforce HTTPS traffic only
B.Restrict network access by IP address
C.Deny all network traffic by default
D.Enable soft delete for blobs
AnswerC

defaultAction: Deny blocks all traffic unless explicitly allowed.

Why this answer

The template sets supportsHttpsTrafficOnly to true (enforces HTTPS) and minimumTlsVersion to TLS1_2 (requires TLS 1.2). It also sets networkAcls defaultAction to Deny (denies all traffic by default). All these are security best practices.

However, the question asks for which practice is implemented; the most notable is the network ACL default deny. The answer could also be enforcing HTTPS. But typical exam focuses on network access restriction.

158
MCQeasy

Your organization is a small business with 50 employees that uses Microsoft 365 Business Premium. You need to design a security baseline that protects against common threats like phishing, ransomware, and data leakage. The solution must be easy to manage and require minimal ongoing effort. You have the following requirements: 1. Block malicious emails and links. 2. Protect sensitive data from being shared externally. 3. Require multi-factor authentication for all users. 4. Keep devices healthy. Which combination of policies should you implement?

A.Enable Microsoft Defender for Office 365 for phishing protection. Use Microsoft Purview Information Protection to automatically label sensitive emails. Create a Conditional Access policy to require MFA for admins only. Use Azure Information Protection scanner.
B.Enable Exchange Online Protection (EOP) for spam and malware filtering. Create a Conditional Access policy to require MFA for all users. Enable device compliance policies in Microsoft Intune.
C.Enable Microsoft Defender for Office 365 Safe Links and Safe Attachments. Create a Microsoft Purview DLP policy to prevent external sharing of sensitive data. Create a Conditional Access policy to require MFA and device compliance.
D.Enable Microsoft Defender for Office 365 Safe Links and Safe Attachments. Create a Microsoft Purview DLP policy to block sharing of credit card numbers. Enable security defaults in Microsoft Entra ID to enforce MFA.
AnswerC

Covers all requirements: email protection, DLP, MFA, and device health via Conditional Access with device compliance.

Why this answer

Option C is correct because it directly addresses all four requirements: Microsoft Defender for Office 365 Safe Links and Safe Attachments blocks malicious emails and links; a Microsoft Purview DLP policy prevents external sharing of sensitive data, protecting against data leakage; a Conditional Access policy requiring MFA and device compliance enforces multi-factor authentication for all users and ensures devices are healthy. This combination is easy to manage with minimal ongoing effort, as it leverages built-in Microsoft 365 Business Premium capabilities without complex custom configurations.

Exam trap

The trap here is that candidates often confuse Exchange Online Protection (EOP) with Defender for Office 365, not realizing that EOP lacks advanced link and attachment protection, and they may overlook the need for device compliance policies when only security defaults are used for MFA.

How to eliminate wrong answers

Option A is wrong because it requires MFA for admins only, not all users, and uses Azure Information Protection scanner (which is not included in Business Premium and requires additional licensing) instead of a DLP policy for data leakage protection. Option B is wrong because Exchange Online Protection (EOP) alone does not block malicious links in emails or attachments at the same level as Defender for Office 365 Safe Links and Safe Attachments, and it lacks a DLP policy to prevent external sharing of sensitive data. Option D is wrong because it blocks only credit card numbers via DLP, not all sensitive data types, and security defaults in Microsoft Entra ID enforce MFA but do not include device compliance checks, failing the 'keep devices healthy' requirement.

159
MCQmedium

A company plans to implement a Zero Trust security model. Which of the following is the primary principle that should guide their strategy?

A.Assume breach and verify explicitly
B.Use a strong perimeter firewall as the primary defense
C.Grant trusted users full access to all resources
D.Trust but verify all internal traffic
AnswerA

This is a foundational Zero Trust principle.

Why this answer

The primary principle of Zero Trust is 'never trust, always verify,' which is operationalized as 'assume breach and verify explicitly.' This means every access request—regardless of source (internal or external)—must be authenticated, authorized, and encrypted before granting access. It eliminates implicit trust based on network location and enforces least-privilege access, which is foundational to the Zero Trust architecture.

Exam trap

The trap here is that candidates often confuse 'trust but verify' (Option D) with Zero Trust, but Zero Trust explicitly rejects any pre-established trust and requires verification at every access attempt, making 'assume breach and verify explicitly' the correct guiding principle.

How to eliminate wrong answers

Option B is wrong because relying on a strong perimeter firewall as the primary defense violates Zero Trust's core tenet of eliminating implicit trust based on network location; Zero Trust assumes the network is already compromised and requires micro-segmentation and per-request verification instead. Option C is wrong because granting trusted users full access to all resources contradicts the least-privilege principle of Zero Trust, which mandates that access be limited to only what is necessary for a specific task, regardless of user trust level. Option D is wrong because 'trust but verify' is the opposite of Zero Trust; Zero Trust requires 'never trust, always verify'—verification must occur before access is granted, not after trust is assumed.

160
Multi-Selecteasy

A company is implementing Microsoft Defender for Cloud to protect their Azure environment. Which TWO of the following are security best practices that should be enabled? (Choose two.)

Select 2 answers
A.Cloud Security Posture Management (CSPM)
B.Microsoft Defender for Cloud workload protection
C.Microsoft Defender for Office 365
D.Microsoft Defender for Endpoint onboarding
E.Microsoft Sentinel integration
AnswersA, B

CSPM provides continuous assessment of security controls.

Why this answer

Cloud Security Posture Management (CSPM) is a core feature of Microsoft Defender for Cloud that continuously assesses your Azure environment against security benchmarks (e.g., Azure Security Benchmark) and provides actionable recommendations to harden configurations. Enabling CSPM is a foundational best practice because it proactively identifies misconfigurations (like open management ports or unencrypted storage) before they can be exploited, directly aligning with the 'prevent' phase of the shared responsibility model.

Exam trap

The trap here is that candidates often confuse 'security best practices that should be enabled' with 'all available security products,' leading them to select options like Defender for Office 365 or Sentinel, which are valuable but not mandatory foundational practices for Azure environment protection in the context of Defender for Cloud.

161
MCQhard

Your organization is adopting Microsoft Copilot for Security. You need to ensure that the AI model does not expose sensitive data during interactions. What is the primary security control you should implement?

A.Microsoft Entra Conditional Access policies
B.Microsoft Entra Privileged Identity Management
C.Microsoft Purview Information Protection sensitivity labels
D.Microsoft Purview Data Loss Prevention policies for Copilot
AnswerD

DLP policies can detect and block sensitive data in Copilot interactions.

Why this answer

Microsoft Purview Data Loss Prevention (DLP) policies for Copilot for Security are the primary control to prevent sensitive data exposure because they can inspect and block sensitive information (e.g., credit card numbers, health records) in real-time during Copilot interactions. DLP policies integrate directly with Copilot to enforce data protection rules on both prompts and responses, ensuring that sensitive data is not leaked through the AI model. This is the most direct and effective control for preventing data exposure in AI interactions.

Exam trap

The trap here is that candidates often confuse data classification (sensitivity labels) with data loss prevention (DLP), assuming that labeling data is sufficient to prevent exposure, but DLP is the active enforcement mechanism required for real-time AI interactions.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra Conditional Access policies control access to resources based on conditions like location or device compliance, but they do not inspect or block sensitive data within Copilot interactions. Option B is wrong because Microsoft Entra Privileged Identity Management (PIM) manages just-in-time privileged role assignments and does not have any capability to scan or prevent data leakage in AI conversations. Option C is wrong because Microsoft Purview Information Protection sensitivity labels classify and protect data at rest (e.g., documents, emails) but do not enforce real-time data loss prevention rules during active Copilot sessions.

162
MCQmedium

You are designing a security solution for a hybrid identity environment that uses Microsoft Entra ID and on-premises Active Directory. The company wants to enforce Zero Trust principles by continuously verifying user access. Which feature should you implement?

A.Implement Microsoft Entra Hybrid Join for all devices
B.Implement Conditional Access policies that evaluate session risk in real time using continuous access evaluation
C.Implement Microsoft Entra Seamless Single Sign-On
D.Implement Microsoft Entra ID Protection to require multi-factor authentication for all users
AnswerB

CAE revokes tokens based on risk events, enforcing continuous verification.

Why this answer

Option B is correct because session risk-based Conditional Access with continuous access evaluation (CAE) enables real-time risk assessment and enforcement. Option A is wrong because Azure AD Join is for devices, not continuous verification. Option C is wrong because Seamless SSO simplifies sign-on but does not enforce continuous verification.

Option D is wrong because MFA registration does not provide continuous verification during sessions.

163
MCQeasy

A company is designing a Zero Trust architecture for their hybrid identity environment. They plan to require multifactor authentication (MFA) for all users accessing sensitive applications. Which Microsoft Entra ID capability should they use to enforce MFA based on risk level?

A.Self-service password reset
B.Microsoft Entra Privileged Identity Management
C.Conditional Access
D.Microsoft Entra ID Protection
AnswerC

Conditional Access policies enforce MFA based on risk signals.

Why this answer

Option D is correct because Conditional Access policies can enforce MFA based on sign-in risk and user risk. Option A is wrong because Identity Protection detects risks but doesn't enforce access controls by itself. Option B is wrong because PIM manages roles, not access conditions.

Option C is wrong because SSPR is unrelated to MFA enforcement.

164
Multi-Selecthard

Which THREE components are included in Microsoft Defender XDR?

Select 3 answers
A.Microsoft Defender for Office 365
B.Microsoft Defender for IoT
C.Microsoft Defender for Identity
D.Microsoft Defender for Endpoint
E.Microsoft Defender for Cloud
AnswersA, C, D

Defender for Office 365 is part of Defender XDR.

Why this answer

Microsoft Defender XDR (Extended Detection and Response) is a unified security suite that natively integrates Microsoft Defender for Office 365, Microsoft Defender for Identity, and Microsoft Defender for Endpoint. These three components work together to correlate signals across email, identity, and endpoint layers, providing a single-pane-of-glass view for threat detection and automated response. Microsoft Defender for Office 365 protects against email-based threats like phishing and malware, Defender for Identity monitors on-premises Active Directory and cloud identities for lateral movement and privilege escalation, and Defender for Endpoint provides endpoint detection and response (EDR) for Windows, macOS, Linux, Android, and iOS devices.

Exam trap

The trap here is that candidates often assume all 'Defender' branded products are automatically part of Microsoft Defender XDR, but Microsoft Defender for IoT and Microsoft Defender for Cloud are separate services that integrate via connectors rather than being core components of the unified XDR suite.

165
MCQeasy

Your organization uses Microsoft Defender for Cloud Apps. You need to detect anomalous behavior such as impossible travel. What should you configure?

A.Anomaly detection policies in Microsoft Defender for Cloud Apps
B.Data loss prevention (DLP) policies in Microsoft Purview
C.Session policies in Microsoft Defender for Cloud Apps
D.App permission policies in Microsoft Entra ID
AnswerA

These policies detect behavioral anomalies like impossible travel.

Why this answer

Option A is correct because Microsoft Defender for Cloud Apps uses anomaly detection policies to detect impossible travel and other suspicious activities. Option B is wrong because DLP policies focus on data protection, not activity anomalies. Option C is wrong because app permissions are for OAuth apps.

Option D is wrong because session policies control real-time access, not anomaly detection.

166
Multi-Selecteasy

Which THREE are components of Microsoft's Zero Trust model?

Select 3 answers
A.Data
B.Assume breach
C.Microsoft Defender for Cloud
D.Identities
E.Endpoints
AnswersA, D, E

Protect data at rest, in transit, and in use.

Why this answer

Option A is correct because data is one of the six foundational pillars of Microsoft's Zero Trust model (identities, endpoints, data, apps, infrastructure, and network). The Zero Trust model explicitly treats data as a critical asset that must be protected regardless of location, using encryption, labeling, and Data Loss Prevention (DLP) policies to enforce least-privilege access and continuous validation.

Exam trap

The trap here is that candidates confuse the Zero Trust guiding principles (like 'Assume breach') with the architectural components (identities, endpoints, data, apps, infrastructure, network), leading them to select 'Assume breach' as a component rather than a principle.

167
MCQhard

You are a security architect for a large multinational organization that uses Microsoft 365, Azure, and third-party SaaS applications. The organization has recently experienced a breach where an attacker compromised a user account via a phishing email and then used that account to access sensitive data in SharePoint Online and exfiltrate it via email. The security team wants to implement a comprehensive solution that aligns with the Zero Trust principles of 'verify explicitly', 'use least privilege', and 'assume breach'. You need to design a solution that includes identity protection, conditional access, data protection, and continuous monitoring. You have the following requirements: 1. Block phishing attacks in real time. 2. Enforce least privilege access to sensitive data. 3. Detect and respond to anomalous user behavior. 4. Protect data at rest and in transit. 5. Enable automated response to incidents. Which combination of Microsoft security services and configurations should you recommend?

A.Implement Microsoft Defender for Cloud Apps to discover and control SaaS apps. Use Conditional Access with app control. Deploy Microsoft Purview Data Lifecycle Management. Use Azure Sentinel for monitoring.
B.Implement Microsoft Entra ID Protection to detect and block risky sign-ins. Use Conditional Access policies to require MFA and block legacy authentication. Use Microsoft Purview sensitivity labels to classify data and Azure Monitor to collect logs.
C.Implement Microsoft Defender for Office 365 to block phishing emails. Use Conditional Access policies with session risk to enforce access controls. Deploy Microsoft Purview DLP and sensitivity labels to protect data. Use Microsoft Sentinel with automation rules and playbooks to detect and respond to incidents.
D.Implement Microsoft Defender for Identity to detect on-premises threats. Use Conditional Access with device compliance policies. Deploy Microsoft Purview Information Protection. Use Azure Security Center for monitoring.
AnswerC

Covers all requirements: phishing block, least privilege, data protection, and automated response.

Why this answer

Option B is correct because it combines Microsoft Defender for Office 365 to block phishing, Conditional Access with risk policies to enforce least privilege, Microsoft Purview DLP and sensitivity labels to protect data, and Microsoft Sentinel with automation to detect and respond. Option A is wrong because it uses Azure AD (now Entra ID) Identity Protection but lacks DLP and monitoring. Option C is wrong because it does not include phishing prevention.

Option D is wrong because it uses Microsoft Defender for Cloud Apps alone, which is insufficient for email and identity protection.

168
MCQhard

A company uses Microsoft Sentinel with a workspace in the East US region. They want to ingest logs from Azure resources in West Europe. To minimize data transfer costs, what should they do?

A.Use Azure ExpressRoute to connect West Europe to East US
B.Configure data collection rules to filter logs at source
C.Create a new Sentinel workspace in West Europe and ingest logs there
D.Use the existing workspace; inter-region costs are negligible
AnswerC

This minimizes data transfer costs by keeping logs in the same region.

Why this answer

To minimize costs, the best practice is to create a Sentinel workspace in the same region as the data sources. Since West Europe resources are in West Europe, a workspace there is optimal. However, the question states the workspace is already in East US.

To minimize transfer costs, they could create a new workspace in West Europe and ingest logs there, then use cross-workspace queries. But that adds complexity. Alternatively, they could continue to use the East US workspace and accept the costs.

The best answer is to create a new workspace in West Europe.

169
MCQeasy

A security architect is designing a solution to detect and respond to advanced threats across email, endpoints, and identities. Which Microsoft security solution should they use?

A.Microsoft Purview
B.Microsoft Sentinel
C.Microsoft Defender XDR
D.Microsoft Intune
AnswerC

Defender XDR provides integrated protection across email, endpoints, identities, and apps.

Why this answer

Microsoft Defender XDR (Extended Detection and Response) is the correct solution because it provides unified pre- and post-breach detection, investigation, and response across email, endpoints, and identities. It correlates signals from Microsoft Defender for Endpoint, Defender for Office 365, and Defender for Identity into a single incident queue, enabling automated remediation of advanced multi-vector attacks.

Exam trap

The trap here is that candidates confuse Microsoft Sentinel (a SIEM) with Microsoft Defender XDR (an XDR), but Sentinel is a log aggregation and analysis tool requiring manual correlation, while Defender XDR provides native, automated cross-domain detection and response across email, endpoints, and identities.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview is a data governance, compliance, and risk management solution (e.g., data loss prevention, eDiscovery, insider risk), not a threat detection and response platform. Option B is wrong because Microsoft Sentinel is a cloud-native SIEM/SOAR that ingests logs from multiple sources for broad security analytics, but it is not purpose-built for unified cross-domain detection and automated response across email, endpoints, and identities; it requires custom correlation rules and playbooks. Option D is wrong because Microsoft Intune is a mobile device management (MDM) and mobile application management (MAM) service for endpoint configuration and compliance, not a threat detection or response tool.

170
MCQmedium

Your organization uses Microsoft Intune to manage devices. You need to ensure that only devices with a specific minimum OS version can access corporate resources. Which configuration should you use?

A.Device compliance policy with minimum OS version rule
B.Device configuration profile
C.Enrollment restrictions
D.App protection policy
AnswerA

Directly enforces OS version compliance.

Why this answer

A device compliance policy with a minimum OS version rule is the correct choice because Intune compliance policies evaluate device attributes—including OS version—against defined rules before granting access to corporate resources. When a device fails the minimum OS version check, Conditional Access blocks access until the device is updated or remediated, ensuring only compliant devices can connect.

Exam trap

The trap here is confusing enrollment restrictions (which only check OS version at the point of enrollment) with compliance policies (which enforce OS version continuously after enrollment), leading candidates to pick enrollment restrictions as a one-time gate rather than an ongoing control.

How to eliminate wrong answers

Option B is wrong because a device configuration profile manages settings and features on the device (e.g., Wi-Fi, VPN, restrictions) but does not enforce access control based on OS version; it lacks the conditional access integration needed to block non-compliant devices. Option C is wrong because enrollment restrictions control which devices can enroll in Intune (e.g., by platform, manufacturer, or OS version at enrollment time), but they do not enforce ongoing compliance after enrollment—a device could be enrolled with a compliant OS and later be downgraded or fail to update. Option D is wrong because an app protection policy (APP) manages data protection within applications (e.g., preventing copy/paste or requiring PIN) and does not evaluate device-level OS version; APP applies to apps on both managed and unmanaged devices, not to device compliance for resource access.

171
MCQeasy

A company is implementing Microsoft Purview to protect sensitive data in SharePoint Online. They need to automatically apply a 'Highly Confidential' label to documents that contain credit card numbers. What should they create?

A.A communication compliance policy
B.A data loss prevention (DLP) rule
C.A manual labeling policy
D.An auto-labeling policy for sensitivity labels
AnswerD

Auto-labeling policies scan documents and apply labels automatically.

Why this answer

Option D is correct because Microsoft Purview auto-labeling policies for sensitivity labels can automatically detect sensitive data types (e.g., credit card numbers) in SharePoint Online documents and apply a 'Highly Confidential' label without user intervention. This meets the requirement for automatic, policy-driven labeling based on content inspection.

Exam trap

The trap here is that candidates confuse DLP rules (which detect and protect data) with auto-labeling policies (which apply sensitivity labels), but the question specifically asks for automatic label application, not just detection or blocking.

How to eliminate wrong answers

Option A is wrong because communication compliance policies are designed to detect and remediate inappropriate communications (e.g., harassment, insider trading) in Exchange Online and Teams, not to automatically label documents based on sensitive data patterns. Option B is wrong because a data loss prevention (DLP) rule can detect credit card numbers and block or alert, but it does not apply sensitivity labels; DLP rules and sensitivity labels are separate controls. Option C is wrong because manual labeling requires users to apply the label themselves, which contradicts the requirement for automatic application.

172
MCQhard

A company plans to use Microsoft Purview to manage data governance across their on-premises SQL Server databases and Azure SQL databases. They need to classify sensitive data and create a unified data map. Which resource should they deploy?

A.Microsoft Purview
B.Azure Synapse Analytics
C.Azure Data Factory
D.Azure SQL Database
AnswerA

Microsoft Purview provides unified data governance and classification.

Why this answer

Microsoft Purview is the correct choice because it provides a unified data governance service that can scan both on-premises SQL Server and Azure SQL databases, automatically classify sensitive data using built-in classifiers (e.g., PII, financial info), and build a centralized data map. This aligns with the requirement to manage data governance across hybrid environments with a single pane of glass.

Exam trap

The trap here is that candidates often confuse Azure Data Factory's data movement capabilities with Purview's governance role, or mistakenly think Azure Synapse Analytics can perform classification because it includes data warehousing and some security features.

How to eliminate wrong answers

Option B (Azure Synapse Analytics) is wrong because it is an analytics service for large-scale data warehousing and big data processing, not a data governance or classification tool. Option C (Azure Data Factory) is wrong because it is a data integration and orchestration service for ETL/ELT pipelines, lacking native data classification and data map capabilities. Option D (Azure SQL Database) is wrong because it is a specific database platform, not a governance service; it cannot unify metadata or classify data across multiple sources like on-premises SQL Server.

173
Multi-Selectmedium

Which TWO actions should you take to implement a defense-in-depth strategy for an Azure application? (Choose two.)

Select 2 answers
A.Enable encryption at rest for all storage accounts
B.Enable Azure DDoS Protection on the virtual network
C.Enable Azure Firewall on all subnets
D.Use managed identities for Azure resources
E.Enable network security groups (NSGs) on all subnets
AnswersB, E

DDoS Protection mitigates large-scale attacks, adding a network layer.

Why this answer

Option B is correct because Azure DDoS Protection provides defense against volumetric network-layer attacks, which is a critical component of a defense-in-depth strategy. By enabling it on the virtual network, you add a layer of protection at the network perimeter, complementing other security controls. This aligns with the principle of layered security, where multiple controls address different attack vectors.

Exam trap

The trap here is that candidates often confuse defense-in-depth with a single security control, such as encryption or identity management, and fail to recognize that network-layer protections like DDoS Protection and NSGs are essential for a layered security posture.

174
MCQhard

Refer to the exhibit. A security analyst runs this KQL query in Microsoft Sentinel. What is the purpose of this query?

A.Identify the top 10 users who have been targeted by Mimikatz attacks
B.Show the severity of Mimikatz alerts for each user
C.List all Mimikatz alerts with detailed entity information
D.Count the total number of Mimikatz alerts in the last 7 days
AnswerA

The query counts alerts per user and shows the top 10.

Why this answer

The KQL query uses the `summarize` operator with `count()` to aggregate Mimikatz alerts by `UserPrincipalName`, then sorts the results by count in descending order and limits the output to 10 rows. This directly identifies the top 10 users who have been targeted by Mimikatz attacks, as each alert represents a detection event associated with a specific user.

Exam trap

Microsoft often tests the distinction between aggregation (count, sum) and attribute display (severity, details), so candidates may mistakenly think a `count()` query shows severity or detailed entity information when it only provides numerical summaries.

How to eliminate wrong answers

Option B is wrong because the query does not include any field or aggregation related to severity (e.g., `Severity` column or `max(Severity)`), so it cannot show severity levels. Option C is wrong because the query only returns `UserPrincipalName` and a count, not detailed entity information such as IP addresses, process names, or device IDs. Option D is wrong because while the query counts alerts, it does not filter by a specific time range (e.g., `where TimeGenerated > ago(7d)`), so it does not count alerts only in the last 7 days.

175
MCQmedium

South Ridge School District uses Microsoft 365 Education and Azure for administrative systems. They have a large number of students and staff. The district wants to implement a security solution that protects against phishing attacks, ransomware, and inappropriate content. They also need to comply with the Children's Online Privacy Protection Act (COPPA) and other educational regulations. The solution should be cost-effective and easy to manage. What should you recommend?

A.Use Microsoft Sentinel to analyze security logs. Deploy Microsoft Defender for Endpoint on all devices. Use Azure Policy to enforce compliance. Implement third-party web filtering.
B.Upgrade to Microsoft 365 E5 for all users. Implement Azure AD Identity Protection and PIM. Use Microsoft Defender for Identity. Use Microsoft Sentinel for SIEM.
C.Use Microsoft 365 Business Premium for staff only. Use free Microsoft 365 Education for students. Implement Conditional Access policies. Use Microsoft Cloud App Security to block risky apps.
D.Use Microsoft Defender for Office 365 to protect against phishing and malware. Deploy Microsoft Intune for Education to manage student devices and enforce security policies. Enable Microsoft Purview Communication Compliance to monitor for inappropriate content. Use Microsoft Entra ID (free tier) with Security Defaults for identity protection.
AnswerD

Education-appropriate, cost-effective, covers key threats.

Why this answer

Option D is correct because it provides a cost-effective, education-focused security solution that directly addresses the district's requirements. Microsoft Defender for Office 365 protects against phishing and malware in email and collaboration tools, Microsoft Intune for Education enables policy enforcement and device management for students, Microsoft Purview Communication Compliance monitors for inappropriate content to meet COPPA and other regulations, and Microsoft Entra ID (free tier) with Security Defaults provides baseline identity protection without additional licensing costs.

Exam trap

The trap here is that candidates often assume a full E5 or SIEM solution is necessary for compliance and security, but the SC-100 exam emphasizes cost-effective, education-specific solutions that leverage free tiers and built-in capabilities like Security Defaults and Intune for Education.

How to eliminate wrong answers

Option A is wrong because it recommends Microsoft Sentinel, which is a SIEM solution that requires significant cost and expertise, and Azure Policy is for Azure resource compliance, not student device or content monitoring; third-party web filtering adds unnecessary complexity and cost. Option B is wrong because upgrading all users to Microsoft 365 E5 is prohibitively expensive for a school district and includes features like Microsoft Defender for Identity and Sentinel that are overkill for the stated requirements, while not specifically addressing student content monitoring or device management. Option C is wrong because using Microsoft 365 Business Premium for staff only leaves students unprotected against phishing and malware, and Microsoft Cloud App Security (now part of Microsoft Defender for Cloud Apps) requires additional licensing and does not directly address inappropriate content monitoring or device management for students.

176
Multi-Selecthard

You are designing a Microsoft Purview data security solution for a multinational organization subject to GDPR and CCPA. Which THREE Purview capabilities should you include to meet regulatory requirements?

Select 3 answers
A.Data Loss Prevention (DLP) policies
B.Advanced eDiscovery
C.Microsoft Purview Audit (Premium) and Activity Explorer
D.Data classification and sensitivity labels
E.Data Lifecycle Management (retention policies)
AnswersA, C, D

Prevents unauthorized sharing of personal data.

Why this answer

Data Loss Prevention (DLP) policies are correct because they allow the organization to detect and prevent the accidental or intentional sharing of sensitive data—such as personally identifiable information (PII) covered under GDPR and CCPA—across email, SharePoint, OneDrive, and endpoints. By scanning content for sensitive information types (e.g., credit card numbers, EU passport numbers) and applying protective actions (e.g., blocking transmission, showing policy tips), DLP directly enforces data protection mandates required by these regulations.

Exam trap

The trap here is that candidates often confuse 'detective' controls (like eDiscovery) with 'preventive' controls (like DLP and sensitivity labels), or they mistakenly think retention policies alone satisfy data security requirements, when in fact GDPR and CCPA demand active protection against data breaches and unauthorized disclosure.

177
MCQeasy

Your organization wants to implement a security information and event management (SIEM) solution that can ingest logs from multiple sources, including on-premises servers, Azure resources, and third-party SaaS applications. Which Microsoft service should you choose?

A.Microsoft Purview
B.Microsoft Defender for Cloud
C.Microsoft Sentinel
D.Azure Monitor
AnswerC

Sentinel is a scalable SIEM for log ingestion from diverse sources.

Why this answer

Microsoft Sentinel is the correct choice because it is a cloud-native SIEM solution specifically designed to ingest logs from diverse sources, including on-premises servers, Azure resources, and third-party SaaS applications, using built-in connectors for over 100 data sources. It provides centralized security analytics, threat detection, and incident response, making it the appropriate service for this multi-source log ingestion requirement.

Exam trap

The trap here is that candidates often confuse Azure Monitor with a SIEM because it collects logs and metrics, but it lacks the security-specific correlation, threat intelligence integration, and incident management features that define a true SIEM like Microsoft Sentinel.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview is a data governance and compliance solution focused on data classification, labeling, and risk management, not a SIEM for ingesting and analyzing security logs. Option B is wrong because Microsoft Defender for Cloud is a cloud security posture management (CSPM) and workload protection platform that provides security recommendations and alerts for Azure and hybrid resources, but it lacks the comprehensive log ingestion and SIEM capabilities needed for multi-source log aggregation. Option D is wrong because Azure Monitor is a monitoring and diagnostics service for Azure resources and applications, primarily collecting metrics and logs for performance and operational health, not a SIEM solution designed for security event correlation and threat hunting across diverse sources.

178
Multi-Selecteasy

Which TWO of the following are best practices for securing Microsoft 365 tenants? (Choose two.)

Select 2 answers
A.Enable security defaults in Microsoft Entra ID
B.Use Conditional Access policies to enforce MFA
C.Enable basic authentication for all apps
D.Disable modern authentication for legacy protocols
E.Allow all external sharing in SharePoint
AnswersA, B

Security defaults enforce common security policies like MFA.

Why this answer

Enabling security defaults provides a baseline of security. Using Conditional Access policies allows granular access control. These are best practices.

Disabling modern authentication is counterproductive. Allowing all external sharing is risky. Using basic authentication is insecure.

So the correct two are A and B.

179
MCQeasy

A company wants to protect sensitive email data from being exfiltrated by malicious insiders. They need a solution that can detect and block anomalous outbound email traffic in real time. Which Microsoft solution should they use?

A.Microsoft Purview Information Protection
B.Microsoft Defender for Cloud Apps
C.Microsoft Defender for Office 365
D.Microsoft Sentinel
AnswerC

Defender for Office 365 includes anti-phishing, anti-spam, and anomaly detection for email.

Why this answer

Microsoft Defender for Office 365 (MDO) is the correct solution because it provides real-time detection and blocking of anomalous outbound email traffic through its outbound spam filtering and anti-phishing policies. MDO uses machine learning models to analyze email sending patterns, such as sudden spikes in volume or unusual recipient domains, and can automatically quarantine or block suspicious outbound messages to prevent data exfiltration by malicious insiders.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud Apps (a CASB for cloud app activity monitoring) with Defender for Office 365, which is specifically built to protect email traffic at the transport layer, including outbound anomaly detection.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview Information Protection focuses on classifying, labeling, and encrypting data at rest or in transit, but it does not provide real-time detection or blocking of anomalous outbound email traffic. Option B is wrong because Microsoft Defender for Cloud Apps is a CASB that monitors cloud app usage and can detect anomalous behavior, but it is not designed to inspect and block outbound email traffic in real time at the email transport layer. Option D is wrong because Microsoft Sentinel is a SIEM/SOAR solution that aggregates and analyzes security logs for threat detection and response, but it does not natively perform real-time email traffic inspection or blocking at the mail flow level.

180
MCQhard

Proseware, a pharmaceutical company, is deploying a new AI-powered application using Azure OpenAI Service. The application will process sensitive research data and must comply with HIPAA. The security team wants to ensure that the data sent to the Azure OpenAI endpoint is not logged or stored by Microsoft, and that access to the service is restricted to authorized users with appropriate data classification. They also need to monitor for potential data exfiltration and prompt injection attacks. What should you recommend?

A.Use Azure OpenAI Service with default settings. Implement Microsoft Sentinel to detect threats. Use Azure Policy to enforce tagging of resources. Use Azure AD Conditional Access to require MFA for access.
B.Use Azure OpenAI Service with a private endpoint. Deploy Azure Information Protection to classify data. Use Azure Firewall to restrict access. Implement Azure DDoS Protection.
C.Use Azure OpenAI Service with managed identity. Configure Conditional Access to restrict access by IP. Use Azure Monitor to track usage. Implement Azure Key Vault for API keys.
D.Provision Azure OpenAI Service with a 'data processing addendum' (DPA) to ensure no data is stored or logged. Configure Content Filtering to block sensitive data. Use Microsoft Purview Data Classification to label research data. Use Microsoft Defender for Cloud Apps (part of Defender XDR) to create a session policy that monitors and blocks data exfiltration attempts. Enable audit logging to Microsoft Sentinel for anomaly detection.
AnswerD

Addresses data privacy, classification, and real-time exfiltration protection.

Why this answer

Option D is correct because it combines a Data Processing Addendum (DPA) to contractually prevent Microsoft from logging or storing data, Microsoft Purview Data Classification for labeling sensitive research data, and Microsoft Defender for Cloud Apps session policies to monitor and block data exfiltration. Additionally, enabling audit logging to Microsoft Sentinel provides anomaly detection for prompt injection attacks, fulfilling all HIPAA compliance and security requirements.

Exam trap

The trap here is that candidates often overlook the contractual Data Processing Addendum (DPA) as a requirement for HIPAA compliance, assuming technical controls alone suffice, and may confuse deprecated Azure Information Protection with the current Microsoft Purview solution.

How to eliminate wrong answers

Option A is wrong because default Azure OpenAI Service settings do not prevent Microsoft from logging or storing data, and Azure Policy tagging does not restrict access or monitor for data exfiltration. Option B is wrong because Azure Information Protection is deprecated in favor of Microsoft Purview, and Azure Firewall alone cannot monitor application-level data exfiltration or prompt injection. Option C is wrong because Conditional Access by IP does not prevent data logging by Microsoft, and Azure Monitor tracks usage but does not block data exfiltration or detect prompt injection attacks.

← PreviousPage 3 of 3 · 180 questions total

Ready to test yourself?

Try a timed practice session using only Security Best Practices Priorities questions.