SC-900 domain
Describe the concepts of security, compliance, and identity
Use this page to work through SC-900 practice questions for the domain "Describe the concepts of security, compliance, and identity". The goal is not to memorise dumps, but to understand the concept, review the explanation and improve your exam readiness.
What the exam tests
What to know about Describe the concepts of security, compliance, and identity
Questions in the "Describe the concepts of security, compliance, and identity" domain test whether you can apply the concept in context, not just recognise a definition.
How the topic appears in realistic exam-style scenarios.
Which detail in the question changes the correct answer.
How to eliminate plausible but wrong options.
How to connect the question back to the wider exam objective.
Question index
All Describe the concepts of security, compliance, and identity questions (126)
1. A security analyst is explaining the core principles of information security to a new team member. Which principle ensures that data is not modified by unauthorized parties?
2. A company is moving its on-premises database to Azure SQL Database. According to the shared responsibility model, which security tasks remain the responsibility of the customer?
3. A security architect is adopting a new security model that assumes breach and verifies every access request. The model eliminates implicit trust and requires continuous validation. Which security model is being implemented?
4. A company is migrating its on-premises workloads to Azure. The CISO wants to understand the division of security responsibilities between Microsoft and the customer across cloud service models. For which cloud service model does the customer have the most security responsibility?
5. A security architect is designing a new security posture based on the Zero Trust model. The architect wants to ensure that every access request is fully authenticated, authorized, and encrypted before granting access, and that access is granted only to the minimum necessary resources. Which three principles of Zero Trust align with these requirements? (Choose three.)
6. A company's security policy requires that customer data must only be accessible by authorized sales representatives. Which security principle does this requirement directly enforce?
7. A company uses Microsoft Entra ID and has multiple departments with separate organizational units (OUs) in its on-premises Active Directory. The help desk team needs to be able to reset passwords for users only in the Finance department. What feature should be used to delegate this administrative scope?
8. A security administrator is explaining the concept of defense in depth to a new team member. Which statement best describes this approach?
9. A user logs into a company's financial application using their Microsoft Entra ID credentials. After successful sign-in, the application displays a dashboard with data for only the regions the user is authorized to manage. Which two security concepts are demonstrated in this scenario? (Select all that apply.)
10. A security manager wants to ensure that an employee who sends an email cannot later deny having sent it. Which security concept and associated technology is best suited to achieve this?
11. A company assigns permissions to users based strictly on their job title (e.g., Sales Manager can edit documents, Sales User can only read). Which identity and access management concept is being implemented?
12. A company implements a security measure to ensure that only authorized employees can view sensitive customer records. Which principle of the CIA triad does this measure primarily protect?
13. A company implements regular data backups and a disaster recovery plan to restore critical systems after an outage. Which security principle is primarily being addressed by these measures?
14. A security administrator configures user accounts so that employees have only the permissions necessary to perform their job functions and no more. Which security concept is being applied?
15. A company uses cryptographic hashes to verify that a downloaded software file has not been modified by an attacker during transmission. Which principle of the CIA triad is primarily being addressed?
16. A healthcare organization stores patient records in an encrypted database. Access to the database is restricted to authorized medical staff only. Which security principle is primarily being addressed by these measures?
17. A financial institution uses digital signatures to ensure that a transaction record has not been altered after it was processed. Which security principle is primarily addressed?
18. A company requires all employees to provide a one-time passcode generated by an authenticator app in addition to their password when accessing the corporate VPN. This practice is an example of which security concept?
19. A security architect is designing a system where user access rights are reviewed and certified on a regular basis by data owners. The goal is to ensure that users continue to have only the permissions necessary to perform their job functions and that no excessive permissions exist. Which security principle is primarily being implemented through these regular reviews?
20. A company configures its access control system so that each user can only access the data and perform actions that are strictly necessary for their job role. This configuration is a direct implementation of which security principle?
21. A company hosts a line-of-business application on an Azure virtual machine. The IT team is responsible for configuring the operating system, installing security updates, and managing the application code. An auditor asks who is responsible for the physical security of the data center where the virtual machine runs. According to the shared responsibility model for cloud services, who is responsible?
22. A company regularly performs automated backups of its critical databases and has a disaster recovery plan to restore operations quickly after a system failure. Which security principle is primarily being addressed by these measures?
23. A security architect is designing a defense strategy for the organization's network. The architect assumes that an attacker may already have breached the perimeter and is operating inside the network. Therefore, the design does not automatically trust any user or device, even if they are inside the corporate network, and requires continuous verification for every access request. Which security principle does this approach best represent?
24. A company implements a security strategy that includes multiple layers of controls: a perimeter firewall, an intrusion detection system, endpoint antivirus software, and multi-factor authentication for user access. The goal is that if one layer fails, another layer is in place to prevent or mitigate an attack. Which security principle does this approach best represent?
25. A security manager explains that the company's security strategy relies on multiple layers of controls, such as firewalls, antivirus software, and multi-factor authentication, so that if one layer fails, another can still prevent an attack. Which security principle does this strategy best represent?
26. A company is deploying a web application on Azure App Service. The security officer states that according to the shared responsibility model, the customer is responsible for managing access to the application and securing the application code. Which of the following responsibilities does Microsoft retain for Azure App Service?
27. A security architect is designing a defense strategy for a company's IT infrastructure. The strategy includes deploying a network firewall, using an intrusion detection system, installing antivirus software on all endpoints, and requiring multi-factor authentication for all user accounts. The architect explains that if the firewall fails, the IDS can detect an intrusion, and if the IDS misses something, the antivirus might catch it, and MFA can protect even if credentials are compromised. Which security principle best describes this layered approach?
28. A company uses digital signatures to ensure that a sender cannot later deny having sent a message. Which security principle does this primarily address?
29. An attacker gains access to a company's email system and reads confidential customer emails. Which security principle has been compromised?
30. A company subscribes to Microsoft 365 E5, a Software-as-a-Service (SaaS) offering. The IT department is responsible for configuring user accounts and managing data in Exchange Online and SharePoint Online. According to the shared responsibility model, which security responsibility is retained by Microsoft for this SaaS deployment?
31. A company operates an e-commerce website that must remain accessible during high-traffic holiday seasons. The IT team deploys additional web servers and implements automatic failover to a secondary data center if the primary site goes down. Which security principle is the company primarily addressing?
32. A company has a document management system. The security policy requires that a user in the Sales department can only view documents related to sales and cannot access documents in the Finance or HR folders. Which security principle is being applied?
33. A company has implemented a security model where every access request is fully authenticated, authorized, and encrypted before granting access, regardless of where the request originates (corporate network or internet). The model assumes that no entity is inherently trustworthy and requires continuous verification. This model is known as:
34. A company implements a sign-in process where a user must provide their password and then enter a temporary code sent to their mobile phone. Which security principle is this process primarily enforcing?
35. A user logs into the company's network using their username and password. After successful login, the user attempts to open a financial report but receives an access denied message because they are not a member of the 'Finance' security group. Which security concept is best illustrated by the access denial?
36. A company deploys a web application on Azure virtual machines (VMs) in an Infrastructure-as-a-Service (IaaS) model. The company is responsible for managing the guest operating system, the application code, and the data stored on the VMs. According to the shared responsibility model, which of the following security responsibilities does Microsoft retain in this scenario?
37. A hotel uses a key card system. Guests insert their card into the door lock, which reads the card's ID number. The system checks the ID number against a list of authorized rooms. If the ID matches an authorized room, the door unlocks. In this scenario, which concept is demonstrated when the system checks the ID number against the list of authorized rooms?
38. A user logs into a company's application using their username and password. After logging in, the application checks whether the user belongs to the 'Admin' role before granting access to the user management page. Which security concept is primarily illustrated by the role check?
39. A company deploys firewalls, intrusion detection systems, and endpoint antivirus software at multiple layers of its network. This strategy is intended to ensure that if one security control fails, others still provide protection. Which security concept does this approach represent?
40. An organization stores sensitive customer data in a cloud database. The security team uses encryption to protect the data while it is stored and while it is transmitted. They also implement role-based access control to ensure only authorized users can modify the data. Which two security principles are primarily being upheld by these actions?
41. A company secures its network by deploying a firewall at the perimeter, an intrusion prevention system on internal segments, endpoint antivirus on all workstations, and encrypting sensitive data at rest and in transit. This layered approach ensures that if one control fails, others still provide protection. Which security concept does this strategy best represent?
42. A company requires users to enter a password and then a temporary code from a mobile app to sign in. After signing in, a user attempts to open a confidential document but is denied because they are not a member of the 'Managers' group. Which two security concepts are primarily demonstrated in this scenario?
43. A user receives an encrypted email from their bank. They use their private key to decrypt the message. After reading it, they verify that the message content has not been altered during transit. Which security principle is primarily demonstrated by the verification that the content was not altered?
44. A company implements multiple layers of security controls: firewalls at the perimeter, intrusion detection systems on internal segments, antivirus software on all workstations, and encryption for sensitive data at rest and in transit. This strategy is intended to ensure that if one control fails, others still provide protection. Which security concept does this approach represent?
45. A company subscribes to a SaaS human resources application hosted by an external provider. The provider is responsible for maintaining the physical data centers, network infrastructure, and the underlying application software. The company is responsible for managing user accounts, configuring user permissions, and classifying the data they upload. Which security model does this arrangement primarily describe?
46. A user authenticates to a company's network by entering their password and then approving a push notification on their mobile phone. After authentication, the user attempts to access a shared folder containing financial reports. The access is denied because the user's account is not a member of the 'Finance' group. Which security concept is demonstrated when the user is denied access to the folder?
47. A user downloads a software update from a company's internal website. The update file is hashed, and the hash value is published on a separate secure page. After downloading, the user computes the hash of the downloaded file and compares it to the published hash. The two values match. Which security concept is primarily demonstrated by this comparison?
48. A company implements a security model where no user or device is automatically trusted, even if they are inside the corporate network. Every access request must be authenticated, authorized, and encrypted before granting access, regardless of the request origin. This model is known as:
49. A security administrator is configuring permissions for a new cloud-based expense reporting application. The administrator assigns each employee only the permissions they need to perform their job functions. For example, employees in the Sales department can view expense reports but cannot approve or modify financial data. Which security principle is the administrator implementing?
50. A healthcare organization stores sensitive patient records in a cloud database. The database is encrypted at rest using AES-256. If an attacker gains access to the physical storage media, they cannot read the data. Which security concept does this encryption primarily provide?
51. A company hosts a mission-critical customer portal on Azure virtual machines. To ensure continuous availability, they deploy the application across two separate Azure regions. If one region experiences a failure, traffic is automatically routed to the other region with minimal disruption. Which security goal is primarily being addressed by this architecture?
52. A company issues laptops to all employees with BitLocker full-disk encryption enabled. If a laptop is stolen, the data on the hard drive cannot be read without the recovery key. Which security principle does this measure primarily protect?
53. A company uses digital signatures on all official emails sent to customers. The signature is created using the sender’s private key, allowing recipients to verify that the email truly came from the claimed sender and that it was not altered in transit. Which security goal is primarily achieved by the digital signature?
54. A company uses a financial accounting system where the employee who creates a purchase order cannot also approve it. This policy is designed to prevent a single individual from committing fraud by both initiating and approving a transaction. Which security principle does this practice primarily implement?
55. A hospital encrypts patient data stored in a database using AES-256 encryption. If an attacker manages to copy the database file, they cannot read the protected information. Which security goal is primarily achieved by this encryption measure?
56. A company is migrating its on-premises applications to Azure. The CIO states that the company is fully responsible for managing the security of its own applications and data, while Microsoft is responsible for the security of the underlying physical infrastructure, such as hardware and data centers. This division of security responsibilities is an example of which concept?
57. A company implements multiple layers of security controls including a firewall, an intrusion detection system (IDS), antivirus software on endpoints, and regular security awareness training for employees. This approach is an example of which security concept?
58. A security analyst downloads a software installer from a vendor's website. To ensure the file has not been tampered with during transmission, the analyst compares the SHA-256 hash of the downloaded file against the hash published on the vendor's official site. This practice primarily validates which security goal?
59. A company is moving its on-premises infrastructure to Azure. The CISO wants to understand the division of security responsibilities between the cloud provider and the customer. Which of the following models defines this division?
60. An organization is redesigning its security architecture based on the Zero Trust model. Which principle requires that every access request must be fully authenticated, authorized, and encrypted before granting access, regardless of the network location?
61. A security architect is explaining identity management concepts to the IT team. Which statement correctly describes the difference between authentication and authorization?
62. A security analyst is explaining the concept of 'defense in depth' to a new team member. Which of the following best describes the defense in depth strategy?
63. An organization adopts a Zero Trust security model. Which principle requires that every access request must be explicitly verified and granted least privilege regardless of the user's location or device?
64. A company uses Azure SQL Database, which is a Platform as a Service (PaaS) offering. The security team is reviewing the shared responsibility model and wants to know who is responsible for applying operating system patches to the underlying infrastructure that hosts the database. Who is responsible for this task?
65. A company stores application secrets and encryption keys in Azure Key Vault. They want to move from the older vault access policy model to a more scalable and granular permission model that integrates with Azure's role-based access control (RBAC). They also need to audit permissions using Azure Policy. Which access configuration should they choose for Azure Key Vault?
66. An organization is moving a virtual machine to Azure Infrastructure as a Service (IaaS). According to the shared responsibility model, which of the following security tasks is the customer responsible for?
67. A security administrator is explaining authentication and authorization to new IT staff. Which statement correctly describes the difference between these two processes?
68. A multinational company stores customer data across multiple Azure regions. A new regulation requires that customer data must remain within the country's borders and cannot be transferred abroad. Which concept does this regulation primarily relate to?
69. A company deploys a custom application on Azure App Service (PaaS). Which of the following security responsibilities falls completely under the customer's scope according to the shared responsibility model?
70. A company uses a cloud-based SaaS (Software as a Service) application for customer relationship management. According to the shared responsibility model, which security responsibility is primarily handled by the customer?
71. A security analyst is explaining the concept of 'Least Privilege' to a new team member. Which statement best describes the principle of least privilege?
72. A security architect is designing a Zero Trust strategy. Which principle ensures that network location alone does not grant trust, and all access requests must be verified?
73. According to the Zero Trust security model, which principle assumes that a breach has already occurred and therefore requires segmenting access and monitoring for lateral movement?
74. A security administrator is explaining the shared responsibility model to a new team member. The company uses a Software-as-a-Service (SaaS) application such as Microsoft 365. For which of the following items is the customer primarily responsible under this model?
75. A security architect is designing a Zero Trust security model for a hybrid organization. Which principle of Zero Trust requires that every access request must be fully authenticated and authorized regardless of the network location, and that access should be granted with the minimum level required?
76. A company uses a cloud-based Customer Relationship Management (CRM) system that is delivered as Software-as-a-Service (SaaS). According to the shared responsibility model, which security responsibility is primarily handled by the customer?
77. An organization is implementing a Zero Trust security model. Which principle requires that every access request must be fully authenticated, authorized, and verified based on all available signals, regardless of the user's network location?
78. A company is migrating its on-premises applications to Azure Infrastructure-as-a-Service (IaaS). According to the shared responsibility model, which of the following security responsibilities shifts from the customer to Microsoft during this migration?
79. A company is migrating its on-premises virtual machines to Azure Infrastructure-as-a-Service (IaaS). Which security responsibility primarily shifts from the customer to Microsoft during this migration?
80. A security architect explains the Zero Trust model to the board. They state that every access request must be fully authenticated and authorized based on identity, device health, location, and risk, regardless of whether the user is on the corporate network. Which Zero Trust principle does this statement represent?
81. A security architect is implementing a Zero Trust security model. The architect insists that the network perimeter should not be trusted and that security controls must be applied to all traffic, even within the corporate network. They also emphasize the need for continuous monitoring and detection of threats as if a breach has already occurred. Which Zero Trust principle is the architect primarily applying?
82. A security administrator is explaining the Zero Trust model to a new colleague. The administrator states that trust should never be granted based solely on network location, and every access request must be fully authenticated and authorized using all available signals. Which Zero Trust principle does this statement describe?
83. A security architect is explaining the evolution of the security perimeter. They state that because users access corporate resources from anywhere on any device, the traditional network perimeter is no longer sufficient. What does the architect identify as the new primary security perimeter?
84. A security architect is explaining the Zero Trust model to the board. The architect emphasizes that the network perimeter can no longer be considered a safe zone. Which statement best describes the modern primary security perimeter according to Zero Trust principles?
85. A company subscribes to a cloud-based email service that is delivered as Software-as-a-Service (SaaS). According to the shared responsibility model, who is primarily responsible for the physical security of the data centers where the email data is stored?
86. A hospital stores patient medical records electronically. An attacker gains access to the system and modifies patient diagnoses. Which principle of the CIA triad has been violated?
87. A user logs into a corporate laptop by inserting a smart card and entering a PIN. The user then attempts to open a confidential folder. The operating system checks the user's access rights and denies access. Which security concepts are demonstrated in this scenario?
88. A company is implementing a new security policy that requires every user to have only the minimum permissions necessary to perform their job duties. Which security principle does this policy align with?
89. A company's IT department deploys a multi-layered security strategy that includes a perimeter firewall, network segmentation, endpoint antivirus software, data encryption, and employee security awareness training. Which security model does this approach represent?
90. A security architect is implementing a Zero Trust strategy. They state that all access requests must be verified continuously, regardless of where the request originates (corporate network or remote). They also emphasize that access is granted based on a policy that evaluates user identity, device health, location, and risk in real-time. Which Zero Trust guiding principle does this scenario primarily illustrate?
91. A company deploys full disk encryption on all employee laptops to protect data in case a device is lost or stolen. Which security goal does this measure primarily address?
92. A company uses Microsoft 365 E5. An employee's corporate laptop is infected with keylogging malware that captures the employee's credentials. The attacker uses these credentials to sign in to Exchange Online and forward sensitive emails to an external account. Under the shared responsibility model, who is primarily responsible for the security incident?
93. A company's security policy requires that all data transferred between the corporate data center and the cloud must be protected from unauthorized access during transmission. They use encryption protocols such as TLS to achieve this. Which security goal is primarily being addressed?
94. A company is implementing security controls to protect data during transmission between their on-premises database and a cloud storage service. They decide to use TLS encryption. Which security goal is primarily addressed by ensuring that data is not altered during transit?
95. An organization is migrating its on-premises applications to Azure Infrastructure-as-a-Service (IaaS). According to the shared responsibility model, which of the following security responsibilities remain with Microsoft? (Select two.)
96. A user scans their fingerprint to unlock a corporate laptop. After unlocking, the user attempts to open a confidential database. The system checks the user's role and grants access because the user is a member of the 'Data Analyst' group. Which two security concepts are demonstrated in this scenario?
97. A company's IT department implements a policy for server administrators: they must submit an access request to perform privileged tasks on critical servers. Each request is approved by a manager, and the granted elevated permissions automatically expire after four hours. This approach reduces the risk of standing privileges being exploited. Which security concept is primarily being applied?
98. A company deploys a custom web application on Azure App Service (PaaS). The application stores user data in Azure SQL Database. The security team is responsible for securing the application code, managing authentication, and configuring TLS for data in transit. According to the Microsoft shared responsibility model, which security responsibility remains with Microsoft for this PaaS deployment?
99. A company stores sensitive customer data in an Azure SQL database. To protect this data, the database files are encrypted at rest using Transparent Data Encryption (TDE). Additionally, all network traffic between the application and the database is encrypted using TLS. Which security goal is primarily addressed by these encryption measures?
100. A company implements multiple layers of security controls, including firewalls, antivirus software, access controls, and security awareness training. Which security concept does this approach best represent?
101. A user authenticates with a smart card and is then granted access to a specific database based on their job role in the finance department. Which security concept describes the process of determining what the authenticated user is allowed to do?
102. A company uses a cloud-based email service. The service provider ensures that the physical data centers are secure and that the email platform is patched and available. The company is responsible for managing user accounts and ensuring that employees use strong passwords. This division of responsibilities is an example of which concept?
103. A healthcare company stores patient records in an Azure SQL database. To protect the data, they enable Transparent Data Encryption (TDE) for the database and require all client connections to use TLS. Which security goal is being primarily addressed by these measures?
104. A company deploys a custom web application on Azure App Service (PaaS). The application stores data in Azure SQL Database. The security team needs to identify which security responsibilities fall under the customer according to the Microsoft shared responsibility model. Which of the following is primarily the customer's responsibility for this PaaS deployment?
105. A company implements a security policy where employees must use a smart card to log into their workstations. After logging in, they can only access file shares that correspond to their department. Which two security concepts are demonstrated in this scenario?
106. An organization adopts a security model where they never trust a request by default, even if it comes from inside the corporate network. Every access request must be authenticated, authorized, and encrypted. They also assume that a breach will happen and design their systems to minimize the blast radius. Which security model does this describe?
107. A financial company processes stock trades. To ensure that a trader cannot later deny having submitted a specific trade order, the system captures a digital signature from the trader for each order. Which security goal is being addressed by this practice?
108. A company deploys a virtual machine on Azure IaaS. According to the Microsoft shared responsibility model, which of the following security responsibilities is primarily the customer's responsibility?
109. A healthcare organization uses digital signatures on electronic medical records to ensure that the records have not been tampered with during transmission. Which security goal is primarily being addressed by this practice?
110. A company configures its identity and access management system so that employees are granted only the permissions necessary to perform their job functions. For example, a sales representative has read-only access to the customer database and cannot modify financial records. Which security principle is being applied in this scenario?
111. A company's security team has adopted a strategy that assumes a breach has already occurred. They implement network segmentation, apply strict least privilege access, continuously verify all access requests, and never trust users or devices solely because they are inside the network perimeter. This approach best describes which security model?
112. A company wants to ensure that data is not altered during transmission between a client and a server. They use TLS encryption. Which security goal does this primarily address?
113. An organization implements a policy where users must provide two forms of verification, such as a password and a text message code, to access the corporate network. Which security concept does this demonstrate?
114. A company implements a policy where each employee is granted only the permissions necessary to perform their specific job role. For example, a marketing specialist has read-only access to the customer database and cannot modify financial records. Which security principle is primarily being applied?
115. A company uses an on-premises Active Directory (AD) and wants to enable single sign-on (SSO) for users to access Microsoft 365 and a third-party SaaS application. They plan to use an external identity provider (IdP) that supports Security Assertion Markup Language (SAML) 2.0. Which identity concept does this implementation primarily rely on?
116. A financial organization implements a security control that logs every access attempt to sensitive financial records, including who accessed the data, when it was accessed, and from which device. The logs are regularly reviewed by the security team. This control primarily addresses which security concept?
117. A company's security team configures network firewall rules so that only a dedicated jump server's IP address can initiate RDP connections to production servers. This is an example of which security principle?
118. A user successfully authenticates to a system using a smart card. After authentication, the system checks whether the user's device is compliant with security policies before granting access to the network. This additional check is an example of which security concept?
119. An organization uses a system where users first provide a username and password (Step 1) and then the system checks whether the user has permission to view a specific folder (Step 2). Which two security concepts are demonstrated in this process? (Choose two.)
120A company's security team implements a system where every access attempt to sensitive data is recorded, including who accessed the data and when. The logs are regularly reviewed to detect unauthorized access and to hold users accountable for their actions. Which security goal is primarily being addressed by this logging practice?
121An organization implements a security policy where users must authenticate using a smart card and PIN. After successful authentication, the system checks whether the user's device is managed by the organization and complies with security baselines. If the device is compliant, the user is granted access to the corporate network. If not, access is denied. This approach most directly reflects which security model?
122A company stores critical financial reports in a SharePoint Online library. To ensure that the reports have not been tampered with, the security team compares a calculated hash of each file against a stored baseline. This verification process primarily protects which security goal?
123A financial institution uses digital signatures to sign all transaction records. This ensures that the records have not been altered after signing. Which security goal does this primarily protect?
124A user logs into a company portal by entering a username and password. After successful login, the system checks if the user is a member of the 'Sales' group and then grants access to the sales dashboard. Which two security concepts are demonstrated in this process? (Choose all that apply.) (Choose two.)
125A company uses a hashing algorithm to verify that a downloaded software file has not been tampered with during transmission. This practice primarily protects which security principle?
126An organization adopts a security model that requires explicit verification of every access request, uses least privilege principles, and assumes that a breach has already occurred. Which security model does this describe?
Watch out for
Common Describe the concepts of security, compliance, and identity exam traps
- Answering from memory before reading the full scenario.
- Missing a constraint such as cost, availability, security, scope or command context.
- Choosing a broad answer when the question asks for the most specific fix.
- Ignoring why the wrong options are tempting.
Frequently asked questions
- What does the Describe the concepts of security, compliance, and identity domain cover on the SC-900 exam?
- Describe the concepts of security, compliance, and identity questions test whether you can apply the concept in context, not just recognise a definition.
- How many questions are in this domain?
- This page lists all 126 Describe the concepts of security, compliance, and identity questions in the SC-900 question bank. The actual exam draws from this domain proportionally to its weighting in the official exam blueprint.
- What is the best way to practise this domain?
- Start with a short focused session (10 questions) to identify gaps, then use the interactive practice page to work through explanations. Repeat with a longer session once the weak areas feel solid.
- Can I practise only Describe the concepts of security, compliance, and identity questions?
- Yes — the session launcher on this page filters questions to this domain only. Choose any session length or try the interactive practice page for inline explanations.