Q01. You have an Azure subscription that is used for training purposes

Q01. You have an Azure subscription that is used for training purposes.
You need to allow external users to create resources in the subscription.
Which identity provider can be used to access the subscription?
Ans.
Facebook
Google
Twitter
Amazon Web
Services (AWS)
You can enable Facebook or Google accounts to be used to access Azure subscriptions, but only Google identities can be used for B2B, which is required for resource management. You cannot use Twitter or AWS accounts to access Azure resources.
Identity providers for External Identities - Azure AD - Microsoft Entra | Microsoft Learn
Deploy Federation with Azure AD - Training | Microsoft Learn
Q02. You need to delegate the ability to configure sign-in risk policies. The solution must follow the principle of least privilege.
Which role should you assign?
Ans.
Conditional Access Administrator
Security Administrator
Authentication Policy Administrator
Authentication Administrator
Q03. You manage Azure AD for a retail company.
You need to ensure that employees using shared Android tablets can use passwordless authentication when accessing the Azure portal.
Which authentication method should you use?
Ans. the Microsoft Authenticator app
Windows Hello for Business security keys
Windows Hello
You can only use the Microsoft Authenticator app or one-time password login on shared devices. Windows Hello can only be used for Windows devices. You cannot use security keys on shared devices.
Plan a passwordless authentication deployment in Azure Active Directory - Microsoft Entra | Microsoft Learn
Implement passwordless authentication - Training | Microsoft Learn
Q04. You need to configure passwordless authentication. The solution must follow the principle of least privilege.
Which role should assign to complete the task?

Ans.
Global Administrator
Security Administrator
Authentication Policy Administrator
Authentication Administrator
Configuring authentication methods requires Global Administrator privileges. Security administrators have permissions to manage other security-related features. Authentication policy administrators can configure the authentication methods policy, tenant-wide multi-factor authentication (MFA) settings, and password protection policy. Authentication administrators can set or reset any authentication methods, including passwords, for non-administrators and some roles.
Create an access review of Azure resource and Azure AD roles in PIM - Azure AD - Microsoft Entra | Microsoft Learn
Least privileged roles by task - Azure Active Directory - Microsoft Entra | Microsoft Learn
Investigate roles in Azure AD - Training | Microsoft Learn
Q05. You have an Azure AD tenant.
You need to recommend a passwordless authentication method. The solution must support near-field communication
(NFC) devices.
Which two authentication methods should you recommend? Each correct answer presents a complete solution.
Ans.
FIDO2 security keys
OATH software tokens voice call verification
Windows Hello for Business
FIDO2 incorporates the web authentication (WebAuthn) specification. Users can register, and then select a FIDO2 security key at sign-in as their main means of authentication. FIDO2 security keys are typically USB devices but can also use Bluetooth or
NFC. OATH software tokens and voice call voice call verification is unsupported as a primary authentication method.
Windows Hello for Business can be used as a primary authentication method and can be installed on a device that uses NFC.
Administer FIDO2 and passwordless authentication methods - Training | Microsoft Learn
Q06. You are implementing an Azure Kubernetes Service (AKS) cluster for a production workload.
You need to ensure that the cluster meets the following requirements:
• Provides the highest networking performance possible
• Manages ingress traffic by using Kubernetes tools
What should you use?
Ans.
Kubenet networking with Azure load balancers
Kubenet networking with ingress resources and controllers
CNI networking with Azure load balancers

CNI networking with ingress resources and controllers
CNI networking provides the best performance since it does not require IP forwarding and UDR, and ingress controllers can be managed from within Kuberbetes. Kubenet networking requires defined routes and IP forwarding, making the network slower. Azure load balancers cannot be managed by using Kubernetes tools.
Best practices for network resources - Azure Kubernetes Service | Microsoft Learn
Enable Containers security - Training | Microsoft Learn
Q07. You have an Azure subscription that contains an Azure container registry named ACR1 and a user named User1.
You need to ensure that User1 can administer images in ACR1. The solution must follow the principle of least privilege.
Which two roles should you assign to User1? Each correct answer presents part of the solution.
Ans.
Contributor
AcrPush
AcrPull
AcrDelete
Reader
AcrImageSigner
To administer images in ACR1, a user must be able to push and pull images to ACR1 and delete images from ACR1. The
AcrPush and AcrDelete roles are required to push, pull, and delete images in ACR1. AcrPull only allows the Push image permission, not pull. Contributor can also perform these operations, however it also has many additional permissions, which means that it does not follow the principle of least privilege. Reader and AcrImageSigner do not have adequate permissions.
Registry roles and permissions - Azure Container Registry | Microsoft Learn
Enable Containers security - Training | Microsoft Learn
Q08. You have an Azure subscription that contains an Azure container registry named ACR1 and a user named User1.
You need to ensure that User1 can administer images in ACR1. The solution must follow the principle of least privilege.
Which two roles should you assign to User1? Each correct answer presents part of the solution.
Ans.
Azure Kubernetes Service RBAC Reader
Azure Kubernetes Service RBAC Writer
Azure Kubernetes Service RBAC Admin
Azure Kubernetes Service RBAC Cluster Admin
Q09. Your company has an Azure subscription and an Amazon Web Services (AWS) account.
You plan to deploy Kubernetes to AWS.

You need to ensure that you can use Azure Monitor Container insights to monitor container workload performance.
What should you deploy first?
Ans.
Azure Kubernetes Service (AKS)
AKS Engine
Azure Container Instances
Azure Stack HCI
Azure Arc-enabled Kubernetes
Azure Arc-enabled Kubernetes is the only configuration that includes Kubernetes and can be deployed to AWS.
Overview of Container insights in Azure Monitor - Azure Monitor | Microsoft Learn
Configure and manage Azure Monitor - Training | Microsoft Learn
Q10. You have an Azure subscription that contains a virtual machine named VM1. VM1 is configured with just-in-time (JIT)
VM access.
You need to request access to VM1.
Which PowerShell cmdlet should you run?
Ans.
Start-AzJitNetworkAccessPolicy
Set-AzJitNetworkAccessPolicy
Get-AzJitNetworkAccessPolicy
Add-AzNetworkSecurityRuleConfig
The start-AzJitNetworkAccesspolicy PowerShell cmdlet is used to request access to a JIT-enabled virtual machine. Set-
AzJitNetworkAccessPolicy is used to enable JIT on a virtual machine. Get-AzJitNetworkAccessPolicy and Add-
AzNetworkSecurityRuleConfig are not used to start a request access.
Bns.
Just-in-time virtual machine access in Microsoft Defender for Cloud | Microsoft Learn
Cns.
Enable and manage Microsoft Defender for Cloud - Training | Microsoft Learn
Q11. You have an Azure virtual network named VNet1. VNet1 is in a resource group named RG1. VNet1 contains the following two subnets:
Subnet1: 10.0.1.0/24
Subnet2: 10.0.2.0/24
You need to configure access to a storage account named sa1 in a resource group named RG2. The solution must ensure that sa1 can only be accessed from Subnet2.
What should you run?

az storage account network-rule add --resource-group "RG1" --account-name "SA1" --ip-address "10.0.2.0" az storage account network-rule add --resource-group "RG2" --account-name "SA1" --ip-address "10.0.2.0/24" az storage account update --default-action deny --name sa1 --resource-group RG2
az network nsg rule create -g RG1 --nsg-name NSG1 -n RULE1 --priority 400 --source-address-prefixes
VirtualNetwork --destination-address-prefixes Storage --destination-port-ranges '*' --direction Outbound --access Allow -- protocol Tcp az network nsg rule create -g RG1 --nsg-name NSG1 -n RULE1 --priority 400 --source-address-prefixes
VirtualNetwork --destination-address-prefixes Storage --destination-port-ranges '*' --direction Outbound --access Allow -- protocol Udp
The correct CLI command adds a rule to allow access from the 10.0.2.0/24 subnet to the storage account. The resource group should be for RG2, not RG1. The CLI commands that create network security group (NSG) rules simply allow the entire virtual network to send requests to all storage endpoints.
Q12. You have an Azure App Service web app named App1.
Users authenticate to App1 by using Azure AD.
You plan to implement network security controls for App1.
You need to ensure that only authenticated users from your corporate network can sign in to App1. The solution must not require the configuration of virtual network rules.
Which two actions should you perform? Each correct answer presents part of the solution.
Configure application security groups.
Configure network conditions to Conditional Access.
Configure App Service authentication.
Configure an Azure Front Door IP restriction rule.
You can configure the network conditions to Conditional Access, ensuring that the location is determined by the public IP address a client provides to Azure AD or the GPS coordinates provided by the Microsoft Authenticator app. You need to configure App Service authentication, specifically the Action to take when request is not authenticated option. Application security groups are unsupported by web apps and configuring a Front Door IP restriction rule does not affect sa1.
Location condition in Azure Active Directory Conditional Access - Microsoft Entra | Microsoft Learn
Authentication and authorization - Azure App Service | Microsoft Learn
Configure network security - Training | Microsoft Learn
Deploy Azure AD identity protection - Training | Microsoft Learn
Q13. You have an Azure subscription that contains the following resources:
• A virtual machine named VM1 that has a network interface named NIC1
• A virtual network named VNet1 that has a subnet named Subnet1
• A public IP address named PubIP1
• A load balancer named LB1

You create a network security group (NSG) named NSG1.
To which two resources can you associate NSG1? Each correct answer presents a complete solution.
VM1
NIC1
VNet1
Subnet1
PubIP1
LB1
You can associate an NSG to a virtual network subnet and network interface only. You can associate zero or one NSGs to each virtual network subnet and network interface on a virtual machine. The same NSG can be associated to as many subnets and network interfaces as you choose.
Network security group - how it works | Microsoft Learn
Configure network security - Training | Microsoft Learn
Q14. You have an Azure subscription that contains the following resources:
• Storage accounts
• Virtual machines
• Azure Firewall
• Azure Key Vault
• Azure SQL databases
Which three resources support service endpoints? Each correct answer presents a complete solution storage accounts virtual machines
Azure Firewall
Azure Key Vault
Azure SQL databases
You can configure service endpoints for Azure Storage, Key Vault, and Azure SQL Database. You cannot configure service endpoints for virtual machines and Azure Firewall.
Azure virtual network service endpoints | Microsoft Learn
Configure network security - Training | Microsoft Learn
Q15. You have an Azure subscription that contains a virtual machine named VM1 and a storage account named storage1.
You need to ensure that VM1 can access storage1 over the Azure backbone network.
What should you implement?

service endpoints private endpoints a subnet a VPN gateway
Service endpoints route the traffic inside of Azure backbone, allowing access to the entire service, for example, all Microsoft
SQL servers or the storage accounts of all customers. Private endpoints provide access to a specific instance. A subnet does not allow isolation or route traffic to the Azure backbone. A VPN gateway does not allow traffic isolation to all resources.
Secure network access to PaaS services with virtual network service endpoints - Training | Microsoft Learn
Virtual network integration of Azure services for network isolation | Microsoft Learn
Q16. You have an Azure subscription that contains a web app named WebApp1 and a virtual network named VNet1.
VNet1 contains the following subnets:
• Subnet1: Connected to a virtual machine
• Subnet2: Has a Microsoft.Storage service endpoint
• Subnet3: Has subnet delegation to the Microsoft.Sql/managedInstances service
• Subnet4: Has no additional configurations
You need to integrate WebApp1 with VNet1.
To which subnets can you connect WebApp1?
Subnet4 only
Subnet2 and Subnet4 only
Subnet3 and Subnet4 only
Subnet2, Subnet3, and Subnet4 only
Subnet1, Subnet2, Subnet3, and Subnet4
You can integrate a web app only to a dedicated subnet of a virtual network that does not have any connected resources.
The subnet can have service endpoints, but subnet delegation should either not be configured or must be configured to the
Microsoft.Web/serverFarms service, otherwise you will get the following error: Subnet is missing a delegation to
Microsoft.Web/serverFarms. Please add the delegation and try again. For this scenario, you can integrate WebApp1 with
Subnet2 and Subnet4 only.

Enable integration with an Azure virtual network - Azure App Service | Microsoft Learn
Configure application security features - Training | Microsoft Learn
Q17. You have an Azure subscription that contains a virtual network named VNet1.
VNet1 contains the following subnets:
• Subnet1: Has a connected virtual machine
• Subnet2: Has a Microsoft.Storage service endpoint
• Subnet3: Has subnet delegation to the Microsoft.Web/serverFarms service

• Subnet4: Has no additional configurations
You need to deploy an Azure SQL managed instance named managed1 to VNet1.
To which subnets can you connect managed1?
Subnet4 only
Subnet2 and Subnet4 only
Subnet3 and Subnet4 only
Subnet2, Subnet3, and Subnet4 only
Subnet1, Subnet2, Subnet3, and Subnet4
You can deploy an SQL managed instance to a dedicated virtual network subnet that does not have any resource connected.
The subnet can have a service endpoint or can be delegated for a different service. For this scenario, you can deploy managed1 to Subnet2, Subnet3, and Subnet4 only. You cannot deploy managed1 to Subnet1 because Subnet1 has a connected virtual machine.

Connectivity architecture - Azure SQL Managed Instance | Microsoft Learn
Configure network security - Training | Microsoft Learn
Q18. You have an Azure App Service web app named App1.
You need to configure network controls for App1. App1 must only allow user access through Azure Front Door.
Which two components should you implement? Each correct answer presents part of the solution. access restrictions based on service tag header filters application security groups access restrictions based on the IP address of Azure Front Door
Traffic from Front Door to the app originates from a well-known set of IP ranges defined in the AzureFrontDoor.Backend service tag. This includes every Front Door. To ensure traffic only originates from your specific instance, you will need to further filter the incoming requests based on the unique HTTP header that Front Door sends.
Azure App Service access restrictions - Azure App Service | Microsoft Learn
Configure network security - Training | Microsoft Learn
Q19. You have an Azure subscription that contains a virtual machine named VM1. VM1 runs a web app named App1.
You need to protect App1 by implementing Web Application Firewall (WAF).
What should you use?
Azure Firewall
Azure Application Gateway

Azure Traffic Manager
Azure Front Door
WAF is a tier of Application Gateway. If you want to deploy WAF, you must deploy Application Gateway and select the WAF or WAF V2 tier.

What is Azure Application Gateway | Microsoft Learn
Implement an Azure application gateway - Training | Microsoft Learn
Q20. You have a workload in Azure that uses multiple virtual machines and Azure functions to access data in a storage account.
You need to ensure that all access to the storage account is done by using a single service principal. The solution must reduce the overhead of managing the service principal.
Which type of service principal should you use? user group user-assigned managed identity system-assigned managed identity
A user assigned managed identity can be shared across Azure resources, and its password changes are handled by Azure. An user needs to manually handle password changes. You cannot use a group as a service principle. Multiple Azure resources cannot share system-assigned managed identities.
Managed identities for Azure resources - Microsoft Entra | Microsoft Learn
Enable managed identities - Training | Microsoft Learn
Q21. You need to configure the IP firewall of an Azure Cosmos DB account. The solution must meet the following requirements:
• Allow an Azure App Service web app to access the account.
• Allow a user named User1 to access the account from the Azure portal.
• Block all other access to the account.
Which two actions should you perform? Each correct answer presents part of the solution.
Add the web app’s outbound IP addresses to the allowed IP address range of the Azure Cosmos DB account.
This answer is correct.
Select Allow access from Azure Portal.
This answer is correct.
Add the IP address of User1 to the allowed IP address range of the Azure Cosmos DB account.
Sign in as User1 and select Add my current IP to the allowed IP address range.

Adding the web app’s outbound IP addresses to the Azure Cosmos DB account’s allowed IP address range allows access from the web app. Enabling the Allow access from Azure Portal option allows portal access for anyone, including User1.
Portal access will still not be allowed after adding the IP address of User1 to the Azure Cosmos DB account’s allowed IP address range or signing in as User1 and selecting Add my current IP to the allowed IP address range.
Q22. You have an Azure subscription that contains the following resources:
• Two virtual networks o
VNet1: Contains two subnets o
VNet2: Contains three subnets
• Virtual machines: Connected to all the subnets on VNet1 and VNet2
• A storage account named storage1
You need to recommend how many service endpoints are required to meet the following requirements:
• Virtual machines that are connected to the subnets of VNet1 must be able to access storage1 over the Azure backbone.
• Virtual machines that are connected to the subnets of VNet2 must be able to access Azure AD over the Azure backbone.
What should you recommend?
2 3
4 5
A service endpoint is configured for a specific server at the subnet level. Based on the requirements, you need to configure two service endpoints for
Microsoft.Storage on VNet1 because VNet1 has two subnets and three service endpoints for
Microsoft.AzureActiveDirectory on VNet2 because VNet2 has three subnets. The minimum number of service endpoints that you must configure is five.

Azure virtual network service endpoints | Microsoft Learn
Configure network security - Training | Microsoft Learn
Q23. You have an Azure subscription that contains the following resources:
• An web app named WebApp1 in the West US Azure region
• A virtual network named VNet1 in the West US 3 Azure region
You need to integrate WebApp1 with VNet1.
What should you implement first? peering
Azure Front door a service endpoint

a VPN gateway
WebApp1 and VNet1 are in different regions and cannot use regional integration; you can use only gateway-required virtual network integration. To be able to implement this type of integration, you must first deploy a virtual network gateway in
VNet1.

Integrate your app with an Azure virtual network - Azure App Service | Microsoft Learn
Configure application security features - Training | Microsoft Learn
Q24. You host a web app on an Azure virtual machine. Users access the app through a public load balancer.
You need to offload SSL traffic to the web app at the edge.
What should you do?
Configure an Azure firewall and switch access to the app via an internal load balancer.
Configure Azure Front Door and switch access to the app via an internal load balancer.
Configure Azure Traffic Manager with performance traffic routing.
Configure Azure Application Gateway.
Front Door allows for SSL offloading at the edge and can route traffic to an internal load balancer. Traffic Manager does not to perform SSL offloading. Neither Azure Firewall nor an Application Gateway can be deployed at the edge.
Connect Azure Front Door Premium to an internal load balancer origin with Private Link - Azure Private Link | Microsoft Learn
Configure network security - Training | Microsoft Learn
Q25. You have an Azure subscription.
You plan to deploy Microsoft Entra Verified ID.
You need to identify which administrative roles are required for the solution. The solution must follow the principle of least privilege.
Which three roles should you identify? Each correct answer presents part of the solution.
Global Administrator
Authentication Policy Administrator
Privileged Authentication Administrator
Application Administrator
Contributor
User Administrator

The Authentication Policy Administrator role can configure policies and create and manage verified credentials. The
Application Administrator role is used to complete app registrations, including granting admin consent. The Contributor role is required to manage all the resources in the subscription. The Global Administrator role does not meet the requirements of least privilege. The User Administrator role only manages users. The Privileged Authentication Administrator role cannot create and manage verified credentials.
Tutorial - Configure your tenant for Microsoft Entra Verified ID - Microsoft Entra | Microsoft Learn
Manage user authentication - Training | Microsoft Learn
Q26. You need to provide an administrator with the ability to configure access reviews in Azure AD Privileged Identity
Management (PIM). The solution must follow the principle of least privilege.
Which role should you assign to the administrator?
Privileged Role Administrator
Global Administrator
Security Administrator
Privileged Authentication Administrator
Privileged role administrators can manage PIM. Assigning the Global Administrator role does not follow the principle of least privilege. Security administrators have permissions to manage security-related features. Privileged authentication administrators can set or reset any authentication method, including passwords, for any user, including global administrators.
Create an access review of Azure resource and Azure AD roles in PIM - Azure AD - Microsoft Entra | Microsoft Learn
Least privileged roles by task - Azure Active Directory - Microsoft Entra | Microsoft Learn
Investigate roles in Azure AD - Training | Microsoft Learn
Q27. You manage Azure AD.
You disable the Users can register applications option in Azure AD.
A user reports that they are unable to register an application.
You need to ensure that that the user can register applications. The solution must follow the principle of least privilege.
What should you do?
Enable the Users can register applications option.
Assign the Application Developer role to the user.
Assign the Authentication Administrator role to the user.
Assign the Cloud App Security Administrator role to the user.
The Application Developer role has permissions to register an application even if the Users can register applications option is disabled. The Users can register applications option allows any user to register an application. The Authentication
Administrator role and the Cloud App Security Administrator role do not follow the principle of least privilege.
Azure AD built-in roles - Azure Active Directory - Microsoft Entra | Microsoft Learn
Configure application security features - Training | Microsoft Learn

Q28. You create a role by using the following JSON.
{
"Name": "Virtual Machine Operator",
"Id": "88888888-8888-8888-8888-888888888888",
"IsCustom": true,
"Description": "Can monitor and restart virtual machines.",
"Actions": [
"Microsoft.Storage/*/read",
"Microsoft.Network/*/read",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Authorization/*/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/diagnosticSettings/*",
"Microsoft.Support/*"
],
"NotActions": [],
"DataActions": [],
"NotDataActions": [],
"AssignableScopes": ["/subscriptions/*"]
}
A user that is part of the new role reports that they are unable to restart a virtual machine by using a PowerShell script.
What should you do to ensure that the user can restart the virtual machine?
Instruct the user to sign out and back in to their account.
Ask the user to restart the virtual machine by using the Azure portal.
Add Microsoft.Compute/*/read to the list of Actions in the role.
Add Microsoft.Compute/virtualMachines/login/action to the list of DataActions in the custom role.
The role needs read access to virtual machines to restart them. The user does not need to authenticate again for the role to be in effect, and the user will not be able to access the virtual machine from the portal.
Adding
Microsoft.Compute/virtualMachines/login/action to the list of
DataActions in the role allows the user to sign in as a user, but not to restart the virtual machine.
Azure custom roles - Azure RBAC | Microsoft Learn
Design an enterprise governance strategy - Training | Microsoft Learn
Q29. You create an Azure AD app registration.
You need to consent to the use of a given API in your app for all users.
What should you add to your app registration?

a scope an application ID URI a permission a client application
A permission allows the application to use a given API. A scope is used to request consent to run a given function on an API.
An application ID URI does not handle permissions.
Quickstart: Configure an app to access a web API - Microsoft Entra | Microsoft Learn
Configure application security features - Training | Microsoft Learn
Q30. You have an Azure subscription.
You plan to use the az aks create command to deploy an Azure Kubernetes Service (AKS) cluster named AKS1 that has
Azure AD integration.
You need to ensure that local accounts cannot be used on AKS1.
Which flag should you use with the command?
disable-local-accounts kubelet-config generate-ssh-keys windows-admin-username
When deploying an AKS cluster, local accounts are enabled by default. Even when enabling RBAC or Azure AD integration, -- admin access still exists essentially as a non-auditable backdoor option. To disable local accounts on an AKS cluster, you should use the --disable-local-accounts flag with the az aks create command. The remaining options do not remove local accounts.
Use Azure AD in Azure Kubernetes Service - Azure Kubernetes Service | Microsoft Learn
Manage Azure RBAC in Kubernetes From Azure - Azure Kubernetes Service | Microsoft Learn
Use Azure AD in Azure Kubernetes Service - Azure Kubernetes Service | Microsoft Learn
Enable Containers security - Training | Microsoft Learn
Q31. You have an Azure subscription that contains an Azure container registry named CR1.
You use Azure CLI to authenticate to the subscription.
You need to authenticate to CR1 by using Azure CLI.
Which command should you run? az acr login docker login az acr config

az acr credential
The az acr login command is needed to authenticate to an Azure container registry from the Azure CLI. Docker login is used to sign in to a Docker repository. az acr config is used for configuring Azure Container Registry. az acr credential is used for managing login credentials for Azure Container Registry.
Registry authentication options - Azure Container Registry | Microsoft Learn
Enable Containers security - Training | Microsoft Learn
Q32. You have an Azure Blob storage account named sa1 and an app named App1. A binary file named File1 is stored in sa1.
You need to share File1 with a customer. The solution must limit access to the IP address that the customer used when completing a purchasing flow in App1. The solution must support more than 10,000 customers. Other users must be prevented from accessing File1.
What should you configure? a SAS token that includes the signedIP field network conditions to Conditional Access a storage account firewall an Azure Front Door IP restriction rule
Configuring a SAS token that includes the signedIP field specifies an IP address or a range of IP addresses from which to accept requests. Configuring network conditions to Conditional Access and a Front Door IP restriction rule affects App1, but not sa1. Configuring a storage account firewall allows access to all the files in sa1, not just File1.
Create a service SAS - Azure Storage | Microsoft Learn
Configure network security - Training | Microsoft Learn
Q33. You have an application that runs on-premises on a Linux virtual machine. The application uses a connection string to connect to an Azure storage account.
You need to test the application by using data from the storage account. The solution must ensure that the application can only access the storage account during a five-day test period.
Which authentication method should you use to access the storage account?
Azure AD on-premises Active Directory Domain Services (AD DS) a storage account access key a SAS
You can specify a policy with expiration time by using a SAS key. A shared key, Azure AD, and on-premises AD DS does not allow you to specify a time period.
Choose how to authorize access to blob data in the Azure portal - Azure Storage | Microsoft Learn

Implement storage security - Training | Microsoft Learn
Q34. You need to implement access control for Azure Files. The solution must provide the highest level of security.
What should you use?
SAS a storage account key
Azure AD
Azure AD is supported by Azure Files and follows the principle of least privilege. SAS is unsupported by Azure Files. A storage account key is supported by Azure Files, but it does not follow the principle of least privilege.
Authorize operations for data access - Azure Storage | Microsoft Learn
Implement storage security - Training | Microsoft Learn
Q35. You need to allow only Azure AD-authenticated principals to access an existing Azure SQL database.
Which three actions should you perform? Each correct answer presents part of the solution.
Add an Azure AD administrator.
Assign your account the SQL Security Manager built-in role.
Select Support only Azure Active Directory authentication for this server.
Connect to the database by using Microsoft SQL Server Management Studio (SSMS).
Connect to the database using the Azure portal.
Adding an Azure AD administrator and assigning your account the SQL Security Manager built-in role are prerequisites for enabling Azure AD-only authentication. Selecting Support only Azure AD authentication for this server enforces the Azure
SQL logical server to use Azure AD authentication. A connection to the data plane of the logical server is not needed.
Enable Azure Active Directory only authentication - Azure SQL Database & Azure SQL Managed Instance | Microsoft Learn
Configure and manage SQL database security - Training | Microsoft Learn
Q36. You have an Azure SQL database that contains sensitive information.
You need to ensure that when sensitive information is queried by operators, the data is not fully displayed.
What should you enable for the database?
Transparent Data Encryption (TDE) dynamic data masking
Always Encrypted symmetric key encryption

Dynamic data masking masks the data from users. TDE still allows users managing the database to see data. Always
Encrypted saves the encrypted data and only the client driver can decrypt it. Symmetric key encryption uses keys stored in a
SQL database, not the client application.
Azure portal: Dynamic data masking - Azure SQL Database | Microsoft Learn
Configure dynamic data masking - Training | Microsoft Learn
Q37. You have an application that securely shares files hosted in Azure Blob storage to external users by using an account
SAS.
One of the SAS tokens is compromised.
How should you stop the compromised SAS token from being used?
Set the Allow public anonymous access to setting for the storage account.
Switch to managed identities.
Regenerate the storage account shared keys.
Set the Secure transfer required property for the storage account.
Regenerating the storage account shared keys invalidates any SAS tokens that were created. Switching to managed identities is functionally the same as using Azure AD authentication. This does not affect existing SASs. Setting the Secure transfer required property for the storage account or setting the Allow public anonymous access to setting for the storage account does not stop the compromised SAS token from being used.
Grant limited access to data with shared access signatures (SAS) - Azure Storage | Microsoft Learn
Configure Azure Storage firewalls and virtual networks | Microsoft Learn
Configure anonymous public read access for containers and blobs - Azure Storage | Microsoft Learn
Implement storage security - Training | Microsoft Learn
Q38. You need to provide public anonymous access to a file in an Azure Storage account. The solution must follow the principle of least privilege.
Which two actions should you perform? Each correct answer presents part of the solution.
For the container, set Public access level to Blob.
For the storage account, set Blob public access to Enabled.
For the storage account, set Blob public access to Disabled.
For the container, set Public access level to Container.
Unless prevented by another setting, setting Public access level to Blob allows public access to the blob only. Setting Blob public access to Enabled is a prerequisite for setting the access level of container or blob. Setting Blob public access to Disabled prevents any public access and setting Public access level to Container also allows any current and future blobs in the container, which does not follow the principle of least privilege.
Configure anonymous public read access for containers and blobs - Azure Storage | Microsoft Learn
Implement storage security - Training | Microsoft Learn

Q39. You have a workload in Azure that uses a virtual machine named VM1. VM1 is in a resource group named RG1.
You need to create and assign an identity to VM1 that will be used to access Azure resources. Other virtual machines must be able to use the same identity.
Which PowerShell script should you run?
New-AzUserAssignedIdentity -ResourceGroupName RG1 -Name VMID $vm = Get-AzVM -ResourceGroupName
RG1 -Name VM1 Update-AzVM -ResourceGroupName RG1 -VM $vm -IdentityType UserAssigned -IdentityID
"/subscriptions/ID>/resourcegroups/RG1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/VMID"
New-AzUserAssignedIdentity -ResourceGroupName RG1 -Name VMID $vm = Get-AzVM -ResourceGroupName
RG1 -Name VM1 Update-AzVM -ResourceGroupName RG1 -VM $vm -IdentityType UserAssigned -IdentityID
"/subscriptions/ID>/resourcegroups/RG1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/VM1"
$vm = Get-AzVM -ResourceGroupName RG1 -Name VM1 Update-AzVM -ResourceGroupName RG1 -VM $vm -
IdentityType SystemAssigned
$vm = Get-AzVM -ResourceGroupName RG1 -Name VM1 Update-AzVM -ResourceGroupName RG1 -VM $vm -
IdentityType SystemAssignedUserAssigned
Only user-assigned managed identities can be shared by different Azure resources. Once a managed identity is created, you need to update the virtual machines to use the identity by passing its resource ID.
Configure managed identities on an Azure VM using PowerShell - Azure AD - Microsoft Entra | Microsoft Learn
Update-AzVM (Az.Compute) | Microsoft Learn
Enable managed identities - Training | Microsoft Learn
Q40. You are configuring Azure AD risk policies.
You need to configure a policy that minimizes the impact on user experience while following the Zero Trust architecture.
Your users are not registered for multi-factor authentication (MFA), and self-service password reset (SSPR) is disabled.
What should you do?
Set the user risk policy threshold to high.
Set the user risk policy threshold to low.
Allow self-remediation options.
Set the sign-in risk policy to low.

Choosing a high threshold reduces the number of times a policy is triggered and minimizes the impact on users. Setting the sign-in risk policy to low introduces more user interrupts. Self-remediation requires MFA and SSPR. As they are unavailable, administrator intervention is required. Setting the user risk policy to low introduces more user interrupts.
Risk policies - Azure Active Directory Identity Protection - Microsoft Entra | Microsoft Learn
Implement user risk policy - Training | Microsoft Learn
Q41. You create an Azure policy by using the following snippet.
"then": {
"effect": "",
"details": [{
"field": "Microsoft.Storage/storageAccounts/networkAcls.ipRules",
"value": [{
"action": "Allow",
"value": "134.5.0.0/21"
}]
}]
}
You need to ensure that the policy is applied whenever a new storage account is created or updated. There is no managed identity assigned to the policy initiative.
Which effect should you use?
Modify
Append
DeployIfNotExists
Audit
Append is used to add fields to existing properties. Modify is used to add, update, or remove properties, it does not ensure that a field has value. DeployIfNotExists is used to deploy resources. Audit is used to check for compliance.
Understand how effects work - Azure Policy | Microsoft Learn
Design an enterprise governance strategy - Training | Microsoft Learn
Q42. You create a new Azure subscription.
You need to ensure that all the resources created in the subscription have a tag named CostCenter and an associated value.
You create a custom policy that uses the following snippet.
01 "if": {
02 "allOf": [{
03 "field": "type",
04 "equals": "Microsoft.Resources/subscriptions/resourceGroups"
05 },

06 {
07 "field": "tags['CostCenter']",
08 "exists": false
09 }
10 ]
11 },
12 "then": {
13 "effect": ""
14 }
Which effect should you use in line 13?
Append
Modify
Deny
DeployIfNotExists
We want to deny the creation or modification of a resource if the CostCenter tag is not present. Append adds a field, but it does not ensure the tag exists and is populated. Modify adds, replaces, or removes a property. DeployIfNotExists is used to deploy an existing resource.
Tutorial: Manage tag governance - Azure Policy | Microsoft Learn
Design an enterprise governance strategy - Training | Microsoft Learn
Q43. You have an Azure subscription.
You need to assign a security policy to the subscription.
Which Microsoft Defender for Cloud setting should you use?
Environment settings
Security solutions
Security posture
Workload protections
Environment settings allows you to select the Azure subscription, and then select Security Policy. From there, you can assign a security policy to the subscription. The remaining options do not allow you to add a custom initiative.
Create custom Azure security policies in Microsoft Defender for Cloud | Microsoft Learn
Enable and manage Microsoft Defender for Cloud - Training | Microsoft Learn
Q44. You have Azure SQL databases that contain credit card information.
You need to identify and label columns that contain credit card numbers.
Which Microsoft Defender for Cloud feature should you use?

hash reputation analysis
SQL Servers on machines
SQL information protection inventory filters
SQL information protection allows you to identify and label data. Hash reputation analysis prevents suspicious files from being stored in Azure Storage, inventory filters are used to filter resources protected by Defender, and SQL Servers on machines protects Microsoft SQL Server running on virtual machines or on-premise machines.
SQL information protection policy in Microsoft Defender for Cloud | Microsoft Learn
Enable and manage Microsoft Defender for Cloud - Training | Microsoft Learn
Q45. You have a resource group named RG1 that contains 10 virtual machines.
You need to raise an alert any time the average CPU time for RG1 exceeds 80 percent.
How should you configure the alert?
Create an alert rule for each virtual machine and set the number of violations to 10.
Create an alert rule for each virtual machine and split by dimension on the virtual machine name.
Create an individual alert rule for CPU time and set the number of violations to 10.
Create an individual alert rule and split by dimension on the resource group name.
Creating an individual alert rule and splitting by dimension on the resource group name will use the alert for the entire resource group instead of individual virtual machines. Setting the number of violations to 10, creating an alert rule for each virtual machine, and splitting by dimension on the virtual machine name will not fire the alert at the appropriate time.
Create Azure Monitor alert rules - Azure Monitor | Microsoft Learn
Configure and manage Azure Monitor - Training | Microsoft Learn
Q46. You have a Linux virtual machine in an on-premises datacenter that is used as a forwarder for Microsoft Sentinel by using CEF-formatted logs.
The timestamp on events retrieved from the forwarder is the time the agent on the forwarder received the event, not the time the event occurred on the system it came from.
You need to ensure that Microsoft Sentinel receives the time the event was generated.
What should you do?
Run TimeGenerated.py on the CEF forwarder.
Run TimeGenerated.py on each system that sends events to the forwarder.
Run cef_gather_info.py on CEF forwarder.
Run cef_gather_info.py on each system that sends events to the forwarder.

Running TimeGenerated.py on the CEF forwarder changes the logging on the forwarder to the use the event time instead of the time the event was received by the agent on the forwarder. Running TimeGenerated.py on each system will not change the way events are logged on the forwarder. Running cef_gather_info.py gathers data, but it does not change the timestamp.
Get CEF-formatted logs from your device or appliance into Microsoft Sentinel | Microsoft Learn
Configure and monitor Microsoft Sentinel - Training | Microsoft Learn
Q47. You have custom alert rules in Microsoft Sentinel. The rules exceed the query length limitations.
You need to resolve the issue.
Which function should you use for the rule?
Azure functions with a timer trigger
ADX functions user-defined functions stored procedures
You can use user-defined functions to overcome the query length limitation. Timer trigger runs in a scheduled manner (pull, not push). Using ADX functions to create Azure Data Explorer queries inside the Log Analytics query window is unsupported.
Stored procedures are unsupported by Azure Data Explorer.
Create custom analytics rules to detect threats with Microsoft Sentinel | Microsoft Learn
User-defined functions - Azure Data Explorer | Microsoft Learn
Configure and monitor Microsoft Sentinel - Training | Microsoft Learn
Q48. You have the following security policy deployed to an Azure subscription. policyRule: { if: { allOf: [
{ field: "type", equals: "Microsoft.Storage/storageAccounts"
},
{ field: "Microsoft.Storage/storageAccounts/allowSharedKeyAccess", equals: "true"
}
]
}, then: { effect: "Deny"
}
}
You successfully deploy a new storage account.
Which statements is true?

Usage of Azure AD authentication is enforced.
Usage of the storage account shared key is allowed.
Accessing the data in the storage account is enabled for users that have the Storage Account Contributor role.
Accessing the data by using SAS tokens is disabled.
Enforcing Azure AD authentication prevents using shared keys, and leaves only data plane RBAC as an authentication option.
The policy prevents account shared keys for storage accounts. The Storage Account Contributor role is not a data plane RBAC role, but leverages shared keys. SAS tokens can still be created by using a delegated SAS model (Azure AD).
Understand how effects work - Azure Policy | Microsoft Learn
Design an enterprise governance strategy - Training | Microsoft Learn
Q49. You are configuring an Azure Policy in your environment.
You need to ensure that any resources that are missing a tag named CostCenter inherit a value from a resource group.
You create a custom policy that uses the following snippet.
"policyRule": {
"if": {
"field": "tags['CostCenter']",
"exists": "false"
},
"then": {
"effect": "modify",
"details": {
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
],
"operations": [{
"operation": "addOrReplace ",
"field": "tags['CostCenter']",
"value": "[resourcegroup().tags['CostCenter']]"
}]
}
}
}
Which policy mode should you use? indexed all
Append
DeployIfNotExists indexed mode ensures that the policy skips resource groups. all includes resource groups, which cannot be nested. Append and DeployIfNotExists are policy effects.
Details of the policy definition structure - Azure Policy | Microsoft Learn

Tutorial: Manage tag governance - Azure Policy | Microsoft Learn
Design an enterprise governance strategy - Training | Microsoft Learn
Q50. You have an Azure subscription.
You need to recommend a solution that uses crawling technology of Microsoft to discover and actively scan assets within an online infrastructure. The solution must also discover new connections over time.
What should you include in the recommendation?
Microsoft Defender External Attack Surface Management (EASM)
Microsoft Defender for Servers the Microsoft cloud security benchmark (MCSB) a Microsoft Defender for Cloud custom initiative
Defender EASM applies the crawling technology of Microsoft to discover assets that are related to your known online infrastructure and actively scans these assets to discover new connections over time. Attack Surface Insights are generated by applying vulnerability and infrastructure data to showcase the key areas of concern for your organization.
External attack surface management (EASM) - Defender EASM and External Attack Surface Management (EASM) and
Defender for Cloud | Microsoft Learn
Enable and manage Microsoft Defender for Cloud - Training | Microsoft Learn
Q51. You set Periodic recurring scans to ON while implementing a Microsoft Defender for SQL vulnerability assessment.
How often will the scan be triggered? once a week once a day once a month at a recurrence that you configure
Recurring scans will be triggered once a week. This value cannot be changed and is set by Microsoft.
Microsoft Defender for SQL - Azure SQL Database | Microsoft Learn
Scan your Azure SQL databases for vulnerabilities using Microsoft Defender for Cloud | Microsoft Learn
Configure and manage SQL database security - Training | Microsoft Learn
Q52. You are implementing a Microsoft Defender for SQL vulnerability assessments.
Where are the scan results stored? a Azure Storage account an Azure Monitor workspace
Microsoft Sentinel

Azure SQL Database
The scan results must be stored in an Azure Storage account. The results can be sent to the Azure Monitor workspace or
Microsoft Sentinel from the initial location. The results are stored outside of the database.
Microsoft Defender for SQL - Azure SQL Database | Microsoft Learn
Scan your Azure SQL databases for vulnerabilities using Microsoft Defender for Cloud | Microsoft Learn
Configure and manage SQL database security - Training | Microsoft Learn
Q53. You configure Microsoft Sentinel to connect to different data sources.
You are unable to configure a connector that uses an Azure Functions API connection.
Which permissions should you change? read and write permissions for the workspaces used by Microsoft Sentinel read and write permissions Azure Functions read permissions for the workspaces used by Microsoft Sentinel read permissions Azure Functions
You need to have read and write permissions to Azure Functions to configure a connector that uses an Azure Functions API connection. You were able to add other connectors, which proves that you have access to the workspace. Read permissions for the workspaces used by Microsoft Sentinel allow you to read data in Microsoft Sentinel. Read permissions to Azure
Functions allows you to run functions, not create them.
Use Azure Functions to connect Microsoft Sentinel to your data source | Microsoft Learn
Configure and monitor Microsoft Sentinel - Training | Microsoft Learn
Q54. You are configuring retention for Azure activity logs in Azure Monitor logs. The retention period for the Azure Monitor logs is set to 30 days.
You need to meet the following compliance requirements:
• Store the Azure activity logs for 90 days.
• Encrypt the logs by using your own encryption keys.
• Use the most cost-efficient storage solution for the logs.
What should you do?
Leave the default settings as they are.
Configure a workspace retention policy.
Configure diagnostic settings and send the logs to Azure Storage.
Configure diagnostic settings and send the logs to Azure Event Hubs Standard.
Configuring diagnostic settings and sending the logs to Azure Storage meets both the retention time and encryption requirements. Activity log data type is kept for 90 days by default, but the logs are stored by using Microsoft-managed keys.
Configuring a workspace retention policy is not the most cost-efficient solution for this. Event Hubs is a real-time event

stream engine and is not designed to be used instead of a database or as a permanent store for indefinitely held event streams.
Azure activity log - Azure Monitor | Microsoft Learn
Configure data retention and archive in Azure Monitor Logs - Azure Monitor | Microsoft Learn
Configure data retention and archive in Azure Monitor Logs - Azure Monitor | Microsoft Learn
Configure and manage Azure Monitor - Training | Microsoft Learn
Q55. You are collecting Azure activity logs to Azure Monitor. The retention period for Azure Monitor logs is set to 30 days.
To meet compliance requirements, you need to send a copy of the Azure activity logs to your SOC partner.
What should you do?
Install the Microsoft Sentinel security information and event management (SIEM) connector.
Configure a workspace retention policy.
Configure diagnostic settings and send the logs to Azure Storage.
Configure diagnostic settings and send the logs to Azure Event Hubs.
Configuring diagnostic settings and sending the logs to Event Hubs will enable log export to the SOC partner. Configuring a workspace retention policy and diagnostic settings and sending the logs to Azure Storage does not export the logs outside of Azure. Installing the SIEM connector enables Microsoft Sentinel to import the logs from the on-premises SIEM.
Configure data retention and archive in Azure Monitor Logs - Azure Monitor | Microsoft Learn
Configure data retention and archive in Azure Monitor Logs - Azure Monitor | Microsoft Learn
Configure and manage Azure Monitor - Training | Microsoft Learn
Q56. You plan to deploy storage accounts and limit the use of shared access key access by using Azure Policy.
Which two effects in an Azure policy will audit any attempts to use shared access keys? Each correct answer presents a complete solution.
Disabled
Audit
Deny
DeployIfNotExists
Audit and Deny will both audit any attempts to use storage account shared keys. Deny also prevents the attempts. Disabled disables the evaluation of the policy and DeployIfNotExists is unsupported.
Deploy content using FTP/S - Azure App Service | Microsoft Learn
Design an enterprise governance strategy - Training | Microsoft Learn
Q57. You have an Azure solution that uses a key in Azure Key Vault to encrypt data stored in an Azure SQL database.
You need to design a solution that automatically generates a new key in SQL and stores it in the key vault whenever the key vault requires a key rotation. The solution must minimize costs.

What should you include in the solution?
Azure Event Grid and Azure Functions
Azure Event Grid and a web app
Log Analytics and Azure Functions
Log Analytics and a web app
Event Grid can capture key rotation events from Key Vault and trigger an Azure function to generate a new key in SQL and store it in Key Vault. A web app can get events from Event Grid to create and rotate a key, but it costs more than using a
Azure Functions. Log Analytics cannot trigger a function.
Rotation tutorial for resources with one set of authentication credentials stored in Azure Key Vault | Microsoft Learn
Deploy and secure Azure Key Vault - Training | Microsoft Learn
Q58. You are configuring automatic key rotation for an encryption key stored in Azure Key Vault.
You need to implement an alert to be triggered five days before the keys are rotated.
What should you use?
Microsoft Defender for Key Vault an action group alert
Azure Event Grid
Application Insights
Using Event Grid triggers the Microsoft.KeyVault.CertificateNearExpiry event. Key Vault cannot be monitored by using
Application Insights. Defender for Key Vault is used to alert for unusual and unplanned activities. Key Vault key expiration cannot be monitored by using action group alerts.
Configure cryptographic key auto-rotation in Azure Key Vault | Microsoft Learn
Deploy and secure Azure Key Vault - Training | Microsoft Learn
Q59. You are operating in a cloud-only environment. Users have computers that run either Windows 10 or 11. The users are located across the globe.
You need to secure access to a point-to-site (P2S) VPN by using multi-factor authentication (MFA).
Which authentication method should you implement?
Authenticate by using native Azure AD authentication.
Authenticate by using Active Directory Domain Services (AD DS).
Authenticate by using native Azure certificate-based authentication.
Authenticate by using RADIUS.
With Azure AD authentication, you can configure a Conditional Access policy that grants access and requires MFA. During authentication, Azure VPN Gateway acts as a pass-through and forwards authentication messages back and forth between

the authentication server and the connecting device. Azure certificate-based authentication does not include interactive authentication.
About Azure Point-to-Site VPN connections - Azure VPN Gateway | Microsoft Learn
Conditional access for VPN connectivity using Azure AD | Microsoft Learn
Deploy Azure AD identity protection - Training | Microsoft Learn
Q60. You have an Azure subscription that contains an Azure firewall named FW1.
You need to create a new rule named Rule1. The solution must ensure that Rule1 has the highest priority in the FW1 firewall policy.
Which priority setting should you configure for Rule1?
0 1
100 1,000 65,000
Rules can have a priority between 100 (highest priority) to 65,000 (lowest priority).
Azure Firewall rule processing logic | Microsoft Learn
Deploy a web application firewall - Training | Microsoft Learn
Q61. You have an Azure subscription that contains an web app named WebApp1.
You need to recommend a web traffic security and management solution. The solution must meet the following requirements:
• Support SSL off-loading.
• Provide host header routing.
• Provide application load balancing
What should you include in the recommendation?
Azure Application Gateway
Azure Front Door
Azure Traffic Manager
Azure Load Balancer
Application Gateway is a web traffic load balancer that enables you to manage traffic to web apps. Application Gateway works at Layer 7, which enables routing based on path or host headers as well as SSL off-loading. Front Door is implemented globally. Traffic Manager is implemented globally and does not allow path-based routing. Azure Load Balancer does not provide path-based routing.
Configure Azure Application Gateway - Training | Microsoft Learn
What is Azure Application Gateway | Microsoft Learn

Load-balancing options - Azure Architecture Center | Microsoft Learn
Q62. You have an Azure subscription that contains a network security group (NSG) named NSG1.
You plan to add a security rule named Rule1 to NSG1 that will allow incoming RDP traffic.
You need to ensure that the other security rules of NSG1 cannot override Rule1.
Which priority setting should you use for Rule1?
0 1
100 1,000 65,000
The priority setting for a security rule can be a number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher numbers, which results in lower numbers having a higher priority. Once traffic matches a rule, processing stops. To ensure that other rules cannot override Rule1, you must configure Rule1 to have the highest priority, which means that it must be configured with a priority of 100.
Azure network security groups overview | Microsoft Learn
Configure network security - Training | Microsoft Learn
Q63. You have an Azure subscription that contains two virtual networks named VNet1 and VNet2 and a user named
Admin1.
You plan to create a custom Azure RBAC role named Role1 and assign Role1 to Admin1.
You need to ensure that Admin1 can create network peering between VNet1 and VNet2.
Which two permissions should you add to Role1? Each correct answer presents part of the solution.
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write
Microsoft.Network/virtualNetworks/peer/action
Microsoft.ClassicNetwork/virtualNetworks/peer/action
Microsoft.Network/virtualNetworks/join/action
Microsoft.Network/privateDnsZones/*
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write and Microsoft.Network/virtualNetworks/peer/action are the required permissions for resource manager operations.
Microsoft.ClassicNetwork/virtualNetworks/peer/action is only for classic interface operations. Microsoft.Network/virtualNetworks/join/action is not for peering features. Microsoft.Network/privateDnsZones/* is for DNS.
Create, change, or delete an Azure virtual network peering | Microsoft Learn

Configure network security - Training | Microsoft Learn
Q64. You manage external guest users in an Azure AD tenant. The tenant uses the default settings.
Which capability is available to the guest users?
Invite other guests.
Read all directory information.
Register new applications.
Read subscriptions.
By default, guest users can invite other guests. They are unable to read all directory information, register new applications, or read subscriptions.
Default user permissions - Azure Active Directory - Microsoft Entra | Microsoft Learn
Create and manage Azure AD users - Training | Microsoft Learn
Q65. You have an Azure AD tenant.
Users have both Windows and non-Windows devices. All users have smart phones.
You plan to implement Azure AD Multi-Factor Authentication (MFA).
You need to ensure that Azure MFA is used to authenticate users to Azure resources. The solution must be implemented without any additional cost.
Which three Azure MFA method should you implement? Each correct answer presents a complete solution.
Windows Hello for Business the Microsoft Authenticator app
FIDO2 security keys
OATH software tokens
SMS verification voice call verification
The Microsoft Authenticator app, SMS verification, and voice call verification only require a smart phone. Because all users already have smart phones, those three options don’t require any additional cost.
Windows Hello for Business requires that all users would have Windows devices, which is not the case.
FIDO2 keys need to be purchased, which introduces additional costs.
OATH tokens require a third-party app to be purchased.
Deployment considerations for Azure AD Multi-Factor Authentication - Microsoft Entra | Microsoft Learn
Manage user authentication - Training | Microsoft Learn
Q66. You need to ensure that users signing in to the Azure portal are prompted to sign in every 48 hours.

What should you configure?
Conditional Access Sign-in frequency
Conditional Access App Control
Conditional Access Persistent browser session
Azure AD Privileged Identity Management (PIM)
Sign-in frequency defines the time period before a user is asked to sign in again when attempting to access a resource.
Conditional Access App Control and PIM do not allow the control of authentication session management. A persistent browser session allows users to remain signed in after closing and reopening their browser window.
Plan an Azure Active Directory Conditional Access deployment - Microsoft Entra | Microsoft Learn
Session controls in Conditional Access policy - Azure Active Directory - Microsoft Entra | Microsoft Learn
Configure authentication session management - Azure Active Directory - Microsoft Entra | Microsoft Learn
Configure conditional access conditions - Training | Microsoft Learn
Q67. You use Azure Blueprints to deploy resources to a resource group named RG1.
After the deployment, you try to add a disk to a virtual machine created by using Blueprints, but you get an access denied error.
You open RG1 and check your access. You notice that you are listed as part of the Virtual Machine Contributor role for
RG1, and there are no deny assignments or classic administrators in the resource group scope.
Why are you unable to manage the virtual machine?
You must be part of the Disk Pool Operator role.
You must be part of the Virtual Machine Administrator Login role.
Blueprints created a deny assignment for the virtual machine resource.
Blueprints removed the user from the Classic Administrator role.
Blueprints must have created a deny assignment at the resource level. The Disk Pool Operator role allows users to provide permissions to the StoragePool resource provider, and the Virtual Machine Administrator Login role allows users to view the virtual machine in the portal and sign in as an administrator. You still have the Contributor role and should be able to manage a virtual machine unless a deny assignment is in place.
Quickstart - Check access for a user to Azure resources - Azure RBAC | Microsoft Learn
Design an enterprise governance strategy - Training | Microsoft Learn
Q68. You create a role that contains the following permissions.
"permissions": [
{
"actions": [
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/networkInterfaces/read",

"Microsoft.Compute/virtualMachines/*/read",
"Microsoft.HybridCompute/machines/*/read"
],
"notActions": [],
"dataActions": [
"Microsoft.Compute/virtualMachines/login/action"
],
"notDataActions": []
}
],
Which three actions can be performed by users that are assigned the role? Each correct answer presents a complete solution.
View the attributes of a virtual machine in an Azure subscription.
View the attributes of an Azure Arc-connected virtual machine.
Sign in as an administrator to a virtual machine in an Azure subscription.
Sign in as an administrator to an Azure Arc-connected virtual machine.
Sign in as a regular user to a virtual machine in an Azure subscription.
Sign in as a regular user to an Azure Arc-connected virtual machine.
Microsoft.Compute/virtualMachines/*/read allows a user to view the attributes of a virtual machine in an Azure environment.
Microsoft.HybridCompute/Machines/*/read allows a user to view the attributes of a virtual machine in an Azure Arc subscription.
Microsoft.Compute/virtualMachines/login/action allows a user to sign in as a regular user to a virtual machine in an Azure subscription.
Azure resource provider operations | Microsoft Learn
Design an enterprise governance strategy - Training | Microsoft Learn
Q69. You are creating an Azure AD app registration. You are configuring credentials for the app registration and have the following requirements:
• Ensure that the credentials are not transmitted during authentication.
• Ensure that the credentials are stored securely.
• Ensure that credential usage follows the principle of least privilege.
What should you do?
Use certificate credentials.
Use password credentials.
User multiple credentials in one app.
Commit credentials using code.
Using certificate credentials ensures that the credentials are not transmitted during authentication, that they are stored securely, and that the credential usage follows the principle of least privilege.
Security best practices for application properties - Microsoft Entra | Microsoft Learn

Configure application security features - Training | Microsoft Learn
Q70. You have an Azure AD tenant that uses the default settings.
You are configuring the Azure AD External collaboration settings.
You need to ensure that only users that are assigned Azure AD administrative roles can invite guests.
What should you do?
Enable security defaults.
Set Admins and users in the guest inviter role can invite to Yes.
Set Guest user access restrictions to Guest user access is restricted to properties and memberships of their