Microsoft AZ-500 Azure Security Technologies Exam Dumps and Practice Test Questions Set 11 Q151-165

Question 151

You need to enforce privileged access workflows for critical Azure resources by requiring approval-based access and time-limited role assignment. What should you configure?

A) Azure AD Privileged Identity Management
B) Azure RBAC
C) Azure Policy
D) Microsoft Defender for Cloud

Answer: A) Azure AD Privileged Identity Management

Explanation:

Azure AD Privileged Identity Management provides a governance-based method for controlling privileged access within Azure. It allows administrators to configure just-in-time activation for roles, meaning users are not permanently assigned to high-risk roles. Instead, they must activate these roles when needed, and such activation can require approval, justification, MFA, or ticket references. This reduces the attack surface significantly, since critical roles have no standing privileges. Activation events are logged and alerts can be generated when suspicious activity is detected. PIM also supports access reviews, ensuring that long-term assignments are removed if no longer needed. This feature promotes least privilege and provides strong oversight and accountability.

Azure RBAC provides role-based permissions but does not include approval workflows, time-bound assignment activation, or privileged governance features. RBAC establishes authorization but lacks the lifecycle, review, and governance controls needed for privileged roles.

Azure Policy manages compliance for Azure resources, such as enforcing required tags, allowed SKUs, or encryption rules. However, it does not regulate identity lifecycle tasks such as granting or approving privileged role assignments. Azure Policy is focused on resource governance, not identity or privileged-role governance.

Microsoft Defender for Cloud enhances security monitoring, provides threat detection, vulnerability management, and recommendations, but it does not control privileged identity assignments or provide workflows for just-in-time role activation. It complements PIM but cannot replace governance requirements.

Azure AD Privileged Identity Management is the correct answer because it manages privileged roles with the necessary oversight, enabling organizations to implement zero-trust principles, reduce insider threat risk, meet compliance requirements, and minimize attack exposure. Its alerting, approval workflows, privileged access reviews, and time-limited assignment capabilities provide complete governance over high-risk roles.

Question 152

You need a solution that encrypts Azure SQL Database, ensures compliance with regulatory standards, and manages keys using a customer-controlled key hierarchy. What should you configure?

A) Transparent Data Encryption with customer-managed keys
B) SQL auditing
C) Azure Policy
D) Azure Monitor

Answer: A) Transparent Data Encryption with customer-managed keys

Explanation:

Transparent Data Encryption protects Azure SQL Database by encrypting data at rest using AES encryption. When combined with customer-managed keys stored in Azure Key Vault, organizations maintain control over the entire key lifecycle, including creation, rotation, deletion, and revocation. This configuration supports compliance frameworks such as HIPAA, PCI DSS, and ISO standards, as customers control the encryption keys rather than relying on platform-managed ones. It also enables key revocation if a breach occurs or if contractual or regulatory obligations require immediate invalidation of access.

SQL auditing logs database events for monitoring and compliance, but it does not encrypt data at rest. Auditing helps detect unauthorized access but does not control or manage encryption keys or enforce encryption policies.

Azure Policy enforces governance and compliance requirements but does not directly encrypt SQL databases or manage encryption keys. It can audit whether TDE is enabled, but it cannot provide the cryptographic protections required at the database layer.

Azure Monitor provides metrics and logs for performance and operational insights, but it does not encrypt data or manage keys. It supports observability but not encryption or key control.

Transparent Data Encryption with customer-managed keys is the correct answer because it ensures full encryption for Azure SQL Database and gives organizations direct control over key management. This model supports compliance, provides greater assurance against internal misuse, and enables complete lifecycle control of cryptographic assets.

Question 153

You need to restrict outbound traffic from Azure virtual machines and enforce that only approved domains can be accessed. What should you implement?

A) Azure Firewall with FQDN filtering
B) Network Security Groups
C) Application Gateway
D) Azure Bastion

Answer: A) Azure Firewall with FQDN filtering

Explanation:

Azure Firewall provides advanced traffic filtering for outbound traffic and allows administrators to configure fully qualified domain name (FQDN) filtering. This means outbound traffic is allowed only to approved domain names, enabling fine-grained egress control. Azure Firewall also supports threat intelligence filtering, network rules, NAT rules, and application rules. It centralizes security management while providing logging through Azure Monitor for compliance and auditing. This approach ensures that virtual machines cannot communicate with unauthorized external endpoints, reducing exfiltration risk and ensuring strict adherence to corporate egress policies.

Network Security Groups offer basic traffic filtering using IP addresses and ports, but they cannot filter traffic based on domain names. They are insufficient when control must be enforced at the application or domain layer.

Application Gateway provides web traffic load balancing and supports features like WAF, but it does not control outbound VM traffic or filter by FQDN. It is designed for inbound application delivery scenarios.

Azure Bastion provides secure RDP/SSH access but does not control outbound egress traffic. It is an administrative connectivity solution, not an outbound filtering technology.

Azure Firewall with FQDN filtering is the correct solution because it provides the visibility, control, and security needed to regulate outbound communication, meet compliance requirements, prevent data leaks, and align with zero-trust egress policy principles.

Question 154

You need to ensure that only approved container images are deployed to Azure Kubernetes Service (AKS). What should you implement?

A) Azure Policy with AKS allowed registries and allowed image rules
B) Azure Key Vault
C) Network Security Group
D) Azure Bastion

Answer: A) Azure Policy with AKS allowed registries and allowed image rules

Explanation:

Azure Policy provides governance for AKS by enforcing that only images from approved registries or specific repositories can be deployed. This prevents unauthorized or insecure images from being used in production clusters. Policy initiatives allow administrators to enforce compliance such as requiring images to originate from Azure Container Registry or a trusted private registry. Violations can be denied at deployment time or audited depending on policy mode. This model ensures supply chain security and reduces the likelihood of deploying vulnerable or malicious container images.

Azure Key Vault stores secrets, keys, and certificates, but it does not control which container images are deployed. It supports secure secret management but not deployment governance.

Network Security Groups manage network-level filtering and do not enforce container image compliance or registry controls.

Azure Bastion provides secure administrative access for virtual machines but does not govern container image deployment.

Azure Policy with AKS registry enforcement is the correct solution because it ensures that all workloads align with organizational standards, prevents malicious images from entering clusters, supports compliance, and strengthens the overall container supply chain.

Question 155

You need to monitor Azure virtual machines for vulnerabilities, missing patches, insecure configurations, and compliance issues. What should you implement?

A) Microsoft Defender for Cloud
B) Azure Policy
C) Azure Monitor
D) Log Analytics

Answer: A) Microsoft Defender for Cloud

Explanation:

Microsoft Defender for Cloud is a comprehensive security management platform that provides organizations with advanced tools to protect their Azure virtual machines and other cloud resources. Its primary function is to continuously monitor workloads for security vulnerabilities, misconfigurations, and compliance gaps, giving organizations a unified view of their security posture. Defender for Cloud leverages built-in benchmarks, such as the Azure Security Benchmark (ASB) and Center for Internet Security (CIS) standards, to evaluate resources against recognized best practices. This ensures that virtual machines are configured securely and remain compliant with organizational and regulatory requirements.

One of the key features of Microsoft Defender for Cloud is its ability to identify vulnerabilities at both the operating system and application levels. It can detect missing patches, outdated software, misconfigured services, and insecure configurations that could be exploited by attackers. The platform integrates with third-party vulnerability scanners, providing a more thorough assessment of potential risks and helping security teams understand the priority and severity of vulnerabilities. Findings are displayed in a secure score dashboard, which quantifies the organization’s overall security posture and highlights areas that require immediate attention. This allows administrators to prioritize remediation efforts effectively, focusing resources on the most critical risks first.

Defender for Cloud also supports automated response and remediation. In addition to identifying vulnerabilities and misconfigurations, it provides recommendations for correcting them and, in some cases, can apply fixes automatically. This reduces the risk of human error and ensures that security improvements are implemented consistently across the environment. The integration with compliance reporting further enables organizations to demonstrate adherence to standards such as GDPR, HIPAA, or PCI DSS. By consolidating vulnerability management, compliance reporting, and remediation workflows into a single platform, Defender for Cloud simplifies security operations and enhances overall efficiency.

While other Azure services contribute to operational governance and monitoring, they do not provide the same level of vulnerability management and security assessment. Azure Policy is focused on enforcing configuration compliance; it evaluates resources to ensure they meet defined standards, but it does not scan for vulnerabilities, missing patches, or insecure software. Azure Monitor collects metrics and logs to provide observability into system performance and operational health, yet it does not perform security benchmarking or detect risks within workloads. Log Analytics allows for centralized storage and querying of logs, supporting investigation and diagnostics, but it is a log management tool rather than a solution for vulnerability detection or security improvement recommendations.

Microsoft Defender for Cloud is therefore the appropriate solution for organizations looking to secure Azure virtual machines comprehensively. Its continuous evaluation of workloads, identification of threats and vulnerabilities, and actionable recommendations provide a proactive approach to cloud security. By integrating monitoring, compliance assessments, vulnerability detection, and automated remediation workflows, Defender for Cloud strengthens the security posture of an organization, reduces the risk of breaches, and ensures that cloud resources remain protected in alignment with industry best practices. The combination of these capabilities makes Defender for Cloud an essential tool for maintaining robust security in modern cloud environments.

Question 156

You need to ensure that Azure Key Vault secrets accessed by an application are never exposed through client-side code or configuration files. What should you use to secure the application’s authentication to Key Vault?

A) Managed Identity
B) Shared Access Signature
C) Service Principal with client secret
D) Azure AD group assignment

Answer: A) Managed Identity

Explanation:

Using Managed Identity allows the application to securely access Azure Key Vault without storing authentication material in code or configuration files. Managed Identity provides an automatically managed identity within Azure AD, enabling the application to request tokens to access key resources without developers needing to create, store, or rotate credentials. This significantly reduces the risk of credential leakage, accidental exposure, or misconfiguration. Managed Identity integrates seamlessly with Key Vault, and access can be granted directly through access policies or RBAC role assignments.

Shared Access Signatures work well for storage accounts, but they are token-based and must still be generated, distributed, and protected. They do not integrate with Azure Key Vault and cannot replace identity-based authentication for secrets.

Service Principals with client secrets require the application to store secrets somewhere, such as in configuration files or environment variables. These secrets must be rotated and protected, introducing operational overhead and security risk. They also create additional exposure if the secrets are ever leaked.

Azure AD group assignment can help streamline access control but does not handle authentication for applications. Azure AD groups manage which identities can access a resource, but they do not remove the need for the application to authenticate using credentials. The application would still require a service principal or some credential-based method, which brings back the challenge of storing secrets.

Managed Identity solves this by eliminating credentials entirely. Azure automatically creates and maintains the identity, handles token issuance, and supports automatic key rotation. It is available in both system-assigned and user-assigned forms, providing flexibility to support scaling, multi-instance scenarios, or shared identity approaches across services. Applications such as Web Apps, Virtual Machines, Function Apps, Kubernetes pods, and Logic Apps can all use Managed Identity to securely access Key Vault without storing any sensitive authentication details. This ensures proper security posture by removing secret sprawl and centralizing identity management. For these reasons, Managed Identity is the best solution to ensure secrets are never exposed through code or configuration.

Question 157

You need to enforce that all newly created Azure Storage accounts in a subscription automatically enable advanced threat protection. What should you deploy?

A) Azure Policy with a “deployIfNotExists” effect
B) Blueprint Assignment
C) Microsoft Defender for Cloud alerts
D) RBAC role assignment

Answer: A) Azure Policy with a “deployIfNotExists” effect

Explanation:

Azure Policy with a deployIfNotExists effect ensures that whenever a new storage account is created, advanced threat protection is automatically enabled, even if the creator forgets or lacks awareness of the requirement. This policy actively checks the resource configuration at deployment time, and if the feature is missing, it deploys it automatically. This ensures consistent security enforcement across the organization. Azure Policy enables compliance tracking, remediation, auditing, and consistent governance across all resources.

Blueprint Assignment provides a predefined set of resources, policies, and role assignments. While it helps with initial environment setup, it does not automatically enforce settings for resources created after the blueprint deployment. Blueprints are more suited for environment standardization rather than ongoing configuration enforcement.

Microsoft Defender for Cloud alerts notify security administrators about threats or misconfigurations but do not enforce settings automatically. Alerts occur after issues arise, so they do not prevent misconfiguration of newly created storage accounts.

RBAC role assignments help manage who can perform certain actions, but they cannot enforce configuration settings. RBAC defines who can do what, not how resources must be configured. Therefore, RBAC alone cannot be used to ensure that security features are automatically enabled for new storage accounts.

Azure Policy with deployIfNotExists ensures continuous enforcement, remediation, and proactive compliance, making it the correct solution.
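The deployIfNotExists mechanism described above, as an added Az PowerShell example that is not part of the original page: a custom definition whose existenceCondition checks the advanced threat protection setting on each storage account, an assignment with a managed identity that can deploy the setting, and a remediation task for accounts that already existed. The subscription id, location and names are placeholders; the resource type, API version and existence field follow the built-in "Deploy Advanced Threat Protection on Storage Accounts" definition and should be checked against the current built-in before production use.

```powershell
# Added example (not from the original page): DeployIfNotExists policy that enables advanced
# threat protection on every storage account in a subscription.
# Assumptions: Az.Resources and Az.PolicyInsights are installed, you are signed in
# (Connect-AzAccount), and the subscription id, location and names below are placeholders.

$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$scope          = "/subscriptions/$subscriptionId"
$location       = "eastus"                                  # where the assignment identity lives

# Resolve the role the assignment identity needs instead of hard-coding a GUID.
$roleId           = (Get-AzRoleDefinition -Name "Security Admin").Id
$roleDefinitionId = "/providers/Microsoft.Authorization/roleDefinitions/$roleId"

# Single-quoted here-string: nothing is interpolated, so "$schema" stays literal.
$policyRule = @'
{
  "if": {
    "field": "type",
    "equals": "Microsoft.Storage/storageAccounts"
  },
  "then": {
    "effect": "DeployIfNotExists",
    "details": {
      "type": "Microsoft.Security/advancedThreatProtectionSettings",
      "name": "current",
      "existenceCondition": {
        "field": "Microsoft.Security/advancedThreatProtectionSettings/isEnabled",
        "equals": "true"
      },
      "roleDefinitionIds": [ "__ROLE_DEFINITION_ID__" ],
      "deployment": {
        "properties": {
          "mode": "incremental",
          "parameters": {
            "storageAccountName": { "value": "[field('name')]" }
          },
          "template": {
            "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
            "contentVersion": "1.0.0.0",
            "parameters": { "storageAccountName": { "type": "string" } },
            "resources": [
              {
                "type": "Microsoft.Storage/storageAccounts/providers/advancedThreatProtectionSettings",
                "apiVersion": "2019-01-01",
                "name": "[concat(parameters('storageAccountName'), '/Microsoft.Security/current')]",
                "properties": { "isEnabled": true }
              }
            ]
          }
        }
      }
    }
  }
}
'@
$policyRule = $policyRule.Replace("__ROLE_DEFINITION_ID__", $roleDefinitionId)

# 1. Register the definition at subscription scope.
$definition = New-AzPolicyDefinition -Name "deploy-storage-atp" `
    -DisplayName "Deploy advanced threat protection on storage accounts" `
    -Mode Indexed -Policy $policyRule -SubscriptionId $subscriptionId

# 2. Assign it with a managed identity. Without an identity, DeployIfNotExists can only
#    report non-compliance; there is nothing to run the deployment as.
#    (Older Az.Resources releases use -AssignIdentity instead of -IdentityType.)
$assignment = New-AzPolicyAssignment -Name "deploy-storage-atp" `
    -PolicyDefinition $definition -Scope $scope `
    -IdentityType SystemAssigned -Location $location

# 3. Grant the assignment identity the role named in roleDefinitionIds. The property that
#    holds the principal id differs between Az.Resources versions, so try both.
$principalId = $assignment.Identity.PrincipalId
if (-not $principalId) { $principalId = $assignment.IdentityPrincipalId }
New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName "Security Admin" `
    -Scope $scope | Out-Null

# 4. New storage accounts are corrected by the policy engine after creation. Accounts that
#    already existed are only corrected by an explicit remediation task.
$assignmentId = "$scope/providers/Microsoft.Authorization/policyAssignments/deploy-storage-atp"
Start-AzPolicyRemediation -Name "remediate-storage-atp" -Scope $scope `
    -PolicyAssignmentId $assignmentId | Out-Null

# 5. Check the compliance state once evaluation has run.
Get-AzPolicyState -SubscriptionId $subscriptionId `
    -Filter "PolicyAssignmentName eq 'deploy-storage-atp'" |
    Select-Object ResourceId, ComplianceState
```

Role assignments for the new identity can take a few minutes to propagate, so a remediation started immediately after step 3 may need to be re-run.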

Question 158

You need to improve the security of virtual machines by restricting inbound traffic based on threat intelligence sources. What should you configure?

A) Azure Firewall Threat Intelligence
B) NSG rule with priority override
C) Route Table with UDR
D) Application Gateway WAF

Answer: A) Azure Firewall Threat Intelligence

Explanation:

Azure Firewall Threat Intelligence allows inbound and outbound traffic to be filtered based on Microsoft’s threat intelligence feeds, which identify potentially harmful IP addresses and domains. In alert mode, Azure Firewall logs traffic that matches a known malicious source; in deny mode it also blocks that communication automatically. This enhances VM security by providing dynamic protection against evolving threats such as botnets, command-and-control servers, and malware distribution hosts.

NSG rules filter traffic based on manually defined IPs, ports, and protocols. NSGs cannot subscribe to threat intelligence feeds, and they cannot dynamically respond to emerging malicious sources. NSGs are static by design and require manual updates, making them unsuitable for threat-based filtering.

Route Tables with UDR control routing behavior, such as forcing traffic through firewalls or proxies. They cannot inspect threats, block malicious IPs, or apply intelligence-based filtering. Their function is strictly routing, not security enforcement.

Application Gateway WAF protects web applications by filtering HTTP and HTTPS traffic using OWASP rule sets. It does not block general inbound network threats, nor does it protect non-web workloads. It is not suited for VM-level protection across all traffic types.

Azure Firewall Threat Intelligence provides dynamic protection, continuously updated feeds, and seamless integration with VM traffic routing, making it the correct solution.

Question 159

A development team needs temporary access to a production Key Vault for 24 hours. You must ensure the access expires automatically. What should you use?

A) Azure AD Privileged Identity Management
B) Azure RBAC permanent assignment
C) Key Vault Access Policies
D) Azure Monitor alert rules

Answer: A) Azure AD Privileged Identity Management

Explanation:

Azure Active Directory Privileged Identity Management (PIM) is a critical tool for managing time-bound access to sensitive resources, such as Azure Key Vault. PIM enables organizations to assign eligible roles to users in a way that requires them to activate their access only when it is actually needed. For example, the development team can be assigned eligible roles that allow them to access Key Vault, but this access is not permanent. They can activate it for a limited duration, such as 24 hours, after which the permissions are automatically revoked. This time-bound approach ensures that users have only the level of access necessary for their current tasks, significantly reducing the risk of prolonged exposure of sensitive information.

In addition to time-bound access, PIM offers a range of security features that support a comprehensive least-privilege model. Activation of eligible roles can require multi-factor authentication (MFA), which adds an extra layer of protection by verifying that the user requesting access is indeed authorized. PIM also supports approval workflows, where access requests can be reviewed and approved by managers or administrators before activation, providing an additional safeguard against unauthorized access. Activation notifications alert administrators whenever privileged roles are activated, helping to maintain visibility and accountability. Furthermore, access reviews can be scheduled regularly to ensure that users who no longer need certain privileges have them removed promptly. All activations and changes are logged, providing a complete audit trail that supports compliance and security monitoring.

In contrast, traditional role-based access control (RBAC) permanent assignments grant users ongoing access to resources. While RBAC is effective for general access management, it does not provide time-bound control. Permanent assignments are inherently misaligned with the principle of least privilege because users retain access indefinitely, even if it is not needed on a continuous basis. This prolonged access increases the attack surface and can leave sensitive resources vulnerable to misuse or compromise.

Similarly, Key Vault access policies can grant granular permissions for specific operations, but they lack built-in mechanisms for automatic expiration. Administrators would need to manually remove permissions once they are no longer required, which is both labor-intensive and prone to human error. Without automation, there is a significant risk that permissions remain active longer than necessary, exposing the organization to potential security breaches.

Azure Monitor can provide alerts about suspicious or unusual activity, but it does not enforce access expiration or manage identity privileges. While alerts can notify administrators of events, they do not have the ability to revoke permissions or control when and how users access sensitive resources.

Ultimately, PIM is the only solution that combines temporary access enforcement, auditing, and comprehensive security controls in a single service. By leveraging PIM, organizations can ensure that sensitive resources like Key Vault are protected through time-bound access, automated expiration, and full visibility into who has access and when. This approach enforces the principle of least privilege, reduces administrative overhead, and minimizes the risk associated with long-term access to critical systems.

Question 160

You need to prevent ex-employees from using previously issued refresh tokens to access Azure resources after their account is disabled. What should you configure?

A) Azure AD Conditional Access Token Lifetime
B) Access Package Catalog
C) Privileged Access Group
D) Azure Policy Initiative

Answer: A) Azure AD Conditional Access Token Lifetime

Explanation:

Azure AD token lifetime controls provide organizations with a critical mechanism for managing session security and ensuring that access to resources is appropriately time-bound. Refresh tokens are a key component of modern authentication workflows, allowing users to maintain access to applications without repeatedly signing in. However, these tokens also represent a potential security risk if they remain valid indefinitely, especially when an employee leaves the organization or a device is compromised. By configuring token lifetime policies, administrators can enforce limits on how long refresh tokens remain active, reducing the risk of unauthorized access and ensuring that organizational resources remain secure.

Administrators can set policies to shorten refresh token lifetimes, meaning that even if a token is compromised, it will expire quickly, limiting the window in which it could be misused. Additionally, token lifetime controls can be used in conjunction with account lifecycle events, such as disabling or deleting user accounts. When a refresh token is revoked or the account is disabled, Azure AD immediately evaluates token refresh attempts against the current lifecycle policy. This prevents ex-employees or other unauthorized individuals from continuing to access resources with previously valid tokens. In modern identity and access management strategies, particularly those aligned with zero-trust principles, this capability is essential to ensure that access is granted only to legitimate, active users.

While Azure AD token lifetime controls manage the security of user sessions directly, other Azure services address different aspects of access governance but do not provide equivalent control over token validity. Access Package Catalogs, for instance, are part of entitlement management and help administrators organize and streamline access to groups, applications, and resources. They make it easier to manage who has access to what, but they do not influence how long a token remains valid or enforce session revocation. Similarly, Privileged Access Groups allow organizations to manage assignments for highly privileged roles, controlling who can perform critical administrative functions, but they do not affect refresh tokens or the duration of user sessions.

Azure Policy Initiatives are used to enforce compliance and configuration standards across Azure resources. They ensure that resources meet organizational or regulatory requirements by controlling properties such as encryption, allowed VM sizes, or networking configurations. While these policies are essential for maintaining consistent resource configurations and operational governance, they operate at the resource plane rather than the identity plane. As such, Azure Policy cannot manage token lifetimes, session expiration, or authentication behaviors, which are strictly identity-related concerns.

Conditional Access in Azure AD can work alongside token lifetime policies to enforce session security dynamically. For example, Conditional Access policies can require reauthentication or multi-factor authentication based on user risk, device compliance, or location, complementing token lifetime settings by adding another layer of control. By combining token lifetime controls with Conditional Access policies, organizations can precisely manage session duration, enforce secure authentication workflows, and respond to evolving security risks.

Azure AD token lifetime controls are the correct solution for managing session security and preventing lingering access after offboarding or account changes. By limiting refresh token validity, immediately revoking tokens when accounts are disabled, and integrating with Conditional Access, organizations can enforce secure, time-bound sessions that align with zero-trust principles. This approach reduces the risk of unauthorized access, strengthens identity security, and ensures that only active, verified users can continue to access corporate resources. Token lifetime management is therefore a critical element in a comprehensive identity and access management strategy.

Question 161

You need to ensure that an Azure Web App can securely retrieve secrets from Azure Key Vault without storing any credentials in its configuration settings. What should you configure?

A) System-assigned Managed Identity
B) Connection string with shared key
C) Service Principal with embedded secret
D) Azure Storage SAS token

Answer: A) System-assigned Managed Identity

Explanation:

A system-assigned Managed Identity allows an Azure Web App to authenticate to Azure Key Vault without storing secrets, keys, passwords, or tokens in its configuration or code. When enabled, Azure automatically creates an identity tied directly to the web app lifecycle. This identity can be granted access to Key Vault through access policies or RBAC roles. Once configured, the Web App retrieves secrets using authentication requests handled by Azure AD, eliminating the need for developers to manage or rotate credentials. This significantly improves security by reducing attack vectors like secret leakage, misconfiguration, and inadvertent exposure through source control.

Connection strings with shared keys expose sensitive material that must be protected. Shared keys do not offer identity-based authentication and increase operational risk. If these keys are leaked, an attacker can access resources without restrictions or identity verification. This method does not integrate with Key Vault for secure retrieval.

A Service Principal with an embedded secret requires storing the client secret somewhere. Even if stored in application settings, it leaves sensitive information at risk. These secrets must be manually rotated, and any exposure compromises the application’s identity. This approach duplicates administrative overhead and weakens security posture compared to Managed Identity.

Azure Storage SAS tokens provide delegated access to storage accounts. They are not used for authenticating to Key Vault. SAS tokens also carry the risk of accidental exposure and require lifecycle management. They do not address the requirement to avoid stored credentials and do not integrate with Azure Key Vault authentication flows.

System-assigned Managed Identity is the best and most secure approach. It provides seamless integration, credential-free authentication, automatic identity lifecycle management, and reduced risk of exposure. This method enforces strong identity security and ensures the Web App accesses Key Vault securely without storing sensitive authentication material.
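The credential-free pattern from Questions 156 and 161, as an added Az PowerShell example that is not part of the original page: enable the web app's system-assigned identity, grant it a data-plane secrets role on a vault that uses the RBAC permission model, and expose a secret to the app as a Key Vault reference so the app setting stores only a URI. Resource group, app and vault names are placeholders.

```powershell
# Added example (not from the original page): Web App -> Key Vault with no stored credential.
# Assumptions: Az.Websites, Az.KeyVault and Az.Resources are installed, you are signed in,
# the vault was created with -EnableRbacAuthorization, and all names are placeholders.

$rg      = "rg-placeholder"
$appName = "webapp-placeholder"
$kvName  = "kv-placeholder"

# 1. Turn on the system-assigned identity. Azure creates the service principal and rotates
#    its credential; nothing is written to the app's configuration or source code.
$app         = Set-AzWebApp -ResourceGroupName $rg -Name $appName -AssignIdentity $true
$principalId = $app.Identity.PrincipalId

# 2. Grant only the data-plane "Key Vault Secrets User" role (read secret values), scoped to
#    this one vault, rather than Contributor or a management-plane role.
$kv = Get-AzKeyVault -ResourceGroupName $rg -VaultName $kvName
New-AzRoleAssignment -ObjectId $principalId `
    -RoleDefinitionName "Key Vault Secrets User" `
    -Scope $kv.ResourceId | Out-Null

# 3. Reference the secret instead of copying it. App Service resolves the reference with the
#    managed identity at runtime. Set-AzWebApp -AppSettings replaces the whole collection,
#    so existing settings are merged first to avoid wiping them.
$settings = @{}
foreach ($s in $app.SiteConfig.AppSettings) { $settings[$s.Name] = $s.Value }
$settings["DbPassword"] = "@Microsoft.KeyVault(SecretUri=https://$kvName.vault.azure.net/secrets/DbPassword/)"
Set-AzWebApp -ResourceGroupName $rg -Name $appName -AppSettings $settings | Out-Null

# 4. Check: the value stored on the app is the reference string, not the secret itself.
(Get-AzWebApp -ResourceGroupName $rg -Name $appName).SiteConfig.AppSettings |
    Where-Object Name -eq "DbPassword"
```

If the reference fails to resolve, the app's Configuration blade shows the resolution error; the usual causes are a role assignment that has not propagated yet or a vault still on the access-policy permission model.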

Question 162

You need to ensure Azure Kubernetes Service (AKS) nodes can pull images securely from a private Azure Container Registry. What should you configure?

A) Managed Identity with ACR pull role
B) Admin-enabled ACR access keys
C) Service Principal credentials stored in Kubernetes secrets
D) Public registry access

Answer: A) Managed Identity with ACR pull role

Explanation:

Using Managed Identity with a pull role assignment allows AKS nodes to authenticate securely to Azure Container Registry (ACR) without storing credentials. AKS supports both system-assigned and user-assigned Managed Identities, which Azure handles automatically. Granting the AcrPull role to this identity ensures that only authorized AKS components can retrieve container images. This creates a secure, identity-based integration that eliminates risks associated with secret exposure, mismanagement, or accidental leakage. The identity is fully managed, and token issuance is handled seamlessly.

Admin-enabled ACR access keys expose permanent credentials that allow full access to the registry. These keys cannot be scoped or restricted. They must be stored somewhere—typically in Kubernetes secrets—which increases the attack surface. If leaked, they grant full registry control to attackers.

Using a Service Principal stored in Kubernetes secrets requires manual rotation and secure secret storage. Kubernetes secrets are base64-encoded, not encrypted, unless additional tools are configured. This method introduces significant credential management overhead and potential risk.

Public registry access weakens security by making images available to any anonymous user. This violates security best practices and exposes container images to unauthorized access.

Managed Identity with the AcrPull role provides identity-based access with no stored credentials, automatic token handling, and a least-privilege scope, making it the correct solution.

Question 163

You need to restrict Azure VM outbound traffic to only approved FQDNs while blocking all other internet access. What should you implement?

A) Azure Firewall with FQDN filtering
B) NSG outbound rules
C) Route table with forced tunneling
D) Azure Front Door

Answer: A) Azure Firewall with FQDN filtering

Explanation:

Azure Firewall with fully qualified domain name (FQDN) filtering provides a robust solution for controlling outbound traffic from virtual machines (VMs) in Azure by allowing access to specific domain names. Unlike traditional network controls that rely solely on IP addresses, Azure Firewall operates at layer-7, meaning it can inspect HTTP and HTTPS traffic and make decisions based on the actual domain names being accessed. This capability is particularly important because many modern applications and services use domains that resolve to dynamic IP addresses. Without FQDN filtering, relying only on IP-based rules can be ineffective, as IP addresses associated with cloud services or external resources can change frequently, potentially leading to either unintended access or overly permissive rules. Azure Firewall addresses this challenge by enabling application rules that explicitly define which domains are allowed while blocking all other outbound internet traffic. This ensures that VMs can only reach authorized endpoints, establishing a strict and centralized outbound security posture.

Application rules in Azure Firewall allow administrators to define granular controls over which web resources can be accessed. By specifying allowed FQDNs, organizations can prevent VMs from reaching malicious or unapproved websites. The firewall also provides logging and monitoring capabilities, which help track outbound requests, detect anomalous behavior, and support compliance requirements. These features make Azure Firewall with FQDN filtering an ideal choice for organizations that require a high level of security and visibility for outbound traffic.

In comparison, network security groups (NSGs) provide layer-4 traffic filtering, meaning they operate at the transport layer and control traffic based on source and destination IP addresses, ports, and protocols. NSGs cannot evaluate domain names or perform layer-7 inspection, which limits their ability to accommodate dynamic DNS changes. As a result, NSGs are unable to enforce FQDN-based restrictions and are only suitable for controlling network-level access. While NSGs are effective for basic network segmentation and port-level security, they cannot achieve the same level of outbound domain-specific control provided by Azure Firewall.

Route tables with forced tunneling can redirect outbound traffic to a designated next-hop, such as a network virtual appliance or on-premises firewall. However, route tables themselves do not filter traffic and cannot enforce domain-based restrictions. They merely control the path that outbound traffic takes, meaning an external filtering solution is still required to implement FQDN-based controls. This adds complexity and does not provide the native, integrated layer-7 security offered by Azure Firewall.

Azure Front Door, on the other hand, is designed as a global web application delivery service that manages inbound traffic for web applications. It provides capabilities such as global load balancing, caching, and application acceleration, but it is not intended to control outbound traffic from VMs. Therefore, it cannot meet the requirement for restricting VM outbound access to specific domains.

Azure Firewall with FQDN filtering is the only solution among these options that directly addresses the requirement for domain-based outbound restrictions. It provides centralized policy management, layer-7 inspection, and the ability to enforce strict security controls on internet-bound traffic from VMs. By using Azure Firewall, organizations can ensure that outbound traffic is limited to approved domains, improve threat protection, and maintain a secure and compliant network environment.
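
The allow-list behaviour described above, as an added example that is not part of the original explanation or Azure Firewall's own code: a small model of application rules keyed on the presented host name rather than on resolved IP addresses, with the implicit deny for anything unmatched. The rule names, FQDNs and wildcard semantics (a leading `*.` matches subdomains but not the apex) are this example's assumptions.

```python
# Constructed allow list shaped like Azure Firewall application rules: each rule
# lists permitted protocol/port pairs and target FQDNs, with "*." permitted as
# a leading wildcard. Host names are placeholders chosen for the example.
APPLICATION_RULES = [
    {"name": "allow-windows-update",
     "protocols": {("Https", 443), ("Http", 80)},
     "target_fqdns": ["*.windowsupdate.com", "*.update.microsoft.com"]},
    {"name": "allow-acr",
     "protocols": {("Https", 443)},
     "target_fqdns": ["contosoregistry.azurecr.io"]},
]

def fqdn_matches(pattern, host):
    """True when host matches an FQDN pattern. In this model a leading "*."
    matches one or more labels but not the apex itself, and can never be
    satisfied by a look-alike such as "evil-windowsupdate.com"."""
    pattern, host = pattern.lower(), host.rstrip(".").lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])   # pattern[1:] keeps the leading dot
    return host == pattern

def evaluate_outbound(fqdn, protocol, port, rules=APPLICATION_RULES):
    """Return ("Allow", rule_name) or ("Deny", None) for one outbound request.

    The decision keys on the host name the client presents (HTTP Host header or
    TLS SNI), never on the address it resolves to, so it stays correct when the
    destination's IP changes. Unmatched traffic falls through to the implicit
    deny that Azure Firewall applies.
    """
    for rule in rules:
        if (protocol, port) not in rule["protocols"]:
            continue
        if any(fqdn_matches(p, fqdn) for p in rule["target_fqdns"]):
            return ("Allow", rule["name"])
    return ("Deny", None)

def evaluate_batch(requests, rules=APPLICATION_RULES):
    """Decide a list of (fqdn, protocol, port) tuples, e.g. hosts recorded from
    a VM's outbound traffic, to check a proposed rule set before deploying it."""
    return [(fqdn, *evaluate_outbound(fqdn, proto, port, rules))
            for fqdn, proto, port in requests]
```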

Question 164

Your company requires that developers authenticate to Azure using hardware-based FIDO2 keys only. What should you configure?

A) Authentication strength policy
B) Passwordless phone sign-in
C) Conditional Access app control
D) Temporary Access Pass

Answer: A) Authentication strength policy

Explanation:

Authentication strength policies in Azure Active Directory provide organizations with a powerful and flexible way to enforce specific authentication requirements for users and groups. These policies allow administrators to define which authentication methods are acceptable for accessing corporate resources and to require stronger, phishing-resistant mechanisms for high-risk or sensitive roles. For example, an organization can implement a policy that mandates the use of FIDO2 security keys exclusively for developer accounts. By enforcing hardware-based authentication, organizations gain the highest level of protection against common attacks such as credential theft, phishing, replay attacks, and credential stuffing, which are increasingly common in modern threat landscapes.

Authentication strength policies work by defining the precise authentication methods that are acceptable and integrating them with Conditional Access to control access to applications, resources, or workloads. With this integration, organizations can ensure that only users who meet the specified authentication criteria are allowed to sign in. This approach is particularly valuable for roles with elevated privileges, such as developers, system administrators, or security personnel, where unauthorized access could lead to significant organizational risk. By enforcing FIDO2-only sign-ins for developers, for instance, an organization can ensure that these users are protected by a strong, hardware-backed authentication mechanism that is resistant to phishing and other common attack vectors.

Other authentication and access management solutions in Azure do not provide the same level of enforcement for specific authentication methods. Passwordless phone sign-in, which relies on the Microsoft Authenticator app, is a secure and convenient method for reducing reliance on passwords, but it does not fulfill the requirement of hardware-based authentication. While it enhances security and user experience, it cannot be configured to mandate exclusive use of FIDO2 security keys for certain groups.

Conditional Access app control is another security feature that governs session behavior, monitors user activity in real time, and can enforce conditions such as access restrictions based on location or device compliance. However, it does not allow administrators to specify which authentication methods users must use. Conditional Access operates at the level of application access, controlling who can use a resource under specific conditions, but it cannot enforce the underlying authentication method, making it insufficient for scenarios requiring FIDO2-only enforcement.

Temporary Access Pass is a mechanism designed to provide a temporary authentication method when users have lost access to their primary credentials or devices. It is intended as a short-term solution for onboarding or recovery and does not serve as a policy enforcement tool. Using Temporary Access Pass as a primary authentication method would undermine security rather than strengthen it, because it is designed to be temporary and flexible rather than mandatory.

By contrast, authentication strength policies allow administrators to strictly enforce hardware-based FIDO2 authentication for specific groups or roles. This ensures that only users who possess the required authentication device can sign in, effectively mitigating the risk of credential compromise. Organizations gain not only enhanced protection against phishing and credential-based attacks but also precise control over security for high-risk roles. Combined with Conditional Access, authentication strength policies allow for granular, role-specific enforcement, making them the most effective solution for scenarios where FIDO2-only authentication is required. This approach strengthens overall identity security, reduces the attack surface, and ensures compliance with best practices for protecting sensitive resources.
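
To make the evaluation concrete, here is an added example (not from the original explanation, and not Microsoft's implementation) of how a Conditional Access grant that requires an authentication strength can be modelled: a strength is a set of allowed method combinations, and a sign-in passes when the methods it used contain one whole combination. The method names follow Microsoft Graph's `authenticationMethodModes` values and the built-in strength contents are assumed here; the group names and policies are constructed.

```python
# Constructed model of authentication strengths as Conditional Access evaluates
# them. Method names follow Microsoft Graph's authenticationMethodModes values
# and the built-in strength contents are assumed here; verify both in the
# Entra admin center before relying on them.
PHISHING_RESISTANT = {
    frozenset({"fido2"}),
    frozenset({"windowsHelloForBusiness"}),
    frozenset({"x509CertificateMultiFactor"}),
}
STRENGTHS = {
    "Phishing-resistant MFA": PHISHING_RESISTANT,
    # adds Microsoft Authenticator phone sign-in (option B in the question)
    "Passwordless MFA": PHISHING_RESISTANT | {frozenset({"deviceBasedPush"})},
    # custom strength for the scenario: hardware FIDO2 keys and nothing else
    "FIDO2 security key only": {frozenset({"fido2"})},
}

# Constructed Conditional Access policies, each granting access only when the
# named strength is met. Group names are placeholders.
POLICIES = [
    {"name": "Developers require FIDO2", "group": "Developers",
     "strength": "FIDO2 security key only"},
    {"name": "All staff require passwordless MFA", "group": "Staff",
     "strength": "Passwordless MFA"},
]

def satisfies(strength, methods_used):
    """True when the methods used in a sign-in contain one allowed combination."""
    used = frozenset(methods_used)
    return any(combination <= used for combination in strength)

def decide(user_groups, methods_used, policies=POLICIES):
    """Return ("grant", reason) or ("block", reason). Every policy that targets
    one of the user's groups must be satisfied; the first failure blocks."""
    for policy in policies:
        if policy["group"] not in user_groups:
            continue
        if not satisfies(STRENGTHS[policy["strength"]], methods_used):
            return ("block", f"{policy['name']}: {sorted(methods_used)} does not "
                             f"meet '{policy['strength']}'")
    return ("grant", "all applicable policies satisfied")
```

The same model shows why options B and D fail the requirement: phone sign-in (`deviceBasedPush`) and a Temporary Access Pass both satisfy weaker strengths, but neither contains the `fido2` combination the custom strength demands.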

Question 165

You need to ensure that Azure SQL Database automatically identifies vulnerabilities and provides actionable security recommendations. What should you enable?

A) Microsoft Defender for SQL
B) Azure Monitor Metrics
C) SQL Auditing
D) Backup Encryption

Answer: A) Microsoft Defender for SQL

Explanation:

Microsoft Defender for SQL is a comprehensive security solution designed to provide advanced protection for Azure SQL Databases. It plays a critical role in helping organizations maintain a secure, compliant, and resilient database environment. By offering capabilities such as vulnerability assessments, threat detection, attack surface evaluation, and actionable security recommendations, Defender for SQL allows administrators to proactively identify risks and address potential security gaps before they can be exploited. This proactive approach is essential for organizations that manage sensitive data or operate in regulated industries, where database security is a top priority.

When enabled, Microsoft Defender for SQL continuously scans the database environment, assessing a wide range of configurations and behaviors. It evaluates database permissions to ensure that users have only the access necessary to perform their roles, minimizing the risk of privilege escalation. Network exposure is analyzed to detect overly permissive access or misconfigured endpoints that could be exploited by attackers. Encryption status is verified to confirm that data at rest and in transit meets organizational security standards. Additionally, Defender monitors user behaviors and login patterns to detect anomalies that could indicate malicious activity. By combining configuration analysis with behavioral insights, it provides a holistic view of the database security posture.

Defender for SQL also includes automated vulnerability assessments that detect common misconfigurations and security weaknesses. These assessments generate actionable remediation steps, helping administrators quickly address issues without the need for extensive manual investigation. For example, if a database has outdated software or missing security patches, Defender will highlight the problem and provide guidance on how to remediate it. It also identifies potential attack vectors, such as SQL injection vulnerabilities, and monitors for suspicious activity patterns that could indicate ongoing attacks. The ability to detect anomalous logins, unusual query activity, potential privilege misuse, and data exfiltration attempts ensures that security teams are alerted to threats in real time.

In contrast, other Azure services provide valuable functionality but do not offer the same level of database-specific security. Azure Monitor Metrics collects performance data such as CPU usage, storage trends, and DTU utilization. While this information is useful for performance tuning and capacity planning, it does not provide insights into vulnerabilities or potential threats. SQL Auditing logs database events to support compliance and accountability, recording actions taken by users for auditing purposes. However, auditing does not evaluate risk, identify misconfigurations, or provide recommendations for improving security. Backup Encryption protects backup files by encrypting them to prevent unauthorized access, but it does not monitor the database for vulnerabilities, detect threats, or suggest security improvements.

Microsoft Defender for SQL is unique because it combines continuous monitoring, automated vulnerability detection, and actionable guidance in a single solution. It not only identifies security weaknesses but also provides clear steps to remediate them, helping organizations reduce risk and maintain a strong security posture. By detecting both configuration issues and behavioral anomalies, it allows security teams to respond proactively to threats, protecting sensitive data and ensuring compliance with industry standards. This comprehensive approach makes Defender for SQL an essential tool for maintaining secure and resilient Azure SQL Databases.
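
As an added example (this page's own illustration, not Defender for SQL's actual vulnerability assessment rules), the following checker shows the shape of the configuration-side assessment the explanation describes: it inspects a logical server's network exposure, encryption and database-role assignments and returns findings paired with remediation steps. The sample server, rule names, severities and wording are constructed for the example.

```python
# Constructed, simplified model of the configuration checks the explanation
# describes (permissions, network exposure, encryption). Rules, severities and
# wording are this example's own, not Defender for SQL's; the server is made up.
SAMPLE_SERVER = {
    "name": "contoso-sql",
    "public_network_access": True,
    "firewall_rules": [
        {"name": "AllowAllWindowsAzureIps", "start": "0.0.0.0", "end": "0.0.0.0"},
        {"name": "office", "start": "203.0.113.0", "end": "203.0.113.255"},
        {"name": "AllowAll", "start": "0.0.0.0", "end": "255.255.255.255"},
    ],
    "databases": [
        {"name": "orders", "tde_enabled": False, "auditing_enabled": False,
         "principals": [{"name": "app_user", "roles": ["db_owner"]},
                        {"name": "report_user", "roles": ["db_datareader"]}]},
    ],
}

def finding(severity, scope, issue, remediation):
    return dict(severity=severity, scope=scope, issue=issue, remediation=remediation)

def assess(server):
    """Return actionable findings for one logical server and its databases."""
    out = []
    for rule in server["firewall_rules"]:
        span = (rule["start"], rule["end"])
        if span == ("0.0.0.0", "255.255.255.255"):
            out.append(finding("High", server["name"],
                f"firewall rule '{rule['name']}' admits every IPv4 address",
                "remove it; allow only known client ranges or use a private endpoint"))
        elif span == ("0.0.0.0", "0.0.0.0"):
            # 0.0.0.0-0.0.0.0 is 'Allow Azure services', i.e. any Azure tenant
            out.append(finding("Medium", server["name"],
                "'Allow Azure services' firewall rule is enabled",
                "disable it; reach the server from your own VNets or private endpoints"))
    if server["public_network_access"]:
        out.append(finding("Medium", server["name"], "public network access is enabled",
                           "disable it once clients connect through private endpoints"))
    for db in server["databases"]:
        scope = f"{server['name']}/{db['name']}"
        if not db["tde_enabled"]:
            out.append(finding("High", scope, "Transparent Data Encryption is off",
                               "enable TDE so data at rest is encrypted"))
        if not db["auditing_enabled"]:
            out.append(finding("Medium", scope, "auditing is disabled",
                               "enable auditing to Log Analytics or a storage account"))
        for p in db["principals"]:
            if "db_owner" in p["roles"]:
                out.append(finding("High", scope, f"principal '{p['name']}' holds db_owner",
                                   "grant only the specific roles the workload needs"))
    return out
```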