Microsoft AZ-500 Azure Security Technologies Exam Dumps and Practice Test Questions Set 15 Q211-225
Question 211
You need to ensure that all Azure Storage accounts are encrypted by default and that any unencrypted accounts are automatically remediated across subscriptions. Which solution should you use?
A) Azure Policy with deployIfNotExists effect
B) Role-Based Access Control
C) Storage Account Keys
D) Azure Monitor Alerts
Answer: A) Azure Policy with deployIfNotExists effect
Explanation:
Azure Policy allows administrators to define rules that enforce specific configurations across resources and subscriptions. Using a policy with the deployIfNotExists effect, any storage account that is not encrypted can automatically be remediated to enable encryption. This ensures continuous compliance across subscriptions. Azure Policy also provides detailed compliance reports and dashboards, helping organizations track adherence to security standards.
Role-Based Access Control (RBAC) manages permissions for users and groups but does not enforce encryption or remediate non-compliant storage accounts. RBAC ensures proper access but cannot control configuration.
Storage Account Keys provide access credentials to storage accounts but do not enforce encryption or monitor compliance. They cannot remediate unencrypted accounts.
Azure Monitor Alerts can notify administrators of unencrypted accounts but cannot automatically enforce encryption or remediate resources. Alerts are a reactive notification, not proactive enforcement.
Azure Policy with deployIfNotExists effect is correct because it provides automated, continuous enforcement of encryption policies and ensures compliance across multiple subscriptions without manual intervention.
Question 212
You need to ensure that developers can securely access an Azure Key Vault from an App Service without storing credentials in code. Which solution should you implement?
A) System-assigned Managed Identity
B) Service Principal with stored secret
C) Connection string with embedded key
D) Shared Access Signature (SAS)
Answer: A) System-assigned Managed Identity
Explanation:
System-assigned Managed Identity allows Azure resources such as App Services to authenticate to Azure Key Vault securely without credentials in code. The identity is managed by Azure, tied to the resource’s lifecycle, and access can be granted through Key Vault access policies or Azure RBAC roles. Tokens are automatically issued and rotated by Azure AD, providing secure access and reducing the risk of credential leakage.
Service Principal with a stored secret requires managing credentials manually. Storing secrets in code or configuration increases the risk of exposure and requires manual rotation.
Connection strings with embedded keys involve storing credentials in code, which is insecure and violates best practices for secret management.
Shared Access Signatures (SAS) are scoped to Azure Storage resources and cannot be used for Key Vault authentication. SAS tokens provide delegated access to storage but are not identity-based.
System-assigned Managed Identity is correct because it offers secure, credential-free access to Key Vault, automatic token management, and integration with RBAC or access policies.
Question 213
You need to detect suspicious Azure AD sign-ins, including impossible travel events and multiple failed logins. Which service should you enable?
A) Azure AD Identity Protection
B) Azure Security Center
C) Microsoft Defender for Endpoint
D) Azure Monitor Metrics
Answer: A) Azure AD Identity Protection
Explanation:
Azure AD Identity Protection continuously monitors sign-ins for suspicious activity, including impossible travel events, multiple failed logins, atypical locations, and compromised credentials. It calculates risk scores for users and sign-ins and can trigger automated responses like MFA challenges or blocking access. Integration with Conditional Access allows adaptive enforcement based on risk levels.
Azure Security Center monitors resources for vulnerabilities, misconfigurations, and security recommendations but does not provide identity-specific risk analysis.
Microsoft Defender for Endpoint protects endpoints and devices from malware and exploits but does not monitor Azure AD sign-ins or account-level threats.
Azure Monitor Metrics collects operational and performance telemetry but does not detect suspicious identity activities or trigger automated mitigation.
Azure AD Identity Protection is correct because it is purpose-built for identity security, providing detection, alerting, and automated responses for risky user activities.
Question 214
You need to enforce just-in-time access for Azure SQL Database administrators, with automatic expiration of privileges. Which solution should you use?
A) Azure AD Privileged Identity Management
B) Role-Based Access Control permanent assignment
C) SQL Server Active Directory Admin
D) Azure Key Vault Access Policy
Answer: A) Azure AD Privileged Identity Management
Explanation:
Azure AD Privileged Identity Management (PIM) provides just-in-time activation of privileged roles. Administrators can assign eligible users to roles that must be activated for a limited time, after which access automatically expires. PIM includes auditing, notifications, and approval workflows to maintain governance and reduce the risk of overprivileged access.
Permanent RBAC assignments provide continuous access without expiration, which does not meet the requirement for temporary access and increases security exposure.
SQL Server Active Directory Admin grants administrative privileges but does not support time-limited, just-in-time activation. Manual revocation is required, which introduces potential security risks.
Azure Key Vault Access Policies manage access to secrets, keys, and certificates and cannot provide temporary administrative access to SQL Database.
Azure AD PIM is correct because it ensures temporary, auditable, and automatically expiring access to SQL Database administrators, maintaining security and compliance.
Question 215
You need to ensure that all outbound traffic from Azure virtual machines is routed through a central firewall and restricted to approved endpoints for inspection. Which solution should you implement?
A) Azure Firewall with forced tunneling
B) Network Security Group
C) Azure Policy
D) Azure Monitor Metrics
Answer: A) Azure Firewall with forced tunneling
Explanation:
Azure Firewall with forced tunneling is a comprehensive network security solution that provides centralized control over outbound traffic from Azure virtual machines. In many cloud environments, virtual machines have the ability to initiate outbound connections to the internet, which can potentially bypass organizational security policies if not properly managed. By implementing Azure Firewall with forced tunneling, all outbound traffic from virtual machines is routed through a central firewall. This ensures that every connection leaving the virtual network is inspected, monitored, and controlled according to defined security policies. Forced tunneling enforces this routing, preventing virtual machines from directly accessing the internet and bypassing security inspection. This centralized approach to traffic management allows administrators to implement a consistent security strategy across all virtual machines in an environment, reducing exposure to threats and improving compliance with regulatory and organizational policies.
Administrators can define both application-level and network-level rules in Azure Firewall. Network rules allow filtering based on IP addresses, ports, and protocols, enabling administrators to permit or deny access to specific network ranges. Application rules operate at the layer-7 level and allow filtering based on fully qualified domain names, URLs, or other application-specific criteria. This dual-layer filtering capability ensures that both the network-level and application-level traffic can be controlled, providing a granular level of security that protects against unauthorized access, malware, and potential data exfiltration. Additionally, Azure Firewall offers detailed logging and auditing capabilities, capturing information about all traffic that passes through it. These logs can be integrated with security monitoring systems or SIEM platforms to provide insights into traffic patterns, detect anomalies, and support compliance reporting.
Network Security Groups (NSGs), while useful for controlling traffic at the subnet or virtual machine level, are limited in scope. NSGs can filter traffic based on IP addresses, ports, and protocols, but they cannot enforce domain-level filtering or centralized inspection of outbound traffic. NSGs alone do not provide a comprehensive solution for managing all egress traffic, leaving gaps that could allow unauthorized or potentially harmful traffic to leave the virtual network.
Azure Policy is another important governance tool in Azure, but it focuses on enforcing compliance with resource configurations and organizational standards. While it can ensure that resources are configured according to policy requirements, it does not provide control over network routing or perform traffic inspection. Azure Policy is valuable for maintaining configuration consistency but cannot prevent virtual machines from sending traffic directly to the internet.
Azure Monitor Metrics collects telemetry, operational data, and performance information from resources. While it is useful for monitoring system health and performance trends, it cannot enforce outbound traffic restrictions or inspect the content of communications. Alerts generated by Azure Monitor can notify administrators about certain conditions, but they do not provide proactive traffic control or security enforcement.
Azure Firewall with forced tunneling is the ideal solution for controlling outbound traffic from Azure virtual machines. It ensures that all traffic passes through a centralized inspection point, enforces rules at both the network and application layers, and provides logging and auditing for compliance and security monitoring. By implementing forced tunneling, organizations can prevent virtual machines from bypassing security controls, reduce exposure to threats, and maintain centralized, auditable control over outbound network communications.
Question 216
You need to detect and respond to threats targeting Azure virtual machines, including malware and ransomware attacks. Which service should you enable?
A) Microsoft Defender for Cloud
B) Azure Monitor Metrics
C) Network Security Group
D) Azure Policy
Answer: A) Microsoft Defender for Cloud
Explanation:
Microsoft Defender for Cloud is a comprehensive security solution designed to provide continuous monitoring and protection for Azure virtual machines and other resources. It plays a critical role in detecting and responding to potential threats, including malware, ransomware, suspicious activity, and other security risks. Defender for Cloud continuously analyzes the behavior of virtual machines, identifies anomalies, and generates real-time alerts to notify administrators of potential security incidents. This proactive monitoring allows organizations to address threats before they escalate into serious security breaches, reducing the risk of data loss or operational disruption.
In addition to threat detection, Microsoft Defender for Cloud provides detailed remediation recommendations. When a potential security issue is detected, the platform offers actionable guidance to resolve the problem and strengthen the security posture of the affected virtual machine. This guidance can include steps to isolate compromised workloads, remove malware, or apply recommended security configurations. By offering these recommendations, Defender for Cloud helps administrators respond quickly and effectively to threats, even if they do not have specialized security expertise.
Defender for Cloud also evaluates the overall security posture of virtual machines against established best practices. It provides compliance reporting, highlighting areas where virtual machines do not meet organizational or regulatory security standards. This allows organizations to identify gaps in security configurations, implement improvements, and maintain adherence to compliance requirements. By combining continuous threat monitoring with security posture management, Defender for Cloud ensures that virtual machines are not only protected against immediate threats but are also configured securely over the long term.
While other Azure services provide important operational and security capabilities, they do not offer the same level of threat detection and protection. For example, Azure Monitor Metrics is designed to collect operational and performance data, such as CPU utilization, memory usage, and disk activity. These metrics are invaluable for diagnosing performance bottlenecks and optimizing resource usage, but they do not provide any mechanism for detecting malware, ransomware, or other security threats within a virtual machine.
Network Security Groups, or NSGs, are used to control inbound and outbound traffic at the subnet or network interface level. While NSGs can prevent unauthorized network access and block specific ports or IP addresses, they do not monitor the behavior of processes within the operating system or detect malware infections. Their scope is limited to network-level access control rather than comprehensive threat protection.
Azure Policy provides the ability to enforce compliance and configuration standards across Azure resources. Policies can ensure that encryption is enabled, required tags are applied, or specific configuration settings are in place. While these policies help maintain consistent governance, they do not perform real-time monitoring or detect malicious activity within virtual machines.
Microsoft Defender for Cloud is the correct solution for protecting Azure virtual machines from threats. It offers proactive, continuous threat detection, real-time alerts, actionable remediation guidance, and integration with centralized security management tools such as Microsoft Sentinel. By combining monitoring, compliance evaluation, and security recommendations, Defender for Cloud provides a holistic approach to virtual machine security, helping organizations maintain a strong security posture while reducing the risk of malware, ransomware, and other malicious activity.
Question 217
You need to enforce that all users sign in using multi-factor authentication (MFA) when accessing corporate resources from untrusted locations. Which feature should you use?
A) Conditional Access Policy
B) Azure AD Identity Protection
C) Privileged Identity Management
D) Password Protection
Answer: A) Conditional Access Policy
Explanation:
Conditional Access Policy in Azure Active Directory (Azure AD) is a powerful tool that allows administrators to enforce multi-factor authentication (MFA) and other access controls based on specific conditions. These conditions can include the user’s location, the device state, the sensitivity of the application being accessed, and the risk level associated with a sign-in attempt. By creating policies that respond to such conditions, organizations can apply adaptive security measures that balance protection with usability. For example, MFA can be required only when a user attempts to sign in from an untrusted location or a device that does not meet compliance requirements. This ensures that additional verification steps are applied only when necessary, reducing friction for users while maintaining a strong security posture. Conditional Access policies can also support step-up authentication, allowing users to authenticate with additional factors only when accessing high-risk resources or performing sensitive operations.
In addition, Conditional Access can include exceptions and integrate with risk signals to provide adaptive security enforcement. This means policies can automatically adjust based on the context of each sign-in, such as the device’s compliance status or unusual behavior patterns detected during authentication. By doing so, administrators can prevent unauthorized access and mitigate potential threats without applying a blanket enforcement that disrupts normal user activity. These capabilities make Conditional Access an essential tool for organizations seeking to implement zero-trust security principles, where access decisions are continuously evaluated based on real-time conditions.
While Azure AD Identity Protection is an important security feature, it serves a different purpose. Identity Protection focuses on detecting risky sign-ins and assigning risk scores to users and events. It can trigger MFA or other actions when high-risk activity is detected, such as a compromised account or suspicious login behavior. However, it does not provide the same level of conditional enforcement as Conditional Access, particularly when it comes to targeting specific locations or user groups for MFA. Identity Protection is reactive and risk-driven, whereas Conditional Access provides more flexible, proactive, and location-aware enforcement of authentication policies.
Privileged Identity Management (PIM) is another Azure AD tool that manages just-in-time access to privileged roles. While PIM can enforce MFA for role activation and ensure that administrative access is granted only for limited periods, it does not control MFA for general user sign-ins across applications. Its focus is on high-privilege access rather than day-to-day conditional access for all users.
Similarly, Password Protection enhances security by preventing the use of weak or compromised passwords, but it does not enforce MFA or implement conditional access policies. It strengthens credential hygiene but cannot adjust access requirements based on context such as location or device state.
Conditional Access Policy is the correct choice when the goal is to enforce MFA dynamically based on specific conditions. By enabling location-based MFA enforcement, it ensures that users signing in from untrusted locations or risky environments must undergo additional authentication. This approach enhances overall security while maintaining usability, allowing low-risk users to access resources without unnecessary friction. Conditional Access provides the flexibility, adaptability, and integration needed to implement modern access control strategies effectively, making it a central component of an organization’s identity security framework.
Question 218
You need to provide temporary, auditable access to an Azure Storage account for a support team, which expires automatically after 8 hours. Which solution should you implement?
A) Azure AD Privileged Identity Management
B) Role-Based Access Control permanent assignment
C) Storage Account Keys
D) Azure Policy
Answer: A) Azure AD Privileged Identity Management
Explanation:
Azure Active Directory (Azure AD) Privileged Identity Management (PIM) is a powerful security tool designed to provide just-in-time, time-bound access to Azure resources, including Azure Storage accounts. In modern cloud environments, managing privileged access is critical to minimizing security risks, preventing overprivileged users, and maintaining compliance with organizational and regulatory requirements. PIM allows administrators to assign eligible roles to users, which they can activate when needed to perform specific tasks. This activation is temporary, and the permissions automatically expire after a predefined duration, such as eight hours. By implementing time-limited access, PIM ensures that users have the privileges they need only for the time required, reducing the likelihood of accidental or malicious misuse of elevated privileges.
One of the key benefits of Azure AD PIM is its ability to provide auditing and monitoring of privileged access. Every activation of a role is recorded in audit logs, creating a detailed record of who accessed which resource, at what time, and for how long. These logs are essential for compliance reporting, internal governance, and forensic analysis in the event of security incidents. PIM also supports approval workflows, allowing administrators to require manager or security team approval before a user can activate a privileged role. Additionally, PIM can generate notifications when a role is activated or is about to expire, helping security teams maintain oversight and ensuring that no elevated access goes unnoticed. These features collectively enable organizations to implement a secure and auditable process for granting temporary access to critical resources like Azure Storage accounts.
In contrast, permanent role-based access control (RBAC) assignments grant continuous access to resources without expiration. While permanent RBAC roles are simpler to manage, they introduce significant security risks. Users with permanent access may retain unnecessary privileges long after they are required, which violates the principle of least privilege and increases the likelihood of accidental or intentional misuse. In addition, permanent access makes it more difficult to maintain an accurate audit trail and increases the burden on administrators to manually review and revoke roles when they are no longer needed.
Storage Account Keys provide another method of accessing Azure Storage accounts, but they are less secure than PIM-managed access. Keys are essentially static credentials that must be stored securely, often in code or configuration files, which increases the risk of accidental exposure or leakage. Furthermore, these keys do not enforce time-bound access and require manual rotation to maintain security. Mismanagement of keys can lead to extended periods of overprivileged access and make it difficult to track who used the key and when.
Azure Policy is designed to enforce compliance and governance rules across Azure resources, such as requiring certain configurations or restricting specific resource types. However, it does not grant temporary access, manage role activations, or enforce expiration of permissions. Azure Policy ensures that resources comply with organizational standards but does not directly help in managing privileged access in a time-limited and auditable manner.
Azure AD PIM is therefore the optimal solution for providing secure, temporary access to Azure Storage accounts. It reduces the risks associated with permanent privileges, provides a complete audit trail, supports approval workflows and notifications, and ensures that access automatically expires. By implementing PIM, organizations can maintain strong governance, minimize security exposure, and align with best practices for identity and access management.
Question 219
You need to ensure that all Azure Storage accounts are encrypted and automatically remediate unencrypted accounts across multiple subscriptions. Which solution should you implement?
A) Azure Policy with deployIfNotExists effect
B) Role-Based Access Control
C) Storage Account Keys
D) Azure Monitor Alerts
Answer: A) Azure Policy with deployIfNotExists effect
Explanation:
Azure Policy is a powerful service in Microsoft Azure that allows administrators to define and enforce rules for resources across one or more subscriptions. It provides a centralized way to ensure that resources within an organization adhere to corporate standards and regulatory requirements. One of the key features of Azure Policy is the deployIfNotExists effect, which allows for automatic remediation of non-compliant resources. For example, when applied to storage accounts, a policy with this effect can detect accounts that are not encrypted and automatically enable encryption. This proactive enforcement ensures that all storage accounts comply with organizational security requirements without requiring manual intervention by administrators. By doing so, Azure Policy helps maintain a strong security posture across the cloud environment and reduces the risk of data breaches or compliance violations.
In addition to automated remediation, Azure Policy provides continuous monitoring and reporting capabilities. Administrators can access dashboards that show the compliance status of all resources across subscriptions. These dashboards help organizations identify non-compliant resources quickly and take corrective actions if needed. The continuous compliance monitoring ensures that even as new resources are deployed or configurations change, the organization maintains adherence to its policies. This level of automation and visibility is critical in large-scale cloud environments where manual oversight is impractical and error-prone.
Role-Based Access Control, or RBAC, is another important Azure service but serves a very different purpose. RBAC allows administrators to assign permissions to users, groups, or applications so that they can perform specific actions on Azure resources. While RBAC is essential for managing access and ensuring that only authorized users can perform certain operations, it does not enforce resource configuration. For instance, RBAC cannot ensure that a storage account is encrypted or automatically remediate non-compliant resources. Its function is limited to controlling who can do what, not how resources are configured or maintained in a secure state.
Similarly, Storage Account Keys provide credentials that allow access to storage accounts. These keys are necessary for authentication and authorization when accessing data in storage accounts. However, they do not provide any enforcement of policies or compliance monitoring. Storage Account Keys cannot automatically enable encryption on unencrypted accounts, nor can they provide visibility into compliance status. They are focused on access rather than governance or security enforcement.
Azure Monitor Alerts is another Azure tool that helps administrators track and respond to issues. Alerts can be configured to notify administrators when storage accounts are not compliant or when specific conditions are met. While this provides visibility and can prompt corrective actions, Azure Monitor Alerts are reactive rather than proactive. They do not automatically remediate non-compliant resources or enforce encryption policies.
Therefore, Azure Policy with the deployIfNotExists effect is the most effective solution for ensuring that all storage accounts remain encrypted and compliant. It provides automated enforcement, continuous monitoring, and remediation capabilities, which significantly reduce security risk and administrative overhead. By implementing such policies, organizations can maintain consistent security standards across their cloud environment and ensure that compliance requirements are continuously met.
Question 220
You need to ensure that outbound traffic from Azure virtual machines is routed through a central firewall and limited to approved endpoints for inspection. Which solution should you implement?
A) Azure Firewall with forced tunneling
B) Network Security Group
C) Azure Policy
D) Azure Monitor Metrics
Answer: A) Azure Firewall with forced tunneling
Explanation:
Azure Firewall with forced tunneling is a comprehensive network security solution that enables organizations to manage and control outbound traffic from Azure virtual machines in a centralized and auditable manner. In a typical Azure environment, virtual machines can initiate outbound connections directly to the internet unless specific controls are implemented. By deploying Azure Firewall with forced tunneling, all outbound traffic from VMs is directed through a central firewall, ensuring that traffic cannot bypass security controls. This approach allows administrators to implement a strict egress policy, ensuring that only approved destinations are accessible while all other communication is blocked. Forced tunneling enforces the routing of traffic through the firewall, providing a single point of inspection and control for outbound network communications.
Administrators can define both network-level and application-level rules in Azure Firewall. Network rules allow filtering based on IP addresses, ports, and protocols, while application rules enable domain-level filtering, allowing or denying access to specific websites or services. This dual-layer filtering capability ensures that both network traffic and application-level communication are subject to security policies, helping prevent unauthorized access, malware communication, and data exfiltration. In addition, Azure Firewall provides logging and auditing features, which capture detailed records of all traffic passing through the firewall. These logs can be integrated with monitoring and security information and event management (SIEM) systems, offering visibility into network activity, supporting compliance audits, and enabling forensic analysis in case of security incidents.
In contrast, Network Security Groups (NSGs) filter traffic at the network level using IP addresses and ports. While NSGs are useful for controlling inbound and outbound traffic at the subnet or virtual machine level, they do not provide centralized inspection or domain-based filtering. NSGs alone cannot enforce comprehensive outbound traffic control or ensure that all traffic is routed through a centralized security point. Without additional solutions, NSGs cannot prevent virtual machines from accessing unapproved destinations on the internet, which may expose the environment to security risks.
Azure Policy is a service designed to enforce compliance and configuration standards for resources within Azure. Although it is valuable for ensuring that resources adhere to organizational or regulatory requirements, Azure Policy cannot control the routing of network traffic or inspect outbound communications. It is focused on governance and configuration enforcement rather than real-time traffic control or security inspection.
Similarly, Azure Monitor Metrics collects operational telemetry, performance data, and resource utilization metrics. While monitoring is important for understanding system health and performance trends, it does not provide the ability to block, allow, or inspect outbound network traffic. It is not a preventive control mechanism for network security.
Azure Firewall with forced tunneling is the most effective solution for organizations seeking centralized control over outbound traffic from virtual machines. It ensures that all communication passes through a managed, auditable security point, where network and application rules can be enforced. By combining forced tunneling with logging and inspection capabilities, Azure Firewall supports security best practices, reduces exposure to threats, and ensures compliance with organizational policies and regulatory standards. This makes it the preferred method for managing secure outbound traffic from Azure virtual machines.
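The routing point in Questions 215 and 220 can be verified on a running NIC: once a 0.0.0.0/0 user-defined route points at the firewall, the platform's default Internet route shows as Invalid in the effective route table, and any remaining Active route with an Internet next hop is a bypass. The following audit is an added example (not code from the page or from Microsoft); it assumes the JSON shape printed by `az network nic show-effective-route-table -o json` (value[].addressPrefix, nextHopType, nextHopIpAddress, source, state), a firewall private IP of 10.0.1.4, and a constructed sample route table.

```python
"""Audit a NIC's effective routes for internet egress that bypasses the central firewall."""
import ipaddress
import json

FIREWALL_PRIVATE_IP = "10.0.1.4"  # assumed private IP of the AzureFirewallSubnet instance

# Constructed sample of `az network nic show-effective-route-table -o json` output:
# the 0.0.0.0/0 UDR to the firewall has invalidated the default Internet route,
# but a forgotten UDR still sends one prefix straight to the Internet.
SAMPLE_EFFECTIVE_ROUTES = json.dumps({"value": [
    {"addressPrefix": ["10.0.0.0/16"], "nextHopType": "VnetLocal",
     "nextHopIpAddress": [], "source": "Default", "state": "Active"},
    {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "Internet",
     "nextHopIpAddress": [], "source": "Default", "state": "Invalid"},
    {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "VirtualAppliance",
     "nextHopIpAddress": ["10.0.1.4"], "source": "User", "state": "Active"},
    {"addressPrefix": ["203.0.113.0/24"], "nextHopType": "Internet",
     "nextHopIpAddress": [], "source": "User", "state": "Active"},
]})


def active_routes(effective_routes_json):
    """Only Active routes are used for forwarding; Invalid ones were overridden by a UDR."""
    routes = json.loads(effective_routes_json)["value"]
    return [r for r in routes if r.get("state") == "Active"]


def default_route_goes_to_firewall(effective_routes_json, firewall_ip=FIREWALL_PRIVATE_IP):
    """True when the active 0.0.0.0/0 route is a VirtualAppliance hop at the firewall IP."""
    for r in active_routes(effective_routes_json):
        if "0.0.0.0/0" in r["addressPrefix"]:
            return r["nextHopType"] == "VirtualAppliance" and firewall_ip in r["nextHopIpAddress"]
    return False


def internet_bypass_prefixes(effective_routes_json):
    """Prefixes that reach the Internet without passing through the firewall."""
    found = []
    for r in active_routes(effective_routes_json):
        if r["nextHopType"] == "Internet":
            found.extend(r["addressPrefix"])
    return sorted(found)


def next_hop_for(effective_routes_json, destination):
    """Longest-prefix match over active routes, the rule Azure applies to pick the next hop."""
    dest = ipaddress.ip_address(destination)
    best = None
    for r in active_routes(effective_routes_json):
        for prefix in r["addressPrefix"]:
            net = ipaddress.ip_network(prefix)
            if dest in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, r["nextHopType"], r["nextHopIpAddress"])
    if best is None:
        return None
    return best[1], (best[2][0] if best[2] else None)


def audit(effective_routes_json, firewall_ip=FIREWALL_PRIVATE_IP):
    """Findings a defender would want to act on before calling egress 'inspected'."""
    findings = []
    if not default_route_goes_to_firewall(effective_routes_json, firewall_ip):
        findings.append("0.0.0.0/0 is not routed to the firewall at %s" % firewall_ip)
    for prefix in internet_bypass_prefixes(effective_routes_json):
        findings.append("active route %s -> Internet bypasses inspection" % prefix)
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_EFFECTIVE_ROUTES):
        print(line)
```

Run it against the real CLI output of every NIC in the subnet, since a more specific route (here 203.0.113.0/24) wins over 0.0.0.0/0 and silently skips the firewall.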
Question 221
You need to ensure that developers can securely retrieve secrets from an Azure Key Vault without storing credentials in code. Which solution should you implement?
A) System-assigned Managed Identity
B) Service Principal with stored secret
C) Connection string with embedded key
D) Shared Access Signature (SAS)
Answer: A) System-assigned Managed Identity
Explanation:
System-assigned Managed Identity gives an Azure resource an identity in Azure Active Directory (now Microsoft Entra ID) that it can use to authenticate to other Azure services, such as Azure Key Vault, without any credential being stored in application code or configuration files. When the identity is enabled on a resource such as a virtual machine, App Service, or Azure Function, Azure creates a service principal tied to that resource's lifecycle: it is created with the resource and deleted with it, so there is nothing to rotate or clean up by hand. The credential behind the identity is held and rotated by the platform; the application only asks a local, resource-scoped endpoint (the Instance Metadata Service on a VM, or the IDENTITY_ENDPOINT exposed to App Service and Functions) for a short-lived access token for the target service, and that token is what Azure AD issues.
Access to Azure Key Vault can be granted either with Azure RBAC, which is the recommended permission model (the built-in Key Vault Secrets User role is enough to read secrets), or with the legacy Key Vault access policies. By using a system-assigned Managed Identity, an application requests a token from Azure AD and presents it to Key Vault to retrieve secrets, keys, and certificates. This removes the need to hardcode secrets or store them in configuration files, which significantly reduces the likelihood of accidental exposure or leakage. It also ensures that access is identity-based and auditable, since every Key Vault request is logged against the identity's object ID, enabling organizations to enforce compliance policies effectively.
In contrast, using a Service Principal with a manually stored secret requires administrators or developers to manage credentials themselves. This involves storing secrets in code, environment variables, or configuration files, which introduces significant security risks. Secrets may be accidentally checked into source control, shared improperly, or forgotten when it comes time to rotate them. Manual rotation of credentials is error-prone, and any lapse can lead to unauthorized access or non-compliance with organizational security policies.
Similarly, embedding connection strings with keys directly in code is considered a poor security practice. While this method allows applications to access Azure resources, it exposes sensitive credentials to potential compromise. If the code repository is breached or accidentally shared, attackers could gain direct access to the resources. This approach violates modern best practices for secret management and increases the risk of unauthorized access.
Shared Access Signatures, or SAS tokens, are a form of delegated access issued by Azure Storage (and a few other data services). A SAS token grants temporary, fine-grained access to specific resources without exposing the storage account keys, but it is still a bearer credential that has to be generated, distributed, and protected. SAS tokens are not accepted by Azure Key Vault and do not provide identity-based access control for applications; they cannot replace the credential-free authentication that Managed Identities provide.
System-assigned Managed Identity is the preferred approach because it provides automated, secure authentication to Azure Key Vault without requiring manual secret management. It ensures that tokens are issued and rotated automatically, integrates seamlessly with RBAC or Key Vault access policies, and reduces the risk of credential leakage. By using system-assigned Managed Identities, organizations can improve security, maintain compliance, and simplify the management of access credentials across their Azure resources.
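The token flow described above, written against the public REST endpoints as an added example (this is not code from the exam page; in production the Azure SDK's DefaultAzureCredential and SecretClient do the same work). Spelling it out shows where the "credential" actually comes from: a platform-local endpoint that is only reachable from inside the resource. The vault name, secret name, and environment values are made up for illustration.

```python
"""Managed identity token flow against the public REST endpoints (added example)."""
import json
import os
import urllib.parse
import urllib.request

KEY_VAULT_RESOURCE = "https://vault.azure.net"  # token audience for Key Vault


def build_token_request(environ=None):
    """Return (url, headers) for the platform-local managed identity endpoint.

    App Service and Functions inject IDENTITY_ENDPOINT and IDENTITY_HEADER into
    the process environment; a VM uses the Instance Metadata Service at
    169.254.169.254 instead. Neither path involves a stored secret: the endpoint
    is only reachable from inside the resource that owns the identity.
    """
    env = os.environ if environ is None else environ
    resource = urllib.parse.quote(KEY_VAULT_RESOURCE, safe="")
    endpoint = env.get("IDENTITY_ENDPOINT")
    header = env.get("IDENTITY_HEADER")
    if endpoint and header:
        url = f"{endpoint}?api-version=2019-08-01&resource={resource}"
        return url, {"X-IDENTITY-HEADER": header}
    url = ("http://169.254.169.254/metadata/identity/oauth2/token"
           f"?api-version=2018-02-01&resource={resource}")
    return url, {"Metadata": "true"}


def http_get_json(url, headers):
    """Plain GET returning the decoded JSON body (used when running for real)."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def get_secret(vault_name, secret_name, environ=None, http_get=http_get_json):
    """Fetch a secret's value using only the managed identity's access token.

    The identity must hold the Key Vault Secrets User RBAC role on the vault
    (or 'get' secret permission under the legacy access-policy model).
    http_get is injectable so the flow can be exercised offline.
    """
    token_url, token_headers = build_token_request(environ)
    token = http_get(token_url, token_headers)["access_token"]
    secret_url = (f"https://{vault_name}.vault.azure.net/secrets/"
                  f"{urllib.parse.quote(secret_name)}?api-version=7.4")
    body = http_get(secret_url, {"Authorization": f"Bearer {token}"})
    return body["value"]


if __name__ == "__main__":
    # Only works inside an Azure resource that has a managed identity enabled
    # and has been granted access to the (hypothetical) vault "contoso-kv".
    print(get_secret("contoso-kv", "db-password"))
```

The one-time setup behind this, using the real Azure CLI commands with placeholder names: `az webapp identity assign -g <rg> -n <app>` turns the identity on and prints its principalId, then `az role assignment create --assignee <principalId> --role "Key Vault Secrets User" --scope <vault resource id>` grants read access. Nothing in the application's code or settings changes when the underlying credential rotates.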
Question 222
You need to enforce that all Azure Storage accounts are encrypted and automatically remediate unencrypted accounts across multiple subscriptions. Which solution should you implement?
A) Azure Policy with deployIfNotExists effect
B) Role-Based Access Control
C) Storage Account Keys
D) Azure Monitor Alerts
Answer: A) Azure Policy with deployIfNotExists effect
Explanation:
Azure Policy is a powerful governance tool within Microsoft Azure that allows administrators to define and enforce rules for resource configurations across one or multiple subscriptions. It is designed to help organizations maintain compliance with internal standards, regulatory requirements, and security best practices by continuously evaluating resources against established policies. One of the significant features of Azure Policy is the ability to apply effects, such as deny, audit, or deployIfNotExists, to enforce and remediate resource configurations automatically. This makes Azure Policy particularly valuable for ensuring that critical security measures, such as encryption, are consistently applied across all resources, including storage accounts.
For example, a policy with the deployIfNotExists effect can bring every non-compliant storage account to the required configuration. A practitioner should note that Storage Service Encryption at rest with Microsoft-managed keys is always on for every storage account and cannot be disabled, so what such a policy remediates in practice is the encryption-related settings that can actually be missing, such as secure transfer (HTTPS only), a minimum TLS version, or customer-managed keys (settings that can only be chosen at creation time, such as infrastructure encryption, are better enforced with the deny effect). The deployIfNotExists effect evaluates a resource when it is created or updated, checks the property or related resource named in its existenceCondition, and if the condition is not met runs the ARM template in its deployment section under the policy assignment's managed identity, which must hold the roles listed in roleDefinitionIds. Resources that already existed before the assignment are only fixed once a remediation task is created for that assignment (for example with az policy remediation create). With that in place, remediation needs no manual intervention, which reduces the risk of human error and keeps the security requirement consistently enforced across every subscription in scope.
In addition to automated remediation, Azure Policy provides continuous monitoring and compliance reporting. It regularly evaluates resources against the defined policy rules, identifying those that are compliant and those that are not. Administrators can generate reports that offer visibility into the overall compliance posture of the environment, helping organizations demonstrate adherence to regulatory standards or internal security policies. This proactive monitoring allows teams to identify and address non-compliant resources before they can pose a security risk, improving both governance and operational efficiency.
Role-Based Access Control (RBAC), while essential for managing permissions and access to Azure resources, does not enforce configurations or remediate non-compliant resources. RBAC ensures that users and service principals have the appropriate level of access to perform their tasks but does not provide mechanisms to enforce security configurations like encryption. RBAC focuses on access control rather than proactive compliance or automated resource management, meaning that administrators must rely on separate tools or manual processes to ensure resource configurations meet organizational standards.
Similarly, Storage Account Keys provide credentials to access storage accounts but do not influence configuration settings or enforce compliance. They are essentially authentication mechanisms, granting access to storage resources, but they do not provide any capabilities to enforce encryption, monitor compliance, or automatically remediate non-compliant accounts. Reliance on storage keys alone leaves organizations vulnerable to unencrypted data and human errors.
Azure Monitor Alerts can notify administrators about non-compliant storage accounts, such as those lacking encryption. However, alerts are reactive rather than proactive. While they inform administrators of issues, they do not automatically enforce compliance or remediate non-compliant resources. Administrators would still need to take manual steps to correct any deficiencies, which introduces delays and potential security gaps.
Azure Policy with the deployIfNotExists effect is the optimal solution for enforcing encryption across storage accounts in Azure. It provides continuous monitoring, automated remediation, and compliance reporting, ensuring that all resources adhere to organizational security standards. By implementing this policy, organizations reduce the risk of data exposure, maintain regulatory compliance, and streamline the enforcement of critical security configurations across multiple subscriptions.
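What such a definition looks like, as an added example that is not from the exam page or from Microsoft's built-in policies. Because encryption at rest cannot be switched off, the definition targets two settings that can be missing (HTTPS-only transfer and minimum TLS 1.2). The small evaluator underneath approximates how the control plane applies the "if" block and the existenceCondition, so you can predict which accounts a remediation task would touch; the storage account records passed to it are constructed. The ARM template is a minimal illustration: check alias names with `az provider show --namespace Microsoft.Storage --expand "resourceTypes/aliases"` before relying on them.

```python
"""Azure Policy deployIfNotExists definition plus a local evaluator (added example)."""
import json

STORAGE_ACCOUNT_CONTRIBUTOR = (  # built-in role the remediation identity needs
    "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"
)

POLICY_DEFINITION = {
    "mode": "Indexed",
    "policyRule": {
        "if": {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        "then": {
            "effect": "deployIfNotExists",
            "details": {
                "type": "Microsoft.Storage/storageAccounts",
                "name": "[field('name')]",
                # Compliant only if BOTH settings already hold; otherwise deploy.
                "existenceCondition": {"allOf": [
                    {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                     "equals": "true"},
                    {"field": "Microsoft.Storage/storageAccounts/minimumTlsVersion",
                     "equals": "TLS1_2"},
                ]},
                "roleDefinitionIds": [STORAGE_ACCOUNT_CONTRIBUTOR],
                "deployment": {"properties": {
                    "mode": "incremental",
                    "template": {
                        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {"name": {"type": "string"}, "location": {"type": "string"},
                                       "skuName": {"type": "string"}, "kind": {"type": "string"}},
                        "resources": [{
                            "type": "Microsoft.Storage/storageAccounts",
                            "apiVersion": "2022-09-01",
                            "name": "[parameters('name')]",
                            "location": "[parameters('location')]",
                            "sku": {"name": "[parameters('skuName')]"},
                            "kind": "[parameters('kind')]",
                            "properties": {"supportsHttpsTrafficOnly": True,
                                           "minimumTlsVersion": "TLS1_2"},
                        }],
                    },
                    # Parameter values are copied from the non-compliant account itself.
                    "parameters": {
                        "name": {"value": "[field('name')]"},
                        "location": {"value": "[field('location')]"},
                        "skuName": {"value": "[field('Microsoft.Storage/storageAccounts/sku.name')]"},
                        "kind": {"value": "[field('kind')]"},
                    },
                }},
            },
        },
    },
}


def policy_rules_json():
    """policyRule as JSON, suitable for `az policy definition create --rules`."""
    return json.dumps(POLICY_DEFINITION["policyRule"], indent=2)


def _field(resource, alias):
    """Resolve a policy field or alias against a resource dict (local approximation)."""
    if alias in ("type", "name", "location", "kind"):
        return resource.get(alias)
    prefix = resource.get("type", "") + "/"
    if not alias.startswith(prefix):
        return None
    value = resource.get("properties", {})
    for part in alias[len(prefix):].split("."):
        value = value.get(part) if isinstance(value, dict) else None
    return value


def _matches(condition, resource):
    if "allOf" in condition:
        return all(_matches(c, resource) for c in condition["allOf"])
    if "not" in condition:
        return not _matches(condition["not"], resource)
    value = _field(resource, condition["field"])
    # Policy string comparisons are case-insensitive; booleans compare as text.
    return str(value).lower() == str(condition["equals"]).lower()


def evaluate(resource, policy=POLICY_DEFINITION):
    """Return 'not-applicable', 'compliant' or 'remediate' for one resource."""
    rule = policy["policyRule"]
    if not _matches(rule["if"], resource):
        return "not-applicable"
    if _matches(rule["then"]["details"]["existenceCondition"], resource):
        return "compliant"
    return "remediate"
```

To deploy it for real: write `policy_rules_json()` to a file, create the definition with `az policy definition create --name <name> --mode Indexed --rules <file>`, assign it with `az policy assignment create --policy <name> --scope <scope> --mi-system-assigned --location <region> --role "Storage Account Contributor"`, and run `az policy remediation create --name <name> --policy-assignment <assignment>` for the accounts that already exist. A missing property evaluates to None here, which the evaluator treats as non-compliant, matching what the existenceCondition would do for an account that never had minimumTlsVersion set.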
Question 223
You need to detect suspicious Azure AD sign-ins, including impossible travel events and multiple failed login attempts. Which service should you enable?
A) Azure AD Identity Protection
B) Azure Security Center
C) Microsoft Defender for Endpoint
D) Azure Monitor Metrics
Answer: A) Azure AD Identity Protection
Explanation:
Azure AD Identity Protection (now Microsoft Entra ID Protection) monitors sign-ins for suspicious activity such as impossible travel between two sign-in locations, bursts of failed sign-in attempts typical of password spray or brute force, and atypical locations. It calculates risk levels for users and for individual sign-ins and can trigger automated responses, including an MFA challenge, a forced password change, or blocking access. It also integrates with Conditional Access, so sign-in risk and user risk policies can enforce these actions adaptively based on the detected risk level.
Azure Security Center (now part of Microsoft Defender for Cloud) evaluates resources for vulnerabilities and misconfigurations but does not provide identity-based risk analysis for sign-ins or detect account compromise events.
Microsoft Defender for Endpoint protects devices from malware, ransomware, and exploits but does not monitor Azure AD sign-ins or detect suspicious account activity.
Azure Monitor Metrics collects telemetry and performance data but cannot detect identity-related threats or trigger automated remediation actions.
Azure AD Identity Protection is correct because it provides proactive identity threat detection, automated responses, and integration with Conditional Access to protect Azure AD accounts.
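Two of the heuristics those detections are built around, run over constructed sign-in records, as an added example. This is not Identity Protection's own logic (its detections are proprietary and use far more signal than this); it shows the shape of what "impossible travel" and "failed sign-in burst" mean so that analysts can reason about the alerts. The records mimic a few SigninLogs fields, and the users, cities, and coordinates are made up.

```python
"""Impossible travel and failed-sign-in burst heuristics over sample records (added example)."""
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

SIGNINS = [  # constructed sample data
    {"user": "alice@contoso.com", "time": "2024-05-01T08:00:00Z",
     "city": "Seattle", "lat": 47.61, "lon": -122.33, "result": "success"},
    {"user": "alice@contoso.com", "time": "2024-05-01T09:00:00Z",
     "city": "Kyiv", "lat": 50.45, "lon": 30.52, "result": "success"},
    {"user": "carol@contoso.com", "time": "2024-05-01T10:00:00Z",
     "city": "Seattle", "lat": 47.61, "lon": -122.33, "result": "success"},
    {"user": "carol@contoso.com", "time": "2024-05-01T13:00:00Z",
     "city": "Portland", "lat": 45.52, "lon": -122.68, "result": "success"},
]
# bob: six wrong passwords within five minutes, then a success (constructed).
SIGNINS += [
    {"user": "bob@contoso.com", "time": f"2024-05-01T11:0{i}:00Z",
     "city": "Dublin", "lat": 53.35, "lon": -6.26, "result": "failure"}
    for i in range(6)
] + [{"user": "bob@contoso.com", "time": "2024-05-01T11:07:00Z",
      "city": "Dublin", "lat": 53.35, "lon": -6.26, "result": "success"}]


def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ")


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_speed_kmh=900.0):
    """Flag consecutive successful sign-ins by one user that would require
    travelling faster than max_speed_kmh (roughly airliner speed)."""
    by_user = {}
    for e in sorted(events, key=_ts):
        if e["result"] == "success":
            by_user.setdefault(e["user"], []).append(e)
    findings = []
    for user, seq in by_user.items():
        for prev, cur in zip(seq, seq[1:]):
            hours = (_ts(cur) - _ts(prev)).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            speed = km / hours if hours > 0 else float("inf")
            if km > 0 and speed > max_speed_kmh:
                findings.append({"user": user, "from": prev["city"],
                                 "to": cur["city"], "kmh": round(speed)})
    return findings


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Flag users with at least `threshold` failed sign-ins inside any
    sliding window of length `window` (one finding per user)."""
    by_user = {}
    for e in sorted(events, key=_ts):
        if e["result"] == "failure":
            by_user.setdefault(e["user"], []).append(_ts(e))
    findings = []
    for user, times in by_user.items():
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= threshold:
                findings.append({"user": user, "count": count,
                                 "window_start": start.isoformat()})
                break
    return findings


if __name__ == "__main__":
    for f in impossible_travel(SIGNINS) + failed_login_bursts(SIGNINS):
        print(f)
```

Carol's Seattle to Portland hop (about 230 km in three hours) is not flagged, Alice's Seattle to Kyiv hop within an hour is, and Bob's six failures in five minutes cross the default threshold. The real service additionally weighs familiar devices, VPN and cloud IP ranges, and the user's history, which is why it reports a risk level rather than a binary hit.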
Question 224
You need to provide temporary administrative access to Azure SQL Database for support staff, with access automatically expiring after 6 hours. Which solution should you implement?
A) Azure AD Privileged Identity Management
B) Role-Based Access Control permanent assignment
C) SQL Server Active Directory Admin
D) Azure Key Vault Access Policy
Answer: A) Azure AD Privileged Identity Management
Explanation:
Azure AD Privileged Identity Management (PIM) provides just-in-time access to Azure resources. Support staff are made eligible for a role such as SQL DB Contributor or SQL Server Contributor on the server or database resource, activate it when they need it (optionally after approval and an MFA prompt), and the assignment is removed automatically once the configured maximum activation duration, here 6 hours, elapses. PIM also records every activation in its audit log and can notify administrators, ensuring secure and compliant access while minimizing standing privileged assignments. Note that an Azure resource role governs the management plane; if staff need time-bound rights inside the database itself, the usual pattern is Azure AD authentication to SQL with a database role mapped to an Azure AD group whose membership is governed by PIM for Groups.
Permanent RBAC assignments provide continuous access and do not meet the requirement for temporary, time-bound access. This approach increases security risk.
SQL Server Active Directory Admin provides administrative privileges but does not support automatic expiration of access. Manual revocation is required, which may cause delays or errors.
Azure Key Vault Access Policies manage access to secrets, keys, and certificates but cannot provide temporary administrative access to SQL Database.
Azure AD PIM is correct because it ensures secure, auditable, and automatically expiring access, aligning with best practices for least privilege and governance.
Question 225
You need to ensure that outbound traffic from Azure virtual machines is routed through a central firewall and limited to approved endpoints for inspection. Which solution should you implement?
A) Azure Firewall with forced tunneling
B) Network Security Group
C) Azure Policy
D) Azure Monitor Metrics
Answer: A) Azure Firewall with forced tunneling
Explanation:
Azure Firewall with forced tunneling ensures all outbound traffic from Azure virtual machines is routed through a central inspection point. Administrators define network rules (IP, port, protocol) and application rules (FQDNs, including wildcards and FQDN tags) to allow traffic only to approved endpoints while denying everything else, and the firewall logs every allowed and denied flow for auditing. Two pieces of routing work together here: a user-defined route for 0.0.0.0/0 with next hop type VirtualAppliance and the firewall's private IP on each workload subnet steers VM traffic to the firewall, and forced tunneling, enabled when the firewall is deployed (it requires an AzureFirewallManagementSubnet), sends the firewall's own Internet-bound traffic back to an on-premises or partner inspection point rather than straight out. As long as no more specific route on the workload subnet points at Internet, VMs cannot bypass the firewall.
Network Security Groups filter traffic by IP, port, protocol, and service tag but cannot filter by FQDN, perform inspection, or give a single central enforcement point. NSGs alone are insufficient for controlling all outbound traffic.
Azure Policy enforces resource configuration compliance but does not manage network routing or inspect traffic.
Azure Monitor Metrics collects operational telemetry but cannot enforce restrictions or perform traffic inspection.
Azure Firewall with forced tunneling is correct because it provides centralized control, inspection, and restriction of outbound traffic, ensuring security and compliance for virtual machines.
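A check for the routing half of this design, as an added example that is not from the exam page or from Azure's own tooling. It models Azure's route selection (longest prefix match, with a user-defined route winning a tie against a system route) and reports anything in a subnet's route table that would let traffic reach the Internet without passing the firewall. The route tables and addresses are constructed; on a real NIC, compare against the output of `az network nic show-effective-route-table`.

```python
"""Detect routes that let a VM bypass Azure Firewall (added example)."""
import ipaddress

BYPASS_HOPS = {"Internet", "VirtualNetworkGateway"}   # next hops that skip the firewall
SOURCE_RANK = {"User": 2, "VirtualNetworkGateway": 1, "Default": 0}  # tie-break order


def route(prefix, next_hop_type, next_hop_ip=None, source="User"):
    """One effective route; source is 'Default' (system), 'VirtualNetworkGateway' (BGP) or 'User'."""
    return {"prefix": ipaddress.ip_network(prefix), "next_hop_type": next_hop_type,
            "next_hop_ip": next_hop_ip, "source": source}


def select_route(destination, routes):
    """Return the route Azure would use for `destination`: the longest matching
    prefix wins; on equal length a user-defined route beats BGP beats system."""
    dest = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dest in r["prefix"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["prefix"].prefixlen, SOURCE_RANK.get(r["source"], 0)))


def firewall_bypass_routes(routes, firewall_ip):
    """List the problems that would let Internet-bound traffic skip the firewall."""
    problems = []
    defaults = [r for r in routes if r["prefix"].prefixlen == 0]
    default = max(defaults, key=lambda r: SOURCE_RANK.get(r["source"], 0)) if defaults else None
    if (default is None or default["next_hop_type"] != "VirtualAppliance"
            or default["next_hop_ip"] != firewall_ip):
        problems.append("default route 0.0.0.0/0 does not point at the firewall")
    for r in routes:
        # Any more-specific route to Internet or a gateway wins over 0.0.0.0/0.
        if r["prefix"].prefixlen > 0 and r["next_hop_type"] in BYPASS_HOPS:
            problems.append(f"{r['prefix']} -> {r['next_hop_type']} is more specific than "
                            "the default route and bypasses the firewall")
    return problems


# Constructed data: system routes Azure installs for a 10.0.0.0/16 VNet, the
# firewall's private IP in AzureFirewallSubnet, and two candidate route tables.
SYSTEM_ROUTES = [
    route("10.0.0.0/16", "VirtualNetwork", source="Default"),
    route("0.0.0.0/0", "Internet", source="Default"),
]
FIREWALL_IP = "10.0.1.4"
LOCKED_DOWN = SYSTEM_ROUTES + [route("0.0.0.0/0", "VirtualAppliance", FIREWALL_IP)]
LEAKY = LOCKED_DOWN + [route("52.0.0.0/8", "Internet")]  # a well-meant "exception"

if __name__ == "__main__":
    for name, table in (("locked-down", LOCKED_DOWN), ("leaky", LEAKY)):
        print(name, firewall_bypass_routes(table, FIREWALL_IP) or "ok")
```

The leaky table is the common failure mode: the default route is correct, but someone later adds a narrower prefix with next hop Internet to "fix" a connectivity problem, and every destination inside that prefix silently stops being inspected. Service endpoints and, on the firewall's own subnet, the forced-tunneling route are separate concerns and are not modelled here.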