Microsoft AZ-500 Azure Security Technologies Exam Dumps and Practice Test Questions Set 10 Q136-150
Question 136
You need to enforce that only devices meeting compliance policies can access corporate resources and require multi-factor authentication for risky sign-ins. Which solution should you implement?
A) Conditional Access with Intune compliance policies and risk-based MFA
B) Azure Key Vault
C) Network Security Group
D) Azure Policy
Answer: A) Conditional Access with Intune compliance policies and risk-based MFA
Explanation:
Conditional Access evaluates signals such as user identity, group membership, device compliance state, location and sign-in or user risk, and then grants, challenges or blocks access. Intune reports each enrolled device's compliance state (disk encryption, OS version and patch level, antivirus status, no jailbreak or root) to the directory, and a Conditional Access policy with the "Require device to be marked as compliant" grant control admits only devices Intune has marked compliant. Risk-based policies use the sign-in risk and user risk conditions fed by Identity Protection to require multi-factor authentication (MFA) for medium- or high-risk sign-ins, such as logins from unfamiliar locations or atypical travel. Note that the risk conditions need a Microsoft Entra ID P2 licence, while device-based Conditional Access works with P1.
Azure Key Vault secures cryptographic keys and secrets but does not enforce access policies or device compliance.
Network Security Groups filter network traffic but cannot evaluate user risk or enforce authentication requirements.
Azure Policy enforces resource compliance but does not manage user or device access or authentication policies.
Conditional Access with Intune compliance and risk-based MFA is the correct solution because it implements zero-trust security principles. Only authorized users on compliant devices can access applications, while high-risk sign-ins are mitigated with MFA. Logging and audit trails provide visibility and support regulatory reporting. This approach strengthens security posture by preventing unauthorized access, reducing the risk of compromised credentials, and ensuring secure operations according to organizational and regulatory requirements.
Question 137
You need to ensure that all Azure Storage accounts are encrypted and monitor compliance across multiple subscriptions. Which solution should you implement?
A) Azure Policy with encryption requirements
B) Microsoft Defender for Cloud
C) Network Security Group
D) Azure Key Vault
Answer: A) Azure Policy with encryption requirements
Explanation:
Azure Policy lets administrators define rules that resources must satisfy and evaluates every resource in scope against them on creation, on update and in the periodic compliance scan. One caveat matters here: Storage Service Encryption at rest is always on and cannot be disabled, so the encryption settings a policy actually governs are the ones that vary per account, namely infrastructure (double) encryption, customer-managed keys from Key Vault, and secure transfer (HTTPS only) with a minimum TLS version. Built-in definitions exist for each (for example "Storage accounts should have infrastructure encryption" and "Secure transfer to storage accounts should be enabled"). A Deny effect blocks non-compliant deployments outright; Modify or DeployIfNotExists effects fix existing accounts through a remediation task. Initiatives group related policies into a single assignment, and the compliance view aggregates results across every subscription under the assigned management group.
Microsoft Defender for Cloud surfaces security recommendations and secure-score posture; those recommendations are themselves produced by Azure Policy audit assignments (the Microsoft cloud security benchmark initiative). Defender reports on unencrypted or HTTP-enabled accounts, but it does not reject a deployment the way a Deny policy does.
Network Security Groups filter traffic but cannot enforce encryption or monitor compliance.
Azure Key Vault stores encryption keys but does not enforce encryption across multiple storage accounts.
Azure Policy with encryption requirements is the correct solution because it ensures consistent application of encryption standards, reduces the risk of unencrypted data exposure, and supports regulatory compliance. Automated remediation ensures that non-compliant accounts are corrected without manual intervention, while dashboards provide centralized visibility. This strengthens organizational security posture by ensuring data protection and operational governance.
Question 138
You need to detect risky sign-ins in Azure AD, including impossible travel and unfamiliar devices, and automatically enforce mitigation actions. Which solution should you implement?
A) Azure AD Identity Protection
B) Azure Policy
C) Network Security Group
D) Microsoft Defender for Cloud
Answer: A) Azure AD Identity Protection
Explanation:
Azure AD Identity Protection (now Microsoft Entra ID Protection) is the component of Microsoft's identity platform that detects compromised or at-risk identities. It applies heuristics and machine learning to sign-in telemetry, threat intelligence and leaked-credential feeds to assign each sign-in and each user a risk level (low, medium or high), so that organizations can respond before an account compromise is exploited. Unlike static rule sets, it evaluates sign-in activity continuously, surfacing anomalies that may indicate credential theft or malicious use.
Some of the key scenarios Azure AD Identity Protection addresses include impossible travel events, where a user signs in from geographically distant locations within a timeframe that would be physically impossible; unfamiliar sign-in locations that differ from a user’s normal patterns; atypical sign-in behaviors, such as accessing resources at unusual times or from unfamiliar devices; and exposure of credentials in known data breaches. By monitoring these signals, the system generates a risk score for each sign-in attempt and for each user, providing administrators with actionable insights to prevent potential compromises before they escalate.
Once risky sign-ins or high-risk accounts are detected, Azure AD Identity Protection can automatically trigger remediation actions based on predefined policies. For example, if a sign-in is flagged as high risk, the system can require the user to complete multi-factor authentication, reset their password, or even temporarily block access until the account can be verified. These automated responses minimize human intervention, reduce response times, and help organizations address threats in real-time. By integrating with Conditional Access policies, administrators can dynamically enforce security measures based on the calculated risk level, ensuring that only verified and compliant users are allowed to access sensitive applications and data.
While other Azure services contribute to security, they do not address identity-specific threats in the same way. Azure Policy is a governance tool designed to enforce configuration compliance across resources, such as requiring encryption, tagging, or specific VM configurations, but it does not monitor user sign-ins or detect identity-based risks. Network Security Groups (NSGs) are effective at filtering inbound and outbound traffic based on IP addresses, ports, and protocols, yet they operate purely at the network level and cannot evaluate the legitimacy or risk level of user sign-ins. Microsoft Defender for Cloud provides monitoring, threat detection, and recommendations for Azure resources, but it does not analyze Azure AD sign-in activity or assess the risk associated with user credentials.
Azure AD Identity Protection fills this gap by combining detection, evaluation, and automated mitigation for identity-related threats. Together with Conditional Access, which consumes its risk levels as policy conditions, it supports zero-trust principles: users are continuously verified, device compliance is checked, and sign-in behavior is compared against expected patterns. Its risk detections, risky users and risky sign-ins reports, and the Entra sign-in and audit logs give security teams the context to investigate an incident and to confirm or dismiss a risk, and they support compliance reporting. By proactively addressing identity risks, organizations reduce the likelihood of unauthorized access, credential compromise, and downstream security incidents.
Overall, Azure AD Identity Protection is the correct solution for organizations seeking to secure their environment against identity-based threats. It combines advanced analytics, automated risk response, and integration with Conditional Access to provide a robust, adaptive security posture. This approach strengthens zero-trust practices, ensures that only legitimate users access sensitive resources, and allows administrators to respond promptly and effectively to high-risk sign-ins, ultimately safeguarding the organization’s critical assets and maintaining regulatory compliance.
Question 139
You need to provide temporary administrative access for Azure virtual machines to reduce exposure to attacks. Which solution should you implement?
A) Microsoft Defender for Cloud JIT VM Access
B) Network Security Group
C) Azure Policy
D) Azure Key Vault
Answer: A) Microsoft Defender for Cloud JIT VM Access
Explanation:
Just-in-Time (JIT) VM Access in Microsoft Defender for Cloud (part of Defender for Servers Plan 2) reduces exposure by keeping management ports closed until access is requested. When JIT is enabled on a VM, Defender for Cloud writes deny rules for the configured ports (by default 22, 3389, 5985 and 5986) into the VM's network security group or Azure Firewall. An administrator then requests access for a specific port, source IP and duration; there is no human approval step. The request is granted if the requester holds the required RBAC permission (the Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action operation) and stays within the policy's allowed source prefix and maximum duration. Defender adds a time-limited allow rule, records the request in the activity log, and removes the rule when the window expires. This minimizes the window for brute-force or unauthorized login attempts.
Network Security Groups filter traffic but cannot enforce temporary or time-limited administrative access.
Azure Policy enforces configuration compliance but does not manage administrative access.
Azure Key Vault stores secrets and keys but does not control VM access.
Microsoft Defender for Cloud JIT VM Access is the correct solution because it enforces least-privilege access, reduces attack surface, provides audit trails, and integrates with alerts to detect suspicious activity. This approach supports regulatory compliance, strengthens operational security, and ensures that administrative privileges are granted only when necessary, maintaining a robust security posture.
Question 140
You need to implement centralized monitoring, threat detection, and automated response for security incidents across multiple Azure subscriptions. Which solution should you implement?
A) Microsoft Sentinel
B) Azure Key Vault
C) Network Security Group
D) Azure Policy
Answer: A) Microsoft Sentinel
Explanation:
Microsoft Sentinel is a cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) solution built on a Log Analytics workspace. Data connectors ingest logs from Azure subscriptions (activity logs, Entra sign-in and audit logs, Defender alerts), from on-premises systems (Syslog and Windows security events through the Azure Monitor Agent) and from third-party services. Detection comes from scheduled analytics rules written in Kusto Query Language (KQL), near-real-time rules, Fusion machine-learning correlation, anomaly rules and threat-intelligence matching; matched results become alerts that are grouped into incidents. Automation rules and playbooks (Azure Logic Apps workflows) respond to incidents, for example by isolating a device, disabling an account, or opening a ticket and notifying the on-call team.
Azure Key Vault secures secrets and keys but does not provide monitoring or automated response.
Network Security Groups filter network traffic but cannot detect, analyze, or respond to threats.
Azure Policy enforces compliance but does not monitor security events or provide incident response.
Microsoft Sentinel is the correct solution because it centralizes monitoring, threat detection, and automated response across hybrid environments. Integration with Microsoft Defender enhances detection capabilities. Analysts can investigate alerts, trigger automated remediation, and maintain audit trails for compliance. Event correlation reduces alert fatigue and enables proactive threat protection, strengthening overall security posture and ensuring timely response to incidents across the organization.
Question 141
You need to enforce encryption on all Azure virtual machines and ensure non-compliant VMs are automatically remediated. Which solution should you implement?
A) Azure Policy with encryption initiatives
B) Microsoft Defender for Cloud
C) Network Security Group
D) Azure Key Vault
Answer: A) Azure Policy with encryption initiatives
Explanation:
Azure Policy is a foundational governance tool within the Azure ecosystem that allows administrators to define, implement, and enforce rules that govern the configuration and behavior of cloud resources. One of its most valuable capabilities is the ability to mandate encryption requirements for virtual machines and associated disks. By defining policies that require encryption at rest, organizations can ensure that every VM deployed within their environment adheres to established security standards. These policies can be assigned at different scopes—management groups, subscriptions, or resource groups—allowing flexible yet centralized control across large and distributed environments.
Once assigned, a policy is evaluated when a resource is created or updated and during the periodic compliance scan, and each resource is marked compliant or non-compliant. What happens next depends on the effect: Audit only records the non-compliance, Deny rejects a create or update request that would violate the rule, and Modify or DeployIfNotExists can change the resource, either at deployment time or later through a remediation task for existing resources. For VM encryption it is worth being precise about what is enforced: managed disks are always encrypted at rest with platform-managed keys, so policies target the stronger options that can vary, such as encryption at host ("Virtual machines and virtual machine scale sets should have encryption at host enabled"), Azure Disk Encryption, or customer-managed keys for disks. Several of these built-ins default to Audit, so automatic remediation is only achieved where a Deny or DeployIfNotExists effect is selected. Automated enforcement removes the reliance on manual checks, which are prone to oversight, and keeps the environment consistently protected as new workloads are deployed or existing ones change.
Policy initiatives play an important role in simplifying governance. An initiative bundles multiple related policies—such as disk encryption, secure configuration baselines, or tagging requirements—into a single package. This enables administrators to apply comprehensive governance standards with minimal effort. Instead of assigning individual policies one by one, initiatives allow organizations to enforce multiple rules simultaneously, improving consistency and reducing administrative overhead. As environments grow larger and more complex, policy initiatives help maintain organizational coherence by ensuring uniform adherence to security and operational standards.
Azure Policy also provides a robust compliance dashboard that offers visibility into policy adherence across multiple subscriptions and environments. Administrators can view compliance scores, drill into specific non-compliant resources, and generate reports for audits or executive oversight. This centralized visibility is essential for organizations operating under regulatory frameworks such as GDPR, HIPAA, PCI DSS, or ISO 27001. By demonstrating that encryption is enforced automatically and consistently, organizations can meet regulatory requirements more easily and prepare audit-ready documentation with minimal manual effort.
Other Azure services contribute to security but do not replace Azure Policy’s enforcement capabilities. Microsoft Defender for Cloud provides continuous monitoring, security posture management, and recommendations, but it does not enforce encryption or automatically remediate non-compliant VMs. Network Security Groups help control network traffic but have no influence over encryption or compliance configuration. Azure Key Vault securely stores encryption keys, certificates, and secrets, yet it does not enforce the encryption of virtual machines or disks at the resource level.
Azure Policy with encryption initiatives therefore represents the most effective solution for ensuring that organizational encryption requirements are applied uniformly. It eliminates gaps caused by manual configuration, reduces the risk of unencrypted data exposure, and provides a clear governance framework supported by extensive compliance reporting. This approach strengthens overall security posture, supports regulatory alignment, and provides consistent protection for sensitive workloads across the cloud environment.
Question 142
You need to provide secure remote access to Azure virtual machines without exposing RDP or SSH ports to the internet. Which solution should you implement?
A) Azure Bastion
B) Network Security Group
C) Azure Policy
D) Microsoft Defender for Cloud
Answer: A) Azure Bastion
Explanation:
Azure Bastion is a managed Platform as a Service (PaaS) solution deployed into a dedicated AzureBastionSubnet (/26 or larger) in the virtual network. Administrators connect to VMs over RDP or SSH from the Azure portal (or, with the Standard SKU, from a native client) without the VMs having public IP addresses. The browser session reaches the Bastion host over TLS on port 443; Bastion then opens RDP or SSH to the target VM over its private IP. The VMs therefore expose no inbound 22 or 3389 to the internet, the ports most commonly targeted by brute-force scanning. Two details are easy to miss: the Bastion host itself holds the one public IP in this design, and the target VM's NSG must still allow 22/3389 inbound from the AzureBastionSubnet range or the VirtualNetwork service tag, or Bastion cannot reach the guest.
One of the most significant advantages of Azure Bastion is its integration with Azure Active Directory (Azure AD) for the control plane. A user must sign in to the Azure portal, so Conditional Access and MFA protect the connection attempt, and Azure RBAC decides who may connect to which machine: the user needs Reader on the target VM, on its network interface, and on the Bastion resource (and on the virtual network when it is peered). Note that the portal MFA protects the Bastion session, not the guest login; the user still authenticates to the VM with local, domain or SSH credentials unless Microsoft Entra ID login for the VM is configured (Standard SKU). Bastion can also take SSH private keys or passwords from Azure Key Vault, keeping credentials out of the browser. This identity-based, centrally governed access path supports zero-trust principles by verifying the user before any network path to the VM is opened.
Azure Bastion also enhances operational oversight through session logging. Enabling the BastionAuditLogs category in the resource's diagnostic settings sends every connection (user, target VM, source address, protocol, session start and end) to a Log Analytics workspace, storage account or event hub. Such logging is essential for compliance with regulatory standards and internal security policies; it provides a complete record of administrative access, supports investigations, and meets audit requirements from frameworks such as ISO 27001, HIPAA and SOC 2. Because all access passes through one gateway, auditing is much simpler than when administrators reach VMs over assorted network paths.
When compared with other Azure services, Bastion clearly addresses a need that the alternatives cannot fulfill. Network Security Groups play an important role in filtering inbound and outbound traffic, but they still require certain ports to be open if remote access is performed traditionally. This leaves virtual machines exposed to potential scanning or attack attempts from the public internet. Azure Policy provides governance and ensures that resources follow defined configurations, but it does not provide or facilitate secure remote access. Microsoft Defender for Cloud offers powerful monitoring, recommendations, and threat detection but does not create a secure connectivity layer for administrators to access virtual machines. None of these tools remove the inherent risks associated with exposing remote management ports.
Azure Bastion stands out because it solves secure administrative access without public IP addresses on the VMs, VPNs, self-managed jump servers, or complex firewall rules. It offers a streamlined, browser-based connection that reduces operational friction while enforcing identity controls, TLS to the browser, and complete audit records, which makes it a natural component of a zero-trust environment. It lets organizations perform administrative tasks safely and efficiently while maintaining compliance and keeping their virtual machines off the internet.
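Added example for Question 142 (not code from the original page or from Microsoft): a Python check that computes an NSG's effective inbound decision the way Azure evaluates rules (ascending priority, first match wins, default rules last) and uses it to confirm that 22 and 3389 are unreachable from the Internet yet reachable from the AzureBastionSubnet. The VNet and subnet ranges, rule names and both sample NSGs are constructed; service tags are reduced to Internet, VirtualNetwork, AzureLoadBalancer and '*'.

```python
"""NSG posture check for Bastion-only management access.

Added example, not code from the original page or from Microsoft. It answers
two questions the Bastion design raises: are 22/3389 reachable from the
Internet, and are they reachable from the AzureBastionSubnet? VNet and subnet
ranges, rule names and the two NSGs are constructed test data.
"""
from __future__ import annotations

import ipaddress

VNET = ipaddress.ip_network("10.0.0.0/16")               # constructed
BASTION_SUBNET = ipaddress.ip_network("10.0.255.0/26")   # AzureBastionSubnet must be /26 or larger
MANAGEMENT_PORTS = (22, 3389)

# Azure's default inbound rules, always evaluated after the custom ones.
DEFAULT_INBOUND = [
    {"name": "AllowVnetInBound", "priority": 65000, "access": "Allow",
     "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "access": "Allow",
     "sourceAddressPrefix": "AzureLoadBalancer", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "access": "Deny",
     "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

def source_matches(prefix: str, src: ipaddress.IPv4Address) -> bool:
    """Reduced service-tag handling: Internet is anything outside the VNet."""
    if prefix == "*":
        return True
    if prefix == "Internet":
        return src not in VNET
    if prefix == "VirtualNetwork":
        return src in VNET
    if prefix == "AzureLoadBalancer":
        return False                                  # health-probe source, never a client
    return src in ipaddress.ip_network(prefix, strict=False)

def port_matches(rule: dict, port: int) -> bool:
    """Accept '*', a single port, a 'lo-hi' range, or a destinationPortRanges list."""
    ranges = rule.get("destinationPortRanges") or [rule["destinationPortRange"]]
    for r in ranges:
        if r == "*":
            return True
        lo, _, hi = r.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def effective_access(rules: list[dict], src_ip: str, port: int) -> str:
    """First matching inbound rule by ascending priority decides; default rules close the list."""
    src = ipaddress.ip_address(src_ip)
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if rule.get("direction", "Inbound") != "Inbound":
            continue
        if source_matches(rule["sourceAddressPrefix"], src) and port_matches(rule, port):
            return rule["access"]
    return "Deny"

def exposed_management_ports(rules: list[dict], probe_ip: str = "198.51.100.9") -> list[int]:
    """Management ports an Internet client (constructed probe address) could reach."""
    return [p for p in MANAGEMENT_PORTS if effective_access(rules, probe_ip, p) == "Allow"]

def bastion_can_reach(rules: list[dict]) -> bool:
    """Bastion connects from a private address in AzureBastionSubnet to 22/3389 on the VM."""
    bastion_ip = str(BASTION_SUBNET[4])   # first usable address after Azure's four reserved ones
    return all(effective_access(rules, bastion_ip, p) == "Allow" for p in MANAGEMENT_PORTS)

# Constructed NSG on the workload subnet after the Bastion design.
NSG_BASTION_ONLY = [
    {"name": "AllowBastionToMgmt", "priority": 100, "access": "Allow",
     "sourceAddressPrefix": str(BASTION_SUBNET), "destinationPortRanges": ["22", "3389"]},
    {"name": "DenyMgmtFromAnywhereElse", "priority": 110, "access": "Deny",
     "sourceAddressPrefix": "*", "destinationPortRanges": ["22", "3389"]},
    {"name": "AllowHttpsFromInternet", "priority": 200, "access": "Allow",
     "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
]

# Constructed NSG of the kind Bastion replaces: RDP left open to the world.
NSG_RDP_OPEN = [
    {"name": "AllowRdpAnywhere", "priority": 300, "access": "Allow",
     "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
]

def run_demo() -> dict:
    return {"bastion_only": {"exposed": exposed_management_ports(NSG_BASTION_ONLY),
                             "bastion_reaches_vm": bastion_can_reach(NSG_BASTION_ONLY)},
            "rdp_open": {"exposed": exposed_management_ports(NSG_RDP_OPEN),
                         "bastion_reaches_vm": bastion_can_reach(NSG_RDP_OPEN)}}

if __name__ == "__main__":
    print(run_demo())
```

The explicit deny at priority 110 is the part people forget: without it the default AllowVnetInBound rule (priority 65000) still lets every other host in the VNet reach the management ports, so Bastion-only access needs both the allow from the Bastion subnet and a deny for everyone else.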
Question 143
You need to detect risky Azure AD sign-ins, including impossible travel and unfamiliar devices, and automatically enforce mitigation actions. Which solution should you implement?
A) Azure AD Identity Protection
B) Azure Policy
C) Network Security Group
D) Microsoft Defender for Cloud
Answer: A) Azure AD Identity Protection
Explanation:
Azure AD Identity Protection detects risky sign-ins using AI and behavioral analytics. It identifies anomalies like impossible travel, unfamiliar sign-in locations, atypical behavior, and compromised credentials. Automated response policies can enforce multi-factor authentication (MFA) or require password resets for high-risk accounts.
Azure Policy enforces resource compliance but does not monitor sign-ins or detect identity risks.
Network Security Groups filter traffic but cannot evaluate sign-in risks.
Microsoft Defender for Cloud monitors resources for threats but does not analyze Azure AD sign-in activity.
Azure AD Identity Protection is the correct solution because it proactively identifies identity-based threats and automates mitigation. Integration with Conditional Access allows dynamic policy enforcement based on risk levels. Audit logs provide visibility and reporting for compliance, while administrators can promptly respond to high-risk sign-ins. This ensures that only legitimate users access resources while minimizing the impact of compromised credentials.
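Added example covering Questions 138 and 143 (not code from the original page or from Microsoft): the impossible-travel heuristic that Identity Protection applies, reimplemented in Python over constructed sign-in records so the signal can be traced by hand. Field names follow the shape of Entra sign-in log entries; the speed threshold, distance floor, users, addresses and coordinates are assumptions.

```python
"""Impossible-travel detection over Microsoft Entra style sign-in records.

Added example, not code from the original page or from Microsoft. The record
fields (userPrincipalName, createdDateTime, ipAddress, location.city,
location.geoCoordinates) follow the shape of Entra sign-in log entries; the
900 km/h threshold, the 50 km noise floor and the sample records are
constructed assumptions, not Microsoft's values.
"""
from __future__ import annotations

import math
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable

MAX_PLAUSIBLE_KMH = 900.0   # assumption: roughly airliner speed
MIN_DISTANCE_KM = 50.0      # assumption: ignore geo-IP jitter inside one metro area

@dataclass(frozen=True)
class SignIn:
    upn: str
    when: datetime
    ip: str
    lat: float
    lon: float
    city: str

def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS84 points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def parse_signin(rec: dict) -> SignIn:
    """Map one sign-in log entry (Entra-style field names) onto the dataclass."""
    loc = rec["location"]
    geo = loc["geoCoordinates"]
    return SignIn(
        upn=rec["userPrincipalName"],
        when=datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00")),
        ip=rec["ipAddress"],
        lat=float(geo["latitude"]),
        lon=float(geo["longitude"]),
        city=loc["city"],
    )

def impossible_travel(signins: Iterable[SignIn], max_kmh: float = MAX_PLAUSIBLE_KMH) -> list[dict]:
    """One finding per consecutive sign-in pair (same user) whose implied speed exceeds max_kmh."""
    by_user: dict[str, list[SignIn]] = {}
    for s in signins:
        by_user.setdefault(s.upn, []).append(s)
    findings = []
    for upn, events in by_user.items():
        events.sort(key=lambda e: e.when)
        for prev, cur in zip(events, events[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km < MIN_DISTANCE_KM:
                continue
            hours = (cur.when - prev.when).total_seconds() / 3600.0
            speed = math.inf if hours <= 0 else km / hours   # same-instant sign-ins from two places
            if speed > max_kmh:
                findings.append({
                    "user": upn,
                    "from": prev.city, "from_ip": prev.ip,
                    "to": cur.city, "to_ip": cur.ip,
                    "distance_km": round(km, 1),
                    "elapsed_hours": round(hours, 2),
                    "implied_kmh": speed if speed == math.inf else round(speed, 1),
                    "detection": "impossibleTravel",
                })
    return findings

# Constructed sample entries (not real data). alice: London, then New York 90
# minutes later. bob: Seattle, then Portland three hours later (plausible).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2024-05-01T09:00:00Z",
     "ipAddress": "203.0.113.10",
     "location": {"city": "London", "geoCoordinates": {"latitude": 51.5074, "longitude": -0.1278}}},
    {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2024-05-01T08:00:00Z",
     "ipAddress": "198.51.100.20",
     "location": {"city": "Seattle", "geoCoordinates": {"latitude": 47.6062, "longitude": -122.3321}}},
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2024-05-01T10:30:00Z",
     "ipAddress": "198.51.100.77",
     "location": {"city": "New York", "geoCoordinates": {"latitude": 40.7128, "longitude": -74.0060}}},
    {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2024-05-01T11:00:00Z",
     "ipAddress": "198.51.100.21",
     "location": {"city": "Portland", "geoCoordinates": {"latitude": 45.5152, "longitude": -122.6784}}},
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2024-05-01T14:00:00Z",
     "ipAddress": "198.51.100.77",
     "location": {"city": "New York", "geoCoordinates": {"latitude": 40.7128, "longitude": -74.0060}}},
]

def run_demo() -> list[dict]:
    return impossible_travel(parse_signin(r) for r in SAMPLE_SIGNINS)

if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

The distance floor is what keeps the detector quiet for a user whose geo-IP location flips between two nearby cities, while the infinite-speed branch covers the clearest case: two sign-ins at the same instant from different continents. A real service also weighs familiar locations and VPN egress points, which this example deliberately leaves out.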
Question 144
You need to provide temporary administrative access to Azure virtual machines to reduce exposure to attacks. Which solution should you implement?
A) Microsoft Defender for Cloud JIT VM Access
B) Network Security Group
C) Azure Policy
D) Azure Key Vault
Answer: A) Microsoft Defender for Cloud JIT VM Access
Explanation:
Just-in-Time (JIT) VM Access in Microsoft Defender for Cloud is a security control designed to reduce unnecessary exposure of virtual machines by keeping management ports closed unless they are specifically needed. In traditional environments, administrators often leave ports such as SSH or RDP open for convenience, but these ports become frequent targets for automated scanning, brute-force attacks, and credential-guessing attempts. JIT solves this problem by ensuring that those high-risk ports remain closed at all times until an authorized user explicitly submits a request for access. Once the request is approved, the ports open only for the duration specified by the administrator, after which they automatically close again without requiring any manual intervention.
When an administrator requests access, several parameters must be defined, such as the port number, the time window for access, and the source IP address from which the connection will originate. Having these details logged creates a clear trail of accountability. Each request is recorded, which helps security teams review who accessed what resources, when the access occurred, and whether the activity aligns with expected administrative behavior. This type of monitoring is essential for detecting anomalies, investigating incidents, and meeting compliance requirements that demand consistent oversight of privileged operations. Because the system automatically denies requests that fall outside established policies, organizations maintain greater control over who can access sensitive systems.
By limiting administrative privileges to predefined time frames, JIT strongly supports the principle of least privilege. In a least-privilege model, privileges are granted only when needed and only for the minimum time required to accomplish a task. This reduces the risk of credential abuse, whether intentional or accidental, and prevents attackers from exploiting open ports that would otherwise remain available around the clock. The temporary nature of access drastically reduces the attack window, leaving adversaries with little opportunity to launch brute-force attempts or gain unauthorized entry. Additionally, alerts from Microsoft Defender for Cloud can notify administrators of unusual requests or suspicious activity, allowing a rapid response to potential threats.
While other Azure services contribute to security in different ways, none of them offer the full functionality required for temporary administrative access management. Network Security Groups, for example, are excellent for filtering traffic based on static rules but cannot enforce time-limited access. They operate continuously once configured, and if an administrator forgets to close a port, the VM remains exposed. Azure Policy focuses on ensuring that resources follow organizational or regulatory configurations, such as enforcing encryption or restricting resource types. However, it does not manage real-time access controls or determine when administrative ports should open or close. Azure Key Vault is essential for secure storage of keys, secrets, and certificates, but it plays no role in granting or restricting access to VMs.
For organizations seeking to strengthen their operational security while maintaining flexibility for administrators, Microsoft Defender for Cloud JIT VM Access provides the most comprehensive solution. It minimizes risk by ensuring ports remain closed by default, grants access only when necessary, and produces detailed logs for auditing and compliance. This approach improves the overall security posture by reducing attack surfaces, enhancing visibility, and ensuring that administrative privileges are tightly controlled and consistently monitored.
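Added example covering Questions 139 and 144 (not code from the original page or from Microsoft): a Python model of the JIT decision, checking a request against the policy's port list, source prefix and maximum duration, emitting a time-bound allow rule that sorts ahead of the standing deny rule, and closing it when the window ends. The policy shape mirrors the JIT policy resource; the VM, requesters, addresses, rule names and times are constructed, and the RBAC check is assumed to have passed before this point.

```python
"""Just-in-Time VM access: policy-bound, time-limited opening of management ports.

Added example, not code from the original page or from Microsoft. The policy
shape (a ports list with number, protocol, allowedSourceAddressPrefix and an
ISO 8601 maxRequestAccessDuration) mirrors the JIT policy resource; VM name,
requesters, IP ranges, rule names and timestamps are constructed test data.
RBAC (the requester needs the JIT 'initiate' action on the policy) is assumed
to have been checked by Azure before this code runs.
"""
from __future__ import annotations

import ipaddress
import re
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)   # constructed reference time

JIT_POLICY = {
    "vm": "vm-web-01",                                   # constructed
    "ports": [
        {"number": 3389, "protocol": "TCP",
         "allowedSourceAddressPrefix": "203.0.113.0/24",  # admin VPN egress, RFC 5737 test range
         "maxRequestAccessDuration": "PT3H"},
        {"number": 22, "protocol": "TCP",
         "allowedSourceAddressPrefix": "*",
         "maxRequestAccessDuration": "PT1H"},
    ],
}

# Standing rule JIT keeps in the NSG: management ports denied from everywhere.
# 4096 is the lowest precedence an NSG rule can have.
STANDING_DENY = {"name": "JIT-Deny-ManagementPorts", "priority": 4096, "direction": "Inbound",
                 "access": "Deny", "protocol": "*", "sourceAddressPrefix": "*",
                 "destinationPortRanges": ["22", "3389"], "expires_at": None}

_DURATION = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?$")

def parse_iso_duration(text: str) -> timedelta:
    """Parse the PTnHnM subset of ISO 8601 durations used by the policy."""
    m = _DURATION.match(text)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration {text!r}")
    hours, minutes = (int(g) if g else 0 for g in m.groups())
    return timedelta(hours=hours, minutes=minutes)

def source_allowed(prefix: str, source_ip: str) -> bool:
    if prefix == "*":
        return True
    return ipaddress.ip_address(source_ip) in ipaddress.ip_network(prefix, strict=False)

def request_access(policy: dict, port: int, source_ip: str, duration: timedelta,
                   requester: str, now: datetime = NOW) -> tuple[bool, dict]:
    """Validate a request; on success return the time-bound allow rule and an audit record."""
    port_policy = next((p for p in policy["ports"] if p["number"] == port), None)
    if port_policy is None:
        return False, {"reason": f"port {port} is not covered by the JIT policy"}
    max_duration = parse_iso_duration(port_policy["maxRequestAccessDuration"])
    if duration > max_duration:
        return False, {"reason": f"requested {duration} exceeds maximum {max_duration}"}
    if not source_allowed(port_policy["allowedSourceAddressPrefix"], source_ip):
        return False, {"reason": f"source {source_ip} is outside {port_policy['allowedSourceAddressPrefix']}"}
    expires = now + duration
    allow_rule = {
        "name": f"JIT-Allow-{port}-{requester}",
        "priority": 100,                       # sorts before the standing deny rule
        "direction": "Inbound", "access": "Allow",
        "protocol": port_policy["protocol"],
        "sourceAddressPrefix": source_ip,      # scoped to the requesting address, not the whole prefix
        "destinationPortRanges": [str(port)],
        "expires_at": expires,
    }
    audit = {"requester": requester, "vm": policy["vm"], "port": port,
             "source": source_ip, "start": now, "end": expires}
    return True, {"nsg_rule": allow_rule, "audit": audit}

def close_expired(rules: list[dict], now: datetime) -> list[dict]:
    """Drop allow rules whose window has passed; rules without expiry (the deny) stay."""
    return [r for r in rules if r["expires_at"] is None or r["expires_at"] > now]

def run_demo() -> list[dict]:
    """Apply four constructed requests, then age the NSG by three hours; returns surviving rules."""
    rules = [STANDING_DENY]
    requests = [
        (3389, "203.0.113.10", timedelta(hours=2), "alice"),   # granted
        (3389, "198.51.100.5", timedelta(hours=1), "alice"),   # denied: source outside prefix
        (22, "198.51.100.5", timedelta(hours=2), "bob"),       # denied: exceeds PT1H
        (5985, "203.0.113.10", timedelta(minutes=30), "bob"),  # denied: WinRM not in policy
    ]
    for port, src, dur, who in requests:
        granted, result = request_access(JIT_POLICY, port, src, dur, who)
        print("GRANTED" if granted else "DENIED ", port, src, who, result.get("reason", ""))
        if granted:
            rules.append(result["nsg_rule"])
    return close_expired(rules, NOW + timedelta(hours=3))

if __name__ == "__main__":
    print([r["name"] for r in run_demo()])
```

Two details carry the security value: the allow rule is scoped to the requesting address rather than the whole policy prefix, and the only rule without an expiry is the deny, so once the window closes the NSG is back to its hardened state without anyone remembering to revert it.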
Question 145
You need to implement centralized monitoring, threat detection, and automated response for security incidents across multiple Azure subscriptions. Which solution should you implement?
A) Microsoft Sentinel
B) Azure Key Vault
C) Network Security Group
D) Azure Policy
Answer: A) Microsoft Sentinel
Explanation:
Microsoft Sentinel is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) solution designed to provide comprehensive visibility and advanced threat detection across modern enterprise environments. As organizations increasingly operate within hybrid infrastructures, combining Azure resources, on-premises systems, and third-party cloud platforms, Sentinel offers the ability to aggregate and analyze vast streams of security logs from these diverse sources. By centralizing data in a single platform, security teams gain a unified view of their environment, making it easier to identify threats, investigate incidents, and maintain consistent oversight across all operational areas.
One of the defining strengths of Microsoft Sentinel is the range of detection methods it combines. Scheduled analytics rules run KQL queries on a timer, so known patterns (a burst of failed sign-ins followed by a success, a rare process launch, impossible travel) are caught deterministically. Fusion uses machine learning to correlate low-fidelity signals from several sources into a single multi-stage incident, anomaly rules flag statistical outliers, and User and Entity Behavior Analytics (UEBA) baselines what is normal for each user and host so that deviations stand out. Correlating signals from multiple sources reduces noise and improves alert accuracy, letting analysts focus on the incidents that matter rather than on a flood of isolated notifications.
Another essential component of Sentinel is its powerful automation capabilities through playbooks built with Azure Logic Apps. These automated workflows enable rapid and consistent responses to detected threats. For example, if Sentinel identifies indicators of compromise on a virtual machine or user account, a playbook can automatically isolate the resource, disable the account, trigger MFA reset procedures, or alert the security team through communication channels. Automation significantly reduces response times, minimizes human error, and supports continuous protection even outside regular business hours. It also helps streamline routine tasks such as ticket creation, threat intelligence lookups, and data enrichment for investigations.
Compared with other Azure services, Sentinel is uniquely positioned to address monitoring, detection, and incident response needs. Azure Key Vault is essential for storing keys, secrets, and certificates securely, but it does not include monitoring, alerting, or automated incident response functions. Network Security Groups provide important network-level access control but cannot detect threats, correlate security events, or initiate remediation actions. Azure Policy helps enforce governance and configuration standards, but it is not designed to identify malicious activity, investigate incidents, or orchestrate responses. None of these services offer the comprehensive SIEM and SOAR capabilities that Sentinel provides.
Microsoft Sentinel also integrates deeply with Microsoft Defender solutions, enhancing overall security. Defender products offer endpoint detection, identity protection, and cloud workload security, while Sentinel correlates their alerts with data from other sources to create richer, more actionable insights. Security analysts can use Sentinel to conduct full investigations, review incident timelines, analyze suspicious activity, and document actions taken for compliance purposes. Audit trails generated within Sentinel support regulatory standards, making it easier to demonstrate due diligence during internal or external audits.
By reducing alert fatigue through intelligent event correlation, enabling proactive threat hunting, and providing automated response workflows, Microsoft Sentinel significantly strengthens an organization’s security posture. It ensures timely detection of threats, streamlines incident resolution, and supports continuous monitoring across hybrid and multi-cloud environments. Through centralized visibility and orchestration, Sentinel enhances resilience and helps organizations stay ahead of evolving cyber threats.
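Added example covering Questions 140 and 145 (not code from the original page or from Microsoft): a Python version of what a scheduled analytics rule and incident correlation do in Sentinel, run over constructed SigninLogs and SecurityAlert rows. The result codes 50126 (invalid password) and 0 (success) are Entra's; the thresholds, entities, addresses, alert names and the playbook action mapping are assumptions.

```python
"""Sentinel-style detection and correlation over constructed log records.

Added example, not code from the original page or from Microsoft. Rule one
looks for many failed sign-ins followed by a success from the same address.
Correlation then attaches any Defender alert on the same account within the
following hour and raises the incident severity, and a playbook decision
picks the response. Field names follow the shape of the SigninLogs and
SecurityAlert tables; thresholds, entities, IPs and actions are assumptions.
"""
from __future__ import annotations

from datetime import datetime, timedelta

FAILURE_CODE = "50126"   # Entra: invalid username or password
SUCCESS_CODE = "0"

def _t(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

# Constructed SigninLogs rows. alice: six failures then a success from 198.51.100.77.
# bob: two typos then success from his usual address (below threshold). carol: failures only.
SIGNIN_LOGS = [
    {"TimeGenerated": f"2024-05-01T10:0{i}:00Z", "UserPrincipalName": "alice@contoso.example",
     "IPAddress": "198.51.100.77", "ResultType": FAILURE_CODE} for i in range(6)
] + [
    {"TimeGenerated": "2024-05-01T10:06:30Z", "UserPrincipalName": "alice@contoso.example",
     "IPAddress": "198.51.100.77", "ResultType": SUCCESS_CODE},
    {"TimeGenerated": "2024-05-01T08:00:00Z", "UserPrincipalName": "bob@contoso.example",
     "IPAddress": "203.0.113.5", "ResultType": FAILURE_CODE},
    {"TimeGenerated": "2024-05-01T08:00:40Z", "UserPrincipalName": "bob@contoso.example",
     "IPAddress": "203.0.113.5", "ResultType": FAILURE_CODE},
    {"TimeGenerated": "2024-05-01T08:01:10Z", "UserPrincipalName": "bob@contoso.example",
     "IPAddress": "203.0.113.5", "ResultType": SUCCESS_CODE},
] + [
    {"TimeGenerated": f"2024-05-01T12:1{i}:00Z", "UserPrincipalName": "carol@contoso.example",
     "IPAddress": "198.51.100.77", "ResultType": FAILURE_CODE} for i in range(8)
]

# Constructed SecurityAlert rows as Defender products would write them.
SECURITY_ALERTS = [
    {"TimeGenerated": "2024-05-01T10:40:00Z", "ProductName": "Microsoft Defender for Endpoint",
     "AlertName": "Suspicious PowerShell download", "AlertSeverity": "Medium",
     "CompromisedEntity": "alice@contoso.example"},
    {"TimeGenerated": "2024-05-01T15:00:00Z", "ProductName": "Microsoft Defender for Cloud",
     "AlertName": "Unusual resource deployment", "AlertSeverity": "Low",
     "CompromisedEntity": "dave@contoso.example"},
]

def brute_force_then_success(rows: list[dict], min_failures: int = 5,
                             window: timedelta = timedelta(minutes=30)) -> list[dict]:
    """Per (user, IP): a success preceded by at least min_failures failures inside the window."""
    by_key: dict[tuple[str, str], list[dict]] = {}
    for r in rows:
        by_key.setdefault((r["UserPrincipalName"], r["IPAddress"]), []).append(r)
    detections = []
    for (user, ip), events in by_key.items():
        events.sort(key=lambda r: _t(r["TimeGenerated"]))
        for i, ev in enumerate(events):
            if ev["ResultType"] != SUCCESS_CODE:
                continue
            t_success = _t(ev["TimeGenerated"])
            failures = [e for e in events[:i]
                        if e["ResultType"] == FAILURE_CODE and t_success - _t(e["TimeGenerated"]) <= window]
            if len(failures) >= min_failures:
                detections.append({"rule": "BruteForceThenSuccess", "entity": user, "source_ip": ip,
                                   "failures": len(failures), "success_at": t_success,
                                   "tactics": ["CredentialAccess", "InitialAccess"]})
    return detections

def correlate(detections: list[dict], alerts: list[dict],
              lookahead: timedelta = timedelta(hours=1)) -> list[dict]:
    """Build incidents: a Defender alert on the same account soon after the success raises severity."""
    incidents = []
    for d in detections:
        related = [a for a in alerts
                   if a["CompromisedEntity"] == d["entity"]
                   and d["success_at"] <= _t(a["TimeGenerated"]) <= d["success_at"] + lookahead]
        incidents.append({**d, "related_alerts": related, "severity": "High" if related else "Medium"})
    return incidents

def playbook_actions(incident: dict) -> list[str]:
    """Constructed SOAR mapping: what an automation rule would hand to a Logic Apps playbook."""
    actions = ["notify_soc"]
    if incident["severity"] in ("Medium", "High"):
        actions += ["revoke_refresh_tokens", "require_password_reset"]
    if incident["severity"] == "High":
        actions += ["disable_account"]
    return actions

def run_demo() -> list[dict]:
    return correlate(brute_force_then_success(SIGNIN_LOGS), SECURITY_ALERTS)

if __name__ == "__main__":
    for inc in run_demo():
        print(inc["severity"], inc["entity"], inc["failures"], "failures;",
              len(inc["related_alerts"]), "related alert(s) ->", playbook_actions(inc))
```

In Sentinel the first function would be a scheduled KQL rule, the correlation would be the Defender alert grouped into the same incident, and the action list is what an automation rule passes to a playbook. The same detection without the correlated alert stays Medium and the account is not disabled, which is the correlation-driven triage the passage describes; carol's eight failures with no success generate nothing from this rule and would need a separate failed-logon threshold rule.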
Question 146
You need to enforce that only devices meeting compliance policies can access corporate applications and require multi-factor authentication for risky sign-ins. Which solution should you implement?
A) Conditional Access with Intune compliance policies and risk-based MFA
B) Azure Key Vault
C) Network Security Group
D) Azure Policy
Answer: A) Conditional Access with Intune compliance policies and risk-based MFA
Explanation:
Conditional Access is one of the core components of Microsoft’s identity-driven security framework, providing organizations with a flexible and intelligent way to control access to applications and corporate resources. It works by evaluating multiple signals—such as user identity, device compliance, location, user behavior, and detected risk levels—to determine whether access should be granted, challenged, or blocked. This enables organizations to move away from static, perimeter-based security models and toward a fully realized zero-trust architecture, where access decisions are dynamic and continuously evaluated.
A critical part of Conditional Access is its integration with Microsoft Intune. Intune allows administrators to define compliance policies for devices, ensuring that only endpoints meeting organizational security standards are permitted to connect to corporate applications. These compliance requirements may include device encryption, up-to-date operating systems, active antivirus protection, secure boot configurations, or restrictions on jailbroken or rooted devices. When users attempt to access applications, Conditional Access checks whether their device is marked as compliant in Intune. If the device does not meet the defined criteria, access is denied or redirected until remediation occurs. This ensures that sensitive data is only accessible from trusted and secure devices.
Risk-based Conditional Access further enhances security by leveraging signals from Microsoft Entra ID Protection (formerly Azure AD Identity Protection). The service continuously monitors user activity and login patterns, assigning a sign-in risk level and a user risk level (low, medium or high) based on factors such as sign-ins from unfamiliar locations, impossible travel, atypical device characteristics, anonymous IP addresses, or credentials found in known breach dumps. A Conditional Access policy can then use the sign-in risk or user risk condition to require multi-factor authentication (MFA), force a secure password change, or block access entirely. This dynamic response scrutinizes potentially harmful sign-ins more closely than routine, low-risk requests; using the risk conditions requires Microsoft Entra ID P2.
In contrast, Azure Key Vault—while vital for storing secrets securely—does not evaluate access conditions or enforce compliance controls. Its role is focused on safe storage and controlled retrieval of cryptographic keys, certificates, application secrets, and other sensitive credentials. It enhances security in its domain but does not participate directly in user authentication workflows or Conditional Access decisions.
Network Security Groups offer network-level filtering for Azure resources, allowing administrators to permit or deny traffic based on rules such as IP addresses and ports. While valuable for segmenting networks and controlling traffic flows, NSGs lack the capability to evaluate user identity, assess device posture, detect sign-in anomalies, or trigger MFA. They function at the network layer and cannot provide the identity-centric protections needed for modern access governance.
Azure Policy ensures that cloud resources follow organizational standards and compliance requirements, such as using approved VM configurations or enforcing tagging rules. However, Azure Policy does not regulate user access to applications or enforce authentication requirements. It governs resource deployment and configuration rather than identity-based access control.
Conditional Access with Intune compliance and risk-based MFA is therefore the most effective strategy for securing access to applications in modern cloud environments. It ensures that only authorized users operating compliant devices can authenticate, while risky sign-ins are automatically mitigated. Combined with robust auditing and detailed logging, this approach strengthens organizational security posture, protects against credential theft, and supports regulatory compliance by enabling consistent, traceable enforcement of security policies.
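To make the evaluation described above concrete, the following added example (not code from the page or from Microsoft) builds two Conditional Access policies in the shape of the Microsoft Graph `conditionalAccessPolicy` resource, one requiring an Intune-compliant device and one requiring MFA at medium or high sign-in risk, and runs constructed sign-in records through a deliberately simplified evaluator. The sign-in fields (`deviceCompliant`, `signInRisk`, `mfaCompleted`) and the evaluation rules are this example's own assumptions, not the Entra engine's behaviour.

```python
"""
Simplified Conditional Access evaluation (illustrative, not the Microsoft Entra engine).

The policy bodies follow the shape of the Microsoft Graph conditionalAccessPolicy
resource; the sign-in records and the evaluation rules are constructed for this example.
"""
from typing import Dict, List

# Two policies in Graph API shape (constructed for this example).
POLICIES: List[Dict] = [
    {
        "displayName": "Require Intune-compliant device for all cloud apps",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    },
    {
        "displayName": "Require MFA when sign-in risk is medium or high",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
            "signInRiskLevels": ["medium", "high"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]


def policy_applies(policy: Dict, signin: Dict) -> bool:
    """A policy is in scope when it is enabled and every stated condition matches."""
    if policy["state"] != "enabled":
        return False
    cond = policy["conditions"]
    users = cond["users"]["includeUsers"]
    if "All" not in users and signin["user"] not in users:
        return False
    apps = cond["applications"]["includeApplications"]
    if "All" not in apps and signin["app"] not in apps:
        return False
    # A policy without signInRiskLevels applies at every risk level.
    risk_levels = cond.get("signInRiskLevels")
    if risk_levels and signin["signInRisk"] not in risk_levels:
        return False
    return True


def evaluate(signin: Dict, policies: List[Dict] = POLICIES) -> Dict:
    """Return the decision plus any grant controls the sign-in has not yet satisfied.

    'compliantDevice' is satisfied when Intune marks the device compliant;
    'mfa' is satisfied when the session already completed MFA.
    """
    satisfied = set()
    if signin["deviceCompliant"]:
        satisfied.add("compliantDevice")
    if signin["mfaCompleted"]:
        satisfied.add("mfa")

    outstanding: List[str] = []
    applied: List[str] = []
    for policy in policies:
        if not policy_applies(policy, signin):
            continue
        applied.append(policy["displayName"])
        grant = policy["grantControls"]
        controls = grant["builtInControls"]
        if "block" in controls:
            return {"decision": "blocked", "outstanding": [], "policies": applied}
        combine = any if grant["operator"] == "OR" else all
        if not combine(c in satisfied for c in controls):
            outstanding.extend(c for c in controls if c not in satisfied)

    decision = "granted" if not outstanding else "controls_required"
    return {"decision": decision, "outstanding": sorted(set(outstanding)), "policies": applied}


# Constructed sign-in records.
SIGNINS = {
    "alice_compliant_low_risk": {"user": "alice", "app": "SharePoint", "deviceCompliant": True,
                                 "signInRisk": "none", "mfaCompleted": False},
    "bob_noncompliant": {"user": "bob", "app": "Exchange", "deviceCompliant": False,
                         "signInRisk": "none", "mfaCompleted": False},
    "carol_high_risk_no_mfa": {"user": "carol", "app": "Teams", "deviceCompliant": True,
                               "signInRisk": "high", "mfaCompleted": False},
    "carol_high_risk_mfa_done": {"user": "carol", "app": "Teams", "deviceCompliant": True,
                                 "signInRisk": "high", "mfaCompleted": True},
}

if __name__ == "__main__":
    for name, signin in SIGNINS.items():
        print(name, evaluate(signin))
```

The point to notice is that the device-compliance policy has no risk condition, so it is evaluated on every sign-in, while the MFA policy is only in scope when Identity Protection has scored the sign-in as medium or high; a compliant device at low risk is granted straight through, and a risky sign-in is challenged rather than blocked.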
Question 147
You need to ensure that all Azure Storage accounts are encrypted and monitor compliance across multiple subscriptions. Which solution should you implement?
A) Azure Policy with encryption requirements
B) Microsoft Defender for Cloud
C) Network Security Group
D) Azure Key Vault
Answer: A) Azure Policy with encryption requirements
Explanation:
Azure Policy is a powerful governance tool designed to help organizations enforce and maintain compliance across their Azure environments. It allows administrators to define rules, known as policies, that regulate how resources are deployed and configured. One of the most important uses of Azure Policy is enforcing encryption standards for storage accounts. By creating or assigning a built-in policy that requires encryption, organizations can ensure that any new storage account must follow encryption requirements before it is successfully deployed. If an attempt is made to create a non-compliant account, Azure Policy can block the deployment outright or automatically apply remediation steps to bring the resource into compliance. This ensures that all storage accounts follow organizational guidelines regardless of who provisions them or how they are created.
Azure Policy also supports the use of initiatives, which are collections of multiple policies grouped under a single standard. This enables large organizations to implement complex governance structures efficiently. For example, an initiative might include policies requiring encryption at rest, the use of private endpoints, mandatory tagging, or restrictions on resource locations. By assigning an initiative to one or more subscriptions, administrators maintain centralized control and ensure consistent enforcement across different teams, departments, or projects. The combination of policies within an initiative simplifies management and strengthens compliance by giving organizations a unified method of enforcing standards.
One of the most valuable components of Azure Policy is its compliance dashboard. This dashboard provides real-time visibility into the compliance status of resources across one or many subscriptions. It displays which storage accounts are compliant, which are non-compliant, and which require remediation. This detailed reporting helps security and governance teams quickly identify gaps, assess organizational risk, and address misconfigurations promptly. Such visibility is essential for meeting regulatory obligations under frameworks like GDPR, HIPAA, and PCI DSS, which require ongoing monitoring and assurance of data protection measures. Azure Policy’s reporting capabilities make it easier to demonstrate compliance during audits or internal reviews.
When compared with other Azure services, the advantages of Azure Policy for enforcing encryption become even clearer. Microsoft Defender for Cloud provides valuable security insights, continuous monitoring, and recommendations, but it does not enforce encryption settings during the resource deployment process. It can alert administrators to problems but cannot prevent non-compliant resources from being created. Network Security Groups play a critical role in controlling network traffic but have no capability to enforce encryption or monitor compliance with data protection requirements. Azure Key Vault securely stores encryption keys and certificates, but it does not guarantee that encryption is enabled on storage accounts across an organization’s environment.
Azure Policy with encryption requirements is therefore the most effective solution for ensuring consistent enforcement of organizational security standards. Its ability to prevent non-compliant deployments, automatically remediate issues, and provide granular compliance reporting significantly reduces the risk of unencrypted data exposure. By maintaining strong governance and providing continuous oversight, Azure Policy enhances an organization’s security posture, protects sensitive information, and supports adherence to regulatory and industry standards across all managed environments.
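The deny-on-deployment and compliance-dashboard behaviour described above can be traced through with the following added example (not the page's or Azure's own code). It holds two policy definitions in the real Azure Policy JSON shape, constructed for this example but modelled on the built-in storage-account policies (one denies storage accounts that do not require secure transfer, one audits accounts not using a customer-managed key), and evaluates them with a small, deliberately simplified rule evaluator over constructed storage-account records in two subscriptions. The subscription names, resource IDs and the flat resource record layout are assumptions; the `Microsoft.Storage/storageAccounts/...` field aliases are the real ones.

```python
"""
Minimal Azure Policy rule evaluator (illustrative; not the Azure Policy engine).

The two definitions are constructed for this example and modelled on the built-in
storage-account policies. Resource records are constructed sample data spanning two
subscriptions; a real dashboard would additionally track not-applicable resources.
"""
from collections import defaultdict
from typing import Any, Dict, List

STORAGE_TYPE = "Microsoft.Storage/storageAccounts"

DENY_INSECURE_TRANSFER = {
    "displayName": "Storage accounts must require secure transfer (HTTPS)",
    "mode": "Indexed",
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": STORAGE_TYPE},
            {"field": f"{STORAGE_TYPE}/supportsHttpsTrafficOnly", "notEquals": "true"},
        ]},
        "then": {"effect": "deny"},
    },
}

AUDIT_CUSTOMER_MANAGED_KEY = {
    "displayName": "Storage accounts should use a customer-managed key",
    "mode": "Indexed",
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": STORAGE_TYPE},
            {"field": f"{STORAGE_TYPE}/encryption.keySource", "notEquals": "Microsoft.Keyvault"},
        ]},
        "then": {"effect": "audit"},
    },
}

# An initiative is a set of policies assigned together to one or more subscriptions.
INITIATIVE = [DENY_INSECURE_TRANSFER, AUDIT_CUSTOMER_MANAGED_KEY]


def _norm(value: Any) -> Any:
    """Azure Policy string comparisons are case-insensitive."""
    return value.lower() if isinstance(value, str) else value


def matches(condition: Dict, resource: Dict) -> bool:
    """Evaluate a policy 'if' condition against a flat resource record."""
    if "allOf" in condition:
        return all(matches(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not matches(condition["not"], resource)
    value = resource.get(condition["field"])
    if "equals" in condition:
        return _norm(value) == _norm(condition["equals"])
    if "notEquals" in condition:
        return _norm(value) != _norm(condition["notEquals"])
    if "exists" in condition:
        return (value is not None) == (str(condition["exists"]).lower() == "true")
    if "in" in condition:
        return _norm(value) in [_norm(v) for v in condition["in"]]
    raise ValueError(f"unsupported condition: {condition}")


def check_deployment(resource: Dict, policies: List[Dict] = INITIATIVE) -> Dict:
    """Deny a deployment when any 'deny' policy's condition matches the new resource."""
    violations = [p["displayName"] for p in policies
                  if p["policyRule"]["then"]["effect"] == "deny"
                  and matches(p["policyRule"]["if"], resource)]
    return {"result": "denied" if violations else "allowed", "violations": violations}


def compliance_report(resources: List[Dict], policies: List[Dict] = INITIATIVE) -> Dict[str, Dict[str, int]]:
    """Per-subscription counts as on the compliance dashboard: a resource is
    non-compliant if the condition of any assigned policy matches it."""
    report: Dict[str, Dict[str, int]] = defaultdict(lambda: {"compliant": 0, "nonCompliant": 0})
    for res in resources:
        hit = any(matches(p["policyRule"]["if"], res) for p in policies)
        report[res["subscription"]]["nonCompliant" if hit else "compliant"] += 1
    return dict(report)


# Constructed storage accounts (subscription names and IDs are placeholders).
RESOURCES = [
    {"id": f"/subscriptions/sub-a/resourceGroups/rg1/providers/{STORAGE_TYPE}/stprod01",
     "subscription": "sub-a", "type": STORAGE_TYPE,
     f"{STORAGE_TYPE}/supportsHttpsTrafficOnly": "true",
     f"{STORAGE_TYPE}/encryption.keySource": "Microsoft.Keyvault"},     # compliant
    {"id": f"/subscriptions/sub-a/resourceGroups/rg1/providers/{STORAGE_TYPE}/stprod02",
     "subscription": "sub-a", "type": STORAGE_TYPE,
     f"{STORAGE_TYPE}/supportsHttpsTrafficOnly": "true",
     f"{STORAGE_TYPE}/encryption.keySource": "Microsoft.Storage"},      # audited: platform key
    {"id": f"/subscriptions/sub-b/resourceGroups/rg2/providers/{STORAGE_TYPE}/stdev01",
     "subscription": "sub-b", "type": STORAGE_TYPE,
     f"{STORAGE_TYPE}/supportsHttpsTrafficOnly": "false",
     f"{STORAGE_TYPE}/encryption.keySource": "Microsoft.Storage"},      # would be denied
]

if __name__ == "__main__":
    for res in RESOURCES:
        print(res["id"].rsplit("/", 1)[1], check_deployment(res))
    print(compliance_report(RESOURCES))
```

The distinction the explanation draws between Defender for Cloud and Azure Policy shows up in the two effects: the `deny` policy stops `stdev01` at deployment time, whereas the `audit` policy lets `stprod02` be created but reports it as non-compliant on the dashboard.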
Question 148
You need to detect risky sign-ins in Azure AD, including impossible travel and unfamiliar devices, and automatically enforce mitigation actions. Which solution should you implement?
A) Azure AD Identity Protection
B) Azure Policy
C) Network Security Group
D) Microsoft Defender for Cloud
Answer: A) Azure AD Identity Protection
Explanation:
Azure AD Identity Protection detects risky sign-ins using machine learning and behavioral analytics. It identifies anomalies such as impossible travel, unfamiliar locations, atypical behavior, and leaked credentials. Automated response policies can enforce MFA or require password resets for high-risk accounts, mitigating the risk of account compromise.
Azure Policy enforces resource compliance but cannot monitor sign-ins or detect identity threats.
Network Security Groups filter traffic but cannot evaluate sign-in risk or detect compromised accounts.
Microsoft Defender for Cloud monitors resource security but does not analyze Azure AD sign-in activity.
Azure AD Identity Protection is the correct solution because it proactively detects identity-based threats and automates mitigation. Integration with Conditional Access enables dynamic policy enforcement based on risk levels. Audit logs provide visibility and reporting for compliance, and administrators can respond promptly to high-risk sign-ins. This ensures that only legitimate users access resources while minimizing the risk of unauthorized access from compromised credentials.
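The "impossible travel" detection named above can be illustrated with the following added example (this is illustrative detection logic written for this page, not Identity Protection's own algorithm or code). It takes constructed successful sign-in events with a city and coordinates, computes the great-circle distance between each user's consecutive sign-ins, and flags a pair whose implied speed exceeds an assumed airliner-speed threshold. The coordinates, timestamps, IPs (from documentation ranges), the 900 km/h threshold and the mapping from detection to a recommended mitigation are all this example's assumptions.

```python
"""
Impossible-travel detection over sign-in events (illustrative detection logic, not
Microsoft Entra ID Protection's own algorithm). Events and thresholds are constructed.
"""
import math
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List

# Assumption: faster than a commercial airliner means it cannot be the same person.
MAX_PLAUSIBLE_SPEED_KMH = 900.0
EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS84 points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed successful sign-ins. Alice appears in Frankfurt one hour after Seattle
# from a device never seen before; Bob drives from Seattle to Portland in three hours.
SIGNINS: List[Dict] = [
    {"user": "alice", "time": "2024-03-01T09:00:00Z", "city": "Seattle",
     "lat": 47.6062, "lon": -122.3321, "ip": "198.51.100.10", "deviceId": "dev-a1"},
    {"user": "alice", "time": "2024-03-01T10:00:00Z", "city": "Frankfurt",
     "lat": 50.1109, "lon": 8.6821, "ip": "203.0.113.5", "deviceId": "dev-unknown"},
    {"user": "bob", "time": "2024-03-01T09:00:00Z", "city": "Seattle",
     "lat": 47.6062, "lon": -122.3321, "ip": "198.51.100.11", "deviceId": "dev-b1"},
    {"user": "bob", "time": "2024-03-01T12:00:00Z", "city": "Portland",
     "lat": 45.5152, "lon": -122.6784, "ip": "198.51.100.12", "deviceId": "dev-b1"},
]


def detect_impossible_travel(events: List[Dict],
                             max_speed_kmh: float = MAX_PLAUSIBLE_SPEED_KMH) -> List[Dict]:
    """Compare each user's consecutive sign-ins; flag pairs with an implausible speed."""
    by_user: Dict[str, List[Dict]] = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    detections: List[Dict] = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: _ts(e["time"]))
        for prev, cur in zip(evs, evs[1:]):
            hours = (_ts(cur["time"]) - _ts(prev["time"])).total_seconds() / 3600
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            speed = dist / hours if hours > 0 else (math.inf if dist > 0 else 0.0)
            if speed <= max_speed_kmh:
                continue
            # Assumed mitigation mapping: same device -> MFA challenge is enough;
            # an unfamiliar device on top of impossible travel -> treat credentials as exposed.
            same_device = prev["deviceId"] == cur["deviceId"]
            detections.append({
                "riskEventType": "impossibleTravel",
                "riskLevel": "high",
                "user": user, "from": prev["city"], "to": cur["city"],
                "distanceKm": round(dist), "speedKmh": round(speed), "ip": cur["ip"],
                "recommendedAction": "requireMfa" if same_device else "requirePasswordChange",
            })
    return detections


if __name__ == "__main__":
    for d in detect_impossible_travel(SIGNINS):
        print(d)
```

A detection like this is what a risk-based Conditional Access policy consumes: the sign-in is scored high risk, and the policy decides whether the mitigation is an MFA prompt or a forced credential reset.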
Question 149
You need to provide temporary administrative access to Azure virtual machines to reduce exposure to attacks. Which solution should you implement?
A) Microsoft Defender for Cloud JIT VM Access
B) Network Security Group
C) Azure Policy
D) Azure Key Vault
Answer: A) Microsoft Defender for Cloud JIT VM Access
Explanation:
Just-in-Time (JIT) VM Access in Microsoft Defender for Cloud is a security capability designed to significantly reduce the exposure of virtual machines to potential attacks. By default, management ports such as SSH (22), RDP (3389), or other administrative endpoints present an attractive target for cybercriminals who rely on continuous scanning and brute-force attempts. JIT mitigates this risk by keeping these ports closed at all times, only opening them for authorized users when access is explicitly requested. This reduces the attack surface while still enabling administrators to perform necessary maintenance or troubleshooting tasks.
When administrators need to access a VM, they submit a request for temporary, time-bound access. This request includes parameters such as the specific port, time window, and source IP address. Once approved (automatically or through a defined workflow), the system opens the required ports for the specified duration. At the end of the window, the ports close again, ensuring that access is tightly controlled and not accidentally left open. Every access request is logged, providing detailed audit trails that support security investigations, compliance reporting, and operational transparency.
This mechanism directly enhances security by minimizing the opportunities for brute-force attacks and unauthorized logins. Without JIT, organizations often leave management ports open continuously for convenience, creating persistent vulnerabilities. JIT enforces the principle of least privilege by ensuring that users only have access when absolutely necessary. In highly regulated environments, this level of control helps maintain compliance with security frameworks that require strict access governance and traceability.
While other Azure features contribute to overall security, they do not provide the same level of dynamic access management. Network Security Groups (NSGs), for example, are effective for filtering inbound and outbound traffic based on defined rules. However, they do not have built-in capabilities to automatically open and close ports on a temporary basis. NSGs enforce static rules, which means that if an administrator requires access, the port must be opened manually and can easily be forgotten or misconfigured.
Azure Policy provides governance and compliance enforcement by ensuring that resources adhere to organizational or regulatory standards. It can be used to verify configurations, prevent deployment of non-compliant resources, or enforce tagging, but it does not manage real-time administrative access or temporary port openings. It complements JIT but does not replace its functionality.
Azure Key Vault serves as a secure repository for secrets, encryption keys, passwords, certificates, and other sensitive information. While critical for safeguarding credentials, it does not control VM access or manage exposure of network ports. Instead, it works alongside JIT by securely storing the credentials that administrators may need when connecting to a VM.
Microsoft Defender for Cloud’s JIT VM Access is therefore the most appropriate and effective solution for scenarios requiring temporary administrative access. It strengthens operational security by ensuring privileges are granted only when necessary, automatically revoked when no longer in use, and thoroughly documented. This combination of least-privilege enforcement, minimized exposure, and comprehensive auditing significantly reduces risk and contributes to a robust, secure cloud environment.
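The request-validate-open-expire cycle described above is worked through in the following added example (illustrative simulation written for this page, not Defender for Cloud's implementation). The policy document mirrors the shape of a Defender for Cloud JIT network access policy (per-VM ports with an allowed source prefix and a maximum request duration), but the subscription ID, VM name, prefixes and requests are constructed placeholders, and the in-memory `JitController` stands in for the NSG rules the service actually writes.

```python
"""
Simulation of Just-in-Time VM access handling (illustrative; not the Defender for Cloud
implementation). The policy document mirrors the shape of a Defender for Cloud JIT
network access policy; IDs, prefixes and requests are constructed for this example.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

VM_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
         "/providers/Microsoft.Compute/virtualMachines/vm-web01")  # placeholder

JIT_POLICY = {
    "kind": "Basic",
    "properties": {"virtualMachines": [{
        "id": VM_ID,
        "ports": [
            {"number": 22, "protocol": "TCP", "allowedSourceAddressPrefix": "10.20.0.0/24",
             "maxRequestAccessDuration": "PT3H"},
            {"number": 3389, "protocol": "TCP", "allowedSourceAddressPrefix": "*",
             "maxRequestAccessDuration": "PT1H"},
        ],
    }]},
}

_DUR = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?$")


def parse_duration(iso: str) -> timedelta:
    """Parse the ISO 8601 duration subset JIT uses (e.g. PT3H, PT30M, PT1H30M)."""
    m = _DUR.match(iso)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {iso}")
    hours, minutes = (int(g) if g else 0 for g in m.groups())
    return timedelta(hours=hours, minutes=minutes)


class JitController:
    """Ports are closed by default; a rule exists only while an approved request is live."""

    def __init__(self, policy: Dict):
        self.ports = {(vm["id"], p["number"]): p
                      for vm in policy["properties"]["virtualMachines"] for p in vm["ports"]}
        self.rules: List[Dict] = []
        self.audit_log: List[Dict] = []

    def request_access(self, vm_id: str, port: int, source_ip: str, duration: str,
                       requester: str, now: datetime) -> Dict:
        """Validate a request against the policy; approved requests open a time-bound rule."""
        entry = self.ports.get((vm_id, port))
        reason: Optional[str] = None
        if entry is None:
            reason = "port not covered by JIT policy"
        elif parse_duration(duration) > parse_duration(entry["maxRequestAccessDuration"]):
            reason = "requested duration exceeds policy maximum"
        elif (entry["allowedSourceAddressPrefix"] != "*" and ipaddress.ip_address(source_ip)
              not in ipaddress.ip_network(entry["allowedSourceAddressPrefix"])):
            reason = "source address outside allowed prefix"
        status = "rejected" if reason else "approved"
        if status == "approved":
            self.rules.append({"vm": vm_id, "port": port, "source": source_ip,
                               "expiresAt": now + parse_duration(duration)})
        # Every request, approved or not, is recorded for audit.
        self.audit_log.append({"time": now, "requester": requester, "vm": vm_id, "port": port,
                               "source": source_ip, "duration": duration,
                               "status": status, "reason": reason})
        return {"status": status, "reason": reason}

    def expire(self, now: datetime) -> None:
        """Close every rule whose window has ended (the service does this automatically)."""
        self.rules = [r for r in self.rules if r["expiresAt"] > now]

    def is_open(self, vm_id: str, port: int, source_ip: str, now: datetime) -> bool:
        self.expire(now)
        return any(r["vm"] == vm_id and r["port"] == port and r["source"] == source_ip
                   for r in self.rules)


if __name__ == "__main__":
    ctl = JitController(JIT_POLICY)
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    print(ctl.request_access(VM_ID, 22, "10.20.0.15", "PT1H", "ops@example.com", t0))
    print("open after 30 min:", ctl.is_open(VM_ID, 22, "10.20.0.15", t0 + timedelta(minutes=30)))
    print("open after 2 h:", ctl.is_open(VM_ID, 22, "10.20.0.15", t0 + timedelta(hours=2)))
```

The contrast with a static NSG rule is the `expire` step: nobody has to remember to close the port, and the audit log keeps both the approvals and the rejections (wrong source range, over-long window, port not in policy) that a reviewer would want to see.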
Question 150
You need to implement centralized monitoring, threat detection, and automated response for security incidents across multiple Azure subscriptions. Which solution should you implement?
A) Microsoft Sentinel
B) Azure Key Vault
C) Network Security Group
D) Azure Policy
Answer: A) Microsoft Sentinel
Explanation:
Microsoft Sentinel is a comprehensive, cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) platform designed to provide organizations with centralized visibility and advanced threat detection capabilities across diverse environments. As modern infrastructures increasingly span Azure subscriptions, hybrid deployments, and multi-cloud or on-premises systems, Sentinel offers a unified solution that collects, analyzes, and correlates security data at scale. By aggregating logs and telemetry from Azure resources, on-premises servers, network devices, third-party security tools, and SaaS platforms, Sentinel creates a single pane of glass through which security teams can assess their organization’s overall security posture.
A key advantage of Microsoft Sentinel lies in its use of artificial intelligence and machine learning. These capabilities allow the platform to detect behavioral anomalies, identify suspicious patterns, and correlate multiple low-level events into meaningful, high-confidence alerts. Instead of relying solely on static rule-based detections, Sentinel’s analytics adapt to emerging threats and evolving attack techniques. By drawing on Microsoft’s global threat intelligence, it enhances the ability to spot indicators of compromise early, even when attackers attempt to hide within normal traffic or use subtle lateral-movement techniques.
Another major strength of Sentinel is its automation framework. Through automated playbooks built on Azure Logic Apps, organizations can streamline or fully automate incident response actions. These workflows can isolate potentially compromised virtual machines, disable user accounts suspected of being breached, block malicious IP addresses, or notify security teams through email, Teams, or ticketing systems. Automation not only accelerates response times but also reduces the manual workload on analysts, allowing them to focus on more complex investigations. It contributes significantly to reducing dwell time—the period attackers remain undetected within an environment—which is critical for minimizing damage and maintaining resilience.
When evaluating Sentinel against other Azure tools, the distinctions become clear. Azure Key Vault, for example, provides secure storage for keys, secrets, and certificates, but it does not offer any monitoring, threat detection, or automated response functions. It is not designed to identify anomalies, correlate events, or trigger remediation. Network Security Groups provide essential network-level traffic filtering but lack the ability to detect malicious behavior or launch automated countermeasures. Azure Policy ensures compliance with governance standards across resources, yet it does not perform real-time security monitoring or incident handling. None of these tools replace the advanced SIEM and SOAR capabilities Sentinel delivers.
Microsoft Sentinel ultimately stands out because it centralizes monitoring, enriches data with threat intelligence, and offers both proactive detection and automated response. Its integration with Microsoft Defender products further enhances accuracy and context, enabling more effective identification of threats. Security analysts can review detailed incident timelines, trace attack paths, conduct forensic investigations, and maintain comprehensive audit logs for regulatory compliance. By correlating events from multiple sources, Sentinel reduces noise and alert fatigue, allowing teams to prioritize the most critical issues. Overall, Microsoft Sentinel strengthens an organization’s security posture by ensuring timely detection, coordinated response, and continuous visibility across cloud and hybrid environments.
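The correlation-then-automation pattern described above is shown in the following added example (illustrative Python written for this page, not Sentinel's KQL analytics rules or a Logic Apps playbook). It groups constructed sign-in events from two subscriptions by source IP, raises one incident when a burst of failures inside a time window is followed by a success from the same address, and hands the incident to a small playbook that returns the response actions the explanation lists (block the IP, disable the account, notify). The log records, the thresholds and the notification address are this example's assumptions.

```python
"""
Correlation of low-level sign-in events into incidents, followed by an automated
response, in the spirit of a Sentinel analytics rule feeding a playbook (illustrative
Python, not Sentinel's KQL or a Logic Apps workflow). The log records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sign-in log across two subscriptions; IPs are from documentation ranges.
# 203.0.113.7 sprays several accounts and then succeeds as dave; 198.51.100.9 fails
# repeatedly without ever succeeding; 192.0.2.44 is ordinary benign activity.
EVENTS: List[Dict] = [
    {"time": "2024-03-01T09:00:05Z", "sub": "sub-a", "user": "alice", "ip": "203.0.113.7", "result": "failure"},
    {"time": "2024-03-01T09:00:20Z", "sub": "sub-a", "user": "bob", "ip": "203.0.113.7", "result": "failure"},
    {"time": "2024-03-01T09:00:41Z", "sub": "sub-b", "user": "carol", "ip": "203.0.113.7", "result": "failure"},
    {"time": "2024-03-01T09:01:02Z", "sub": "sub-a", "user": "dave", "ip": "203.0.113.7", "result": "failure"},
    {"time": "2024-03-01T09:01:25Z", "sub": "sub-a", "user": "alice", "ip": "203.0.113.7", "result": "failure"},
    {"time": "2024-03-01T09:01:50Z", "sub": "sub-a", "user": "dave", "ip": "203.0.113.7", "result": "failure"},
    {"time": "2024-03-01T09:03:10Z", "sub": "sub-a", "user": "dave", "ip": "203.0.113.7", "result": "success"},
    {"time": "2024-03-01T10:00:00Z", "sub": "sub-b", "user": "erin", "ip": "198.51.100.9", "result": "failure"},
    {"time": "2024-03-01T10:01:00Z", "sub": "sub-b", "user": "erin", "ip": "198.51.100.9", "result": "failure"},
    {"time": "2024-03-01T10:02:00Z", "sub": "sub-b", "user": "erin", "ip": "198.51.100.9", "result": "failure"},
    {"time": "2024-03-01T10:03:00Z", "sub": "sub-b", "user": "erin", "ip": "198.51.100.9", "result": "failure"},
    {"time": "2024-03-01T10:04:00Z", "sub": "sub-b", "user": "erin", "ip": "198.51.100.9", "result": "failure"},
    {"time": "2024-03-01T10:30:00Z", "sub": "sub-a", "user": "frank", "ip": "192.0.2.44", "result": "success"},
]


def correlate(events: List[Dict], threshold: int = 5,
              window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """One incident per source IP that produced `threshold` failures inside `window`;
    a later success from the same IP escalates it to High with the account named."""
    by_ip: Dict[str, List[Dict]] = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    incidents: List[Dict] = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: _ts(e["time"]))
        failures = [e for e in evs if e["result"] == "failure"]
        burst_end = None
        for i in range(len(failures) - threshold + 1):          # sliding window
            first, last = failures[i], failures[i + threshold - 1]
            if _ts(last["time"]) - _ts(first["time"]) <= window:
                burst_end = _ts(last["time"])
                break
        if burst_end is None:
            continue
        successes = [e for e in evs if e["result"] == "success" and _ts(e["time"]) >= burst_end]
        incidents.append({
            "title": "Credential brute force" + (" followed by successful sign-in" if successes else ""),
            "severity": "High" if successes else "Medium",
            "sourceIp": ip,
            "targetedUsers": sorted({e["user"] for e in failures}),
            "compromisedUsers": sorted({e["user"] for e in successes}),
            "subscriptions": sorted({e["sub"] for e in evs}),
            "firstSeen": failures[0]["time"],
        })
    return incidents


def run_playbook(incident: Dict) -> List[Dict]:
    """Response actions keyed to severity (the steps a Logic Apps playbook would carry out)."""
    actions = [{"action": "block_ip", "target": incident["sourceIp"]}]
    if incident["severity"] == "High":
        actions += [{"action": "disable_user", "target": u} for u in incident["compromisedUsers"]]
    actions.append({"action": "notify", "target": "soc@example.com"})  # assumed SOC mailbox
    return actions


if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(inc["severity"], inc["title"], run_playbook(inc))
```

What the single incident buys the analyst is context: thirteen raw log lines collapse into two incidents, the one with a confirmed compromise is ranked above the one without, and only that one triggers the disruptive account-disable action.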