Microsoft AZ-500 Azure Security Technologies Exam Dumps and Practice Test Questions Set 6 Q101-120


Question 101:

You need to ensure that only compliant devices can access Azure resources and that access is blocked for non-compliant devices. Which solution should you implement?

A) Conditional Access policies with device compliance
B) Network Security Groups
C) Azure Key Vault
D) Azure Policy only

Answer:

A) Conditional Access policies with device compliance

Explanation:

Conditional Access policies in Azure Active Directory enforce access based on device compliance. This allows organizations to define rules requiring devices to meet specific security criteria before accessing Azure resources. Compliance criteria can include endpoint protection status, disk encryption, up-to-date operating systems, and configuration settings.

When a device attempts access, Conditional Access evaluates its compliance status. Non-compliant devices can be blocked or restricted from accessing resources until they meet the required standards. This ensures that only secure, verified devices interact with sensitive workloads, reducing the risk of malware, unauthorized access, or data exfiltration.

Option B, Network Security Groups, filter network traffic but do not enforce device compliance or evaluate security posture.

Option C, Azure Key Vault, secures secrets but does not control access based on device compliance.

Option D, Azure Policy, audits configuration but cannot dynamically block access based on real-time compliance evaluation.

By implementing Conditional Access policies with device compliance, organizations strengthen security and enforce zero-trust principles. It ensures that only secure devices access critical resources, minimizes the risk of compromise, and supports regulatory compliance. Integration with logging and alerting allows administrators to monitor access attempts and non-compliant devices, providing visibility and enabling rapid remediation. This approach combines identity verification, device compliance, and access management to maintain a secure and operationally efficient environment.

Question 102:

You need to ensure that Azure Storage accounts prevent public access and that only specific networks can connect. Which solution should you implement?

A) Storage account firewall with virtual network integration
B) Network Security Groups
C) Azure Policy only
D) Azure Key Vault

Answer:

A) Storage account firewall with virtual network integration

Explanation:

Azure Storage accounts provide network-level access controls to restrict which virtual networks and IP addresses can access resources. By enabling the firewall and integrating with specific virtual networks, organizations can prevent public access while allowing only trusted connections.

Virtual network integration can include service endpoints or private endpoints, ensuring traffic does not traverse public internet paths. This mitigates the risk of unauthorized access or exposure of sensitive data. Firewall rules provide granular control, including restrictions by subnet or individual IP addresses. Audit logs track all connection attempts, allowing administrators to detect anomalies and maintain compliance with organizational or regulatory requirements.

Option B, Network Security Groups, control traffic at the subnet or VM level but do not provide storage account-level restrictions or enforce firewall rules.

Option C, Azure Policy, can audit storage account configurations but cannot enforce runtime access control.

Option D, Azure Key Vault, secures keys and secrets but does not manage storage account network access.

By implementing a storage account firewall with virtual network integration, organizations ensure that storage resources are only accessible by trusted networks, reducing exposure to threats. Audit logs provide visibility into access patterns and support compliance and forensic investigations. This approach combines network isolation with security governance to protect critical data while maintaining operational efficiency.

Question 103:

You need to ensure that all Azure SQL Database connections are encrypted and that login attempts are auditable. Which solution should you implement?

A) Enforce TLS connections with auditing enabled
B) Network Security Groups
C) Azure Policy only
D) Azure Key Vault

Answer:

A) Enforce TLS connections with auditing enabled

Explanation:

Enforcing TLS connections ensures that all communication between clients and Azure SQL Databases is encrypted. This prevents eavesdropping, man-in-the-middle attacks, and interception of sensitive data during transmission. Combined with auditing, organizations can monitor login attempts, database operations, and schema changes.

Auditing captures detailed information about each action, including the identity performing the operation, timestamps, success or failure, and the resource involved. Logs can be exported to Log Analytics, Event Hubs, or storage accounts for long-term retention, supporting compliance reporting and forensic analysis. Auditing allows security teams to detect anomalies, such as repeated failed logins, unauthorized queries, or privilege escalations.

Option B, Network Security Groups, filter traffic but cannot enforce encryption or log database operations.

Option C, Azure Policy, audits configurations but does not enforce TLS connections or runtime auditing.

Option D, Azure Key Vault, secures keys and secrets but does not enforce encryption for SQL connections or provide auditing.

By implementing TLS enforcement with auditing enabled, organizations ensure confidentiality, integrity, and accountability for all database connections. This supports regulatory compliance, protects sensitive data, and provides actionable insights for security monitoring. Continuous review of audit logs helps detect anomalous activities and strengthens the overall security posture of Azure SQL Database deployments.

Question 104:

You need to protect Azure virtual machines from malware and ransomware, and ensure any detected threats generate alerts. Which solution should you implement?

A) Azure Defender for Servers with endpoint protection
B) Network Security Groups
C) Azure Policy only
D) Azure Key Vault

Answer:

A) Azure Defender for Servers with endpoint protection

Explanation:

Azure Defender for Servers provides integrated endpoint protection for virtual machines, detecting and preventing malware, ransomware, and other malicious activity. The solution continuously monitors files, processes, and system configurations, generating alerts when threats are detected.

Defender integrates with Microsoft Antimalware for Windows and provides equivalent protection for Linux VMs. Security alerts are centralized in Azure Security Center, enabling consistent monitoring across subscriptions. Alerts can be forwarded to SIEM systems like Azure Sentinel for automated analysis and response.

Option B, Network Security Groups, filter traffic but cannot detect malware or monitor VM processes.

Option C, Azure Policy, enforces configuration standards but does not provide runtime protection against malware.

Option D, Azure Key Vault, secures secrets but does not provide malware detection or alerts.

By implementing Azure Defender for Servers with endpoint protection, organizations maintain a proactive security posture, detecting and responding to threats before they can compromise virtual machines. Centralized alerting, integration with monitoring tools, and reporting capabilities enable rapid investigation and remediation, supporting compliance and operational security. This approach ensures continuous protection of workloads while minimizing risk to critical systems.

Question 105:

You need to ensure that Azure virtual machines comply with security baselines, and that non-compliant VMs are automatically remediated. Which solution should you implement?

A) Azure Policy with remediation tasks
B) Network Security Groups
C) Azure Key Vault
D) Azure Monitor

Answer:

A) Azure Policy with remediation tasks

Explanation:

Azure Policy enables organizations to define and enforce security baselines for virtual machines, including required configurations for disk encryption, endpoint protection, secure boot, and logging. Policies can be applied to subscriptions, resource groups, or individual VMs to ensure consistent compliance across the environment.

Remediation tasks automatically correct non-compliant resources, either by applying the required configurations or by notifying administrators for further action. This reduces operational overhead, ensures uniform security standards, and minimizes exposure to threats. Centralized reporting and dashboards provide visibility into compliance status, remediation progress, and security posture trends.

Option B, Network Security Groups, filter network traffic but do not enforce baseline configurations or remediate non-compliance.

Option C, Azure Key Vault, secures secrets but does not enforce VM configurations.

Option D, Azure Monitor, provides logging and monitoring but cannot remediate non-compliant VMs or enforce baseline standards.

By implementing Azure Policy with remediation tasks, organizations maintain continuous compliance for virtual machines. Automated remediation ensures non-compliant resources are quickly corrected, enhancing security, operational efficiency, and regulatory adherence. Integration with monitoring and reporting tools enables administrators to track compliance trends, prioritize actions, and demonstrate adherence to organizational and regulatory requirements.

Question 106:

You need to ensure that all Azure Storage blobs are encrypted using your organization’s keys and that all key operations are auditable. Which solution should you implement?

A) Storage account encryption with customer-managed keys in Key Vault
B) Network Security Groups
C) Azure Policy only
D) Transparent Data Encryption

Answer:

A) Storage account encryption with customer-managed keys in Key Vault

Explanation:

Azure Storage accounts support encryption at rest using either Microsoft-managed keys or customer-managed keys (CMK). By configuring CMK stored in Azure Key Vault, organizations maintain control over key lifecycle, including creation, rotation, revocation, and auditing.

Customer-managed keys provide strong control and accountability, ensuring that only authorized users can encrypt or decrypt storage data. Key Vault logs every operation, capturing the identity performing the action, the operation type, timestamp, and success or failure. This enables auditing for compliance and forensic investigation. Integration with Azure Monitor or Security Center allows administrators to detect unauthorized access attempts and respond proactively.

Option B, Network Security Groups, filter traffic but cannot enforce encryption or manage keys.

Option C, Azure Policy, can audit storage encryption but does not enforce runtime encryption or provide detailed operational logging.

Option D, Transparent Data Encryption, applies to databases, not storage accounts, and cannot manage storage encryption keys.

By implementing storage account encryption with customer-managed keys, organizations ensure sensitive data is encrypted under their control while maintaining full visibility and auditability. This supports regulatory compliance, operational governance, and secure management of cryptographic material. Integration with monitoring systems ensures any suspicious or unauthorized access is promptly detected and remediated, minimizing risks and maintaining data confidentiality.

Question 107:

You need to ensure that Azure virtual machines are protected from malware and ransomware, and that detected threats generate alerts for the security team. Which solution should you implement?

A) Azure Defender for Servers with endpoint protection
B) Network Security Groups
C) Azure Policy only
D) Azure Key Vault

Answer:

A) Azure Defender for Servers with endpoint protection

Explanation:

Azure Defender for Servers provides continuous endpoint protection for virtual machines. It monitors processes, file systems, and system configurations to detect malware, ransomware, and suspicious activity. Detected threats generate alerts for the security team, enabling proactive investigation and remediation.

The solution integrates with Microsoft Antimalware for Windows and offers equivalent protection for Linux VMs. Alerts are centralized in Security Center, providing a unified view of threats across subscriptions. Integration with Azure Sentinel or other SIEM solutions allows automated alert handling, correlation with other events, and automated remediation workflows.

Option B, Network Security Groups, filter traffic but do not detect malware or suspicious processes.

Option C, Azure Policy, enforces configuration compliance but cannot provide runtime malware protection or alerting.

Option D, Azure Key Vault, secures secrets but does not provide malware detection or VM protection.

By implementing Azure Defender for Servers with endpoint protection, organizations maintain proactive security and operational control. Continuous monitoring and alerting enable detection of threats before they can compromise workloads, reduce risk exposure, and support compliance requirements. Integration with security and monitoring tools improves operational efficiency and ensures a strong security posture across all virtual machines.

Question 108:

You need to ensure that Azure SQL Databases enforce encrypted connections and that all login and query operations are auditable. Which solution should you implement?

A) Enforce TLS connections with auditing enabled
B) Network Security Groups
C) Azure Policy only
D) Azure Key Vault

Answer:

A) Enforce TLS connections with auditing enabled

Explanation:

Enforcing TLS connections ensures that all client-server communications with Azure SQL Databases are encrypted. This prevents data interception, man-in-the-middle attacks, and unauthorized access during transmission. Combined with auditing, this allows organizations to track login attempts, query executions, schema modifications, and permission changes.

Auditing logs contain details about the identity performing the action, timestamps, operation types, and success or failure. Logs can be exported to Log Analytics, Event Hubs, or storage accounts for compliance reporting, forensic analysis, and operational monitoring. This helps detect unusual access patterns, repeated failed logins, or unauthorized attempts to modify database structures.

Option B, Network Security Groups, filter traffic but cannot enforce encryption or log database operations.

Option C, Azure Policy, can audit compliance with TLS settings but cannot enforce encryption at runtime or provide operational auditing.

Option D, Azure Key Vault, secures keys but does not enforce SQL connection encryption or auditing.

By implementing TLS enforcement with auditing enabled, organizations ensure confidentiality, integrity, and accountability for database operations. This supports regulatory compliance, mitigates risks associated with data interception, and allows security teams to respond to anomalies or unauthorized access attempts. Continuous monitoring and auditing strengthen the security posture of all SQL Databases in Azure.
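The detections the explanations for Questions 103 and 108 describe (repeated failed logins, schema changes by the wrong principal), as an added example that is not part of the original page or Microsoft's tooling. The records below are constructed; the field names imitate what Azure SQL auditing writes but are assumptions chosen for illustration.

```python
"""Azure SQL auditing: detections over constructed audit records."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _failed_login(ts, principal, ip):
    # Shape of a failed-authentication record; field names are assumptions.
    return {"event_time": ts, "action_name": "DATABASE AUTHENTICATION FAILED", "succeeded": False,
            "server_principal_name": principal, "client_ip": ip, "statement": ""}


# Constructed sample: a burst of failures for one login from one address, two
# failures for a normal user, and a schema change by an account that is not a DBA.
AUDIT_RECORDS = [
    _failed_login(f"2024-05-01T08:0{m}:{s}Z", "sa_reports", "203.0.113.10")
    for m, s in [(0, "01"), (0, "20"), (0, "45"), (1, "10"), (1, "30"), (2, "00")]
] + [
    _failed_login("2024-05-01T09:15:00Z", "alice", "10.0.1.5"),
    _failed_login("2024-05-01T09:15:30Z", "alice", "10.0.1.5"),
    {"event_time": "2024-05-01T09:16:00Z", "action_name": "DATABASE AUTHENTICATION SUCCEEDED", "succeeded": True,
     "server_principal_name": "alice", "client_ip": "10.0.1.5", "statement": ""},
    {"event_time": "2024-05-01T09:16:10Z", "action_name": "BATCH COMPLETED", "succeeded": True,
     "server_principal_name": "alice", "client_ip": "10.0.1.5", "statement": "SELECT TOP 10 * FROM dbo.Orders"},
    {"event_time": "2024-05-01T09:20:00Z", "action_name": "BATCH COMPLETED", "succeeded": True,
     "server_principal_name": "svc_deploy", "client_ip": "10.0.2.8",
     "statement": "ALTER TABLE dbo.Orders ADD Region nvarchar(8)"},
    {"event_time": "2024-05-01T09:25:00Z", "action_name": "BATCH COMPLETED", "succeeded": True,
     "server_principal_name": "alice", "client_ip": "10.0.1.5", "statement": "DROP TABLE dbo.AuditTrail"},
]

DDL_PATTERN = re.compile(r"^\s*(ALTER|CREATE|DROP)\b", re.IGNORECASE)


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def failed_login_bursts(records, threshold=5, window=timedelta(minutes=5)):
    """Return [(principal, client_ip, count)] for sources whose failed logins reach
    `threshold` inside any interval of length `window` (sliding window per source)."""
    failures = defaultdict(list)
    for r in records:
        if r["action_name"] == "DATABASE AUTHENTICATION FAILED" and not r["succeeded"]:
            failures[(r["server_principal_name"], r["client_ip"])].append(parse_time(r["event_time"]))
    bursts = []
    for (principal, ip), times in failures.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts.append((principal, ip, best))
    return sorted(bursts)


def unauthorized_schema_changes(records, allowed_principals):
    """Successful DDL statements run by a principal outside the allow-list; this is
    the 'unauthorized queries or privilege escalation' signal the audit log exists for."""
    return [(r["event_time"], r["server_principal_name"], r["statement"])
            for r in records
            if r["succeeded"] and DDL_PATTERN.match(r.get("statement", ""))
            and r["server_principal_name"] not in allowed_principals]


if __name__ == "__main__":
    for principal, ip, count in failed_login_bursts(AUDIT_RECORDS):
        print(f"failed-login burst: {principal} from {ip} ({count} attempts)")
    for when, who, stmt in unauthorized_schema_changes(AUDIT_RECORDS, {"svc_deploy"}):
        print(f"schema change by non-DBA {who} at {when}: {stmt}")
```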

Question 109:

You need to ensure that Azure virtual machines are accessible only to authorized users for limited time periods and that exposed management ports are protected from attacks. Which solution should you implement?

A) Azure Defender for Servers with Just-in-Time VM Access
B) Network Security Groups only
C) Azure Policy
D) Azure Key Vault

Answer:

A) Azure Defender for Servers with Just-in-Time VM Access

Explanation:

Just-in-Time (JIT) VM Access is a security feature that temporarily opens management ports such as RDP and SSH only when explicitly requested. This approach reduces exposure to brute-force attacks and unauthorized access.

When a user requests access, they specify the allowed IP address and the duration of the session. Once the session expires, ports are automatically closed, reducing the attack surface. Audit logs capture all JIT requests, enabling compliance, monitoring, and forensic investigation. Integration with Azure Security Center and Sentinel allows centralized management, alerting, and reporting of access requests.

Option B, Network Security Groups, filter traffic but cannot dynamically open or close ports or enforce temporary access policies.

Option C, Azure Policy, enforces configuration standards but cannot control real-time access to VMs.

Option D, Azure Key Vault, secures secrets but does not manage VM access or port exposure.

By implementing Azure Defender for Servers with JIT VM Access, organizations ensure that administrative access is granted only to verified users for the required duration. Automated port closure, logging, and monitoring reduce the risk of compromise, maintain operational efficiency, and support zero-trust security principles. This approach safeguards critical workloads while providing traceability for auditing and compliance.

Question 110:

You need to detect and respond to suspicious sign-in activity in Azure Active Directory, including multiple failed attempts and logins from unusual locations. Which solution should you implement?

A) Azure AD Identity Protection with automated risk remediation
B) Network Security Groups
C) Azure Policy only
D) Azure Key Vault

Answer:

A) Azure AD Identity Protection with automated risk remediation

Explanation:

Azure AD Identity Protection provides risk-based monitoring of user sign-ins. It detects anomalous activities such as multiple failed sign-ins, impossible travel, and atypical device usage. Each risk is assigned a severity level, allowing organizations to prioritize responses based on the potential threat.

Automated risk remediation enables predefined actions based on risk levels. For example, high-risk sign-ins can trigger multi-factor authentication, block access, or enforce password resets. Alerts provide visibility into potential threats, and integration with Azure Sentinel or monitoring tools allows automated investigation and response workflows.

Option B, Network Security Groups, filter network traffic but cannot monitor user sign-ins or respond to identity anomalies.

Option C, Azure Policy, enforces configuration compliance but does not detect or remediate risky sign-ins.

Option D, Azure Key Vault, secures secrets but does not monitor or respond to user authentication risks.

By implementing Azure AD Identity Protection with automated risk remediation, organizations enhance identity security and enforce a zero-trust model. Detailed logging supports compliance audits, forensic analysis, and operational monitoring. Automated remediation reduces operational overhead and mitigates the risk of account compromise. This approach strengthens security, protects sensitive resources, and ensures only verified users can access Azure resources safely.

Question 111:

You need to ensure that Azure virtual machines are monitored for configuration drift and non-compliance with corporate security baselines, and that any deviations are automatically remediated. Which solution should you implement?

A) Azure Policy with remediation tasks
B) Network Security Groups
C) Azure Key Vault
D) Azure Monitor

Answer:

A) Azure Policy with remediation tasks

Explanation:

Azure Policy allows organizations to enforce security baselines and configuration standards across virtual machines. Security baselines may include requirements for disk encryption, endpoint protection, secure boot, logging, and other security configurations. Azure Policy continuously evaluates resource compliance, detecting any configuration drift or deviation from the defined standards.

Remediation tasks can automatically correct non-compliant virtual machines by applying required configurations or notifying administrators for further action. This reduces the operational burden of manually tracking and correcting security misconfigurations. Azure Policy integrates with Azure Security Center and other monitoring solutions, providing centralized dashboards that show compliance status, non-compliant resources, and remediation actions taken.

Option B, Network Security Groups, control network traffic but cannot enforce baseline configurations or remediate non-compliance.

Option C, Azure Key Vault, secures keys and secrets but does not manage VM configurations.

Option D, Azure Monitor, provides logging and monitoring but does not enforce configuration compliance or remediation.

By implementing Azure Policy with remediation tasks, organizations ensure continuous compliance with corporate security standards. Automated remediation reduces the risk of vulnerabilities due to misconfigurations, strengthens the security posture, and supports regulatory and internal audit requirements. Integration with monitoring and reporting tools enables administrators to track trends, prioritize actions, and maintain visibility into overall compliance across all virtual machines. This proactive approach ensures operational efficiency and reduces the potential for security incidents caused by configuration drift.

Question 112:

You need to ensure that Azure SQL Databases are encrypted at rest using keys controlled by your organization and that all key operations are auditable. Which solution should you implement?

A) Transparent Data Encryption with customer-managed keys
B) Network Security Groups
C) Azure Policy only
D) Azure Key Vault

Answer:

A) Transparent Data Encryption with customer-managed keys

Explanation:

Transparent Data Encryption (TDE) ensures that Azure SQL Database data is encrypted at rest. By configuring TDE with customer-managed keys (CMK), organizations maintain control over key creation, rotation, and revocation. This ensures that sensitive data is encrypted under organizational control rather than relying solely on Microsoft-managed keys.

Key usage is fully auditable through Azure Key Vault logs, which track all encryption and decryption operations, key retrievals, and modifications. Auditing provides transparency, supports regulatory compliance, and enables forensic investigations if unauthorized access is suspected. TDE with CMK also ensures that backups, snapshots, and replicas are encrypted using the managed keys, providing consistent protection across all database copies.

Option B, Network Security Groups, filter network traffic but do not encrypt databases or manage keys.

Option C, Azure Policy, can audit whether CMK is in use but cannot enforce encryption or track key operations in real time.

Option D, Azure Key Vault, secures keys but does not directly encrypt SQL Database data without integration with TDE.

By implementing Transparent Data Encryption with customer-managed keys, organizations achieve strong encryption with full control and visibility over cryptographic material. Continuous auditing of key operations ensures accountability, compliance, and operational governance. This approach enhances security by protecting sensitive data from unauthorized access while maintaining a verifiable and auditable trail of key usage, strengthening overall database security posture.

Question 113:

You need to detect and respond to suspicious user sign-ins in Azure Active Directory, including impossible travel and multiple failed login attempts. Which solution should you implement?

A) Azure AD Identity Protection with automated risk remediation
B) Network Security Groups
C) Azure Policy only
D) Azure Key Vault

Answer:

A) Azure AD Identity Protection with automated risk remediation

Explanation:

Azure AD Identity Protection provides risk-based detection of suspicious sign-in activity. It identifies unusual patterns such as impossible travel between locations, multiple failed login attempts, or atypical device usage. Each detected risk is assigned a severity level, allowing security teams to prioritize response based on potential impact.

Automated risk remediation can enforce conditional access policies based on detected risk levels. For instance, high-risk sign-ins may require multi-factor authentication, block access, or enforce password resets. Security alerts provide visibility into these events, while integration with Azure Sentinel allows automated monitoring, incident response, and correlation with other security events.

Option B, Network Security Groups, filter network traffic but cannot detect user anomalies or respond to identity risks.

Option C, Azure Policy, enforces resource compliance but does not monitor sign-ins or implement risk-based remediation.

Option D, Azure Key Vault, secures secrets but does not monitor user authentication or enforce responses to risky sign-ins.

By implementing Azure AD Identity Protection with automated risk remediation, organizations enhance identity security and reduce the risk of compromised accounts. Automated responses reduce operational overhead and ensure that only verified users can access sensitive resources. Detailed logging supports compliance audits, forensic investigations, and operational monitoring, strengthening overall security posture in alignment with zero-trust principles.

Question 114:

You need to ensure that Azure virtual machines are compliant with corporate security baselines and that non-compliant machines are automatically corrected. Which solution should you implement?

A) Azure Policy with remediation tasks
B) Network Security Groups
C) Azure Key Vault
D) Azure Monitor

Answer:

A) Azure Policy with remediation tasks

Explanation:

Azure Policy allows organizations to define and enforce security baselines for virtual machines. These baselines may include encryption, endpoint protection, secure boot, monitoring agents, and logging requirements. Azure Policy continuously evaluates virtual machines for compliance against these baselines.

Remediation tasks automatically correct non-compliant machines by applying the necessary configuration or alerting administrators for manual action. This ensures that VMs maintain a consistent security posture and reduces the risk of vulnerabilities caused by misconfigurations. Integration with Azure Security Center and monitoring tools provides visibility into compliance trends, remediation success, and remaining non-compliant resources.

Option B, Network Security Groups, filter network traffic but do not enforce configuration compliance or perform remediation.

Option C, Azure Key Vault, secures secrets but does not manage VM configuration compliance.

Option D, Azure Monitor, provides logging and monitoring but cannot enforce compliance or remediate non-compliant resources.

By implementing Azure Policy with remediation tasks, organizations maintain operational consistency, reduce administrative overhead, and strengthen security posture. Automated remediation ensures timely correction of non-compliant machines, while reporting tools allow tracking of trends and compliance progress. This approach supports regulatory requirements, operational governance, and overall risk reduction in managing Azure virtual machines.

Question 115:

You need to ensure that Azure Storage accounts are accessible only from specific virtual networks and that all access attempts are logged for auditing purposes. Which solution should you implement?

A) Storage account firewall with virtual network integration and logging enabled
B) Network Security Groups
C) Azure Policy only
D) Azure Key Vault

Answer:

A) Storage account firewall with virtual network integration and logging enabled

Explanation:

Azure Storage accounts can be secured using firewalls and virtual network integration, restricting access to only trusted subnets and IP ranges. This ensures that public internet access is blocked and storage traffic is routed securely through the Azure backbone network.

Enabling logging captures detailed information about every access attempt, including the identity performing the operation, IP address, resource accessed, operation type, and timestamp. Logs can be stored in Log Analytics, Event Hubs, or storage accounts for auditing, monitoring, and compliance purposes. These logs enable detection of unauthorized access, analysis of unusual patterns, and support for regulatory reporting and forensic investigation.

Option B, Network Security Groups, control traffic at the VM or subnet level but cannot enforce storage account-level access restrictions or detailed logging.

Option C, Azure Policy, can audit storage configurations but does not enforce runtime access restrictions or capture access logs.

Option D, Azure Key Vault, secures keys and secrets but does not manage storage access or logging.

By implementing a storage account firewall with virtual network integration and logging, organizations achieve strong network isolation while maintaining comprehensive visibility into access activity. This ensures only trusted networks can access storage resources, reduces exposure to threats, and provides an auditable trail for compliance and security operations. Integration with monitoring and alerting solutions enhances operational security, supports proactive threat detection, and enforces governance over sensitive storage resources.
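The firewall semantics from Questions 102 and 115 (default deny, IP rules, virtual network rules, trusted-service bypass) modelled in code, with a weak configuration beside a hardened one and a replay over constructed access-log entries. This is an added example, not the page's or Azure's own code; the subnet resource ID, address ranges and log field names are constructed assumptions.

```python
"""Storage account network rules modelled in Python, plus a log replay check."""
import ipaddress
from dataclasses import dataclass, field

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class StorageNetworkRules:
    default_action: str = "Deny"                     # "Allow" leaves the account reachable from anywhere
    ip_rules: list = field(default_factory=list)     # public IPs or CIDRs admitted through the firewall
    subnet_ids: set = field(default_factory=set)     # subnets granted a virtual network rule
    bypass: set = field(default_factory=lambda: {"AzureServices"})

    def allows(self, source_ip=None, subnet_id=None, trusted_service=False):
        """Decide one request in the order the firewall applies its rules."""
        if trusted_service and "AzureServices" in self.bypass:
            return True
        if subnet_id is not None and subnet_id in self.subnet_ids:
            return True
        if source_ip is not None:
            ip = ipaddress.ip_address(source_ip)
            if any(ip in ipaddress.ip_network(r, strict=False) for r in self.ip_rules):
                return True
        return self.default_action == "Allow"


def weaknesses(rules):
    """Configuration findings to raise before trusting the firewall at all."""
    findings = []
    if rules.default_action != "Deny":
        findings.append("default action is Allow: every network can reach the account")
    for r in rules.ip_rules:
        net = ipaddress.ip_network(r, strict=False)
        if net.prefixlen == 0:
            findings.append(f"IP rule {r} admits the whole internet")
        elif any(net.subnet_of(p) for p in RFC1918):
            findings.append(f"IP rule {r} is a private range; grant the subnet a virtual network rule instead")
    return findings


def unexpected_successes(rules, log_entries):
    """Successful requests whose source the current rules would not admit: either the
    rules were tightened after the access happened or the request arrived by a path
    the rules do not cover. Each one deserves review."""
    return [e for e in log_entries
            if 200 <= e["status"] < 300
            and not rules.allows(e.get("caller_ip"), e.get("subnet_id"), e.get("trusted_service", False))]


# Constructed configurations and log sample (not real resource IDs or traffic).
WEB_SUBNET = ("/subscriptions/<subscription-id>/resourceGroups/rg-app/providers/"
              "Microsoft.Network/virtualNetworks/vnet-app/subnets/snet-web")
WEAK = StorageNetworkRules(default_action="Allow", ip_rules=["0.0.0.0/0"])
HARDENED = StorageNetworkRules(default_action="Deny", ip_rules=["198.51.100.0/24"],
                               subnet_ids={WEB_SUBNET})

SAMPLE_LOG = [
    {"time": "2024-05-01T08:00:00Z", "operation": "GetBlob", "identity": "mi-web",
     "subnet_id": WEB_SUBNET, "status": 200},
    {"time": "2024-05-01T08:05:00Z", "operation": "ListContainers", "identity": "alice",
     "caller_ip": "198.51.100.22", "status": 200},
    {"time": "2024-05-01T08:09:00Z", "operation": "GetBlob", "identity": "anonymous",
     "caller_ip": "203.0.113.77", "status": 200},   # succeeded while the account was still open
    {"time": "2024-05-01T08:10:00Z", "operation": "PutBlob", "identity": "anonymous",
     "caller_ip": "203.0.113.77", "status": 403},
    {"time": "2024-05-01T08:15:00Z", "operation": "GetBlob", "identity": "AzureBackup",
     "trusted_service": True, "status": 200},
]


if __name__ == "__main__":
    print("weak config:", weaknesses(WEAK))
    for e in unexpected_successes(HARDENED, SAMPLE_LOG):
        print("review:", e["time"], e["operation"], e.get("caller_ip"))
```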

Question 116:

You need to ensure that Azure virtual machines are protected from brute-force attacks on management ports and that access is only granted to verified users temporarily. Which solution should you implement?

A) Azure Defender for Servers with Just-in-Time VM Access
B) Network Security Groups only
C) Azure Policy
D) Azure Key Vault

Answer:

A) Azure Defender for Servers with Just-in-Time VM Access

Explanation:

Just-in-Time (JIT) VM Access provides dynamic control over management ports such as RDP and SSH. By allowing ports to be opened only upon request and for a limited time, it significantly reduces the attack surface for brute-force attacks.

When an administrator or authorized user requests access, they specify the allowed IP address range and the session duration. Once the session expires, ports automatically close, preventing continuous exposure. JIT access is fully auditable, with logs capturing who requested access, when, from where, and for how long. These logs support regulatory compliance, forensic investigations, and operational monitoring.

Option B, Network Security Groups, can restrict traffic but cannot dynamically open or close ports or enforce temporary access windows.

Option C, Azure Policy, enforces configuration standards but does not provide real-time access control for management ports.

Option D, Azure Key Vault, secures secrets and cryptographic keys but does not manage VM access.

Implementing Azure Defender for Servers with JIT VM Access ensures that only verified users can access critical virtual machines during designated periods. This proactive approach strengthens operational security, reduces the risk of unauthorized access, and aligns with zero-trust principles. Integration with monitoring tools allows organizations to track access trends, detect anomalies, and respond quickly to potential security incidents. By limiting exposure and maintaining detailed logs, organizations can protect critical workloads while maintaining auditability and operational efficiency.

Question 117:

You need to ensure that Azure SQL Databases are encrypted at rest using keys controlled by your organization and that all encryption and decryption operations are auditable. Which solution should you implement?

A) Transparent Data Encryption with customer-managed keys
B) Network Security Groups
C) Azure Policy only
D) Azure Key Vault

Answer:

A) Transparent Data Encryption with customer-managed keys

Explanation:

Transparent Data Encryption (TDE) with customer-managed keys (CMK) allows organizations to retain control over encryption keys used to protect Azure SQL Database data at rest. CMK provides the ability to create, rotate, revoke, and monitor keys stored in Azure Key Vault.

Auditing key usage ensures that every encryption or decryption operation is recorded. Logs capture which user accessed the key, the operation type, timestamp, and outcome, providing full visibility for compliance, forensic analysis, and operational governance. TDE with CMK ensures that backups, snapshots, and replicas are encrypted using the same keys, maintaining consistent protection across all database copies.

Option B, Network Security Groups, control network traffic but cannot encrypt data or audit key usage.

Option C, Azure Policy, can audit whether CMK is used but does not enforce encryption or track runtime key operations.

Option D, Azure Key Vault, secures keys but does not automatically apply encryption to databases without TDE integration.

By implementing Transparent Data Encryption with customer-managed keys, organizations ensure data confidentiality while maintaining full operational control over cryptographic keys. Continuous auditing supports regulatory requirements, strengthens security posture, and provides accountability for key usage. This approach enables organizations to meet compliance standards, detect unauthorized access attempts, and maintain a verifiable audit trail, ensuring sensitive database information is always protected.

Question 118:

You need to detect and respond to risky sign-in behavior in Azure Active Directory, including impossible travel and suspicious login attempts. Which solution should you implement?

A) Azure AD Identity Protection with automated risk remediation
B) Network Security Groups
C) Azure Policy only
D) Azure Key Vault

Answer:

A) Azure AD Identity Protection with automated risk remediation

Explanation:

Azure AD Identity Protection provides real-time risk detection for user sign-ins. It identifies suspicious patterns such as impossible travel between geographic locations, repeated failed login attempts, or access from unfamiliar devices. Each event is assigned a risk level to prioritize remediation based on potential impact.

Automated risk remediation allows predefined responses, such as enforcing multi-factor authentication, blocking access, or requiring password resets for high-risk sign-ins. Integration with Azure Sentinel or monitoring tools enables centralized tracking, alerting, and automated workflows for response. Alerts and detailed logs provide full visibility into suspicious activities for compliance reporting, forensic investigations, and operational monitoring.

Option B, Network Security Groups, filter network traffic but do not detect user behavior anomalies or enforce remediation.

Option C, Azure Policy, audits resources but does not monitor or respond to user authentication risks.

Option D, Azure Key Vault, secures keys and secrets but does not monitor sign-ins or apply risk-based policies.

By implementing Azure AD Identity Protection with automated risk remediation, organizations strengthen identity security and enforce zero-trust principles. Automated responses reduce administrative overhead, ensure only verified users can access sensitive resources, and provide detailed logs for auditing. This approach minimizes the risk of compromised accounts, supports compliance, and improves overall security posture for identity-based threats.

Question 119:

You need to ensure that Azure Storage accounts are accessible only from specific virtual networks and that all access attempts are auditable. Which solution should you implement?

A) Storage account firewall with virtual network integration and logging enabled
B) Network Security Groups
C) Azure Policy only
D) Azure Key Vault

Answer:

A) Storage account firewall with virtual network integration and logging enabled

Explanation:

Azure Storage accounts provide network-level access controls to restrict access to specific subnets or IP addresses. By configuring firewalls and virtual network integration, organizations prevent public internet access and ensure secure connections through the Azure backbone.

Logging enables detailed auditing of every access attempt, capturing information such as the identity, operation type, resource accessed, timestamp, and success or failure. These logs can be sent to Log Analytics, Event Hubs, or storage accounts for monitoring, compliance, and forensic purposes. Integration with security tools allows detection of unauthorized access, alerting, and automated response actions.

Option B, Network Security Groups, control traffic at the subnet or VM level but cannot enforce storage account-level access restrictions or detailed logging.

Option C, Azure Policy, can audit storage configurations but does not enforce runtime access restrictions or logging.

Option D, Azure Key Vault, secures secrets but does not manage storage access or capture access logs.

By implementing a storage account firewall with virtual network integration and logging, organizations maintain strong network isolation while providing auditable visibility into access activity. This ensures that storage resources are accessible only to trusted networks, reduces exposure to unauthorized access, and supports compliance requirements. Logging provides a verifiable trail of activity, which can be used for threat detection, operational monitoring, and forensic investigation.

Question 120:

You need to ensure that Azure virtual machines are continuously monitored for malware and ransomware, and that any detected threats generate alerts for the security team. Which solution should you implement?

A) Azure Defender for Servers with endpoint protection
B) Network Security Groups
C) Azure Policy only
D) Azure Key Vault

Answer:

A) Azure Defender for Servers with endpoint protection

Explanation:

Azure Defender for Servers provides continuous endpoint protection for virtual machines, monitoring processes, files, and system configurations to detect malware, ransomware, and other threats. When a threat is detected, alerts are generated for the security team to investigate and remediate.

Defender integrates with Microsoft Antimalware for Windows and equivalent solutions for Linux VMs. Alerts are centralized in Azure Security Center, allowing for unified monitoring across subscriptions. Integration with SIEM systems such as Azure Sentinel enables automated workflows for investigation, correlation, and remediation.

Option B, Network Security Groups, filter traffic but cannot detect malware or monitor VM processes.

Option C, Azure Policy, enforces compliance but does not provide runtime malware detection or alerting.

Option D, Azure Key Vault, secures keys and secrets but does not provide VM malware protection.

By implementing Azure Defender for Servers with endpoint protection, organizations maintain a proactive security posture. Continuous monitoring ensures early detection of threats, reduces risk exposure, and supports compliance requirements. Centralized alerting, integration with monitoring and security systems, and actionable intelligence enable efficient threat response and strengthen operational security across all virtual machines.
