Microsoft AZ-500 Azure Security Technologies Exam Dumps and Practice Test Questions Set 7 Q121-140

Visit here for our full Microsoft AZ-500 exam dumps and practice test questions.

Question 121:

You need to ensure that Azure virtual machines are compliant with corporate security baselines and that non-compliant VMs are automatically remediated. Which solution should you implement?

A) Azure Policy with remediation tasks
B) Network Security Groups
C) Azure Key Vault
D) Azure Monitor

Answer:

A) Azure Policy with remediation tasks

Explanation:

Azure Policy provides continuous compliance enforcement for Azure virtual machines by ensuring that they meet predefined security baselines. These baselines can include disk encryption, endpoint protection, secure boot, logging, monitoring agents, and network security configurations. Azure Policy continuously evaluates resources against these baselines to detect non-compliance.

Remediation tasks allow automatic correction of non-compliant VMs, either by applying the required configuration or by generating alerts for administrative action. This reduces the operational burden on administrators and ensures a consistent security posture across all resources. Compliance dashboards in Azure provide visibility into which resources are compliant, which are non-compliant, and the remediation actions that have been applied.

Option B, Network Security Groups, control traffic but cannot enforce configuration baselines or perform automated remediation.

Option C, Azure Key Vault, secures secrets and keys but does not manage VM compliance or configurations.

Option D, Azure Monitor, provides monitoring and alerting but does not enforce compliance or perform remediation.

By implementing Azure Policy with remediation tasks, organizations ensure that virtual machines continuously adhere to security standards. Automated remediation reduces the risk of vulnerabilities due to misconfiguration, improves operational efficiency, and supports regulatory compliance. The solution provides centralized reporting for auditors and administrators, enabling proactive management of security compliance. Overall, this approach ensures that virtual machines remain secure, auditable, and aligned with organizational policies, reducing exposure to threats and improving operational governance.

Question 122:

You need to ensure that Azure SQL Databases are encrypted at rest with keys managed by your organization and that all key operations are fully auditable. Which solution should you implement?

A) Transparent Data Encryption with customer-managed keys
B) Network Security Groups
C) Azure Policy only
D) Azure Key Vault

Answer:

A) Transparent Data Encryption with customer-managed keys

Explanation:

Transparent Data Encryption (TDE) with customer-managed keys (CMK) ensures that all data at rest in Azure SQL Databases is encrypted under organizational control. By using CMK stored in Azure Key Vault, organizations can create, rotate, revoke, and audit encryption keys according to their internal security policies.

Auditing key operations allows tracking of all encryption and decryption activities. Logs include the user performing the action, operation type, timestamp, and outcome, providing a full audit trail for compliance and forensic analysis. TDE with CMK also ensures that backups, snapshots, and replicas are encrypted consistently, maintaining protection across all copies of the database.

Option B, Network Security Groups, filter network traffic but cannot encrypt data or provide key usage audit logs.

Option C, Azure Policy, can audit CMK usage but does not enforce encryption or track key operations in real time.

Option D, Azure Key Vault, secures keys but does not automatically encrypt database data without TDE.

By implementing Transparent Data Encryption with customer-managed keys, organizations maintain control over encryption while achieving strong security and compliance. Auditing ensures accountability, and integration with monitoring tools provides visibility into any unauthorized access attempts. This approach enhances overall database security, ensures regulatory compliance, and maintains the integrity and confidentiality of sensitive data. It provides a structured mechanism for managing cryptographic keys, minimizing operational risks, and strengthening security posture.

Question 123:

You need to detect and respond to suspicious user sign-ins in Azure Active Directory, including impossible travel and repeated failed login attempts. Which solution should you implement?

A) Azure AD Identity Protection with automated risk remediation
B) Network Security Groups
C) Azure Policy only
D) Azure Key Vault

Answer:

A) Azure AD Identity Protection with automated risk remediation

Explanation:

Azure AD Identity Protection provides advanced detection of risky sign-ins by monitoring user behavior and evaluating sign-in patterns against known risk factors. Suspicious activities such as impossible travel, multiple failed attempts, or access from unfamiliar devices are assigned risk levels, enabling organizations to prioritize remediation.

Automated risk remediation allows predefined actions based on risk severity. High-risk sign-ins can trigger conditional access policies that enforce multi-factor authentication, block access, or require password resets. Security alerts provide visibility into anomalous behavior, and integration with monitoring solutions like Azure Sentinel allows automated workflows for investigation and response.

Option B, Network Security Groups, filter network traffic but cannot monitor user activity or detect identity anomalies.

Option C, Azure Policy, enforces configuration compliance but does not monitor sign-ins or implement risk-based remediation.

Option D, Azure Key Vault, secures secrets but does not monitor sign-ins or respond to suspicious login activity.

By implementing Azure AD Identity Protection with automated risk remediation, organizations protect sensitive resources against account compromise. Automated remediation reduces operational overhead, ensures zero-trust principles are enforced, and maintains visibility into security events. Detailed logging supports compliance audits, forensic investigations, and proactive threat detection. This solution enhances the overall security posture, mitigates identity-based risks, and strengthens operational governance.

Question 124:

You need to ensure that Azure Storage accounts prevent public access and are only accessible from specific virtual networks. Which solution should you implement?

A) Storage account firewall with virtual network integration
B) Network Security Groups
C) Azure Policy only
D) Azure Key Vault

Answer:

A) Storage account firewall with virtual network integration

Explanation:

Azure Storage accounts support network-level access control through firewalls and virtual network integration. By configuring these settings, organizations can restrict access to only authorized virtual networks and subnets, ensuring that public internet traffic is blocked. This prevents unauthorized access and reduces the risk of data exposure.

Virtual network integration can include service endpoints or private endpoints, which route storage traffic securely through the Azure backbone instead of the public internet. This approach enhances security by isolating storage traffic from untrusted networks. Logs can capture all access attempts, providing visibility for monitoring, auditing, and forensic analysis.

Option B, Network Security Groups, control network traffic at the subnet or VM level but cannot enforce storage account-specific access rules.

Option C, Azure Policy, can audit storage configurations but does not enforce runtime access restrictions.

Option D, Azure Key Vault, secures keys and secrets but does not manage storage access.

By implementing storage account firewall with virtual network integration, organizations ensure strong network isolation for sensitive storage resources. Audit logs provide visibility into access activity, enabling detection of unauthorized attempts and supporting regulatory compliance. This approach reduces risk, strengthens operational governance, and ensures that storage data is accessible only by trusted networks, maintaining confidentiality and integrity.

Question 125:

You need to protect Azure virtual machines from malware and ransomware and generate alerts when threats are detected. Which solution should you implement?

A) Azure Defender for Servers with endpoint protection
B) Network Security Groups
C) Azure Policy only
D) Azure Key Vault

Answer:

A) Azure Defender for Servers with endpoint protection

Explanation:

Azure Defender for Servers provides continuous malware and ransomware protection for virtual machines by monitoring processes, files, and system configurations. Detected threats trigger alerts that notify security teams for timely investigation and remediation.

Defender integrates with Microsoft Antimalware for Windows and equivalent solutions for Linux VMs, providing cross-platform protection. Alerts are centralized in Azure Security Center, giving administrators a unified view of threat activity. Integration with SIEM systems like Azure Sentinel enables automated investigation, correlation with other security events, and response workflows.

Option B, Network Security Groups, control network traffic but cannot detect malware or provide endpoint protection.

Option C, Azure Policy, enforces configuration compliance but does not monitor or detect malware.

Option D, Azure Key Vault, secures secrets but does not provide runtime protection for virtual machines.

By implementing Azure Defender for Servers with endpoint protection, organizations maintain a proactive security posture. Continuous monitoring detects threats early, reducing risk exposure and enabling rapid response. Centralized alerts and integration with security systems enhance operational efficiency, strengthen compliance, and protect critical workloads. This approach ensures that virtual machines are resilient against malware attacks while maintaining auditability and operational governance.

Question 126:

You need to ensure that only compliant devices can access Azure resources and that non-compliant devices are blocked automatically. Which solution should you implement?

A) Conditional Access policies with device compliance
B) Network Security Groups
C) Azure Key Vault
D) Azure Policy only

Answer:

A) Conditional Access policies with device compliance

Explanation:

Conditional Access policies in Azure Active Directory enforce access based on device compliance status, allowing organizations to control which devices can access Azure resources. Compliance can include criteria such as operating system version, endpoint protection, disk encryption, and configuration settings defined by Intune or other device management solutions.

When a user attempts access, Conditional Access evaluates whether the device meets compliance requirements. Non-compliant devices can be blocked or restricted from accessing resources until they meet the standards. This ensures only secure, verified devices interact with sensitive workloads, mitigating the risk of malware, unauthorized access, or data exfiltration.

Option B, Network Security Groups, control network traffic but cannot enforce device compliance or evaluate security posture.

Option C, Azure Key Vault, secures secrets and keys but does not control access based on device compliance.

Option D, Azure Policy, can audit configurations but cannot dynamically block access based on real-time compliance evaluation.

By implementing Conditional Access policies with device compliance, organizations strengthen their security posture, ensuring that only trusted devices access critical resources. Integration with logging and alerting enables administrators to monitor non-compliant devices and take remediation actions. This solution supports zero-trust principles, reduces operational risk, and ensures regulatory compliance by enforcing strict device security requirements across the enterprise. Continuous evaluation and enforcement provide a proactive approach to endpoint security, preventing potential threats from accessing corporate data.

Question 127:

You need to detect and respond to suspicious user sign-ins in Azure Active Directory, including sign-ins from unusual locations and multiple failed attempts. Which solution should you implement?

A) Azure AD Identity Protection with automated risk remediation
B) Network Security Groups
C) Azure Policy only
D) Azure Key Vault

Answer:

A) Azure AD Identity Protection with automated risk remediation

Explanation:

Azure AD Identity Protection provides risk-based monitoring of sign-ins, detecting anomalous activities such as impossible travel, multiple failed login attempts, or access from unfamiliar devices. Each detected event is assigned a risk score, allowing security teams to prioritize actions based on severity.

Automated risk remediation allows predefined actions based on risk levels. High-risk sign-ins can trigger conditional access policies to enforce multi-factor authentication, block access, or require password resets. Security alerts and logs provide detailed information on each event, including the user identity, timestamp, device used, and location of the sign-in attempt. Integration with Azure Sentinel or other SIEM solutions allows automated workflows for investigation, correlation, and response.

Option B, Network Security Groups, filter traffic but cannot detect or respond to identity risks.

Option C, Azure Policy, enforces configuration compliance but does not monitor user sign-ins or enforce risk-based remediation.

Option D, Azure Key Vault, secures keys and secrets but does not monitor authentication activity.

By implementing Azure AD Identity Protection with automated risk remediation, organizations enhance identity security, reduce the likelihood of account compromise, and enforce zero-trust principles. Automated responses reduce administrative overhead and ensure only verified users can access critical resources. Detailed logging and alerts provide visibility for compliance audits, forensic investigation, and operational monitoring, strengthening overall security posture for identity-based threats.

Question 128:

You need to ensure that Azure Storage accounts are protected from unauthorized access and accessible only from specific virtual networks while logging all access attempts. Which solution should you implement?

A) Storage account firewall with virtual network integration and logging enabled
B) Network Security Groups
C) Azure Policy only
D) Azure Key Vault

Answer:

A) Storage account firewall with virtual network integration and logging enabled

Explanation:

Azure Storage accounts support network-level restrictions through firewalls and virtual network integration. By specifying allowed subnets and IP ranges, organizations can prevent public access while ensuring that only authorized networks can connect. This mitigates the risk of unauthorized access, data leakage, or exposure to attacks.

Enabling logging captures detailed information about every access attempt, including the identity, operation performed, resource accessed, IP address, and timestamp. Logs can be exported to Log Analytics, Event Hubs, or storage accounts for auditing, monitoring, and compliance purposes. Integration with monitoring tools allows administrators to detect unauthorized access attempts and respond proactively.

Option B, Network Security Groups, filter network traffic at the subnet or VM level but cannot enforce storage account-level access or logging.

Option C, Azure Policy, can audit storage configurations but does not enforce runtime access restrictions or provide detailed access logs.

Option D, Azure Key Vault, secures keys and secrets but does not control storage account access.

By implementing storage account firewall with virtual network integration and logging, organizations achieve strong isolation for sensitive storage resources while maintaining full visibility into access activity. This approach ensures that storage data is only accessible by trusted networks, supports compliance, and reduces operational risk. Continuous monitoring and logging enable proactive detection of anomalies and unauthorized access, strengthening the security posture of storage accounts.

Question 129:

You need to ensure that Azure virtual machines are continuously protected from malware and ransomware, and that any detected threats generate alerts for the security team. Which solution should you implement?

A) Azure Defender for Servers with endpoint protection
B) Network Security Groups
C) Azure Policy only
D) Azure Key Vault

Answer:

A) Azure Defender for Servers with endpoint protection

Explanation:

Azure Defender for Servers provides continuous endpoint protection for virtual machines by monitoring processes, files, and system configurations. It detects malware, ransomware, and suspicious activity in real time, generating alerts for the security team to investigate and remediate.

The solution integrates with Microsoft Antimalware for Windows and equivalent solutions for Linux VMs, offering comprehensive cross-platform protection. Alerts are centralized in Azure Security Center, providing administrators with a unified view of threats across all subscriptions. Integration with SIEM solutions, such as Azure Sentinel, enables automated investigation, correlation with other security events, and response workflows.

Option B, Network Security Groups, filter traffic but cannot detect malware or monitor VM processes.

Option C, Azure Policy, enforces configuration compliance but does not provide runtime malware protection or alerting.

Option D, Azure Key Vault, secures secrets and keys but does not provide endpoint protection for virtual machines.

By implementing Azure Defender for Servers with endpoint protection, organizations maintain a proactive security posture. Continuous monitoring detects threats early, reducing risk exposure and enabling rapid response. Centralized alerts and integration with monitoring systems improve operational efficiency, support compliance, and protect critical workloads from malware attacks. This approach ensures that virtual machines are resilient against attacks while maintaining auditability and operational governance.

Question 130:

You need to ensure that Azure SQL Databases enforce encrypted connections and that all login attempts and queries are auditable. Which solution should you implement?

A) Enforce TLS connections with auditing enabled
B) Network Security Groups
C) Azure Policy only
D) Azure Key Vault

Answer:

A) Enforce TLS connections with auditing enabled

Explanation:

Enforcing TLS connections ensures that all client-server communication with Azure SQL Databases is encrypted, preventing eavesdropping, man-in-the-middle attacks, and unauthorized data interception. Combining this with auditing allows organizations to track login attempts, query executions, and schema modifications, providing accountability for all database activity.

Auditing captures details such as the user performing the action, timestamp, operation type, and success or failure. Logs can be exported to Log Analytics, Event Hubs, or storage accounts for long-term retention, compliance reporting, and forensic analysis. This provides visibility into unusual access patterns, repeated failed logins, or unauthorized changes.

Option B, Network Security Groups, filter traffic but cannot enforce encryption or audit database operations.

Option C, Azure Policy, can audit compliance but does not enforce TLS or runtime auditing.

Option D, Azure Key Vault, secures keys but does not enforce SQL connection encryption or auditing.

By implementing TLS enforcement with auditing enabled, organizations ensure confidentiality, integrity, and accountability for all database operations. This approach supports regulatory compliance, mitigates the risk of data interception, and allows security teams to detect anomalous behavior or unauthorized access. Continuous monitoring and auditing strengthen the overall security posture of Azure SQL Databases and ensure operational and regulatory governance.

Question 131:

You need to ensure that Azure virtual machines are protected from unauthorized remote access and that administrative ports are only open when required. Which solution should you implement?

A) Azure Defender for Servers with Just-in-Time VM Access
B) Network Security Groups only
C) Azure Policy
D) Azure Key Vault

Answer:

A) Azure Defender for Servers with Just-in-Time VM Access

Explanation:

Just-in-Time (JIT) VM Access is a security feature in Azure Defender for Servers that reduces the exposure of management ports like RDP and SSH. By default, these ports are closed to prevent unauthorized access, and they are only opened when a verified user requests access. The request specifies the IP address and duration of access, ensuring that ports remain open only for the minimum required time.

This approach significantly reduces the attack surface, preventing brute-force attacks and unauthorized login attempts. Each JIT access request is logged, capturing details such as the requesting user, the source IP address, timestamp, and duration. These logs provide valuable data for audit compliance, forensic investigation, and security monitoring. Organizations can integrate JIT access logs with Azure Monitor or Azure Sentinel to create alerts and automated workflows for security incidents.

Network Security Groups alone cannot provide this dynamic access control. They can restrict traffic but do not allow temporary, auditable access windows. Azure Policy enforces compliance standards but cannot open or close ports dynamically. Azure Key Vault secures cryptographic keys and secrets but does not manage VM access.

Implementing Azure Defender for Servers with JIT VM Access ensures that administrative access is granted securely and temporarily, following the principle of least privilege. This approach strengthens the overall security posture, supports zero-trust architecture, and minimizes operational risk by reducing the time critical ports are exposed to potential threats. Continuous logging and integration with monitoring tools provide actionable insights for threat detection and compliance reporting, improving operational governance and audit readiness.

Question 132:

You need to ensure that Azure SQL Databases are encrypted at rest using keys under organizational control and that key operations are auditable. Which solution should you implement?

A) Transparent Data Encryption with customer-managed keys
B) Network Security Groups
C) Azure Policy only
D) Azure Key Vault

Answer:

A) Transparent Data Encryption with customer-managed keys

Explanation:

Transparent Data Encryption (TDE) with customer-managed keys (CMK) ensures that all data stored in Azure SQL Databases is encrypted using keys controlled by the organization. This allows administrators to manage the full lifecycle of keys, including creation, rotation, revocation, and auditing, providing strong security governance and regulatory compliance.

Auditing key operations is crucial to maintain visibility into all encryption and decryption activities. Logs track the identity performing the operation, the time, the operation type, and the result. This provides a comprehensive audit trail for compliance reporting, forensic investigation, and security monitoring. TDE with CMK also ensures that all database backups and replicas are encrypted using the same keys, maintaining consistent protection across all copies of data.

Network Security Groups do not encrypt data or provide auditing for encryption operations. Azure Policy can audit configurations but does not enforce encryption or log key usage in real-time. Azure Key Vault secures keys but cannot apply encryption to SQL databases without TDE integration.

By implementing Transparent Data Encryption with customer-managed keys, organizations achieve both encryption and auditability, maintaining control over sensitive data and ensuring that only authorized users can perform key operations. This approach strengthens data confidentiality, integrity, and compliance, reduces risk of unauthorized access, and provides verifiable audit trails for regulators and internal governance. Continuous monitoring, integration with Azure Security Center, and centralized logging allow administrators to quickly detect anomalies or unauthorized attempts to access or modify encryption keys, maintaining operational security and compliance across the enterprise.

Question 133:

You need to detect and respond to suspicious user sign-ins in Azure Active Directory, including impossible travel and multiple failed login attempts. Which solution should you implement?

A) Azure AD Identity Protection with automated risk remediation
B) Network Security Groups
C) Azure Policy only
D) Azure Key Vault

Answer:

A) Azure AD Identity Protection with automated risk remediation

Explanation:

Azure AD Identity Protection provides advanced detection of identity risks by continuously analyzing sign-in patterns and user behavior. It can detect impossible travel between geographic locations, multiple failed login attempts, access from unusual devices, and other suspicious activities. Each detected risk is assigned a severity level to help administrators prioritize remediation.

Automated risk remediation allows organizations to respond to detected risks in real time. High-risk sign-ins can trigger conditional access policies requiring multi-factor authentication, blocking access, or enforcing a password reset. This ensures that potentially compromised accounts cannot access sensitive resources. Logs capture detailed information about each event, including user identity, sign-in location, device information, and timestamp. Integration with Azure Sentinel enables automated alerting, correlation with other security incidents, and workflow orchestration for investigation and response.

Network Security Groups cannot monitor user sign-ins or enforce risk-based responses. Azure Policy enforces compliance but does not evaluate real-time authentication behavior. Azure Key Vault secures secrets but does not provide identity threat detection.

By implementing Azure AD Identity Protection with automated risk remediation, organizations strengthen identity security, reduce the likelihood of account compromise, and enforce zero-trust principles. Automated remediation reduces administrative overhead, ensures only verified users can access resources, and provides detailed logging for auditing and forensic purposes. This proactive approach enhances operational security and compliance while improving overall protection against identity-based attacks.

Question 134:

You need to ensure that Azure Storage accounts are only accessible from specific virtual networks and that all access attempts are logged for auditing purposes. Which solution should you implement?

A) Storage account firewall with virtual network integration and logging enabled
B) Network Security Groups
C) Azure Policy only
D) Azure Key Vault

Answer:

A) Storage account firewall with virtual network integration and logging enabled

Explanation:

Azure Storage accounts provide network-level access control through firewalls and virtual network integration, allowing organizations to restrict access to only authorized subnets and IP ranges. Public internet access can be completely blocked, reducing the risk of unauthorized access and data exposure.

Logging captures all access attempts, including the identity of the user, operation type, resource accessed, IP address, and timestamp. These logs can be exported to Log Analytics, Event Hubs, or storage accounts for auditing, compliance, and forensic purposes. Integration with monitoring tools allows security teams to detect unauthorized access attempts, suspicious patterns, and potential threats in real time.

Network Security Groups control traffic at the subnet or VM level but cannot enforce storage account-level restrictions or detailed logging. Azure Policy can audit storage configuration but does not enforce runtime access restrictions. Azure Key Vault secures secrets and keys but does not manage storage account access.

Implementing storage account firewall with virtual network integration and logging ensures strong isolation for sensitive storage resources while providing complete visibility into access activity. This approach enforces the principle of least privilege, reduces exposure to external threats, and supports regulatory compliance. Detailed logs allow security teams to perform forensic analysis, detect anomalies, and respond to potential security incidents. Continuous monitoring strengthens operational governance and protects critical storage workloads from unauthorized access.

Question 135:

You need to protect Azure virtual machines from malware and ransomware, ensuring that detected threats generate alerts for the security team. Which solution should you implement?

A) Azure Defender for Servers with endpoint protection
B) Network Security Groups
C) Azure Policy only
D) Azure Key Vault

Answer:

A) Azure Defender for Servers with endpoint protection

Explanation:

Azure Defender for Servers provides continuous endpoint protection for virtual machines by monitoring system processes, files, and configurations for malware, ransomware, and suspicious activity. Threats are detected in real time, and alerts are generated for the security team to investigate and respond.

The solution integrates with Microsoft Antimalware for Windows and Linux, providing comprehensive cross-platform protection. Alerts are centralized in Azure Security Center, providing administrators with a unified view of threats. Integration with SIEM tools like Azure Sentinel allows automated investigation, correlation with other security events, and workflow-driven response.

Network Security Groups filter network traffic but cannot detect malware or suspicious activity on virtual machines. Azure Policy enforces configuration compliance but does not provide runtime malware detection or alerting. Azure Key Vault secures cryptographic keys and secrets but does not protect virtual machines against malware or ransomware.

By implementing Azure Defender for Servers with endpoint protection, organizations maintain a proactive security posture, ensuring early detection and response to threats. Centralized alerts, detailed logging, and integration with monitoring systems improve operational efficiency, strengthen compliance, and protect critical workloads. This approach reduces operational risk, supports zero-trust principles, and ensures that virtual machines are resilient against malicious activity while maintaining full auditability and governance over security operations.

Question 136:

You need to ensure that Azure virtual machines are only accessible by verified users temporarily and protected from brute-force attacks on management ports. Which solution should you implement?

A) Azure Defender for Servers with Just-in-Time VM Access
B) Network Security Groups only
C) Azure Policy
D) Azure Key Vault

Answer:

A) Azure Defender for Servers with Just-in-Time VM Access

Explanation:

Just-in-Time (JIT) VM Access is a security feature within Azure Defender for Servers that reduces exposure to management ports such as SSH and RDP. These ports are typically targeted in brute-force attacks and can serve as entry points for attackers. By default, the ports remain closed and are only opened for specific users for a limited duration upon request.

When a user requests access, they specify the source IP address and duration for which the port should be open. Once the duration expires, the ports automatically close, minimizing the risk window. Every access request is logged, including user identity, source IP, time of access, and duration, providing a complete audit trail for compliance and security monitoring. These logs can be integrated with Azure Monitor or Azure Sentinel for centralized alerting, incident response, and forensic analysis.

Network Security Groups alone cannot dynamically open or close ports based on requests or enforce temporary access windows. Azure Policy enforces compliance and configuration standards but cannot manage dynamic access. Azure Key Vault secures cryptographic keys but does not control VM access.

Implementing Azure Defender for Servers with JIT VM Access ensures a proactive security posture by limiting exposure to administrative ports, aligning with the principle of least privilege. The combination of dynamic access control, auditability, and integration with monitoring tools strengthens operational security, supports zero-trust architecture, and provides robust protection against brute-force attacks. By maintaining detailed logs of every access request, organizations can demonstrate compliance with regulatory standards and operational governance policies.

Question 137:

You need to ensure that Azure SQL Databases are encrypted at rest using keys controlled by your organization and that all key operations are fully auditable. Which solution should you implement?

A) Transparent Data Encryption with customer-managed keys
B) Network Security Groups
C) Azure Policy only
D) Azure Key Vault

Answer:

A) Transparent Data Encryption with customer-managed keys

Explanation:

Transparent Data Encryption (TDE) with customer-managed keys (CMK) ensures that all data at rest in Azure SQL Databases is encrypted under the organization’s control. CMK allows administrators to create, rotate, revoke, and audit encryption keys stored in Azure Key Vault. This approach provides strong governance over cryptographic operations and ensures compliance with regulatory requirements such as GDPR and HIPAA.

Auditing key operations is essential to maintain visibility into encryption and decryption processes. Logs capture the identity performing the operation, operation type, timestamp, and outcome. This data supports compliance reporting, forensic investigation, and operational monitoring. TDE with CMK ensures consistent encryption across databases, backups, and replicas, maintaining protection even in disaster recovery scenarios.

Network Security Groups filter network traffic but do not encrypt data or provide audit trails for key usage. Azure Policy can audit whether CMK is being used but cannot enforce encryption or log runtime operations. Azure Key Vault alone secures keys but does not encrypt database data without TDE integration.

By implementing Transparent Data Encryption with customer-managed keys, organizations achieve full control over sensitive data, maintain compliance, and ensure accountability. Detailed logging and monitoring provide visibility into unauthorized access attempts or suspicious activities. Integration with Azure Security Center allows administrators to track key usage trends, detect anomalies, and enforce security policies. This solution enhances data confidentiality, strengthens governance, and reduces operational risk, ensuring that databases remain secure and auditable.

Question 138:

You need to detect and respond to risky sign-in activity in Azure Active Directory, including impossible travel and multiple failed login attempts. Which solution should you implement?

A) Azure AD Identity Protection with automated risk remediation
B) Network Security Groups
C) Azure Policy only
D) Azure Key Vault

Answer:

A) Azure AD Identity Protection with automated risk remediation

Explanation:

Azure AD Identity Protection provides real-time monitoring and risk detection for Azure Active Directory sign-ins. It identifies suspicious activities such as impossible travel between geographic locations, multiple failed login attempts, and access from unfamiliar devices. Each event is assigned a risk level, helping organizations prioritize which incidents to remediate first.

Automated risk remediation allows predefined actions based on risk severity. High-risk sign-ins can trigger conditional access policies that enforce multi-factor authentication, block access, or require password resets. This ensures that potentially compromised accounts cannot access sensitive resources. Detailed logging captures user identity, device information, sign-in location, timestamp, and risk level, enabling forensic analysis, auditing, and operational monitoring. Integration with Azure Sentinel or other SIEM solutions allows centralized incident response and automated workflows.

Network Security Groups cannot monitor user authentication behavior or enforce risk-based responses. Azure Policy audits resource configurations but does not monitor sign-ins. Azure Key Vault secures secrets but does not evaluate user risk or apply remediation.

Implementing Azure AD Identity Protection with automated risk remediation strengthens identity security, reduces account compromise risk, and enforces zero-trust principles. Automated remediation minimizes administrative overhead, ensures only verified users can access resources, and provides full visibility for auditing and compliance. This approach also allows organizations to respond rapidly to identity threats, detect anomalous behavior, and maintain operational security across the enterprise.

Question 139:

You need to ensure that Azure Storage accounts are protected from unauthorized access, accessible only from specific virtual networks, and that all access is auditable. Which solution should you implement?

A) Storage account firewall with virtual network integration and logging enabled
B) Network Security Groups
C) Azure Policy only
D) Azure Key Vault

Answer:

A) Storage account firewall with virtual network integration and logging enabled

Explanation:

Azure Storage accounts support network-level access control through firewalls and virtual network integration. This allows administrators to restrict access to specific subnets and IP addresses while blocking all public internet traffic. This mitigates the risk of unauthorized access, data leaks, and exposure to attacks from untrusted networks.

Logging provides visibility into every access attempt, capturing the user identity, operation type, resource accessed, source IP address, and timestamp. These logs can be exported to Log Analytics, Event Hubs, or storage accounts for auditing, compliance, and forensic purposes. Security teams can analyze logs to detect suspicious patterns, investigate anomalies, and respond proactively to threats. Integration with monitoring and alerting tools ensures continuous oversight and operational governance.

Network Security Groups control traffic at the subnet or VM level but cannot enforce storage account-specific access or detailed logging. Azure Policy can audit configurations but cannot enforce runtime access restrictions. Azure Key Vault secures secrets but does not control storage access.

Implementing storage account firewall with virtual network integration and logging ensures strong isolation of sensitive storage resources while providing full visibility into access activity. This reduces operational risk, enforces least privilege access, and supports regulatory compliance. Continuous monitoring and logging provide actionable insights, enabling security teams to detect unauthorized attempts, respond quickly, and maintain accountability across storage accounts.

Question 140:

You need to ensure that Azure virtual machines are continuously protected from malware and ransomware, and that any detected threats generate alerts for the security team. Which solution should you implement?

A) Azure Defender for Servers with endpoint protection
B) Network Security Groups
C) Azure Policy only
D) Azure Key Vault

Answer:

A) Azure Defender for Servers with endpoint protection

Explanation:

Azure Defender for Servers provides continuous endpoint protection for virtual machines, monitoring system processes, files, and configurations to detect malware, ransomware, and other threats in real time. Alerts are generated when suspicious activity is detected, enabling security teams to investigate and respond promptly.

The solution integrates with Microsoft Antimalware for Windows and equivalent solutions for Linux VMs, providing comprehensive cross-platform protection. Alerts are centralized in Azure Security Center, offering a unified view of threat activity across subscriptions. Integration with SIEM tools such as Azure Sentinel enables automated correlation, incident investigation, and workflow-driven response, improving operational efficiency.

Network Security Groups filter traffic but cannot detect malware or monitor VM processes. Azure Policy enforces compliance but does not provide runtime malware detection. Azure Key Vault secures keys and secrets but does not protect virtual machines from malicious activity.

By implementing Azure Defender for Servers with endpoint protection, organizations maintain a proactive security posture. Continuous monitoring ensures early detection of threats, reducing the risk of compromise. Centralized alerts, detailed logs, and integration with monitoring systems support compliance, incident response, and operational governance. This approach minimizes operational risk, enforces security best practices, and ensures virtual machines remain resilient against malware and ransomware while maintaining full auditability.