Title of test:
Sophisticated Creator 100

Description:
Practice Test

Author:
Nicks

Creation Date:
08/09/2023

Category:
Others

Number of questions: 41
Content:
You are designing the security standards for a new Azure environment. You need to design a privileged identity strategy based on the Zero Trust model. Which framework should you follow to create the design?
- Microsoft Security Development Lifecycle (SDL)
- Enhanced Security Admin Environment (ESAE)
- Rapid Modernization Plan (RaMP)
- Microsoft Operational Security Assurance (OSA)

Your company is developing a serverless application in Azure that will have the architecture shown in the following exhibit. You need to recommend a solution to isolate the compute components on an Azure virtual network. What should you include in the recommendation?
- Azure Active Directory (Azure AD) enterprise applications
- an Azure App Service Environment (ASE)
- Azure service endpoints
- an Azure Active Directory (Azure AD) application proxy

Your company plans to apply the Zero Trust Rapid Modernization Plan (RaMP) to its IT environment. You need to recommend the top three modernization areas to prioritize as part of the plan. Which three areas should you recommend based on RaMP? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
- data, compliance, and governance
- infrastructure and development
- user access and productivity
- Operational technology (OT) and IoT
- Modern security operations

For an Azure deployment, you are designing a security architecture based on the Microsoft Cloud Security Benchmark. You need to recommend a best practice for implementing service accounts for Azure API management. What should you include in the recommendation?
- Application registrations in Azure AD
- Managed identities in Azure
- Azure service principals with usernames and passwords
- Device registrations in Azure AD
- Azure service principals with certificate credentials

You have an Azure AD tenant that syncs with an Active Directory Domain Services (AD DS) domain. Client computers run Windows and are hybrid-joined to Azure AD. You are designing a strategy to protect endpoints against ransomware. The strategy follows Microsoft Security Best Practices. You plan to remove all the domain accounts from the Administrators groups on the Windows computers. You need to recommend a solution that will provide users with administrative access to the Windows computers only when access is required. The solution must minimize the lateral movement of ransomware attacks if an administrator account on a computer is compromised. What should you include in the recommendation?
- Local Administrator Password Solution (LAPS)
- Azure AD Identity Protection
- Azure AD Privileged Identity Management (PIM)
- Privileged Access Workstations (PAWs)

You have legacy operational technology (OT) devices and IoT devices. You need to recommend best practices for applying Zero Trust principles to the OT and IoT devices based on the Microsoft Cybersecurity Reference Architectures (MCRA). The solution must minimize the risk of disrupting business operations. Which two security methodologies should you include in the recommendation? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
- active scanning
- threat monitoring
- software patching
- passive traffic monitoring

You are designing a ransomware response plan that follows Microsoft Security Best Practices. You need to recommend a solution to minimize the risk of a ransomware attack encrypting local user files. What should you include in the recommendation?
- Windows Defender Device Guard
- Microsoft Defender for Endpoint
- Azure Files
- BitLocker Drive Encryption (BitLocker)
- Protected folders

You have an Azure AD tenant that syncs with an Active Directory Domain Services (AD DS) domain. You are designing an Azure DevOps solution to deploy applications to an Azure subscription by using continuous integration and continuous deployment (CI/CD) pipelines. You need to recommend which types of identities to use for the deployment credentials of the service connection. The solution must follow DevSecOps best practices from the Microsoft Cloud Adoption Framework for Azure. What should you recommend?
- A managed identity in Azure
- An Azure AD user account that has role assignments in Azure AD Privileged Identity Management (PIM)
- A group managed service account (gMSA)
- An Azure AD user account that has a password stored in Azure Key Vault

You have an Azure Kubernetes Service (AKS) cluster that hosts Linux nodes. You need to recommend a solution to ensure that deployed worker nodes have the latest kernel updates. The solution must minimize administrative effort. What should you recommend?
- The nodes must restart after the updates are applied.
- The updates must first be applied to the image used to provision the nodes.
- The AKS cluster version must be upgraded.

You are designing a security operations strategy based on the Zero Trust framework. You need to minimize the operational load on Tier 1 Microsoft Security Operations Center (SOC) analysts. What should you do?
- Enable built-in compliance policies in Azure Policy.
- Enable self-healing in Microsoft 365 Defender.
- Automate data classification.
- Create hunting queries in Microsoft 365 Defender.

You have an Azure subscription that has Microsoft Defender for Cloud enabled. You have an Amazon Web Services (AWS) implementation. You plan to extend the Azure security strategy to the AWS implementation. The solution will NOT use Azure Arc. Which three services can you use to provide security for the AWS resources? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.
- Microsoft Defender for Containers
- Microsoft Defender for servers
- Azure Active Directory (Azure AD) Conditional Access
- Azure Active Directory (Azure AD) Privileged Identity Management (PIM)
- Azure Policy

Your company has an on-premises network in Seattle and an Azure subscription. The on-premises network contains a Remote Desktop server. The company contracts a third-party development firm from France to develop and deploy resources to the virtual machines hosted in the Azure subscription. Currently, the firm establishes an RDP connection to the Remote Desktop server. From the Remote Desktop connection, the firm can access the virtual machines hosted in Azure by using custom administrative tools installed on the Remote Desktop server. All the traffic to the Remote Desktop server is captured by a firewall, and the firewall only allows specific connections from France to the server. You need to recommend a modern security solution based on the Zero Trust model. The solution must minimize latency for developers. Which three actions should you recommend? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
- Configure network security groups (NSGs) to allow access from only specific logical groupings of IP address ranges.
- Deploy a Remote Desktop server to an Azure region located in France.
- Migrate from the Remote Desktop server to Azure Virtual Desktop.
- Implement Azure Firewall to restrict host pool outbound access.
- Configure Azure Active Directory (Azure AD) Conditional Access with multi-factor authentication (MFA) and named locations.

You are designing security for an Azure landing zone. Your company identifies the following compliance and privacy requirements:
✑ Encrypt cardholder data by using encryption keys managed by the company.
✑ Encrypt insurance claim files by using encryption keys hosted on-premises.
Which two configurations meet the compliance and privacy requirements? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
- Store the cardholder data in an Azure SQL database that is encrypted by using Microsoft-managed keys.
- Store the insurance claim data in Azure Blob storage encrypted by using customer-provided keys.
- Store the cardholder data in an Azure SQL database that is encrypted by using keys stored in Azure Key Vault Managed HSM.
- Store the insurance claim data in Azure Files encrypted by using Azure Key Vault Managed HSM.

You have an Azure subscription that has Microsoft Defender for Cloud enabled. You need to enforce ISO 27001:2013 standards for the subscription. The solution must ensure that noncompliant resources are remediated automatically. What should you use?
- Azure Policy
- Azure Blueprints
- The regulatory compliance dashboard in Defender for Cloud
- Azure role-based access control (Azure RBAC)

You have a customer that has a Microsoft 365 subscription and an Azure subscription. The customer has devices that run either Windows, iOS, Android, or macOS. The Windows devices are deployed on-premises and in Azure. You need to design a security solution to assess whether all the devices meet the customer's compliance rules. What should you include in the solution?
- Microsoft Defender for Endpoint
- Microsoft Endpoint Manager
- Microsoft Information Protection
- Microsoft Sentinel

Your company has devices that run either Windows 10, Windows 11, or Windows Server. You are in the process of improving the security posture of the devices. You plan to use security baselines from the Microsoft Security Compliance Toolkit. What should you recommend using to compare the baselines to the current device configurations?
- Microsoft Intune
- Local Group Policy Object (LGPO)
- Windows Autopilot
- Policy Analyzer

Your company has an Azure subscription that has enhanced security enabled for Microsoft Defender for Cloud. The company signs a contract with the United States government. You need to review the current subscription for NIST 800-53 compliance. What should you do first?
- From Azure Policy, assign a built-in initiative that has a scope of the subscription.
- From Azure Policy, assign a built-in policy definition that has a scope of the subscription.
- From Defender for Cloud, review the Azure security baseline for audit report.
- From Microsoft Defender for Cloud Apps, create an access policy for cloud applications.

Your company has a hybrid cloud infrastructure. Data and applications are moved regularly between cloud environments. The company's on-premises network is managed as shown in the following exhibit. You are designing security operations to support the hybrid cloud infrastructure. The solution must meet the following requirements:
✑ Govern virtual machines and servers across multiple environments.
✑ Enforce standards for all the resources across all the environments by using Azure Policy.
Which two components should you recommend for the on-premises network? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
- on-premises data gateway
- guest configuration in Azure Policy
- Azure Arc
- Azure Bastion
- Azure VPN Gateway

Your company plans to follow DevSecOps best practices of the Microsoft Cloud Adoption Framework for Azure to integrate DevSecOps processes into continuous integration and continuous deployment (CI/CD) DevOps pipelines. You need to recommend which security-related tasks to integrate into each stage of the DevOps pipelines. What should you recommend? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
- Infrastructure scanning
- Static application security testing

For a Microsoft cloud environment, you are designing a security architecture based on the Microsoft Cloud Security Benchmark. What are three best practices for identity management based on the Azure Security Benchmark? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.
- Manage application identities securely and automatically.
- Manage the lifecycle of identities and entitlements.
- Protect identity and authentication systems.
- Enable threat detection for identity and access management.
- Use a centralized identity and authentication system.

You are updating the deployment process to align with DevSecOps controls guidance in the Microsoft Cloud Adoption Framework for Azure. You need to recommend a solution to ensure that all code changes are submitted by using pull requests before being deployed by the CI/CD workflow. What should you include in the recommendation?
- custom roles in Azure Pipelines
- branch policies in Azure Repos
- Azure policies
- custom Azure roles

You have a Microsoft 365 subscription and an Azure subscription. Microsoft 365 Defender and Microsoft Defender for Cloud are enabled. The Azure subscription contains 50 virtual machines. Each virtual machine runs different applications on Windows Server 2019. You need to recommend a solution to ensure that only authorized applications can run on the virtual machines. If an unauthorized application attempts to run or be installed, the application must be blocked automatically until an administrator authorizes the application. Which security control should you recommend?
- app registrations in Azure Active Directory (Azure AD)
- OAuth app policies in Microsoft Defender for Cloud Apps
- Azure Security Benchmark compliance controls in Defender for Cloud
- application control policies in Microsoft Defender for Endpoint

Your company plans to provision blob storage by using an Azure Storage account. The blob storage will be accessible from 20 application servers on the internet. You need to recommend a solution to ensure that only the application servers can access the storage account. What should you recommend using to secure the blob storage?
- managed rule sets in Azure Web Application Firewall (WAF) policies
- inbound rules in network security groups (NSGs)
- firewall rules for the storage account
- inbound rules in Azure Firewall
- service tags in network security groups (NSGs)

Your company has an on-premises network and an Azure subscription. The company does NOT have a Site-to-Site VPN or an ExpressRoute connection to Azure. You are designing the security standards for Azure App Service web apps. The web apps will access Microsoft SQL Server databases on the network. You need to recommend security standards that will allow the web apps to access the databases. The solution must minimize the number of open internet-accessible endpoints to the on-premises network. What should you include in the recommendation?
- virtual network NAT gateway integration
- hybrid connections
- Virtual network integration
- a private endpoint

Your company is developing a new Azure App Service web app. You are providing design assistance to verify the security of the web app. You need to recommend a solution to test the web app for vulnerabilities such as insecure server configurations, cross-site scripting (XSS), and SQL injection. What should you include in the recommendation?
- dynamic application security testing (DAST)
- Static application security testing (SAST)
- interactive application security testing (IAST)
- runtime application self-protection (RASP)

Your company develops several applications that are accessed as custom enterprise applications in Azure Active Directory (Azure AD). You need to recommend a solution to prevent users on a specific list of countries from connecting to the applications. What should you include in the recommendation?
- activity policies in Microsoft Defender for Cloud Apps
- sign-in risk policies in Azure AD Identity Protection
- Azure AD Conditional Access policies
- device compliance policies in Microsoft Endpoint Manager
- User risk policies in Azure AD Identity Protection

Your company is developing an invoicing application that will use Azure Active Directory (Azure AD) B2C. The application will be deployed as an App Service web app. You need to recommend a solution to the application development team to secure the application from identity-related attacks. Which two configurations should you recommend? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
- Azure AD workbooks to monitor risk detections
- Azure AD Conditional Access integration with user flows and custom policies
- smart account lockout in Azure AD B2C
- access packages in Identity Governance
- custom resource owner password credentials (ROPC) flows in Azure AD B2C

Your company has a Microsoft 365 E5 subscription. The company wants to identify and classify data in Microsoft Teams, SharePoint Online, and Exchange Online. You need to recommend a solution to identify documents that contain sensitive information. What should you include in the recommendation?
- data classification content explorer
- data loss prevention (DLP)
- eDiscovery
- Information Governance

Your company wants to optimize ransomware incident investigations. You need to recommend a plan to investigate ransomware incidents based on the Microsoft Detection and Response Team (DART) approach. Which three actions should you recommend performing in sequence in the plan? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
- Identify which line-of-business apps are unavailable due to ransomware incident
- Identify the compromise recovery process.
- Implement a comprehensive strategy to reduce the risk of privileged access compromise:
- Assess the current situation and identify the scope.
- Update ORG Process.

You have a Microsoft 365 subscription that syncs with Active Directory Domain Services (AD DS). You need to define the recovery steps for a ransomware attack that encrypted data in the subscription. The solution must follow Microsoft Security Best Practices. What is the first step in the recovery plan?
- From Microsoft Defender for Endpoint, perform a security scan.
- Recover files to a cleaned computer or device.
- Contact law enforcement.
- Disable Microsoft OneDrive sync and Exchange ActiveSync.

You have a Microsoft 365 subscription. You need to design a solution to block file downloads from Microsoft SharePoint Online by authenticated users on unmanaged devices. Which two services should you include in the solution? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
- Azure AD Conditional Access
- Azure Data Catalog
- Microsoft Purview Information Protection
- Azure AD Application Proxy
- Microsoft Defender for Cloud Apps

You have a Microsoft 365 tenant. Your company uses a third-party software as a service (SaaS) app named App1. App1 supports authenticating users by using Azure AD credentials. You need to recommend a solution to enable users to authenticate to App1 by using their Azure AD credentials. What should you include in the recommendation?
- Azure AD Application Proxy
- Azure AD B2C
- an Azure AD enterprise application
- a relying party trust in Active Directory Federation Services (AD FS)

You have a Microsoft 365 tenant. Your company uses a third-party software as a service (SaaS) app named App1 that is integrated with an Azure AD tenant. You need to design a security strategy to meet the following requirements:
• Users must be able to request access to App1 by using a self-service request.
• When users request access to App1, they must be prompted to provide additional information about their request.
• Every three months, managers must verify that the users still require access to App1.
What should you include in the design?
- Microsoft Entra Identity Governance
- connected apps in Microsoft Defender for Cloud Apps
- access policies in Microsoft Defender for Cloud Apps
- Azure AD Application Proxy

You have an Azure subscription. You have a DNS domain named contoso.com that is hosted by a third-party DNS registrar. Developers use Azure DevOps to deploy web apps to App Service Environments. When a new app is deployed, a CNAME record for the app is registered in contoso.com. You need to recommend a solution to secure the DNS record for each web app. The solution must meet the following requirements:
• Ensure that when an app is deleted, the CNAME record for the app is removed also.
• Minimize administrative effort.
What should you include in the recommendation?
- Microsoft Defender for Cloud Apps
- Microsoft Defender for DevOps
- Microsoft Defender for App Service
- Microsoft Defender for DNS

You are designing a ransomware response plan that follows Microsoft Security Best Practices. You need to recommend a solution to limit the scope of damage of ransomware attacks without being locked out. What should you include in the recommendation?
- device compliance policies
- Privileged Access Workstations (PAWs)
- Customer Lockbox for Microsoft Azure
- emergency access accounts

You need to recommend a security methodology for a DevOps development process based on the Microsoft Cloud Adoption Framework for Azure. During which stage of a continuous integration and continuous deployment (CI/CD) DevOps process should each security-related task be performed? To answer, select the appropriate options in the answer area.
- Threat Modeling
- Actionable Intelligence
- Dynamic Application Security Testing (DAST)

You use Azure Pipelines with Azure Repos to implement continuous integration and continuous deployment (CI/CD) workflows for the deployment of applications to Azure. You need to recommend what to include in dynamic application security testing (DAST) based on the principles of the Microsoft Cloud Adoption Framework for Azure. What should you recommend?
- unit testing
- penetration testing
- dependency checks
- threat modeling

You have a Microsoft 365 subscription. You are designing a user access solution that follows the Zero Trust principles of the Microsoft Cybersecurity Reference Architectures (MCRA). You need to recommend a solution that automatically restricts access to Microsoft Exchange Online, SharePoint Online, and Teams in near-real-time (NRT) in response to the following Azure AD events:
• A user account is disabled or deleted.
• The password of a user is changed or reset.
• All the refresh tokens for a user are revoked.
• Multi-factor authentication (MFA) is enabled for a user.
Which two features should you include in the recommendation? Each correct answer presents part of the solution.
- continuous access evaluation
- Azure AD Application Proxy
- a sign-in risk policy
- Azure AD Privileged Identity Management (PIM)
- Conditional Access

You need to recommend a solution to meet the security requirements for the InfraSec group. What should you use to delegate the access?
- a subscription
- a custom role-based access control (RBAC) role
- a resource group
- a management group

You need to recommend a strategy for routing internet-bound traffic from the landing zones. The solution must meet the landing zone requirements. What should you recommend as part of the landing zone deployment?
- local network gateways
- forced tunneling
- service chaining

You need to recommend a solution to scan the application code. The solution must meet the application development requirements. What should you include in the recommendation?
- GitHub Advanced Security
- Azure Key Vault
- Azure DevTest Labs
- Application Insights in Azure Monitor