Domain 01 · 25–30% of Exam

Design Identity, Governance, and Monitoring Solutions

Logging, monitoring, authentication, authorization, secrets management, and governance frameworks

25–30% Exam Weight
9 Sub-topics
High Priority

Domain 01 covers designing logging and monitoring architectures, authentication and authorization solutions, secrets and certificate management with Azure Key Vault, and governance frameworks using management groups, Azure Policy, and identity governance tools. It accounts for 25–30% of the exam, the second-highest weighted domain. The table below maps every official sub-topic to the type of question you will face in the exam.

What the Exam Tests
Sub-domain / Topic | What kind of question to expect
Recommend a logging solution
  • Questions present a mixed VM environment running both Windows and Linux, and ask which Azure Monitor Logs table to query for security-related events from each operating system. You need to know which table stores Windows event log data and which stores Linux system logging data, and how these differ from tables that store Azure platform-level activity and resource diagnostic data.
  • Questions present an Azure resource that already has a diagnostic setting sending a specific log category to multiple destinations, and ask whether an additional diagnostic setting can be created to send the same log category to a new destination. You need to understand the constraints on how many diagnostic settings a single resource can have and how multiple settings interact with each other.
  • Questions present a requirement to generate a monthly report of all new ARM resource deployments across a subscription, and ask which Azure service should be included in the recommendation. You need to identify which service captures and allows querying of ARM-level deployment activity across a subscription.
  • Questions present a fleet of VMs with the Azure Monitor Agent installed that must forward custom-format logs to a Log Analytics workspace and transform them before storage. The scenario asks separately about the forwarding mechanism and the transformation mechanism. You need to know which component in a data collection rule pipeline handles ingestion routing from the agent to the workspace, and which query language is used within that pipeline to reshape log data before it reaches the destination table.
  • Questions present a scenario where VMs across multiple subscriptions linked to separate Entra tenants must send security events to a single shared Log Analytics workspace. The scenario asks separately about enabling cross-tenant log collection and about which agent generation supports per-event filtering via data collection rules. You need to know which Azure governance service allows a managing tenant to operate across delegated customer subscriptions, and which agent generation natively supports DCR-based event filtering.
  • Questions present a scenario with Azure Policy definitions assigned to storage accounts, where the requirement is to trigger on-demand compliance scans and raise non-compliance alerts via Azure Monitor. The scenario asks separately about how to initiate scans programmatically and about which resource's diagnostic settings must be configured to feed the alert query. You need to know which tooling mechanism triggers a policy evaluation scan without deploying new resources, and which log source captures policy compliance state change events.
  • Questions present an Azure SQL Database diagnostic settings configuration shown in an exhibit, and ask what the resulting data retention will be for each destination. You need to read the configured retention values from the exhibit and match them to the correct duration for blob storage and for Log Analytics respectively, understanding how each destination type handles retention independently.
  • Questions present a scenario where VMs across multiple VNets must route logs to a Log Analytics workspace entirely over the Microsoft backbone network. The scenario asks separately about the minimum number of Azure Monitor Private Link Scope objects and the minimum number of private endpoints required. You need to understand how AMPLS groups Azure Monitor resources and links to VNets, and how private endpoints connect VNets to the AMPLS.
  • Questions present a fleet of VMs across multiple regions that must send different combinations of log types to a single Log Analytics workspace, with a requirement to minimize the volume of data collected. The scenario asks separately for the minimum number of data collection rules and the minimum number of data collection endpoints required. You need to reason through how DCRs are scoped by log type combination, and whether a DCE is required when the destination workspace is reachable via a public endpoint.
Recommend a solution for routing logs
  • Questions present the same SQL database scenario across multiple questions in a series, each proposing a different new diagnostic setting destination for the same log category already configured in Settings1. One question asks about adding a setting that archives to a second storage account, another asks about adding a setting that routes to a second Log Analytics workspace. You need to reason through whether each proposed additional destination is valid given what already exists, and whether any constraint prevents the same log category being sent to an additional destination of that type.
Recommend a monitoring solution
  • Questions present a series where VMs are experiencing network connectivity issues across a hybrid environment connected via ExpressRoute, and propose different monitoring solutions. Each question names a different Azure service and asks whether it meets the goal of identifying whether packets are being allowed or denied. You need to know what each monitoring service actually analyses: which service provides packet-level allow/deny visibility, which maps service dependencies, and which provides optimization recommendations, so you can correctly identify which proposed solution meets or does not meet the stated goal. The series covers multiple tools across multiple tests including Wire Data solution, VM Insights, Traffic Analytics in Log Analytics, Traffic Analytics in Network Watcher, Azure Advisor, and IP flow verify in Network Watcher.
  • Questions present a scenario where custom logs must be ingested into a Log Analytics workspace via the Logs Ingestion API, with the requirement that the workspace must not be accessible from the internet. You need to identify which component enables private network access to Azure Monitor services including Log Analytics workspaces.
  • Questions present an architecture design requirement to capture Entra ID events such as user creation and role assignments, and route the captured data to Azure Cosmos DB. The question is split across two sub-questions, each asking which Azure service fills a specific position in the pipeline. You need to understand which service routes or reacts to identity events from Microsoft Entra, and which service executes custom processing logic to write that data to Cosmos DB.
  • Questions present a case study with monitoring requirements for a containerised application, and ask which monitoring solution to recommend. You need to know which service is purpose-built for monitoring application-level telemetry such as request rates, dependencies, exceptions, and performance counters for web and background applications, versus which services monitor infrastructure, security, or container orchestration.
  • Questions present a case study where an IT support distribution group must receive automated notifications based on Azure monitoring events, and ask which component to include in the recommendation. You need to know which Azure Monitor component defines and triggers notification actions such as email delivery to a recipient group when an alert fires.
  • Questions present a high-volume log ingestion scenario where an application sends a large daily volume of log data to a custom Log Analytics table, and an Azure Monitor alert is configured against that table. The goal is to reduce Log Analytics costs without stopping ingestion or breaking the alert. The scenario asks separately about which resource to modify and which configuration change to make. You need to know which table-level pricing plan reduces the per-GB cost for logs that do not require interactive querying, and what trade-off that plan introduces for alert rule compatibility.
  • Questions present a scenario with multiple Azure subscriptions grouped into projects, where Microsoft Cost Management must surface per-project costs with minimum effort. The question asks which two components enable per-project cost grouping across subscriptions. You need to know which metadata mechanism allows Cost Management to aggregate costs across resources by logical grouping, and which organizational hierarchy feature allows Cost Management to scope views across multiple subscriptions.
  • Questions present a tiered containerized application and ask which Azure Monitor solution supports synthetic transaction monitoring between the application's own components. You need to know which service provides synthetic transaction monitoring capability that simulates inter-component requests, and how it differs from services that monitor infrastructure, container orchestration, or network topology.
  • Questions present a monitoring stack comprising several Azure Monitor tools managed by a single team, and ask for the minimum number of Azure Monitor workspaces required. You need to know which tools share a single Log Analytics workspace as their backing store and which require a dedicated workspace, so you can calculate the minimum workspace count.
Recommend an authentication solution
  • Questions present a SaaS application design with a front-end web app and a back-end web API that requires OAuth 2 bearer tokens, then present a series of completion statements, asking which component generates the access tokens and which component performs authorization decisions. You need to understand the roles of each component in the OAuth 2 authorization code flow to correctly complete each statement.
  • Questions present a case study where a specific group of users must be registered for MFA and must authenticate using MFA when signing in. The question is split into two parts, one asking how to register the users and one asking how to enforce MFA at sign-in. You need to distinguish between the mechanisms used for MFA registration versus those used for MFA enforcement, and know which Entra features govern each.
  • Questions present a Conditional Access policy and ask which control setting, either grant or session, achieves a stated authentication enforcement requirement. You need to know the difference between what grant controls and session controls each govern.
  • Questions present a web app accessed from the internet by users whose computers are joined to Microsoft Entra ID, then ask two separate questions: which feature enables the users to connect without being prompted for authentication, and which feature restricts access to company-owned computers only. You need to know which Entra feature provides seamless SSO for Entra-joined devices without a credential prompt, and which feature can enforce device compliance as an access condition.
  • Questions present an on-premises ASP.NET application that must enforce Entra ID authentication and MFA for internet-based access, then present a drag-and-drop ordering question with a numbered list of features. You must select three features and arrange them in the correct deployment sequence. You need to understand which component handles the reverse proxy from the internet to the on-premises server, which component registers the application for SSO, and which component enforces MFA at sign-in, and in what order these must be configured.
  • Questions present a VM management scenario where incoming connections must use MFA before network access is allowed, must use TLS on port 443, and must support RDP and SSH. The question is split into two parts: one asking which service provides the VM access, and another asking which configuration enforces MFA. You need to identify which Azure service brokers browser-based RDP and SSH access over HTTPS, and how Conditional Access is scoped to enforce MFA for that specific sign-in scenario.
  • Questions present an application that needs to obtain an access token to authenticate to Azure resources, and ask which type of endpoint the application should use. You need to distinguish between the correct modern token endpoint, the endpoint used by Azure VM managed identities, and legacy or unrelated Azure endpoints.
  • Questions present an Azure Functions app that must authenticate to an Azure subscription resource with minimal administrative effort, such as reading activity logs. You need to know which mechanism eliminates credential management entirely for Azure-hosted compute services.
  • Questions present a case study with specific identity and authentication requirements, and ask two numerical questions: the minimum number of Microsoft Entra tenants required, and the minimum number of Conditional Access policies required. You need to read the case study requirements to determine whether the scenario can be satisfied by a single tenant or requires isolation, and then count how many distinct Conditional Access conditions must be expressed as separate policies.
  • Questions present an application deployed to an Azure VM that must use a system-assigned managed identity to retrieve secrets from Key Vault with minimal development effort. The scenario asks separately about which OAuth 2.0 grant flow to configure and from which endpoint to retrieve the authentication token. You need to know which grant flow a service uses to authenticate as itself without a user context, and which VM-local endpoint serves as the token source for managed identity authentication.
  • Questions present a hybrid scenario where remote users currently use a VPN to access an on-premises application that uses AD DS authentication, and the goal is to eliminate the VPN while enforcing MFA with minimal administrative effort. The question asks what to deploy on-premises. You need to know which component establishes an outbound tunnel to the Entra Application Proxy service to enable browser-based access with Entra-integrated MFA, and how it differs from data connectivity gateways and Windows Server federation role services.
  • Questions present an internal application that needs SAML SSO configured and must enforce MFA when users access it from unknown locations. The question asks which two features to include. You need to know which feature registers an application and configures SAML-based SSO in Entra, and which feature can enforce MFA based on sign-in location conditions.
Recommend an identity management solution
  • Questions present a hybrid identity scenario where remote users without VPN access need single sign-on to an on-premises web application that uses Integrated Windows Authentication. You need to select two features from a list that includes both correct and plausible-but-incorrect options.
  • Questions present a scenario where an application uses LDAP queries against on-premises Active Directory to verify user identities, and must continue to function after the server is migrated to an Azure VM. A security policy prohibits the VM from accessing the on-premises network. You need to identify which service provides managed LDAP and Kerberos/NTLM support in Azure without requiring connectivity back to the on-premises domain, and why the options that require on-premises connectivity are eliminated by the security constraint.
  • Questions present a single-tenant web app that authenticates users from one Entra tenant, and ask how to enable users from a partner company's Entra tenant to also authenticate. You need to identify which option is designed specifically to enable cross-tenant user authentication for an existing application, and eliminate options that govern risk, device management, provisioning, or privileged access rather than federated authentication.
  • Questions present a case study with two on-premises Active Directory forests and a plan to extend some workloads to Azure VNets. The question asks what to include in the identity management strategy. You need to understand which forest's workloads are being extended to Azure and therefore which forest's domain controllers must be available in the Azure VNet to authenticate those workloads.
  • Questions present a Microsoft Entra administrative unit containing users, and ask which roles to assign to two different users to enable different actions scoped only to that unit — one user needs to create accounts, another needs to reset passwords. You need to know which role grants user creation capability versus which grants password reset capability, and why scoping the assignment to the administrative unit is preferred over a tenant-wide assignment.
  • Questions present an HR-driven automatic user provisioning scenario where new employees and contractors must have accounts created in an on-premises AD child domain and in the Entra tenant, with separate provisioning logic per user type. The scenario asks separately for the minimum number of Entra app registrations and the minimum number of provisioning agents required. You need to know how Workday inbound provisioning is structured in terms of app registrations per destination, and how many agents are needed to reach a single on-premises AD domain.
Recommend a solution for authorizing access to Azure resources
  • Questions present a case study with defined users, groups, and access requirements for a specific Azure role, and ask for the minimum number of role assignments needed to satisfy all requirements. You need to trace each user's scope requirements and determine whether any single assignment at a higher scope satisfies multiple users' needs or whether separate assignments per user or scope are required.
  • Questions present a blob access requirement that is time-limited to a specific calendar period for a defined group of users, then ask which security mechanism to recommend from a list that includes identity-based access controls, storage-native access tokens, account-level keys, and certificate-based options. You need to know which mechanism supports time-bounded access without granting permanent permissions.
  • Questions present a scenario where web apps registered in Microsoft Entra need to call web APIs, and ask how to grant the permissions for this access using Microsoft Entra-generated claims with minimal configuration effort. The question is completed by selecting from Microsoft Entra, Azure API Management, or the web APIs themselves. You need to understand where application permissions and OAuth 2 scopes are defined and granted in the Microsoft Entra authorization flow.
  • Questions present a requirement to provide specific Entra ID user accounts with read access to Azure Cosmos DB databases using the SQL API. You need to understand how Cosmos DB authorization works for Entra ID users, distinguishing between the Cosmos DB-native token types and the Azure RBAC role assignment mechanism that grants data-plane access to specific user accounts.
  • Questions present two applications deployed across many VMs that authenticate users with their Entra ID credentials and need to access Microsoft 365 calendar data on behalf of signed-in users. One app needs read access and the other write access. The question is split into two parts: one asking which authentication solution to recommend, and one asking which authorization solution to use. You need to know which authentication mechanism enables user-delegated identity flows as opposed to service-to-service identity, and which permission type represents access granted on behalf of a signed-in user rather than direct application access.
  • Questions present a large set of storage accounts with existing RBAC assignments, and ask how to implement access control based on tags applied to individual resources within those accounts rather than on the accounts themselves. The scenario asks separately which access control mechanism to use and which storage resource type to target. You need to know which mechanism extends Azure RBAC by evaluating attribute conditions at the resource level, and which storage resource type supports tag-based attribute conditions.
  • Questions present a complex RBAC inheritance scenario with a management group hierarchy, multiple subscriptions, resource groups, security groups, and users, where several role assignments are performed at different scopes. A series of Yes/No questions then evaluates whether specific users can perform specific actions. You need to trace the inheritance chain from the root management group through subscriptions and resource groups, determine which roles each user inherits through their group memberships, and know what each role permits — particularly the distinction between roles that allow resource creation versus roles that allow writing role assignments.
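The inheritance tracing described in the last bullet can be made mechanical. The following is an added example, not part of the original page: a small evaluator that models Azure RBAC the way the exam expects you to reason about it. Assignments at a management group flow down to subscriptions and resource groups, group membership is expanded, and a role permits an action only if it matches Actions and is not excluded by NotActions. The scope tree, the users, groups and assignments are constructed for the example, and the three built-in role definitions are reduced to the entries needed to show the Contributor-versus-Owner distinction (check the live definitions in your tenant).

```python
"""Toy evaluator for Azure RBAC inheritance (added example, constructed data)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Simplified built-in roles. Contributor's NotActions are what stop it from
# granting access: it can create resources but cannot write role assignments.
ROLES = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {
        "Actions": ["*"],
        "NotActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Reader": {"Actions": ["*/read"], "NotActions": []},
}


@dataclass(frozen=True)
class Assignment:
    principal: str  # user or security group
    role: str       # key into ROLES
    scope: str      # key into PARENT


# Constructed scope tree, child -> parent (None marks the root management group).
PARENT = {"Root MG": None, "Sub1": "Root MG", "Sub2": "Root MG", "RG1": "Sub1", "RG2": "Sub2"}

# Constructed group membership, user -> groups (nested groups are expanded below).
MEMBER_OF = {"alice": {"Group1"}, "bob": {"Group2"}, "carol": set()}

# Constructed assignments at different scopes.
ASSIGNMENTS = [
    Assignment("Group1", "Contributor", "Root MG"),  # inherited by every subscription and RG
    Assignment("Group2", "Reader", "Sub2"),
    Assignment("carol", "Owner", "RG1"),
    Assignment("bob", "Contributor", "RG2"),
]

CREATE_VM = "Microsoft.Compute/virtualMachines/write"
GRANT_ACCESS = "Microsoft.Authorization/roleAssignments/write"
READ_STORAGE = "Microsoft.Storage/storageAccounts/read"


def scope_chain(scope, parent=PARENT):
    """The scope plus every ancestor; an assignment at any of them applies."""
    chain = []
    while scope is not None:
        chain.append(scope)
        scope = parent[scope]
    return chain


def principals_for(user, member_of=MEMBER_OF):
    """The user plus every group it belongs to, following nested groups."""
    seen, todo = {user}, [user]
    while todo:
        for group in member_of.get(todo.pop(), set()):
            if group not in seen:
                seen.add(group)
                todo.append(group)
    return seen


def _matches(action, patterns):
    # Azure matches operation strings case-insensitively; '*' spans '/' too.
    action = action.lower()
    return any(fnmatchcase(action, p.lower()) for p in patterns)


def role_allows(role_name, action, roles=ROLES):
    """A role permits an action if Actions matches it and NotActions does not."""
    role = roles[role_name]
    return _matches(action, role["Actions"]) and not _matches(action, role["NotActions"])


def can_perform(user, action, scope, assignments=ASSIGNMENTS):
    """Allow-only model: one applicable assignment permitting the action is enough."""
    principals = principals_for(user)
    chain = set(scope_chain(scope))
    return any(
        a.principal in principals and a.scope in chain and role_allows(a.role, action)
        for a in assignments
    )


if __name__ == "__main__":
    for user, action, scope in [
        ("alice", CREATE_VM, "RG2"), ("alice", GRANT_ACCESS, "RG2"),
        ("carol", GRANT_ACCESS, "RG1"), ("carol", CREATE_VM, "Sub1"),
        ("bob", READ_STORAGE, "RG2"), ("bob", CREATE_VM, "RG1"),
    ]:
        print(f"{user:6} {action:48} at {scope:7} -> {can_perform(user, action, scope)}")
```

Working through the constructed data: alice inherits Contributor from the root management group and can create a VM in RG2 but cannot write a role assignment there; carol is Owner only at RG1, so she cannot create a VM at the Sub1 scope above it; bob reads storage in RG2 through the Reader assignment at Sub2 but has nothing in Sub1.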
Recommend a solution for authorizing access to on-premises resources
  • Questions present the same hybrid SSO scenario as the identity management topic, requiring two features from a list, but frame the question specifically around network connectivity and on-premises resource authorization rather than identity. You need to understand both the component that handles the secure tunnel from the cloud to the on-premises app and the component that configures and presents the app to users, and distinguish them from networking-layer alternatives that do not support Kerberos delegation for Windows Authentication.
Recommend a solution to manage secrets, certificates, and keys
  • Questions present an Azure Key Vault backup and restore scenario, and ask to which locations a backup of keys can be restored. You need to know what geographic constraints apply to Key Vault backup restoration and why those constraints exist.
  • Questions present a scenario with several Azure App Service web apps that use Key Vault to store encryption keys, and map different department requests to the appropriate Azure service. One department needs the application to access Key Vault without storing credentials in code, another needs privileged just-in-time access to Key Vault for administrative tasks, and another needs risk-based monitoring of sign-in activity. You need to match each department requirement to the service that best addresses it without introducing credential management overhead.
  • Questions present a Key Vault instance used by a web app, and ask two separate questions about what happens when the Azure region hosting the vault becomes unavailable. One question asks to which location the vault will failover, from options including the same availability set, fault domain, paired region, or a VM scale set. The other question asks which specific operation type from the app's list of Key Vault requests will be unavailable during the failover period. You need to understand Key Vault's regional failover behaviour and which request types are restricted during a failover to the paired region.
  • Questions present a case study where an application needs to access third-party credentials stored in Key Vault without storing its own credentials in code, and ask two separate questions: which identity mechanism to use for authentication, and which Key Vault authorization mechanism to use. You need to know the difference between system-assigned and user-assigned managed identities in terms of lifecycle and shareability, and how each Key Vault authorization model grants data-plane access to secrets.
  • Questions present an Azure Databricks workspace that multiple apps deployed to an on-premises network must authenticate to. The requirement is to minimize administrative overhead from staff turnover and credential rotation. You need to understand which option eliminates credential lifecycle management entirely, which requires periodic secret rotation, and which introduces per-user overhead when staff leave the organization.
  • Questions present two Entra app registrations where a resource application defines a custom RBAC role and a calling application must receive that role in its access tokens. The scenario asks separately which blade to modify on each registration. You need to know which blade in the resource application's registration defines custom app roles, and which blade in the calling application's registration requests those roles so they appear in issued tokens.
  • Questions present an application on Azure VMs that needs to authenticate to a third-party service using an API key stored in Azure Key Vault. The scenario asks separately which Key Vault object type to use for storage and which identity mechanism to use for access. You need to know which Key Vault object type is appropriate for storing arbitrary string values rather than cryptographic keys or PKI certificates, and which identity mechanism allows the VM-hosted application to authenticate to Key Vault without storing credentials in code.
Recommend a governance solution (management groups, subscriptions, compliance, identity governance)
  • Questions present an automated deployment scenario and ask what differentiates Azure Blueprints from ARM templates. You need to know the key behavioral difference between the two tools once resources have been deployed, and which capability claims about each tool are accurate versus common misconceptions.
  • Questions present a case study where an Azure Policy must enforce a configuration setting (such as encryption) on both new and existing non-compliant resources. You need to arrange a sequence of actions from a provided list in the correct order. You need to understand which policy effect applies to existing resources requiring remediation versus new resources, and which steps must occur before a remediation task can be invoked.
  • Questions present a case study where data in a migrated application's storage must be protected against accidental modification, and ask which enforcement mechanism to apply. You need to know which mechanism prevents data modification at the Azure resource management plane level regardless of user permissions.
  • Questions present a requirement to provide developers with the ability to create VMs but restrict them to specific regions and specific VM sizes, and ask which Azure service satisfies both constraints. You need to know which service enforces restrictions on what resources can be created and how they must be configured, versus which services control who can perform actions or how identities authenticate.
  • Questions present a large management group hierarchy with many subscriptions and ask how to design Azure Blueprints governance with consistent coverage and the minimum number of definitions and assignments. The scenario is split into two questions: one asking at which level blueprints should be defined, and another asking at which level blueprint assignments should be created. You need to understand how blueprint definitions and assignments relate to each other, and how assignment inheritance through the hierarchy reduces the total number of assignments needed.
  • Questions present an access governance scenario where a manager must receive monthly emails listing permissions held by external developers, and any permission not verified by the manager must be automatically revoked with minimal development effort. You need to identify which feature supports scheduled reviewer notifications and automatic access removal without custom code.
  • Questions present a security group with assigned membership that includes both internal and guest users, where the evaluation of whether each member still needs group membership must run automatically every three months, members must be able to self-report, and non-reporting or non-qualifying members must be removed automatically. You need to know which feature supports recurring reviewer-based or self-attestation group membership validation with configurable automatic removal outcomes.
  • Questions present a multi-requirement Azure Policy design where new resources must inherit tags from their resource group, existing non-compliant resources must be identified, and auto-generated remediation tasks must create the missing tags. The question is split across two sub-questions: one asking which policy effect satisfies all three requirements, and another asking which identity object and RBAC role should be used for the remediation tasks under the principle of least privilege. You need to know which effect supports both tag inheritance for new resources and remediation for existing ones, and which identity type and role combination meets the least-privilege requirement for writing tags.
  • Questions present a large subscription environment and ask to which three scopes Azure Policy definitions can be assigned. The list includes a mix of Azure resource hierarchy levels and Entra ID concepts. You need to know which levels of the Azure resource hierarchy are valid policy assignment scopes and which identity-related objects are not valid assignment targets for Azure Policy.
  • Questions present a scenario with a defined company division structure and a requirement to deploy a standard application stack, including a resource group, web app, custom role assignments, and Cosmos DB, to each subscription using Azure Blueprints. The question is split across three sub-questions asking separately for the minimum number of management groups required, the minimum number of blueprint definitions required, and the minimum number of blueprint assignments required. You need to reason through how blueprint definitions can be shared across subscriptions and how assignments relate to the number of target subscriptions, to produce the correct minimum count for each.
  • Questions present a regulatory requirement to deploy App Service instances only to specific Azure regions with all related resources in the same region, and propose a solution using resource groups and resource locks. You need to evaluate whether the proposed solution meets the stated regulatory goal, knowing what resource locks actually prevent versus what mechanism enforces resource creation constraints such as allowed locations.
  • Questions present a case study and ask which Microsoft Entra service and which specific feature within that service to implement to meet stated identity governance requirements. The service question offers options including Identity Governance, Identity Protection, PIM, and Azure Automation. The feature question offers options including access packages, access reviews, approvals, and runbooks. You need to understand the functional difference between the Identity Governance service and its sub-features, and match the correct service-feature combination to the stated requirement.
  • Questions present two scenarios where a user in one Entra tenant must be granted a role in another tenant's Azure subscription. One scenario tests which role to assign to an account that needs to change which Entra tenant is linked to a subscription, and another asks which role to assign to an account that must be elevated to regain access when no accounts have existing permissions. You need to know which classic subscription role permits changing the directory linked to a subscription and which permits elevating access when no RBAC-based accounts exist, applying the principle of least privilege to each requirement.
  • Questions present a cross-tenant collaboration scenario where developers from a partner organization with their own Entra tenant and Microsoft 365 environment need to be added to a Contributor role in the host organization's subscription, and must use their own existing credentials. You need to know which mechanism enables external users to authenticate with their home-tenant credentials while being assignable to Azure RBAC roles in the host tenant.
  • Questions present a governance scenario where Azure resources across a subscription must be identifiable by operational attributes such as environment, owner, department, and cost center, and the data must be available for billing and compliance reports. You need to know which mechanism attaches custom key-value metadata to Azure resources in a way that is queryable for reporting purposes, and which options address a different governance concern.
  • Questions present a regulatory requirement to deploy App Service instances only to specific Azure regions, and propose a series of solutions across multiple questions each asking Yes or No. Solutions include the Regulatory compliance dashboard in Microsoft Defender for Cloud and an Azure Policy initiative to enforce the location of resource groups. You need to evaluate whether each proposed solution actually enforces a location restriction at deployment time versus monitoring compliance after the fact.
  • Questions present an Azure Policy scenario where an ARM template must be used to enable TDE on all non-compliant SQL databases and then applied automatically via a policy definition. The scenario is split into two questions: one asking which policy effect to set, and another asking what to include in the policy definition. You need to know which effect triggers automated deployment of the ARM template for non-compliant resources, and which element must be declared in the policy definition to authorize the remediation action.
  • Questions present a multi-subscription Azure Policy remediation scenario where new resources must be automatically brought into compliance after deployment. The scenario asks separately which policy effect supports automatic remediation and which Azure resource performs the remediation. You need to know which effect triggers post-deployment remediation tasks rather than simply blocking or auditing, and which identity type must be authorized for the policy to make changes within the target scope.
  • Questions present a management group and subscription hierarchy where Azure Policy definitions are assigned at different scopes, some modified with resource type selectors and some with subscription exclusions. A series of Yes/No statements then evaluates specific policy evaluation behavior. You need to understand how assignment scope determines what a policy evaluates, how resource selectors narrow evaluation within a scope without changing it, and how exclusions block evaluation at a specific scope regardless of the assignment level above it.
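The three Azure Policy scenarios above (the DeployIfNotExists effect with roleDefinitionIds, the managed identity a remediating assignment needs, and how assignment scope, resource selectors and exclusions decide what gets evaluated) can be reasoned through with a small model. The following is an added example written for this guide, not Azure's evaluation engine and not code from the original page; the management-group tree, subscriptions, resource names and the tdeState property are constructed, and the role definition GUID is a placeholder rather than a real Azure role ID.

```python
from dataclasses import dataclass, field
from typing import Callable

# Constructed scope tree for the example (not a real tenant). Values are parent scope IDs.
MG = "/providers/Microsoft.Management/managementGroups/"
PARENT = {
    MG + "root": None,
    MG + "corp": MG + "root",
    "/subscriptions/sub-prod": MG + "corp",
    "/subscriptions/sub-dev": MG + "corp",
    "/subscriptions/sub-sandbox": MG + "root",
    "/subscriptions/sub-prod/resourceGroups/rg-app": "/subscriptions/sub-prod",
    "/subscriptions/sub-prod/resourceGroups/rg-legacy": "/subscriptions/sub-prod",
    "/subscriptions/sub-dev/resourceGroups/rg-app": "/subscriptions/sub-dev",
    "/subscriptions/sub-sandbox/resourceGroups/rg-app": "/subscriptions/sub-sandbox",
}
SQL_DB = "Microsoft.Sql/servers/databases"

def ancestors(scope: str) -> list[str]:
    """The scope itself plus every parent up to the tenant root group."""
    chain = []
    while scope is not None:
        chain.append(scope)
        scope = PARENT[scope]
    return chain

@dataclass
class Resource:
    name: str
    type: str
    location: str
    scope: str                                  # resource group the resource lives in
    properties: dict = field(default_factory=dict)

@dataclass
class PolicyDefinition:
    effect: str
    matches: Callable[[Resource], bool]         # the policyRule "if" block
    exists: Callable[[Resource], bool]          # details.existenceCondition
    role_definition_ids: list[str] = field(default_factory=list)

@dataclass
class Assignment:
    definition: PolicyDefinition
    scope: str
    not_scopes: list[str] = field(default_factory=list)       # exclusions
    resource_selectors: list[dict] = field(default_factory=list)
    has_identity: bool = False                  # managed identity on the assignment

def selector_matches(selector: dict, r: Resource) -> bool:
    """Inside one resourceSelector every 'kind' must match (AND); the caller ORs the list."""
    for s in selector["selectors"]:
        value = {"resourceType": r.type, "resourceLocation": r.location}[s["kind"]]
        if "in" in s and value not in s["in"]:
            return False
        if "notIn" in s and value in s["notIn"]:
            return False
    return True

def evaluate(a: Assignment, r: Resource) -> str:
    """Scope first, then exclusions, then selectors, then the rule and remediation prerequisites."""
    chain = ancestors(r.scope)
    if a.scope not in chain:
        return "not evaluated: outside assignment scope"
    if any(ns in chain for ns in a.not_scopes):
        return "not evaluated: excluded via notScopes"
    if a.resource_selectors and not any(selector_matches(s, r) for s in a.resource_selectors):
        return "not evaluated: filtered by resource selector"
    d = a.definition
    if not d.matches(r):
        return "not applicable: policyRule condition did not match"
    if d.exists(r):
        return "compliant"
    if d.effect.lower() != "deployifnotexists":
        return f"non-compliant: effect {d.effect} does not remediate"
    if not d.role_definition_ids:
        return "non-compliant: remediation blocked, no roleDefinitionIds in definition"
    if not a.has_identity:
        return "non-compliant: remediation blocked, assignment has no managed identity"
    return "non-compliant: remediation task would deploy the template"

# Mirrors the shape of a "deploy TDE" policy: target every SQL database except master and
# treat it as compliant only when TDE is Enabled. The GUID below is a placeholder, not a real role.
TDE = PolicyDefinition(
    effect="DeployIfNotExists",
    matches=lambda r: r.type == SQL_DB and r.name != "master",
    exists=lambda r: r.properties.get("tdeState") == "Enabled",
    role_definition_ids=["/providers/Microsoft.Authorization/roleDefinitions/00000000-0000-0000-0000-000000000000"],
)

def corp_assignment(has_identity: bool = True) -> Assignment:
    """Assigned at the corp management group, excluding rg-legacy, narrowed to SQL databases."""
    return Assignment(
        definition=TDE, scope=MG + "corp",
        not_scopes=["/subscriptions/sub-prod/resourceGroups/rg-legacy"],
        resource_selectors=[{"name": "sqlOnly", "selectors": [{"kind": "resourceType", "in": [SQL_DB]}]}],
        has_identity=has_identity,
    )

def sample_resources() -> list[Resource]:
    """Constructed inventory; tdeState stands in for the TDE sub-resource state."""
    return [
        Resource("orders", SQL_DB, "westeurope", "/subscriptions/sub-prod/resourceGroups/rg-app", {"tdeState": "Disabled"}),
        Resource("master", SQL_DB, "westeurope", "/subscriptions/sub-prod/resourceGroups/rg-app", {"tdeState": "Disabled"}),
        Resource("archive", SQL_DB, "westeurope", "/subscriptions/sub-prod/resourceGroups/rg-legacy", {"tdeState": "Disabled"}),
        Resource("devdb", SQL_DB, "westeurope", "/subscriptions/sub-dev/resourceGroups/rg-app", {"tdeState": "Enabled"}),
        Resource("sandboxdb", SQL_DB, "westeurope", "/subscriptions/sub-sandbox/resourceGroups/rg-app", {"tdeState": "Disabled"}),
        Resource("stgapp01", "Microsoft.Storage/storageAccounts", "westeurope", "/subscriptions/sub-prod/resourceGroups/rg-app"),
    ]

def report(a: Assignment, resources: list[Resource]) -> dict[str, str]:
    return {r.name: evaluate(a, r) for r in resources}

if __name__ == "__main__":
    for name, status in report(corp_assignment(), sample_resources()).items():
        print(f"{name:10} {status}")
```

Running it shows each exam distinction in one line per resource: the sandbox database is never evaluated because its subscription sits under root rather than corp, the legacy database is skipped by the exclusion even though the assignment is above it, the storage account is filtered by the selector without the assignment scope changing, master is in scope but fails the rule, and the only database that would get a remediation task is the non-compliant one in scope. Calling corp_assignment(has_identity=False) shows the same database reported as non-compliant with remediation blocked, which is the point of the identity question.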
Common Questions

AZ-305 Domain 01: Frequently Asked Questions

Common questions about what this domain tests, which sub-topics matter most, and how to approach the design questions on exam day.

What does AZ-305 Domain 01 cover?

Domain 01 covers designing logging and monitoring solutions, authentication and authorization solutions, and governance frameworks. It includes recommending the right monitoring service for a scenario, designing hybrid identity and access control solutions, managing secrets with Azure Key Vault, and designing management group and subscription structures for compliance. It accounts for 25–30% of the exam.

What is the most important topic in AZ-305 Domain 01?

Authentication and authorization design is consistently the most heavily tested area. Expect questions on recommending the right identity approach: when to use managed identities versus service principals, when to use Microsoft Entra ID B2B versus B2C for external users, and how to design Conditional Access policies for Zero Trust scenarios.

How is Azure Key Vault tested on AZ-305?

Key Vault questions test when to recommend Key Vault for secrets, certificates, and keys versus alternative approaches. You need to know the difference between Key Vault access policies and RBAC for Key Vault, when to use managed identities for Key Vault access, and how to design Key Vault for high availability using soft delete and purge protection.

How is governance design tested on AZ-305?

Governance questions test the ability to design a management group and subscription hierarchy that reflects business structure and enforces policy at scale. You need to recommend the correct scope and effect for Azure Policy assignments, design role assignment inheritance across the hierarchy, and recommend identity governance tools like access reviews and entitlement management for the right scenarios.

How is Azure Monitor tested on AZ-305?

AZ-305 tests the ability to recommend the right monitoring architecture for a scenario: distinguishing between Azure Monitor, Log Analytics workspaces, Application Insights, and Microsoft Defender for Cloud. Questions present a business requirement such as alerting on security events or tracking application performance degradation, and ask which monitoring service or combination best satisfies it.

What identity management topics appear on AZ-305?

AZ-305 tests hybrid identity design (Microsoft Entra Connect versus cloud-only), external identity patterns (B2B versus B2C), system-assigned versus user-assigned managed identities for Azure resources, and Conditional Access policy design for Zero Trust access models.
