Orange Flashcards
You have an Azure subscription that has Microsoft Defender for Cloud enabled.
You have an Amazon Web Services (AWS) implementation.
You plan to extend the Azure security strategy to the AWS implementation. The solution will NOT use Azure Arc.
Which three services can you use to provide security for the AWS resources? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. Microsoft Defender for Containers
B. Microsoft Defender for Servers
C. Azure Active Directory (Azure AD) Conditional Access
D. Azure Active Directory (Azure AD) Privileged Identity Management (PIM)
E. Azure Policy
A. Microsoft Defender for Containers
C. Azure Active Directory (Azure AD) Conditional Access
E. Azure Policy
Your company has an on-premises network and an Azure subscription.
The company does NOT have a Site-to-Site VPN or an ExpressRoute connection to Azure. You are designing the security standards for Azure App Service web apps. The web apps will access Microsoft SQL Server databases on the network.
You need to recommend security standards that will allow the web apps to access the databases. The solution must minimize the number of open internet-accessible endpoints to the on-premises network.
What should you include in the recommendation?
A. virtual network NAT gateway integration
B. hybrid connections
C. virtual network integration
D. a private endpoint
B. hybrid connections
Your company has an Azure subscription that uses Azure Storage.
The company plans to share specific blobs with vendors.
You need to recommend a solution to provide the vendors with secure access to specific blobs without exposing the blobs publicly. The access must be time-limited.
What should you include in the recommendation?
A. Configure private link connections.
B. Configure encryption by using customer-managed keys (CMKs).
C. Share the connection string of the access key.
D. Create shared access signatures (SAS).
D. Create shared access signatures (SAS).
Your company plans to provision blob storage by using an Azure Storage account. The blob storage will be accessible from 20 application servers on the internet.
You need to recommend a solution to ensure that only the application servers can access the storage account.
What should you recommend using to secure the blob storage?
A. managed rule sets in Azure Web Application Firewall (WAF) policies
B. inbound rules in network security groups (NSGs)
C. firewall rules for the storage account
D. inbound rules in Azure Firewall
E. service tags in network security groups (NSGs)
Your company is designing an application architecture for Azure App Service Environment (ASE) web apps as shown in the exhibit.
Exhibit (diagram): an on-premises application server with a public IP address sits behind an on-premises firewall; users reach the Azure subscription over the public internet; the subscription contains a resource group with subnet01, which hosts appAPI01 and appAPI02.
Communication between the on-premises network and Azure uses an ExpressRoute connection.
You need to recommend a solution to ensure that the web apps can communicate with the on-premises application server. The solution must minimize the number of public IP addresses that are allowed to access the on-premises network.
What should you include in the recommendation?
A. Azure Traffic Manager with priority traffic-routing methods
B. Azure Firewall with policy rule sets
C. Azure Front Door with Azure Web Application Firewall (WAF)
D. Azure Application Gateway v2 with user-defined routes (UDRs)
B. Azure Firewall with policy rule sets
You have an Azure subscription that has Microsoft Defender for Cloud enabled.
You need to enforce ISO 27001:2013 standards for the subscription. The solution must ensure that noncompliant resources are remediated automatically.
What should you use?
A. Azure Policy
B. Azure Blueprints
C. the regulatory compliance dashboard in Defender for Cloud
D. Azure role-based access control (Azure RBAC)
A. Azure Policy
Your company has a hybrid cloud infrastructure.
Data and applications are moved regularly between cloud environments.
The company's on-premises network is managed as shown in the following exhibit.
Exhibit:
On-premises: Windows Server, Linux Server
Azure: Azure Monitor, Azure Policy, Azure Update Management
You are designing security operations to support the hybrid cloud infrastructure. The solution must meet the following requirements:
✑ Govern virtual machines and servers across multiple environments.
✑ Enforce standards for all the resources across all the environments by using Azure Policy.
Which two components should you recommend for the on-premises network? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. on-premises data gateway
B. Azure VPN Gateway
C. guest configuration in Azure Policy
D. Azure Arc
E. Azure Bastion
C. guest configuration in Azure Policy
D. Azure Arc
You have a Microsoft 365 subscription and an Azure subscription. Microsoft 365 Defender and Microsoft Defender for Cloud are enabled.
The Azure subscription contains 50 virtual machines. Each virtual machine runs different applications on Windows Server 2019.
You need to recommend a solution to ensure that only authorized applications can run on the virtual machines. If an unauthorized application attempts to run or be installed, the application must be blocked automatically until an administrator authorizes the application.
Which security control should you recommend?
A. Azure Active Directory (Azure AD) Conditional Access App Control policies
B. OAuth app policies in Microsoft Defender for Cloud Apps
C. app protection policies in Microsoft Endpoint Manager
D. application control policies in Microsoft Defender for Endpoint
D. application control policies in Microsoft Defender for Endpoint
DRAG DROP -
You have a Microsoft 365 subscription.
You need to recommend a security solution to monitor the following activities:
✑ User accounts that were potentially compromised
✑ Users performing bulk file downloads from Microsoft SharePoint Online
What should you include in the recommendation for each activity? To answer, drag the appropriate components to the correct activities. Each component may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:
Components:
* A data loss prevention (DLP) policy
* Azure Active Directory (Azure AD) Conditional Access
* Azure Active Directory (Azure AD) Identity Protection
* Microsoft Defender for Cloud
* Microsoft Defender for Cloud Apps
Answer Area:
User accounts that were potentially compromised: ??????????
Users performing bulk file downloads from SharePoint Online: ??????????
User accounts that were potentially compromised: Azure Active Directory (Azure AD) Identity Protection
Users performing bulk file downloads from SharePoint Online: Microsoft Defender for Cloud Apps
You have a Microsoft 365 subscription and an Azure subscription. Microsoft 365 Defender and Microsoft Defender for Cloud are enabled.
The Azure subscription contains 50 virtual machines. Each virtual machine runs different applications on Windows Server 2019.
You need to recommend a solution to ensure that only authorized applications can run on the virtual machines. If an unauthorized application attempts to run or be installed, the application must be blocked automatically until an administrator authorizes the application.
Which security control should you recommend?
A. adaptive application controls in Defender for Cloud
B. app protection policies in Microsoft Endpoint Manager
C. app discovery anomaly detection policies in Microsoft Defender for Cloud Apps
D. Azure Security Benchmark compliance controls in Defender for Cloud
A. adaptive application controls in Defender for Cloud
Your company is developing an invoicing application that will use Azure Active Directory (Azure AD) B2C. The application will be deployed as an App Service web app.
You need to recommend a solution to the application development team to secure the application from identity-related attacks.
Which two configurations should you recommend? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Azure AD workbooks to monitor risk detections
B. Azure AD Conditional Access integration with user flows and custom policies
C. smart account lockout in Azure AD B2C
D. access packages in Identity Governance
E. custom resource owner password credentials (ROPC) flows in Azure AD B2C
B. Azure AD Conditional Access integration with user flows and custom policies
C. smart account lockout in Azure AD B2C
You have a customer that has a Microsoft 365 subscription and an Azure subscription.
The customer has devices that run Windows, iOS, Android, or macOS. The Windows devices are deployed on-premises and in Azure.
You need to design a security solution to assess whether all the devices meet the customer’s compliance rules.
What should you include in the solution?
A. Microsoft Defender for Endpoint
B. Microsoft Endpoint Manager
C. Microsoft Information Protection
D. Microsoft Sentinel
B. Microsoft Endpoint Manager
HOTSPOT -
Your company is migrating data to Azure. The data contains Personally Identifiable Information (PII).
The company plans to use Microsoft Information Protection for the PII data store in Azure.
You need to recommend a solution to discover PII data at risk in the Azure resources.
What should you include in the recommendation? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer Area
To connect the Azure data sources to Microsoft Information Protection:
* Azure Purview
* Endpoint data loss prevention
* Microsoft Defender for Cloud Apps
* Microsoft Information Protection
To triage security alerts related to resources that contain PII data:
* Azure Monitor
* Endpoint data loss prevention
* Microsoft Defender for Cloud
* Microsoft Defender for Cloud Apps
To connect the Azure data sources to Microsoft Information Protection: Azure Purview
To triage security alerts related to resources that contain PII data: Microsoft Defender for Cloud
HOTSPOT -
You open Microsoft Defender for Cloud as shown in the following exhibit.
Exhibit: the Recommendations page (Home > Microsoft Defender for Cloud > Recommendations).
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer Area
To increase the score for the Restrict unauthorized network access control, implement ??????????
* Azure Active Directory (Azure AD) Conditional Access policies
* Azure Web Application Firewall (WAF)
* network security groups (NSGs)
To increase the score for the Enable endpoint protection control, implement ??????????
* Microsoft Defender for Resource Manager
* Microsoft Defender for Servers
* private endpoints
To increase the score for the Restrict unauthorized network access control, implement network security groups (NSGs)
To increase the score for the Enable endpoint protection control, implement Microsoft Defender for Servers
-CASE 1-
HOTSPOT -
You need to recommend a strategy for securing the litware.com forest. The solution must meet the identity requirements.
What should you include in the recommendation? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer Area
For Azure AD-targeted threats:
* Azure AD Identity Protection
* Azure AD Password Protection
* Microsoft Defender for Cloud
For AD DS-targeted threats:
* An account lockout policy in AD DS
* Microsoft Defender for Endpoint
* Microsoft Defender for Identity
For Azure AD-targeted threats: Azure AD Identity Protection
For AD DS-targeted threats: An account lockout policy in AD DS