Implementing End-to-End Security Controls for Cloud and AI Workloads v1.0

Page:    1 / 5   
Exam contains 67 questions

Note: This section contains one or more sets of questions with the same scenario and problem. Each question presents a unique solution to the problem. You must determine whether the solution meets the stated goals. More than one solution in the set might solve the problem. It is also possible that none of the solutions in the set solve the problem.
After you answer a question in this section, you will NOT be able to return. As a result, these questions do not appear on the Review Screen.
You have an Azure subscription that contains two virtual machines named VM1 and VM2. Each virtual machine has system-assigned managed identity enabled.
You have an Azure Storage account named storage1. Public access from all networks is enabled for storage1.
You need to ensure that VM1 and VM2 can access storage1.
Solution: You add each virtual machine to a security group, and then add the security group to a role on storage1.
Does this meet the goal?

  • A. Yes
  • B. No


Answer : A

Note: This section contains one or more sets of questions with the same scenario and problem. Each question presents a unique solution to the problem. You must determine whether the solution meets the stated goals. More than one solution in the set might solve the problem. It is also possible that none of the solutions in the set solve the problem.
After you answer a question in this section, you will NOT be able to return. As a result, these questions do not appear on the Review Screen.
You have an Azure subscription that contains two virtual machines named VM1 and VM2. Each virtual machine has system-assigned managed identity enabled.
You have an Azure Storage account named storage1. Public access from all networks is enabled for storage1.
You need to ensure that VM1 and VM2 can access storage1.
Solution: You create a private endpoint on storage1.
Does this meet the goal?

  • A. Yes
  • B. No


Answer : B

Overview
Fabrikam, Inc. is a consulting company. The company has a main office in New York City and branch offices in Amsterdam and Singapore.
Existing Environment. Network environment
The on-premises network contains a datacenter in each office.
Existing Environment. Cloud environment

Fabrikam has two Azure subscriptions named Sub1 and Sub2 and a Microsoft 365 subscription that includes Microsoft 365 E5 licenses.
All the subscriptions are linked to a Microsoft Entra tenant named fabrikam.com that contains the identities shown in the following table.


The tenant contains the groups shown in the following table.

All devices are enrolled in Microsoft Intune.
Existing Environment. Sub1 Resources
Sub1 contains a resource group named RG1 that contains the resources shown in the following table.

SQLServer1 uses Microsoft SQL Server authentication.
Sub1 has an Azure Web Application Firewall (WAF) named WAF1 that has the following types of rule sets:
Bot Manager 1.1
Azure-managed Default Rule Set (DRS)
Sub1 has the following compliance standards assigned in Microsoft Defender for Cloud:
NIST SP 800-53 Rev. 4
Microsoft cloud security benchmark (MCSB)
System and Organization Controls (SOC) 2 Type 2
Existing Environment. Sub2 Resources
Sub2 contains a resource group named RG2.
Planned Changes and Requirements. Planned Changes
Fabrikam plans to implement the following changes:
Deploy the following key vaults to RG1:
AKV2 in the West Europe Azure region
AKV3 in the Central US Azure region
AKV4 in the East US Azure region
Deploy the following key vaults to RG2:
AKV5 in the East US region
Configure VM1 to read data from storage1.
Create function apps that have the following hosting plans:
Fa1: Flex Consumption hosting plan
Fa2: Consumption hosting plan
Fa3: Dedicated hosting plan

For WAF1, implement rate limiting rules based on the request location.
Enable the NIST SP 800-53 Rev. 5 compliance standard in Defender for Cloud.
Create a new storage account named storage2 that supports Azure Table storage.
Enforce multifactor authentication (MFA) when database administrators access SQLdb1.
Implement ExpressRoute circuits to the on-premises network as shown in the following table.


For RG1, create a new Privileged Identity Management (PIM) eligible role assignment that assigns the Contributor role to supported groups.
Planned Changes and Requirements. Technical Requirements
Fabrikam has the following technical requirements:

If VM1 is deleted, the permissions for VM1 must be removed automatically.
The AKS1 managed identity must only be able to pull images from Registry1.
The ID1 managed identity must be able to push images to and pull images from Registry1.
All the data in the storage accounts must be encrypted by using Fabrikam-managed keys.
All outbound traffic from the function apps to the on-premises network must use ExpressRoute circuits.
ExpressRoute connectivity between the on-premises network and the Azure environment must be encrypted by using Layer 2 or Layer 3 encryption.
You need to implement the function apps to meet the technical requirements.
Which apps should you include in the implementation?

  • A. Fa1 and Fa2 only
  • B. Fa2 and Fa3 only
  • C. Fa1 and Fa3 only
  • D. Fa1, Fa2, and Fa3


Answer : C

Overview
Contoso, Ltd. is a consulting company that has a main office in San Francisco and a branch office in Dallas.
Contoso has a hybrid environment that contains on-premises servers connected to Azure, a Microsoft 365 E5 subscription, and an Azure subscription named Sub1.

Existing Environment. Microsoft Entra tenant
Contoso has a Microsoft Entra tenant named contoso.com that contains the users shown in the following table.

Existing Environment. On-premises environment
The on-premises network contains an Active Directory Domain Services (AD DS) forest that syncs with contoso.com. The forest contains a server named Server1 that runs Windows Server.
Existing Environment. Azure subscription

Sub1 contains the storage accounts shown in the following table.

Sub1 contains the virtual networks shown in the following table.

Sub1 contains the virtual machines shown in the following table.

The network interface of VM1 is associated with an application security group named ASG1.
Sub1 contains the resources shown in the following table.

Vault1 stores the objects shown in the following table.

Existing Environment. Privileged Identity Management (PIM) configuration
You manage privileged roles by using Privileged Identity Management (PIM). The PIM role settings are configured as shown in the following table.

Existing Environment. Microsoft Sentinel configuration
Contoso has a Microsoft Sentinel workspace that contains the following tables.


Requirements. Planned changes
Contoso plans to implement the following changes:
Integrate AKS1 with Vault1.
Enable Microsoft Entra Kerberos authentication for all supported storage.
Configure auditing for sql1 by using the Azure portal and store audit logs in a centralized location.
Requirements. Technical requirements
Contoso identifies the following technical requirements:
Protect Server1 by using file integrity monitoring.
Protect AKS1 by using Microsoft Defender for Cloud.
Configure Microsoft Sentinel to retain data for the maximum supported duration without changing the tier.
Store objects used for authentication and encryption in Vault1 and ensure that Vault1 regenerates the objects every 30 days, whenever possible.
You need to protect the applications hosted on AKS1. The solution must meet the technical requirements.
Which Defender for Cloud plan should you enable?

  • A. Microsoft Defender for Servers
  • B. Microsoft Defender for App Service
  • C. Microsoft Defender for Containers
  • D. Microsoft Defender for Resource Manager
  • E. Microsoft Defender for Storage


Answer : C

HOTSPOT
(This question uses the Contoso, Ltd. case study above.)
You need to configure Server1 to meet the technical requirements.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.



Answer :

You have an Azure Logic Apps Consumption workflow that uses a Request trigger. All supported authentication methods are enabled on the Request trigger.
You need to ensure that the endpoint accepts only OAuth-based requests. The solution must minimize costs.
What should you do?

  • A. Use OAuth 2.0 authorization.
  • B. Enable Secure Inputs and enable Secure Outputs for the Request trigger.
  • C. Disable shared access signature (SAS) authentication for the Request trigger.
  • D. Deploy Azure API Management.


Answer : C

You have Microsoft Security Copilot agents that authenticate by using Microsoft Entra service principals.
You receive a Microsoft Defender alert triggered by the anomalous OAuth authentication of an agent's Microsoft Entra service principal.
You need to assess the impact of the agent identity and identify which resources are affected if the identity is abused for lateral movement. The solution must minimize administrative effort.
What should you do?

  • A. From Advanced hunting, create a query against the IdentityLogonEvents table to list all the sign-ins performed by the identity.
  • B. From Attack paths, select the identity and view the blast radius.
  • C. From AI Observability in Microsoft Purview Data Security Posture Management (DSPM), review the agent activity.
  • D. From Microsoft Purview Audit, query the audit logs for all the role assignments granted to the identity.
  • E. From Incidents, review incidents related to OAuth events reported by Microsoft Defender for Cloud Apps.


Answer : B

You have an Azure subscription named Sub1 that contains multiple virtual machines.
You have a Microsoft 365 E5 subscription that contains devices onboarded to Microsoft Defender for Endpoint.
You have an on-premises datacenter that contains multiple servers.
You plan to onboard all existing and future on-premises servers to Azure Arc.
You need to ensure that the Azure Arc-enabled servers are protected by using the same security features as the Microsoft 365 devices immediately after the servers are onboarded. The solution must minimize administrative effort.
What should you do?

  • A. Onboard each server to Microsoft Defender for Endpoint by using Group Policy.
  • B. Onboard each server to Microsoft Defender for Endpoint by using a local installation script.
  • C. For Sub1, enable the Microsoft Defender for Servers plan in Microsoft Defender for Cloud.
  • D. Configure an Azure Policy assignment.


Answer : C

You have an Azure subscription that contains a user named User1 and an Azure Container Registry named ContReg1.
You enable content trust for ContReg1.
You need to ensure that User1 can create trusted images in ContReg1. The solution must use the principle of least privilege.
Which two roles should you assign to User1? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

  • A. AcrQuarantineWriter
  • B. Contributor
  • C. AcrQuarantineReader
  • D. AcrPush
  • E. AcrImageSigner


Answer : DE

You have a hybrid environment that contains the following servers:
50 Azure virtual machines that run Windows Server 2019
20 physical, on-premises servers that run Windows Server 2019
All the servers use a third-party antivirus solution that must remain active during a phased security rollout.
You need to onboard all the servers to Microsoft Defender for Endpoint by using a centralized deployment method. The solution must meet the following requirements:
Endpoint detection and response (EDR) capabilities must be enabled.
Antivirus conflicts must be prevented during onboarding.
What should you do on the servers?

  • A. Set the Microsoft Defender for Endpoint service to Disabled.
  • B. Disable Microsoft Defender Antivirus real-time protection by using Set-MpPreference.
  • C. Configure the ForceDefenderPassiveMode registry value.
  • D. Enable EDR in block mode.


Answer : C

You have an Azure subscription named Sub1 that contains an Azure Kubernetes Service (AKS) cluster named cluster1 and an Azure container registry named ACR1. Sub1 has Microsoft Defender for Containers enabled, and runtime protection is active on cluster1.
The developers at your company deploy pods that have elevated privileges, and the deployments are created in cluster1.
You need to prevent pods with elevated privileges from being accepted by cluster1.
What should you do?

  • A. Create an Azure policy for cluster1.
  • B. Enable agentless discovery for Kubernetes in Defender for Containers.
  • C. Configure runtime threat protection alerts for privileged container activity.
  • D. Enable vulnerability assessment for images in ACR1.


Answer : A

DRAG DROP
You have an Azure virtual network named VNet1 that contains an AzureBastionSubnet. VNet1 contains a subnet named Subnet1. Subnet1 contains multiple virtual machines.
You plan to deploy Azure Bastion to provide secure RDP access to the virtual machines on Subnet1. You associate a network security group (NSG) named NSG1 to AzureBastionSubnet.
You need to configure rules for NSG1. The solution must meet the following requirements:
Allow required inbound access to Azure Bastion from the internet.
Allow user access to the virtual machines by using Azure Bastion.
Which TCP ports should you allow for the NSG1 rules? To answer, drag the appropriate ports to the correct rules. Each port may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.



Answer :

DRAG DROP
You have a Microsoft Defender XDR environment.
You have a Microsoft Power Platform environment where makers publish custom Microsoft Copilot Studio agents.
You need to enable real-time protection so that suspicious tool invocations are blocked before an agent runs actions, and related alerts appear in the Microsoft Defender portal.
What should you do? To answer, drag the appropriate actions to the correct services. Each action may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.



Answer :

You have a Microsoft Copilot Studio agent.
A Microsoft Power Platform administrator configures external threat detection for the agent by using a Microsoft Entra application.
You need to ensure that real-time protection is enabled during agent runtime.
What should you do in the Microsoft Defender portal?

  • A. Configure Microsoft Defender for Cloud Apps session policies.
  • B. Connect the Microsoft 365 app connector.
  • C. Enable Global Secure Access for Agents.
  • D. From Microsoft Sentinel, configure the Microsoft Purview data connector.


Answer : B

DRAG DROP
You have a Microsoft 365 subscription. All users have Microsoft Exchange Online mailboxes.
You use Microsoft Entra Agent ID to register and manage AI agents.
The developers at your company create the following two agents:
Agent1: An interactive agent that helps users summarize their own Exchange Online email
Agent2: An autonomous agent that sends nightly updates to a Microsoft Teams channel
You need to grant each agent access to Microsoft Graph. The solution must minimize the access scope, while meeting each agent’s operating model.
Which type of permission should you assign to each agent? To answer, drag the appropriate permission types to the correct agents. Each permission type may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.



Answer :
