Microsoft Certified: Azure Security Engineer Associate Practice Exam 2025: Latest Questions

You need to grant a security team time-bound access to manage Azure subscriptions only when requested, and you must require approval before access is granted. What should you use?

A web app hosted on Azure App Service must access secrets (connection strings and API keys) stored in Azure Key Vault. You must avoid storing credentials in code or configuration. What is the best solution?

You have an Azure Storage account that should be accessible only from a specific set of on-premises public IP addresses. What should you configure?

You are using Microsoft Defender for Cloud. You want to ensure that security recommendations are automatically created as work items in an Azure DevOps project. What should you configure?

A team created a custom Azure RBAC role to manage virtual machines. Users assigned this role can start and stop VMs but cannot reset the local administrator password. Which action should be added to the role definition to allow password reset through the Azure portal?

Your organization uses a hub-and-spoke network. You deploy an Azure Firewall in the hub and want to ensure all internet-bound traffic from spoke VNets is inspected by the firewall. What should you configure?

You must encrypt an Azure SQL Database using a customer-managed key stored in Azure Key Vault, and you need Azure to handle key rotation without database downtime. What should you implement?

Your Azure Kubernetes Service (AKS) cluster must pull images from a private Azure Container Registry (ACR). You want to avoid using admin credentials and minimize credential management. What is the recommended approach?

You need to detect and investigate suspicious sign-ins and lateral movement attempts across Azure resources. The solution must correlate signals from multiple sources (sign-in logs, alerts, and activity logs) and support incident management. What should you deploy and configure?

A company uses Azure Storage accounts that currently allow shared key authorization. A new requirement states that all data plane access must use Microsoft Entra ID authentication and that shared key usage must be blocked, while still allowing Azure services to access storage when using managed identities. What should you configure?

You have an Azure AD tenant with multiple administrators. You need to ensure that whenever a user is assigned the Global Administrator role, an approval is required and the assignment is time-bound. What should you use?

A storage account is configured with a private endpoint in a virtual network. Users report they can still access the storage account from the public internet using the storage account public endpoint. You need to ensure the storage account can be accessed only through the private endpoint. What should you change?

You need to centrally store application secrets and certificates used by several Azure services and ensure access is controlled with Azure AD identities. What service should you use?

You must enforce that all Azure SQL Databases in a subscription use Azure AD authentication (Microsoft Entra ID) and disallow SQL authentication. What should you implement?

Your organization uses Azure Firewall as a central egress point. You need to allow outbound access to a specific FQDN (for example, api.contoso.com) for all subnets without managing changing IP addresses. What should you use in Azure Firewall?

You manage several Azure subscriptions. You need to continuously assess secure configuration across all subscriptions, receive prioritized recommendations, and track secure score improvements. What should you use?

A team reports that a Linux VM can be accessed using SSH from the internet even though the NSG inbound rules deny port 22. You discover the VM has a public IP and is behind an Azure Standard Load Balancer. What is the most likely cause?

You need to ensure that workloads in an Azure Kubernetes Service (AKS) cluster can access an Azure Key Vault without storing credentials in code. The solution must use Azure AD identities and support least privilege per workload. What should you implement?

Your security team needs to detect and investigate suspicious sign-in activity and automatically open incidents in a SIEM. You want a cloud-native solution that can ingest Azure AD sign-in logs and correlate them with other data sources. What should you use?

A confidential application running on Azure VMs must ensure that encryption keys used by the application cannot be exported and must be protected by hardware security modules. The keys will be used for cryptographic operations and must support strict separation of duties. What should you use?

You need to ensure that when administrators connect to Azure portal and Azure PowerShell, they can only authenticate from corporate-managed devices that are marked as compliant. What should you configure?

A developer created a new service principal for an automation tool. The tool cannot obtain tokens and receives errors indicating that user consent is required. You need to allow the tool to access Microsoft Graph with application permissions without prompting users. What should you do?

You have a virtual network with multiple subnets hosting Azure VMs. You must centrally log and analyze all NSG flow logs across subscriptions and retain them for 90 days. What should you configure?

A team wants to grant an Azure Kubernetes Service (AKS) workload access to an Azure Storage account without storing secrets in pods. The solution must support automatic credential rotation. What should you use?

Microsoft Sentinel analytics rules are generating too many incidents due to repeated alerts from the same host and user within short time windows. You need to reduce alert fatigue while preserving high-fidelity incidents. What should you configure?