50 Microsoft Certified: Azure Security Engineer Associate Practice Questions: Question Bank 2025
Build your exam confidence with our curated bank of 50 practice questions for the Microsoft Certified: Azure Security Engineer Associate certification. Each question includes detailed explanations to help you understand the concepts deeply.
Why Use Our 50 Question Bank?
Strategically designed questions to maximize your exam preparation
50 Questions
A comprehensive set of practice questions covering key exam topics
All Domains Covered
Questions distributed across all exam objectives and domains
Mixed Difficulty
Easy, medium, and hard questions to test all skill levels
Detailed Explanations
Learn from comprehensive explanations for each answer
Practice Questions
50 practice questions for Microsoft Certified: Azure Security Engineer Associate
You manage an Azure subscription that contains several resource groups. Developers must be able to start and stop virtual machines (VMs) but must not be able to delete VMs or change networking. What is the BEST way to meet the requirement with least privilege?
A storage account is used to host sensitive blobs. You must ensure all access is authenticated with Microsoft Entra ID and prevent access via shared keys and SAS that use the account key. What should you configure?
You have a virtual network with three subnets: Web, App, and Data. Only the Web subnet should accept inbound HTTPS traffic from the internet. The App and Data subnets must not be directly reachable from the internet. What should you use?
You need to ensure that administrators can elevate privileges only when needed and that all elevations require approval and are time-bound. Which Microsoft Entra feature should you implement?
A security team wants to query and correlate Azure activity logs, VM security events, and Microsoft Defender for Cloud alerts in a single workspace and create scheduled alert rules based on KQL queries. Which Azure service should they use?
Your organization requires that all PaaS resources (Storage, SQL, Key Vault) be accessible only via private IP addresses from an Azure virtual network, without traversing the public internet. What should you implement?
A Windows VM is accessed using RDP from the internet. You must reduce exposure by allowing RDP only through a controlled entry point and require MFA for administrators. Which solution should you implement?
You need to enforce that all new Key Vaults must have purge protection enabled and must not allow public network access. Existing noncompliant Key Vaults should be identified and, where possible, remediated. What should you use?
You manage Azure SQL Database. The security team wants to detect and alert on suspicious database activities such as potential SQL injection and anomalous access patterns. Which feature should you enable?
You suspect a compromised VM is exfiltrating data. You must quickly block all outbound internet traffic from that VM without affecting other VMs in the same subnet, and you need an auditable change that can be reverted. What should you do?
You need to ensure that administrators can elevate to privileged roles only when needed, require approval, and automatically remove the elevated access after a set time. Which Azure AD feature should you use?
A security engineer must prevent users from creating OAuth consent grants to third-party applications unless the apps are approved. What should you configure in Microsoft Entra ID (Azure AD)?
You have two Azure virtual networks (VNetA and VNetB) peered together. Traffic between subnets must be allowed only if it is explicitly permitted, and you must be able to log allowed and denied flows. What should you use?
Your organization requires that all outbound internet traffic from multiple spokes goes through a single security appliance in a hub VNet. You are using a hub-and-spoke architecture. What is the most appropriate Azure feature to implement this routing requirement?
A storage account contains confidential blobs. You must ensure that data is encrypted using customer-managed keys (CMK) stored in Azure Key Vault, and you must be able to rotate keys without re-encrypting data manually. What should you configure?
You need to reduce the risk of long-lived credentials for an Azure Function that accesses Azure Key Vault. The Function runs in Azure and must retrieve secrets without storing any credentials in code or configuration. What should you use?
You must ensure that Windows and Linux VMs in Azure automatically collect security-related logs and send them to Microsoft Sentinel for detection and hunting. Which approach best meets this requirement?
An alert in Microsoft Defender for Cloud indicates possible SQL injection attempts against an Azure App Service. You need to block malicious requests at the edge and apply OWASP rules without modifying the application code. What should you implement?
Your security team wants to ensure that when an Azure key in Key Vault is accidentally deleted, it can be recovered for a defined retention period. Additionally, after deletion, the key must not be permanently purged by users during that retention period. What should you enable on the Key Vault?
You are investigating suspicious activity and need to correlate sign-in events with Azure Activity logs and Microsoft 365 alerts in one place. You also want to write KQL queries and create analytics rules. Which solution should you implement?
You need to ensure that only users who are members of the "Privileged-VM-Operators" group can sign in to Azure portal and Azure CLI from compliant devices. What should you configure?
A web app hosted on Azure App Service must be accessible only via HTTPS. Requests over HTTP must be denied. What is the simplest configuration to meet this requirement?
You need to store application secrets and certificates and allow an Azure VM to access them without storing credentials in code. Which solution should you use?
Your organization must prevent creation of public IP addresses in production subscriptions, but allow an exception for a specific resource group used by the networking team. What should you implement?
A storage account contains sensitive data. You must ensure it cannot be accessed over the public internet and that only resources in a specific VNet can access it. What should you configure?
You need to ensure all new and existing Azure SQL databases are encrypted using customer-managed keys stored in Azure Key Vault. What should you configure?
The security operations team wants to forward Microsoft Defender for Cloud security alerts and recommendations to a third-party SIEM in near real time. Which Azure-native integration should you use?
Your company uses Privileged Identity Management (PIM). Administrators report they can activate an eligible Azure AD role, but after activation they still cannot manage Azure resources that require that role. What is the most likely cause?
You must restrict inbound traffic to a set of Azure VMs so that only requests coming through an Azure Application Gateway with WAF are allowed. The VMs are in a subnet behind an internal load balancer. What should you implement on the VM subnet to enforce this?
You need to detect suspicious PowerShell activity and credential dumping attempts on Azure VMs and generate incidents in Microsoft Sentinel. Which combination should you use?
You manage several Azure subscriptions. You need to ensure that only users signed in from compliant or hybrid Azure AD-joined devices can access the Azure portal and Azure Resource Manager. What should you implement?
A team needs to store secrets and certificates used by an Azure Function. Security requires that access to the secrets is granted to the Function without storing credentials in code. Which approach should you use?
You need to enforce that all new Azure Storage accounts created in a subscription allow access only from selected virtual networks and deny public network access by default. What should you use?
A subnet contains multiple Azure VMs. You need to block inbound traffic from the internet to TCP port 3389 (RDP) on all VMs while still allowing internal management from a jump server subnet. What should you configure?
Your security team wants to receive alerts when an Azure Key Vault secret is read or a key is used for cryptographic operations. You must be able to query events in a centralized workspace. What should you configure?
You host a web app in Azure App Service that must connect to an Azure SQL Database. Security requires that the connection uses Azure AD authentication and avoids SQL logins. What should you implement?
A company uses Azure AD Privileged Identity Management (PIM). You need to ensure that users must provide a business justification and obtain approval before activating the Owner role in a subscription. What should you configure?
You need to provide outbound internet access for several spokes in a hub-and-spoke topology. Security requires centralized egress filtering and application-level outbound control (FQDN-based rules). What should you deploy in the hub?
You must allow developers to run ad-hoc queries against production logs in a Log Analytics workspace. Security requires that sensitive fields (for example, email addresses) are masked at query time so developers cannot view them in clear text. What should you use?
Your organization uses Azure Kubernetes Service (AKS). Security requires that container images can be deployed only if they pass vulnerability scanning and are signed by a trusted authority. You need to enforce this at cluster admission time. What should you implement?
You need to grant a third-party security vendor access to query Microsoft Entra ID sign-in logs and audit logs in your tenant. The vendor must not be able to modify any directory settings or users. What is the best solution?
You deploy Azure Key Vault with a firewall enabled to allow only selected networks. An application hosted on an Azure VM in a permitted subnet still cannot retrieve secrets from the vault. You confirm the VM has the correct managed identity permissions on the vault. What is the most likely cause?
You want to reduce the risk of data exfiltration from an Azure Storage account by requiring all network traffic to remain on the Microsoft backbone and preventing public internet access. Which configuration best meets the requirement?
Your organization wants to enforce that administrators can only elevate to privileged roles after completing MFA and providing a business justification, and that the elevation automatically expires after a set duration. Which service should you implement?
You are designing outbound traffic controls for a set of Azure VMs that should only access approved fully qualified domain names (FQDNs) on the internet. You must also be able to log and review these outbound connections centrally. What is the best approach?
A team stores sensitive documents in Azure Blob Storage. You must ensure that if a blob is accidentally made public, the data is still protected and unreadable without authorization. What should you implement?
You need to ensure all Linux VMs in a subscription continuously send security-relevant logs (such as auth and syslog) to a Log Analytics workspace for monitoring and alerting. Which solution best meets the requirement?
You are using Azure SQL Database. You must detect anomalous access patterns and potential SQL injection attempts and generate security alerts without building a custom detection system. What should you enable?
Your security team wants to automatically deploy a set of security configurations across newly created subscriptions, including enabling Microsoft Defender for Cloud plans and enforcing that public IPs must have DDoS network protection enabled. The solution must support governance at scale. What should you use?
You suspect an Azure VM is communicating with a command-and-control server. You need to quickly isolate the VM from the network while still allowing your incident responders to access it for investigation from a jump box subnet. What is the best approach?
Microsoft Certified: Azure Security Engineer Associate 50 Practice Questions FAQs
Microsoft Certified: Azure Security Engineer Associate is a professional certification from Microsoft that validates expertise in Azure security technologies and concepts. The official exam code is AZ-500.
Our 50 Microsoft Certified: Azure Security Engineer Associate practice questions include a curated selection of exam-style questions covering key concepts from all exam domains. Each question includes detailed explanations to help you learn.
50 questions is a great starting point for Microsoft Certified: Azure Security Engineer Associate preparation. For comprehensive coverage, we recommend also using our 100 and 200 question banks as you progress.
The 50 Microsoft Certified: Azure Security Engineer Associate questions are organized by exam domain and include a mix of easy, medium, and hard questions to test your knowledge at different levels.