Microsoft Certified: Azure Security Engineer Associate Advanced Practice Exam: Hard Questions 2025
You've made it to the final challenge! Our advanced practice exam features the most difficult questions covering complex scenarios, edge cases, architectural decisions, and expert-level concepts. If you can score well here, you're ready to ace the real Microsoft Certified: Azure Security Engineer Associate exam.
Why Advanced Questions Matter
Prove your expertise with our most challenging content
Expert-Level Difficulty
The most challenging questions to truly test your mastery
Complex Scenarios
Multi-step problems requiring deep understanding and analysis
Edge Cases & Traps
Questions that cover rare situations and common exam pitfalls
Exam Readiness
If you pass this, you're ready for the real exam
Expert-Level Practice Questions
10 advanced-level questions for Microsoft Certified: Azure Security Engineer Associate
Your organization has two Azure AD tenants: TenantA (corporate) and TenantB (subsidiary). A security policy requires that all privileged access to Azure subscriptions in TenantB must be governed by TenantA’s identity governance controls and Conditional Access policies, while keeping TenantB as the resource tenant. You must minimize administrative overhead and avoid creating duplicate privileged accounts. What should you implement?
You manage several Azure subscriptions. Security has discovered that some workloads still authenticate to Azure resources using legacy shared secrets stored in pipeline variables. You must enforce a tenant-wide policy that blocks creation of new app secrets, and ensures that only certificate-based authentication or managed identities are used going forward. Existing secrets must continue to work temporarily for a limited set of break-glass apps. What is the best approach?
A critical Azure Storage account contains sensitive blobs and must be accessible only from a set of approved corporate devices. Users authenticate with Entra ID and access via Azure Storage Explorer and custom apps. You already require MFA. The security team requires that access be blocked from unmanaged devices even if credentials are compromised. You must implement the most robust control with minimal application changes. What should you do?
You need to provide JIT elevation for Azure RBAC roles across 20 subscriptions. The security requirement states: (1) elevation requests must require approval, (2) activations must be time-bound and logged, (3) eligible assignments must be used instead of permanent roles, and (4) access must be scoped to specific resource groups. What should you implement?
A hub-and-spoke network hosts a multi-tier application. Only the web tier should be reachable from the internet, and the app tier must be reachable only from the web tier. The database is Azure SQL Database with a private endpoint. You discover intermittent connectivity failures from the app tier to Azure SQL after enabling an Azure Firewall in the hub and forcing all outbound traffic through it. Name resolution for the SQL private endpoint sometimes resolves to the public endpoint. What is the most likely cause and best fix?
You are designing secure inbound access for a set of Azure Kubernetes Service (AKS) clusters. Requirements: (1) Only allow HTTPS inbound, (2) protect against OWASP Top 10 and bot attacks, (3) support end-to-end TLS with certificate rotation, (4) avoid exposing node ports, and (5) centralize logging for incident response. Which architecture best meets these requirements?
A VM-based workload uses Azure Disk Encryption (ADE) with customer-managed keys. After a key rotation event in Key Vault, several VMs fail to boot and show encryption-related errors. You discover that the Key Vault has firewall restrictions enabled and was recently configured to allow only selected virtual networks. What is the most likely root cause and the correct remediation?
You must secure an Azure SQL Database used by a SaaS app. Requirements: (1) prevent data exfiltration by privileged users, (2) allow the app to query sensitive columns, (3) ensure administrators can manage the database without seeing plaintext sensitive data, and (4) support searching/sorting on some sensitive fields. What is the best solution?
An Azure Storage account is used for internal backups. Security requires: (1) immutability for 30 days against deletion and modification, (2) protection against compromised storage account keys, and (3) the ability to prove backups were not altered. The backup process currently uses shared key authentication. What should you implement?
Microsoft Defender for Cloud raises an alert indicating suspicious PowerShell activity on several Azure VMs. You need to (1) rapidly contain the threat, (2) preserve evidence for investigation, and (3) implement a repeatable response for future incidents across subscriptions. Which approach best meets these requirements?
Ready for the Real Exam?
If you're scoring 85%+ on advanced questions, you're prepared for the actual Microsoft Certified: Azure Security Engineer Associate exam!
Microsoft Certified: Azure Security Engineer Associate Advanced Practice Exam FAQs
Microsoft Certified: Azure Security Engineer Associate is a professional certification from Microsoft that validates expertise in Azure security engineering technologies and concepts. The official exam code is AZ-500.
The Microsoft Certified: Azure Security Engineer Associate advanced practice exam features the most challenging questions covering complex scenarios, edge cases, and in-depth technical knowledge required to excel on the AZ-500 exam.
While not required, we recommend mastering the Microsoft Certified: Azure Security Engineer Associate beginner and intermediate practice exams first. The advanced exam assumes strong foundational knowledge and tests expert-level understanding.
If you can consistently score 700/1000 on the Microsoft Certified: Azure Security Engineer Associate advanced practice exam, you're likely ready for the real exam. These questions are designed to be at or above actual exam difficulty.