Microsoft Azure Security Engineer Associate Practice Exam 2025: Latest Questions

You need to grant an Azure VM access to a storage account without storing any secrets on the VM. The access must be managed centrally and be revocable. What should you use?

A web app hosted on an Azure VM must allow inbound HTTPS only from a specific on-premises public IP range. You must minimize management overhead. What should you implement?

You want to ensure all secrets, certificates, and keys in an Azure Key Vault cannot be accessed from the public internet. What should you configure?

You need to monitor sign-in activity and receive alerts for potentially risky sign-ins in your Microsoft Entra ID tenant. Which solution provides built-in detection and risk reporting for sign-ins?

A company uses Azure Storage accounts. Security requires that all blobs are encrypted using customer-managed keys (CMK) stored in Azure Key Vault. What should you configure on the storage account?

You must ensure administrators can manage Azure resources only from compliant, domain-joined devices. Which Conditional Access control best meets this requirement?

Your organization uses hub-and-spoke networking. You need to provide outbound internet access for multiple spoke VNets, enforce FQDN-based egress controls, and centralize logging. What should you deploy in the hub?

You sent Azure subscription activity logs to a Log Analytics workspace and enabled Microsoft Sentinel. You need to detect when a user grants the Owner role to another principal in a subscription. What should you use?

You have an Azure SQL Database that must be accessible only from a set of Azure VNets and must not allow any public endpoint access. You also need to keep authentication and authorization using Microsoft Entra ID. What is the best approach?

You manage multiple Azure subscriptions. Security requires that any new storage account must have secure transfer required enabled and must block public access to blobs. You need to enforce this automatically and prevent noncompliant deployments. What should you implement?

You need to ensure that only compliant or hybrid Azure AD-joined devices can access the Azure portal. Users should still be able to sign in from any location. What should you configure?

A web app hosted on Azure App Service must access secrets stored in Azure Key Vault without using any stored credentials or connection strings. What should you use?

You need to enforce that all newly created Azure Storage accounts disable public access to blobs. What is the recommended way to implement this at scale?

A company connects an on-premises network to an Azure virtual network using a site-to-site VPN. They must ensure that only approved FQDNs on the Internet can be accessed from workloads in a subnet. What should you deploy?

You need to ensure that administrators can manage Azure resources only from a specific set of corporate public IP addresses. The solution must apply across multiple subscriptions. What should you configure?

A team reports that a VM can access Azure Storage over the Internet even though you configured a private endpoint for the storage account. You want to ensure the VM uses the private endpoint. What is the most likely missing configuration?

You are ingesting Windows security events from Azure VMs into Microsoft Sentinel. You need to detect when the same account fails to sign in more than 20 times within 10 minutes and then succeeds. What should you create?

Your organization uses Azure SQL Database. You must ensure that any export of a database (bacpac) is encrypted at rest with customer-managed keys (CMK). Which feature should you use?

You must allow a third-party security tool (running outside Azure) to read Azure activity logs for a subscription. The tool must not have permission to create or modify any Azure resources. What is the least-privileged approach?

A highly regulated workload requires that secrets in Azure Key Vault are accessible only from a specific VNet and that data exfiltration via public endpoints is prevented. Additionally, administrators must still be able to manage the vault from the Azure portal. What should you configure?

You need to allow a third-party security operations (SOC) vendor to investigate incidents in Microsoft Sentinel. The vendor must be able to view incidents, run hunting queries, and update incident status, but must NOT be able to create or modify analytic rules, automation rules, or data connectors. What is the BEST approach?

Your organization uses Azure AD Privileged Identity Management (PIM) for role activation. You must ensure that when administrators activate the Global Administrator role, they are required to use phishing-resistant MFA. What should you configure?

You deploy an Azure Firewall Premium in a hub virtual network. Spoke VNets connect to the hub via VNet peering. After deploying a TLS inspection policy, users in a spoke report that some HTTPS sites fail to load, while others work. You verify the firewall rules allow the traffic. What is the MOST likely cause?

You manage several Azure Key Vaults. You must ensure that all secrets, keys, and certificates are protected from accidental or malicious deletion, and that they can be recovered after deletion. What should you enable?

You enable Microsoft Defender for Containers. The security team wants to prevent deployments to an Azure Kubernetes Service (AKS) cluster if container images have critical vulnerabilities. The enforcement must occur before the workload runs in the cluster. What should you implement?