50 Microsoft Azure Security Engineer Associate Practice Questions: Question Bank 2025
Build your exam confidence with our curated bank of 50 practice questions for the Microsoft Azure Security Engineer Associate certification. Each question includes detailed explanations to help you understand the concepts deeply.
Why Use Our 50 Question Bank?
Strategically designed questions to maximize your exam preparation
50 Questions
A comprehensive set of practice questions covering key exam topics
All Domains Covered
Questions distributed across all exam objectives and domains
Mixed Difficulty
Easy, medium, and hard questions to test all skill levels
Detailed Explanations
Learn from comprehensive explanations for each answer
Practice Questions
50 practice questions for Microsoft Azure Security Engineer Associate
Your company uses Azure AD (Microsoft Entra ID) and wants to ensure that users must re-authenticate when they access the Azure portal from an unmanaged device. What should you configure to enforce this requirement?
You need to allow an on-premises application to access Azure Key Vault secrets without using a client secret or certificate stored in the app. The app runs on an Azure VM. What is the recommended approach?
You deployed an Azure Storage account with a private endpoint. A VM in the same virtual network cannot resolve the storage account's private endpoint name to a private IP. What is the most likely cause?
You want to ensure that Azure VMs only accept inbound RDP/SSH connections through a hardened entry point with logging and MFA support. What should you implement?
You need to prevent public access to a new Azure Storage account and ensure that all access occurs over Azure Private Link. Which configuration best meets the requirement?
A security team wants to centrally manage TLS certificates for multiple Azure web apps and automatically rotate them without storing certificates in the app code. What should you use?
You are implementing Azure Policy to ensure that all new Azure SQL databases have auditing enabled. You want non-compliant deployments to be blocked. Which policy effect should you use?
Microsoft Defender for Cloud reports that several VMs are missing endpoint protection. You need to automatically deploy the required agent/extension to supported VMs. What should you configure?
You must allow developers to request temporary access to manage a production subscription. Access must be time-bound, require approval, and provide auditability. Which solution best meets these requirements with least administrative overhead?
Your organization is migrating to a hub-and-spoke network. You must ensure that all internet-bound traffic from spokes is inspected by a centralized Azure Firewall in the hub. Spoke workloads must not be able to bypass the firewall by using their own default routes. What should you implement?
You need to ensure that only compliant devices can access Microsoft 365 and the Azure portal. Users should be able to sign in from managed Windows devices, but access must be blocked from unmanaged personal devices. What should you implement?
Your security team wants to receive alerts when suspicious sign-in activity is detected, such as impossible travel and atypical token usage. Which Microsoft Entra feature should you use?
You host an internal web app on Azure App Service. The app must be accessible only from your corporate network and must not be exposed to the public internet. What is the best solution?
You need to allow an Azure VM to securely retrieve secrets from an Azure Key Vault without using stored credentials, certificates, or shared keys. What should you configure?
You deploy Azure SQL Database. Security requires that the database is reachable only from specific Azure VNets and that traffic does not traverse the public internet. Which feature should you use?
Your organization wants to ensure that all new Azure Storage accounts deny public access to blobs. The requirement must be enforced consistently across subscriptions and should prevent noncompliant deployments. What should you implement?
You are investigating a potential breach. You need to query security events across Azure Activity logs, Microsoft Defender alerts, and custom application logs stored in a Log Analytics workspace. Which tool should you use to write a single query across these datasets?
You must ensure that virtual machines can access the internet for updates, but inbound connections from the internet are not allowed. You also need to control and log outbound traffic by FQDN and use TLS inspection. Which solution meets the requirements?
Your company uses Microsoft Sentinel. You want to automatically quarantine a suspicious endpoint and create a ticket in your ITSM tool when a high-severity incident is created. What should you configure?
You manage multiple Azure subscriptions. Security requires that only approved administrators can create role assignments, and all role assignment changes must be reviewed and time-bound. Administrators should not have permanent privileged access. What should you implement?
You need to ensure that only devices marked as compliant in Microsoft Intune can access the Azure portal and Microsoft 365 services. What should you implement?
A web app hosted on Azure App Service must allow inbound requests only from a specific on-premises public IP range. What is the recommended way to enforce this at the app entry point?
You want to encrypt data at rest for an Azure Storage account using your own key stored in Azure Key Vault. Which feature should you configure?
You have multiple Azure subscriptions and want to centrally manage security alerts, incidents, and recommendations across them. What should you deploy?
A security team needs to query security logs across Azure resources using a single query language and create alert rules based on those queries. Which solution meets the requirement?
You must ensure that all Key Vaults in a subscription are not publicly accessible and can be reached only through private endpoints. Which approach is best to enforce this at scale?
A VM in a subnet cannot reach a storage account even though the storage account firewall allows the subnet and a private endpoint exists. DNS for the storage account resolves to the public endpoint. What is the most likely fix?
Your organization wants to prevent token replay and reduce phishing risk for administrators by requiring phishing-resistant authentication for privileged roles. Which option best meets this requirement in Microsoft Entra ID?
You manage an Azure Kubernetes Service (AKS) cluster that must restrict egress so workloads can only reach approved FQDNs and Azure services. Which design best satisfies this requirement?
You need to allow an application to retrieve secrets from Azure Key Vault without storing any credentials in code or configuration. The application runs on an Azure VM. What should you use?
You need to require multi-factor authentication (MFA) only when users access the Azure portal from outside your corporate public IP ranges. What should you configure?
A web app hosted on Azure App Service must only be accessible from a specific Azure Virtual Network (VNet). You want to minimize exposure to the public internet. Which feature should you use?
You have an Azure Storage account that should only accept connections over HTTPS. What should you configure?
Your security team wants to be notified when a specific user account performs an administrative action in Azure. You need a near real-time alert without writing custom code. What should you use?
You must allow administrators to request just-in-time (JIT) elevation to the Security Administrator role for 2 hours, and require approval. Which solution should you implement?
You need to centrally manage inbound and outbound traffic filtering for multiple virtual networks across subscriptions. The solution must support application (FQDN) filtering; TLS inspection capabilities are not required. What should you deploy?
You are hardening a Linux VM that hosts a public-facing workload. You need to reduce the attack surface by ensuring that the VM has no public IP and inbound management is performed securely when needed. Which approach is recommended?
You have Microsoft Sentinel connected to multiple data sources. You want to reduce noise by automatically closing incidents created by rules when the related entities are later determined to be benign, and you want to add a comment explaining why. What should you use?
A storage account must be accessible only from selected VNets and must prevent data exfiltration to unapproved Azure tenants by restricting SAS usage. Which configuration best meets the requirement?
You suspect that a compromised VM is performing outbound connections to known malicious IPs. You need to confirm the traffic pattern and identify the destination IPs with minimal operational impact. What is the best option?
You need to ensure that when administrators sign in to the Azure portal from outside the corporate network, they must perform phishing-resistant MFA. What should you implement?
An Azure Storage account hosts sensitive blobs. You must ensure that blob data can only be accessed through a specific Azure Front Door profile and not directly via the storage endpoint from the internet. What should you configure?
You have an Azure SQL Database that must not be reachable over the public internet. The application runs on Azure App Service. Which configuration meets the requirement with minimal changes?
You need to allow a VM in a spoke VNet to reach Azure Key Vault privately. The Key Vault uses a private endpoint in a hub VNet. DNS resolution from the spoke currently returns the public Key Vault IP. What should you do?
You want to grant a vendor read-only access to a single resource group for 7 days without managing passwords. The vendor will use their own identity provider. What is the recommended solution?
A company wants to ensure that administrators do not have standing access to the Owner role in a subscription and must activate it only when needed with MFA. What should you use?
A Linux VM stores application secrets in environment variables. You need to reduce exposure and centralize secret management without storing secrets in code. What should you implement?
You are investigating suspicious activity and want to correlate Azure Activity log events with Microsoft Sentinel incidents. Logs are being collected, but incidents are not created for role assignment changes. What should you configure in Sentinel?
Your organization requires that new Azure resources cannot be created without specific tags (CostCenter and DataClassification). The security team also needs an audit trail for any noncompliant attempts. What should you implement?
You must ensure that all outbound internet traffic from multiple VNets is inspected for threats and that only approved FQDNs are allowed. The solution must be centrally managed and support TLS inspection at scale. What should you deploy?
Microsoft Azure Security Engineer Associate 50 Practice Questions FAQs
Microsoft Azure Security Engineer Associate is a professional certification from Microsoft that validates expertise in Azure security engineering technologies and concepts. The official exam code is AZ-500.
Our 50 Microsoft Azure Security Engineer Associate practice questions include a curated selection of exam-style questions covering key concepts from all exam domains. Each question includes detailed explanations to help you learn.
50 questions is a great starting point for Microsoft Azure Security Engineer Associate preparation. For comprehensive coverage, we recommend also using our 100 and 200 question banks as you progress.
The 50 Microsoft Azure Security Engineer Associate questions are organized by exam domain and include a mix of easy, medium, and hard questions to test your knowledge at different levels.