Microsoft Azure Security Engineer Associate Advanced Practice Exam: Hard Questions 2025

Your company uses Microsoft Entra ID. A legacy on-premises app is published through Azure AD Application Proxy. The app must be accessible only from compliant, Intune-managed Windows devices AND only by users who have completed MFA. Additionally, admins must be able to break-glass access if the Conditional Access system is unavailable. Which design best meets the requirements with least administrative risk?

You manage multiple Azure subscriptions. An internal policy requires that any creation of a service principal credential (client secret or certificate) is immediately detected and triggers an approval workflow. You also need to reduce false positives from legitimate certificate rotation performed by an automation account. Which approach is most appropriate?

A finance team uses Azure SQL Database. They must allow a vendor to run read-only reports from a specific VM in the vendor’s Azure subscription. Requirements: (1) Access must be private (no public endpoints), (2) prevent data exfiltration to other networks, (3) avoid managing shared keys/secrets, and (4) enforce least privilege. What is the best solution?

You have a hub-and-spoke network with Azure Firewall Premium in the hub. Spokes contain AKS clusters with private API servers. Security requires that all egress from AKS pods to the internet is forced through Azure Firewall and inspected with TLS termination where possible. However, workloads are failing to pull images from Microsoft Container Registry endpoints and intermittently cannot resolve DNS. Which change most directly addresses the root cause without relaxing the security requirement?

You must design inbound access to a set of internal web apps hosted on Azure App Service (ILB ASE is not used). Apps are reachable only via Private Endpoints in a spoke VNet. Requirements: (1) WAF protection, (2) mTLS from clients, (3) no public exposure of app endpoints, (4) centralized certificate management and rotation. Which architecture best meets these requirements?

A company uses Azure Virtual WAN and wants to enforce segmentation so that only a shared-services VNet can reach an Azure SQL Managed Instance subnet in another spoke. All other spokes must be denied even if they are connected to the same vHub. Additionally, security must be centrally managed and auditable. What is the best approach?

You are securing an Azure Storage account used by an Azure Function (consumption plan) and an on-premises batch job. Requirements: (1) Storage must deny public network access, (2) only the Function and on-premises job can access, (3) minimize secret management, (4) support key rotation without downtime. Which configuration best meets the requirements?

A team deploys Windows Server Azure VMs that must store application secrets and certificates. Security requires: secrets never exposed to admins, attestation of VM health, and only code running inside a specific VM can retrieve secrets. Which solution best satisfies these requirements?

Your organization uses Azure Kubernetes Service (AKS). A security audit found that developers can deploy pods that access the Instance Metadata Service (IMDS) and obtain node-managed identity tokens, potentially accessing other Azure resources. You must mitigate this with minimal impact on workload networking and without breaking legitimate use of workload identity for specific namespaces. What is the best mitigation?

You operate Microsoft Sentinel connected to multiple Log Analytics workspaces across regions. During an incident, you discover that a new data collection rule (DCR) was created that redirects critical Windows security events to a workspace not connected to Sentinel, reducing detections. You need to (1) detect this quickly in the future, (2) prevent unauthorized DCR changes, and (3) retain an audit trail. Which combination of controls best meets the requirements?