Microsoft Certified: Cybersecurity Architect Expert Practice Exam 2025: Latest Questions

Your organization is adopting Zero Trust. You want to ensure that access to Microsoft 365 and Azure resources requires continuous evaluation of user risk and device compliance, not just a one-time sign-in decision. Which capability best meets this requirement?

You need to reduce the risk of credential theft for administrators managing Azure resources. The solution must provide time-bound elevation and approval capabilities for privileged roles. What should you implement?

A security architect wants to prevent data exfiltration from corporate-managed endpoints to personal cloud storage while still allowing access to sanctioned apps like SharePoint Online. Which Microsoft solution is most appropriate?

You are designing network security for Azure IaaS workloads. You need centralized, stateful filtering, threat intelligence-based blocking, and application and network rules for multiple virtual networks. What should you deploy?

You must enforce secure configurations across all Azure subscriptions using a single, scalable approach. Requirements include: prevent public IP creation unless approved, enforce resource tagging, and audit encryption settings. What is the best solution?

A company is migrating critical workloads to Azure. Security requirements include: isolate internet-facing apps from internal tiers, inspect inbound and outbound traffic, and minimize lateral movement between workloads. Which architecture best meets these requirements?

Your development teams use Azure Kubernetes Service (AKS) and need to store secrets (connection strings and certificates). Requirements: secrets must not be stored in container images, access must be controlled via Azure identity, and retrieval should be auditable. What is the best design?

You are implementing a Zero Trust approach for SaaS applications. You need to reduce data leakage by enforcing session controls (for example, block download on unmanaged devices) when users access a sanctioned SaaS app. Which solution should you use?

Your organization uses Azure PaaS databases and storage accounts that must be accessible only from private networks. You also need to prevent data exfiltration from those services to unauthorized Azure tenants and services. Which combination best meets the requirement?

A multinational organization must meet regulatory requirements to retain security logs for long periods, ensure logs are immutable, and support investigations across Microsoft 365, endpoints, identities, and Azure resources. Which architecture is most appropriate?

Your organization wants to reduce attack surface by ensuring that only compliant, healthy devices can access Microsoft 365 and Azure resources. You need an approach that enforces device compliance at sign-in and supports Zero Trust. What should you implement?

You need to centrally govern and consistently enforce that all new Azure subscriptions deny public IP creation unless an approved exception is granted. The solution must scale across management groups. What should you use?

A security team wants to secure secret storage for applications running in Azure. They need automatic secret rotation support for some credentials and hardware-backed key protection for cryptographic keys. What is the best solution?

Your company is adopting a Zero Trust architecture. You must segment administrative access to Azure resources so that admin endpoints are isolated, monitored, and only reachable through strong authentication. Which design best meets the requirement?

A regulated organization must ensure that data classified as "Highly Confidential" is always encrypted with customer-managed keys, and access to the keys must be auditable and controlled using least privilege. Multiple Azure services will use the keys. What architecture should you recommend?

You discover that several Azure resources across subscriptions are logging to inconsistent locations, and retention varies. Your requirement is to standardize security logging, enforce retention, and make logs queryable for incident response. What should you implement?

An audit requires that only approved, compliant SaaS applications can be accessed by corporate users and that risky OAuth app permissions are controlled. Which Microsoft solution best addresses this requirement?

Your organization must demonstrate separation of duties: the team that deploys Azure resources must not be able to approve exceptions to security controls (for example, policy exemptions). What is the best approach?

A company runs an internet-facing API hosted on Azure Kubernetes Service (AKS). Security requirements include: (1) restrict egress to approved destinations, (2) enforce layer 7 protection against OWASP threats, and (3) provide centralized policy management across namespaces. What is the best architecture?

You are designing a multi-tenant application that stores customer data in Azure. Requirements: (1) prevent accidental data exposure between tenants, (2) support per-tenant encryption key separation, and (3) enable rapid revocation of a single tenant’s access without impacting others. Which design best meets the requirements?

A company uses Microsoft 365 and Azure. Security leadership wants to measure progress toward Zero Trust adoption across identity, devices, apps, infrastructure, data, and network. They need a built-in assessment that produces prioritized improvement actions. What should you use?

Your organization must ensure that all new Azure subscriptions inherit mandatory security controls (resource tagging, logging to a central workspace, and restrictions on public IP creation). The solution must be enforceable at scale and auditable. What should you implement?

You are designing access for a finance application hosted in Azure. The app is fronted by Azure Application Gateway and accessed by users from the internet. The security requirement is: block malicious web requests (OWASP threats) and allow access only for users who satisfy Conditional Access policies (for example MFA and compliant device). Which architecture best meets the requirement?

A security architect needs to reduce the risk of administrators accessing production data stored in Azure SQL Database. The requirement is to keep sensitive columns unreadable to admins while still allowing the application to query and use the data. What should you implement?

Your organization plans to store highly sensitive secrets, keys, and certificates in Azure Key Vault. The security team requires the highest level of protection for cryptographic operations such that key material cannot be extracted and operations occur in FIPS-validated hardware. Which Key Vault configuration best meets the requirement?