50 Microsoft Certified: Cybersecurity Architect Expert Practice Questions: Question Bank 2025
Build your exam confidence with our curated bank of 50 practice questions for the Microsoft Certified: Cybersecurity Architect Expert certification. Each question includes detailed explanations to help you understand the concepts deeply.
Why Use Our 50 Question Bank?
Strategically designed questions to maximize your exam preparation
50 Questions
A comprehensive set of practice questions covering key exam topics
All Domains Covered
Questions distributed across all exam objectives and domains
Mixed Difficulty
Easy, medium, and hard questions to test all skill levels
Detailed Explanations
Learn from comprehensive explanations for each answer
Practice Questions
50 practice questions for Microsoft Certified: Cybersecurity Architect Expert
Your organization is adopting Zero Trust. You must ensure that access to Microsoft 365 and the Azure portal is granted only when users meet risk-based requirements (for example, trusted device and low user risk). Which solution should you implement?
You are designing an incident response process for a hybrid environment. Security teams want a single place to correlate logs from Microsoft Defender XDR and non-Microsoft network devices, then automate response actions (isolate device, disable account). Which architecture best meets the requirement?
A security architect must ensure that highly privileged Azure roles are never permanently assigned and require approval and time-bound activation. Which Microsoft solution should be used?
Your company must demonstrate compliance by ensuring that all Azure resources include an owner tag and that deployments without the tag are blocked. Which approach should you use?
You are building a governance model for multiple Azure subscriptions. Security wants consistent controls for logging, policy assignment, and RBAC inheritance across business units while allowing workload teams to manage resources independently. What should you design?
A team stores customer data in Azure Blob Storage. Regulatory requirements mandate that data be encrypted at rest using customer-managed keys (CMK) and that key usage be auditable. Which design best satisfies the requirement?
You need to design network security for workloads hosted in Azure. The requirement is to inspect and control outbound internet traffic from multiple virtual networks while centralizing policy management. Which solution should you recommend?
Security operations reports that several Azure virtual machines are exposed to the internet on management ports. You need to reduce exposure without requiring users to maintain IP allowlists. What should you implement?
You are designing a segmentation strategy in Azure that aligns with Zero Trust. The organization wants to reduce lateral movement between workloads across subnets and virtual networks, including east-west traffic visibility and micro-segmentation. Which approach best meets the goal?
A development team uses GitHub Actions to deploy Azure resources. You must design a secure approach that eliminates long-lived secrets, supports conditional access-like restrictions for workloads, and provides auditable identity for deployments. What should you recommend?
Your organization wants to adopt Zero Trust for Microsoft 365 and Azure. A key requirement is to ensure that user access decisions include the security posture of the device (for example, whether it is compliant and managed). Which approach best meets this requirement?
A security team needs to centrally manage and enforce Azure Policy assignments across multiple subscriptions that belong to different business units. They also want consistent compliance reporting at scale. What should they implement?
You want to reduce the risk of exposed management ports on Azure virtual machines while still allowing administrators to connect securely from the Azure portal. Which solution should you use?
A company stores sensitive documents in SharePoint Online and OneDrive. They want to automatically apply encryption and usage restrictions to documents labeled as "Highly Confidential" and ensure those restrictions persist when the files are downloaded and shared. What should you design?
You are designing identity governance for privileged administrative roles in Azure and Microsoft 365. Requirements include: just-in-time elevation, approval workflows, access reviews, and time-bound assignments. Which solution best meets these requirements?
A regulated organization wants to assess and improve its security posture across Azure subscriptions and on-premises servers. They need unified recommendations, secure score tracking, and regulatory compliance reporting. Which service should you use as the primary solution?
You are designing network segmentation for a hub-and-spoke Azure architecture. A requirement states that all outbound internet traffic from spokes must be inspected by a centralized security appliance, and spokes must not have direct internet egress. What should you implement?
Your organization is implementing DevSecOps for containerized workloads running in Azure Kubernetes Service (AKS). They want to detect vulnerabilities in container images, enforce baseline configurations, and receive security recommendations for clusters. Which approach best fits?
You must design a data exfiltration control strategy for Microsoft 365. The requirement is to block users from uploading files labeled "Confidential" to unsanctioned cloud storage apps while allowing uploads to approved corporate storage. Which solution best meets the requirement with the least disruption?
A multinational company wants to implement a unified incident response and threat hunting capability across Microsoft 365, Azure, and multiple third-party security tools. They require automation to enrich incidents and orchestrate response actions. Which architecture should you recommend?
Your organization is standardizing Zero Trust authentication for Microsoft 365 and Azure. You want to require stronger authentication only when users are outside trusted networks or show elevated sign-in risk, while minimizing impact for low-risk internal users. What should you implement?
You are designing governance controls for Azure resources. Security requires that all resources must be tagged with DataClassification and Owner, and deployments that omit these tags must be blocked. What is the best solution?
You need to centralize and correlate security telemetry from Microsoft Defender XDR, Microsoft Sentinel, and Azure platform logs to support investigation and incident response. Which solution should you use as the primary SIEM/SOAR platform?
A financial services company must meet regulatory requirements for retaining audit logs and providing evidence of administrative actions across Azure subscriptions. They want a centralized, tamper-resistant approach with consistent collection. What should you design?
You are designing secure connectivity for Azure PaaS services. A web app in Azure App Service must access an Azure Storage account without traversing the public internet, and access should be restricted to only the app. What is the best architecture?
Your organization wants to prevent accidental or malicious deletion of critical Azure resources (for example, Key Vaults and virtual networks) while still allowing normal updates. What should you implement?
A development team is building containerized microservices on AKS. Security requires that only approved images can be deployed and that image vulnerabilities are detected before deployment. Which design best meets this requirement?
Your organization has multiple Azure subscriptions and wants to ensure that security teams can investigate incidents across all resources, but only elevate privileges for a limited time and with approvals. They also want to minimize standing administrative access. What should you design?
You must design data protection for a PaaS application that stores sensitive customer data in Azure SQL Database. Requirements: prevent data exfiltration by stolen database files/backups, restrict privileged access by DB admins, and enable auditing of sensitive queries. Which combination best meets the requirements?
A company is adopting Microsoft Sentinel and wants to reduce alert fatigue while ensuring true incidents are escalated consistently. They require automated enrichment (asset/user context), suppression of known benign patterns, and automated ticketing/containment for confirmed incidents. What should you implement?
You are designing a Zero Trust strategy for a hybrid organization. They want to minimize lateral movement between workloads in Azure and on-premises while keeping application connectivity. Which approach best aligns with Zero Trust segmentation principles?
A security team needs to ensure administrative access to Azure resources requires phishing-resistant authentication and is scoped just-in-time. Which solution best meets this requirement?
Your organization wants to standardize governance by preventing deployments that lack required tags and enforcing approved regions. Which technical strategy best supports this at scale across subscriptions?
A company is migrating PII data to Azure. They need a simple way to automatically classify and label sensitive data across Microsoft 365 and Azure data stores to support compliance reporting. What should you recommend?
Your organization uses multiple Azure subscriptions. Security leadership wants consistent monitoring and incident response workflows, including correlation of incidents across Microsoft Defender XDR and cloud resources. Which architecture best supports this goal?
A DevOps team deploys containerized workloads to Azure Kubernetes Service (AKS). Security requirements include: (1) block deployment of images with known critical vulnerabilities, and (2) continuously assess running clusters for security misconfigurations. What should you recommend?
You are designing a compliance approach for a regulated enterprise. They need to continuously assess Azure resources against multiple regulatory frameworks and produce audit-ready reports with remediation tracking. Which solution best fits?
A company hosts APIs in Azure and wants consistent application-layer protection across regions, including OWASP protections and centralized policy management. The solution must work even if the backend services are in multiple VNets. What should you recommend?
A security architect must design an access model for third-party vendors who manage specific Azure resources. Requirements: (1) least privilege, (2) time-bound access, (3) vendor administrators should not be able to grant themselves additional roles, and (4) access requests must be auditable and require approval. What is the best design?
An application stores highly sensitive customer records in Azure SQL Database. Security requirements include: (1) prevent data exfiltration by insiders with direct database access, (2) allow applications to query normally, and (3) enable security to review anomalous query behavior. Which combination best meets these requirements?
Your organization wants a single, continuously updated view of regulatory compliance across Azure, Microsoft 365, and third-party cloud services. Security leadership also wants to assign responsibility to control owners and track improvement actions. Which solution best meets these requirements?
You are designing a Zero Trust access strategy for internal web applications hosted on Azure. Requirements: enforce per-app Conditional Access, require phishing-resistant MFA for privileged users, and avoid exposing the apps to the public internet. What is the best architectural approach?
A security team must ensure that Azure resources are deployed only if they meet minimum security baselines (for example, specific encryption settings and logging enabled). The team wants deployments to be blocked when noncompliant. Which governance control should you recommend?
You are creating an identity governance strategy for external partner users who access Microsoft 365 and selected Azure applications. Requirements: time-bound access, access reviews, and automatic removal of access when the engagement ends. Which feature best satisfies these requirements?
A company wants to reduce the risk of lateral movement in Azure virtual networks. Requirements: micro-segmentation, awareness of application dependencies, and a plan to gradually tighten allowed flows without breaking production. What should you recommend?
You are designing a data security strategy for a multi-tenant SaaS application that stores customer data in Azure Storage and Azure SQL Database. Requirements: prevent accidental exposure of sensitive data, detect and classify sensitive data, and apply consistent labeling across Microsoft 365 and Azure data sources. Which approach best meets the requirements?
A workload in Azure uses managed identities to access Azure Key Vault. After enabling a firewall on the Key Vault, the application starts failing with network errors. The team wants to keep the vault private and accessible only from the workload’s virtual network. What is the best fix?
Your organization plans to adopt a Secure Access Service Edge (SASE) model. Requirements: unify internet access and private application access controls, enforce Conditional Access, and provide consistent user experience for remote users without requiring full-tunnel VPN. Which Microsoft-centric design aligns best?
A company needs to ensure cryptographic separation between tenants for a regulated application running in AKS. Requirements: customer-managed keys, hardware-backed key protection, and the ability to prove keys cannot be exported. Which key management design should you recommend?
You are designing an incident response and threat detection strategy across Azure, Microsoft 365, and on-premises servers. The security operations team wants to reduce alert fatigue by automatically correlating related signals into a single incident and enriching it with entity context. Which solution best meets this requirement?
Microsoft Certified: Cybersecurity Architect Expert 50 Practice Questions FAQs
Microsoft Certified: Cybersecurity Architect Expert is a professional certification from Microsoft Azure that validates expertise in Microsoft Certified: Cybersecurity Architect Expert technologies and concepts. The official exam code is SC-100.
Our 50 Microsoft Certified: Cybersecurity Architect Expert practice questions include a curated selection of exam-style questions covering key concepts from all exam domains. Each question includes detailed explanations to help you learn.
50 questions is a great starting point for Microsoft Certified: Cybersecurity Architect Expert preparation. For comprehensive coverage, we recommend also using our 100 and 200 question banks as you progress.
The 50 Microsoft Certified: Cybersecurity Architect Expert questions are organized by exam domain and include a mix of easy, medium, and hard questions to test your knowledge at different levels.