Microsoft Certified: Cybersecurity Architect Expert Advanced Practice Exam: Hard Questions 2025

Your organization is migrating to Microsoft Entra ID and adopting Zero Trust. You have a mix of managed Windows devices, unmanaged BYOD, and workloads running in Azure and AWS. A security incident showed that a compromised user session token was reused from a different device and location within minutes (token replay). You must reduce token replay risk while maintaining usability for managed devices and ensuring access to both Microsoft 365 and custom apps. Which architecture choice best addresses the scenario?

A global enterprise uses Microsoft Defender for Cloud Apps (MDCA) and Conditional Access App Control to govern access to a sanctioned SaaS that contains regulated data. Users must be allowed to view documents from unmanaged devices but must be prevented from downloading, printing, or syncing via desktop clients. Some executives require full access from unmanaged devices when traveling, but only for a subset of low-sensitivity files labeled 'Public'. Which design best meets the requirements with least privilege and minimal administrative overhead?

You are designing access to an internal API hosted on Azure Kubernetes Service (AKS). The API is consumed by workloads in Azure, AWS, and by a vendor partner. The API must not be exposed publicly. Your team wants to avoid long-lived secrets, and you must support fine-grained authorization and continuous monitoring. Which design is the best fit?

Your organization must align security controls to multiple regulations. The CISO wants a single technical strategy that: (1) continuously assesses compliance posture across Microsoft 365, Azure, and connected data sources, (2) provides evidence for audits, and (3) enforces policy to reduce drift. The security team currently uses spreadsheets and ad-hoc scripts. Which approach best meets the requirements end-to-end?

A security review found that multiple Azure subscriptions have inconsistent role assignments, including permanent Owner access for contractors. The organization needs to: enforce least privilege, reduce standing access, require approval for sensitive roles, and generate an auditable access trail. The solution must work at scale across management groups. Which strategy should you implement?

You are designing network security for an Azure landing zone with strict segmentation. Workloads include: (1) AKS hosting internal services, (2) PaaS databases (Azure SQL and Cosmos DB), and (3) several Storage accounts. Requirements: no public network access to PaaS, minimize data exfiltration risk, support centralized inspection for egress, and avoid breaking PaaS service dependencies. Which architecture best meets the requirements?

A regulated workload runs on Azure Virtual Machines and uses Azure Disk Encryption and customer-managed keys (CMK) stored in Azure Key Vault. During a disaster recovery test, several VMs failed to boot because keys were unavailable due to regional Key Vault access issues. The business requires crypto-shredding capability and CMK, but also requires resilient recovery during regional failures. What should you recommend?

Your SOC reports frequent alerts for suspicious lateral movement in an Azure hub-and-spoke environment. Investigation shows that a legacy VM in a spoke has broad outbound access, and NSGs are permissive. You must reduce lateral movement risk while keeping required east-west connectivity between specific apps across spokes. You also need micro-segmentation and identity-aware controls where possible. Which design is most appropriate?

A product team is building a multi-tenant SaaS on Azure. Each tenant’s data must be logically isolated, and highly sensitive tenants require customer-managed keys and the ability to revoke access to their data (crypto-shredding). The app uses Azure SQL Database and stores documents in Azure Storage. The team also needs to prevent accidental data exposure via misconfigured sharing links. Which solution best meets these requirements?

An organization is modernizing apps using Azure App Service, Azure Functions, and AKS. They must secure secrets and certificates, reduce secret sprawl, and support CI/CD with short-lived credentials. They also need to enable automated rotation without app downtime and enforce least privilege for workload access to Azure resources. Which design is the best approach?