Microsoft Certified: Cybersecurity Architect Expert Intermediate Practice Exam: Medium Difficulty 2025

A company is adopting a Zero Trust strategy. Users access Microsoft 365, several Azure-hosted apps, and a few on-premises apps published through Azure AD Application Proxy. The security team wants to reduce credential theft risk and ensure access decisions use identity risk, device compliance, and location. Which solution best meets the requirement with minimal changes to apps?

A financial services organization wants to implement Zero Trust for administrators who manage Azure resources. They require just-in-time privileged access, approval workflows for sensitive roles, and auditing of privileged role activations. Which solution should you recommend?

A company uses a hub-and-spoke network in Azure. Remote users connect from unmanaged devices. The organization wants to prevent data exfiltration from a sensitive web app, ensuring only compliant or managed devices can download files, while still allowing browser-based access for others. Which approach best aligns with Zero Trust and the requirement?

A healthcare organization must ensure that all Azure resources are tagged with data classification and owner information. Noncompliant resources must be blocked from deployment, and exceptions must be centrally approved and tracked. Which combination best meets the requirement?

A multinational company needs to assess compliance against common regulatory frameworks across multiple Azure subscriptions and prioritize remediation actions. They want a centralized view of compliance posture and secure score improvements. Which solution should you recommend?

An organization is migrating workloads to Azure and wants to reduce the risk of lateral movement if a VM is compromised. They also want centralized threat detection for anomalous east-west traffic patterns across subnets. Which design choice best addresses both needs?

A company hosts a mission-critical web application on Azure. They want to protect it from OWASP Top 10 attacks and also ensure that the web tier is not directly exposed to the internet. Which architecture best meets the requirement?

An organization uses Azure PaaS services (Azure SQL Database, Storage, and Key Vault). They want to prevent data exposure over the public internet while allowing access from multiple VNets across subscriptions. Which design is most appropriate?

A company stores sensitive documents in SharePoint Online and OneDrive. They need to automatically apply sensitivity labels, enforce encryption, and prevent sharing outside the organization for documents containing government ID numbers. Which solution should you recommend?

A development team deploys containerized APIs to Azure Kubernetes Service (AKS). The security team wants to reduce secrets exposure, ensure only signed images are deployed, and detect vulnerable images before deployment. Which approach best meets these requirements?