Microsoft Certified: Cybersecurity Architect Expert Practice Exam 2025: Latest Questions

Your organization is adopting Zero Trust. You want to ensure that every sign-in to Microsoft 365 is evaluated for user risk and sign-in risk, and that high-risk sign-ins require MFA or are blocked automatically. Which solution best meets this requirement?

You need to centralize security operations across Microsoft Sentinel, Microsoft Defender XDR, and Microsoft Defender for Cloud. Your requirement is to track work items, measure SLA, and maintain auditability for incident response. What should you implement?

You are designing governance for Azure resources. You must ensure that all production resources are deployed only in approved regions and must have specific tags. Noncompliant resources should be detected and, where possible, automatically remediated. Which solution should you use?

A team plans to store application secrets and certificates for multiple Azure workloads. They need centralized secret management, access control using Azure AD identities, and support for key rotation. What is the recommended service?

You are modernizing an internet-facing application hosted in Azure. The security requirement is to protect against OWASP Top 10 attacks and provide centralized Layer 7 traffic inspection with TLS termination and WAF policies. Which Azure service is the best fit?

A company has multiple Azure subscriptions and wants consistent network security controls. They require centralized outbound filtering, application/FQDN-based rules, and logging for all egress traffic from spokes. Which architecture is most appropriate?

You need to apply a Zero Trust approach to lateral movement within Azure virtual networks. Your requirement is to segment traffic so that only explicitly allowed east-west flows occur between workloads, and to centrally manage rules across multiple VNets. Which solution best meets this requirement?

An organization needs to prevent accidental sharing of sensitive data in Microsoft Teams and SharePoint Online. They must classify content and then block external sharing for items labeled as Highly Confidential. What should you implement?

You are designing privileged access for Azure and Microsoft 365 administration. Requirements: just-in-time elevation, approval workflows, time-bound access, and access reviews for privileged roles. Which design best satisfies the requirements?

A company uses Azure SQL Database and stores highly sensitive customer data. They must meet these requirements: keep data encrypted at rest, ensure that database administrators cannot view sensitive columns in plaintext, and allow the application to query the data without code changes where possible. Which approach best meets the requirements?

Your organization wants to enforce Zero Trust by requiring MFA for all users accessing Microsoft 365, but security administrators must use phishing-resistant MFA. You need a single Conditional Access design that applies different strength requirements based on role. What should you implement?

A security operations team wants to standardize incident tracking across Microsoft Sentinel and Microsoft Defender XDR. They need to ensure incidents are correlated and handled in a single queue when possible. What is the recommended approach?

You need to prevent accidental deletion of critical secrets used by production workloads in Azure. The security team requires recoverability with minimal operational overhead. What should you configure?

A multinational company must ensure that endpoints accessing SaaS apps meet security requirements (patched OS, disk encryption, and device not jailbroken). The requirement is to block access when the device is noncompliant, regardless of user location. Which architecture best meets the requirement?

Your organization uses multiple Azure subscriptions managed by different teams. You need to ensure security configurations (logging, threat protection, and security baselines) are applied consistently and centrally monitored across all subscriptions. Which design is most appropriate?

A company stores sensitive customer documents in Azure Storage accounts. They must prevent public access and ensure that data exfiltration to non-approved tenants is blocked where possible. Which combination best satisfies the requirement?

You are designing an application on Azure Kubernetes Service (AKS) that processes regulated data. The security team requires: (1) workload identity without storing secrets in pods, and (2) access to Key Vault using least privilege. What should you recommend?

A security team wants to reduce alert fatigue in Microsoft Sentinel while ensuring high-fidelity detection. They plan to ingest logs from multiple sources and currently generate many low-confidence incidents. What should you recommend first?

A financial services company must implement a privileged access strategy that prevents standing administrative access in Azure and Microsoft 365. They also need approvals and time-bound access for sensitive roles, and the design must support audits. What is the best approach?

Your organization hosts multiple internal line-of-business APIs in Azure. They require strong protection against OWASP API threats, centralized authentication/authorization, request validation, and consistent policy enforcement across APIs. The APIs are consumed by internal and partner applications. Which architecture best meets these requirements?

Your organization is standardizing on a Zero Trust model. You must ensure that access to Microsoft 365 and Azure resources is continuously evaluated based on real-time risk signals, and that high-risk sign-ins are blocked automatically. What should you implement?

A security team needs to apply consistent data classification and labeling across Microsoft 365 (SharePoint, OneDrive, Teams) and also label files stored in on-premises file shares. The team wants a single labeling taxonomy and centralized policy management. What should you use?

You are designing security operations for a hybrid environment. The organization wants to standardize security monitoring and incident response in a single SIEM/SOAR, ingesting logs from Azure, on-premises servers, and multiple SaaS applications, and orchestrating automated playbooks. Which solution best meets these requirements?

A company is deploying a hub-and-spoke network in Azure. The security requirement is to centrally inspect all inbound and outbound internet traffic from spoke VNets, apply application-layer controls, and reduce the risk of lateral movement. Which design is the best fit?

You are designing access controls for highly privileged cloud administration across Azure and Microsoft 365. Requirements: (1) admins should not have standing privileges, (2) elevation must require approval and justification, (3) privileged actions must be recorded for later review. Which approach best meets these requirements?