50 Microsoft Certified: Cybersecurity Architect Expert Practice Questions: Question Bank 2025
Build your exam confidence with our curated bank of 50 practice questions for the Microsoft Certified: Cybersecurity Architect Expert certification. Each question includes detailed explanations to help you understand the concepts deeply.
Why Use Our 50 Question Bank?
Strategically designed questions to maximize your exam preparation
50 Questions
A comprehensive set of practice questions covering key exam topics
All Domains Covered
Questions distributed across all exam objectives and domains
Mixed Difficulty
Easy, medium, and hard questions to test all skill levels
Detailed Explanations
Learn from comprehensive explanations for each answer
Practice Questions
50 practice questions for Microsoft Certified: Cybersecurity Architect Expert
Your organization is adopting a Zero Trust strategy. You need to ensure that all user and service sign-ins are continuously evaluated for risk and that high-risk sign-ins are blocked or require stronger authentication. Which solution should you implement?
You need to design governance controls to ensure that any Azure resource created in production subscriptions must have specific tags (CostCenter, DataClassification) and must be deployed only in approved regions. Which approach best meets the requirement?
You are designing security for an Azure IaaS workload. The security team requires that virtual machines have no public IP addresses and that administrative access use least privilege and be audited. Which solution should you recommend?
A development team is building an internal API hosted on Azure App Service. Secrets such as database credentials must not be stored in code or configuration files and must support rotation. Which solution should you recommend?
You are designing a Zero Trust architecture for a company with Microsoft 365 and Azure. The company wants to reduce reliance on the corporate network boundary and ensure device trust is evaluated before allowing access to sensitive apps. What should you implement?
Your SOC uses Microsoft Sentinel. You need to reduce alert fatigue by automatically enriching incidents with asset details and then opening tickets in a third-party ITSM system when incidents meet severity criteria. What should you use?
A company is migrating workloads to Azure. Security requires segmentation so that only specific subnets can communicate, and traffic between subnets must be inspected by a network virtual appliance (NVA). Which design best meets the requirement?
You need to design a data protection strategy for sensitive documents stored in SharePoint Online and exchanged via email. The requirement is to prevent external sharing and ensure that only specific departments can access documents even if they are downloaded. Which solution should you recommend?
You are designing privileged access for Azure and Microsoft 365 administration. The organization requires time-bound elevation, approval workflows, and automated access reviews for privileged roles. Which solution best meets these requirements?
A company hosts a multi-tenant SaaS API on Azure Kubernetes Service (AKS). They must prevent data exfiltration and ensure that pods can access PaaS services (for example, Key Vault and Storage) without using secrets in configuration. They also require network controls so only approved egress destinations are reachable. Which design is most appropriate?
Your organization is adopting Zero Trust. You must reduce risk from stale access while keeping user friction low for Microsoft 365 and Azure management portals. Which design choice best aligns with Zero Trust principles?
You need to standardize security configurations across multiple Azure subscriptions and ensure new resources are evaluated continuously against organizational requirements. Which solution should you implement?
A development team wants to store application secrets and certificates securely for Azure-hosted apps and needs automatic key rotation support. What should you recommend?
Your SOC wants to prioritize incident response using MITRE ATT&CK mapping and unified investigation across identity, endpoint, email, and cloud apps. Which architecture best meets the requirement?
You are designing network security for an Azure landing zone. The requirement is to centrally control and inspect outbound internet traffic from multiple spoke VNets while allowing selective direct egress for specific workloads. What is the most appropriate design?
A company wants to reduce the risk of data exfiltration from Microsoft 365 and also prevent users from uploading sensitive data to unsanctioned cloud apps. Which combination best addresses both needs?
You are implementing a privileged access strategy. Security requires that standing administrative permissions be removed and that all privileged actions be time-bound with approval and auditability across Azure and Microsoft Entra ID. What should you use?
Your organization uses Azure SQL Database and requires that database administrators cannot view sensitive customer fields, but applications must be able to query them. Which design best meets the requirement?
A multinational company must enforce data residency so that specific datasets remain within defined geographic boundaries while still enabling analytics. They want policy-driven controls with ongoing compliance reporting. What should you recommend?
You are designing security for a set of Azure PaaS services (Storage, Key Vault, Azure SQL) used by workloads in multiple VNets. The security requirement is to eliminate public network exposure and reduce data exfiltration risk while maintaining service functionality. Which design is most appropriate?
Your organization is standardizing on Microsoft Entra ID for identity. You need to reduce password-based attacks while keeping the user sign-in experience simple for both cloud apps and on-premises apps published through a reverse proxy. Which approach best aligns with Zero Trust and provides the strongest phishing resistance?
A security operations team wants to improve alert triage by correlating incidents across Microsoft Defender for Endpoint, Defender for Identity, and Microsoft Defender for Cloud Apps. They also want to run investigation playbooks automatically when high-severity incidents occur. Which solution should you recommend?
You are designing an application that uses Azure Storage accounts for blobs containing customer invoices. The security requirement is to ensure data is encrypted at rest using customer-managed keys (CMK) stored in a centralized key management service. What should you implement?
Your company hosts multiple Azure subscriptions under one tenant. A regulatory requirement states that certain workload teams must not be able to disable or change security monitoring on their resources. You use Microsoft Defender for Cloud for posture management. Which design best meets the requirement with least operational overhead?
You are designing network security for an Azure hub-and-spoke architecture. The spokes host PaaS services and VM workloads. Requirements: (1) Inspect all outbound internet traffic, (2) allow only approved FQDN destinations, and (3) minimize direct public exposure. Which solution best meets these requirements?
A developer team is building a containerized API on Azure Kubernetes Service (AKS). Security requires that secrets are not stored in Kubernetes etcd and must be retrieved at runtime from a managed secrets store with tight access controls and auditing. What should you recommend?
Your organization wants to implement a Zero Trust access model for administrators managing Azure resources. Requirements: (1) Admin privileges must be time-bound and approved, (2) risky sign-ins must trigger additional controls, and (3) auditability is required. Which combination best meets these requirements?
A multinational organization stores highly sensitive research data in Azure. They require that Microsoft personnel cannot access the data even during support operations, and that access to encryption keys is controlled solely by the organization. Which design should you recommend?
You are designing security monitoring for a hybrid environment with on-premises servers and multiple clouds. The security team needs a single incident queue, advanced hunting across normalized logs, and the ability to create detections using a query language. Which architecture best meets the requirement?
A critical Azure workload uses multiple virtual machines in a spoke VNet. The security team requires east-west traffic inspection between subnets and wants to prevent bypass of the inspection layer. The current design uses only NSGs. What is the most appropriate design change?
A company uses Microsoft Entra ID and wants to ensure that only compliant, managed devices can access Microsoft 365 and the Azure portal. They also want to block legacy authentication protocols. What should you implement?
You are designing a security architecture for Azure workloads. The business wants a single place to assess secure configuration across multiple Azure subscriptions and to enforce configuration baselines at scale. What is the best approach?
A team stores secrets used by Azure Functions to call internal APIs. The security requirement is to remove secrets from configuration files and rotate them centrally. What solution best meets this requirement?
You need to reduce the attack surface of Azure virtual machines by eliminating inbound public access while still allowing administrators to connect when required. Which solution should you recommend?
An organization wants to enforce least privilege for cloud administrators by granting permissions only when needed, with approval workflows and time-bound access. Which capability should you use?
You are designing workload segmentation for a hub-and-spoke Azure network. Security requirements state that internet egress must be inspected and logged centrally and that spoke-to-spoke traffic must be blocked by default unless explicitly allowed. What is the best design?
Your organization must classify and protect sensitive documents across Microsoft 365 and ensure that protection persists when files are shared outside the company. Which solution should you implement?
Security operations needs to reduce alert fatigue by correlating incidents across endpoints, identities, email, and cloud apps, and then automate common response actions. Which approach best meets these goals?
A company is building a multi-tenant SaaS on Azure. Tenants must use their own identities (their own Entra tenants), and the app must enforce tenant-specific authorization while minimizing administrative overhead. Which architecture best fits?
Your organization requires end-to-end protection against data exfiltration for a PaaS application that processes highly confidential data in Azure. Requirements include: encrypt data at rest with customer-managed keys, ensure secrets are never stored in code, and prevent outbound access to public internet from the app unless explicitly approved. Which design best meets the requirements?
You are designing a Zero Trust strategy for a company with Microsoft 365 and Azure. The business requirement is: "Users must complete phishing-resistant MFA only when risk is elevated; otherwise allow seamless access." Which approach best meets the requirement?
A security team wants to track and manage security recommendations across Azure subscriptions, on-premises servers, and AWS accounts in a single place and align them to regulatory standards. Which service should you use?
A company must ensure that all new Azure Storage accounts are created with secure transfer required and public network access disabled. They want enforcement at scale with auditability. What should you implement?
You are designing identity governance for a partner collaboration scenario using Microsoft Entra External ID (B2B). Partners should receive time-bound access to a specific application and their access should be periodically revalidated by an internal sponsor. Which solution best fits?
A company runs an internet-facing application on Azure Kubernetes Service (AKS). Security requires that east-west traffic between microservices is encrypted in transit, and that each service can be authorized based on its identity rather than IP addresses. Which design best meets the requirement?
A company wants to prevent accidental public exposure of sensitive data in Microsoft Teams and SharePoint Online by detecting sensitive info types and automatically restricting external sharing. Which Microsoft solution is best aligned?
A security operations team wants to reduce analyst workload by automatically enriching incidents with threat intelligence, then opening and tracking tickets in ServiceNow, and finally isolating compromised endpoints when high confidence is reached. Which architecture best accomplishes this?
A company is modernizing legacy applications to Azure App Service. They must ensure secrets (API keys, connection strings) are not stored in code or configuration files and must be rotated regularly with minimal application changes. What is the recommended design?
Your organization uses a hub-and-spoke network with Azure Firewall in the hub. Multiple spokes host PaaS services (Storage, Key Vault, Azure SQL) using private endpoints. Security requires that all name resolution for these private endpoints is centrally controlled and that workloads in all spokes resolve the correct private IPs without custom DNS per spoke. What should you design?
A global organization must enforce that highly sensitive customer data is only accessed from compliant corporate devices and only from approved countries/regions. They also need to prevent copy/paste and download to unmanaged devices for browser-based access. Which set of controls best meets the requirement end-to-end?
Microsoft Certified: Cybersecurity Architect Expert 50 Practice Questions FAQs
Microsoft Certified: Cybersecurity Architect Expert is a professional certification from Microsoft Azure that validates expertise in Microsoft Certified: Cybersecurity Architect Expert technologies and concepts. The official exam code is SC-100.
Our 50 Microsoft Certified: Cybersecurity Architect Expert practice questions include a curated selection of exam-style questions covering key concepts from all exam domains. Each question includes detailed explanations to help you learn.
50 questions is a great starting point for Microsoft Certified: Cybersecurity Architect Expert preparation. For comprehensive coverage, we recommend also using our 100 and 200 question banks as you progress.
The 50 Microsoft Certified: Cybersecurity Architect Expert questions are organized by exam domain and include a mix of easy, medium, and hard questions to test your knowledge at different levels.