Microsoft Certified: Cybersecurity Architect Expert Advanced Practice Exam: Hard Questions 2025
You've made it to the final challenge! Our advanced practice exam features the most difficult questions covering complex scenarios, edge cases, architectural decisions, and expert-level concepts. If you can score well here, you're ready to ace the real Microsoft Certified: Cybersecurity Architect Expert exam.
Why Advanced Questions Matter
Prove your expertise with our most challenging content
Expert-Level Difficulty
The most challenging questions to truly test your mastery
Complex Scenarios
Multi-step problems requiring deep understanding and analysis
Edge Cases & Traps
Questions that cover rare situations and common exam pitfalls
Exam Readiness
If you pass this, you're ready for the real exam
Expert-Level Practice Questions
10 advanced-level questions for Microsoft Certified: Cybersecurity Architect Expert
Your organization is standardizing Zero Trust across Microsoft 365, Azure, and several SaaS apps. A business unit requires access from unmanaged contractor devices, but security leadership mandates: (1) no persistent credentials on the device, (2) continuous risk evaluation during sessions, and (3) least privilege with rapid revocation if risk changes. Which architecture best meets the requirements with minimal user friction?
You are designing microsegmentation for a hub-and-spoke Azure network hosting both PaaS and IaaS workloads. Requirements: (1) block lateral movement between spokes, (2) allow only approved east-west app flows, (3) detect anomalous traffic patterns, and (4) minimize operational overhead for frequent application changes. Which approach best fits?
A global enterprise must implement identity governance for thousands of external partner users across multiple tenants. Requirements: (1) partners request access to specific app roles, (2) approvals must be time-bound and periodically re-certified, (3) access must be automatically removed upon partner employment termination signaled by the partner IdP, and (4) audit evidence must be retained and searchable. What should you design?
Your CISO asks you to validate that security controls in Azure align to an internal control framework and to continuously measure compliance drift. Requirements: (1) map technical controls to a control framework, (2) produce evidence for audits, (3) track exceptions with compensating controls, and (4) integrate findings into security operations triage. Which solution architecture best satisfies these needs?
You are responding to an incident where an attacker used a compromised workload identity to access Azure Storage and Key Vault. Logs show token issuance was valid and MFA was satisfied for the human operator earlier that day. You must redesign to reduce blast radius and improve detection for workload identities without breaking automated deployments. Which combination is the best next step?
A company runs mission-critical workloads on Azure Kubernetes Service (AKS) with strict regulatory requirements. They need to: (1) prevent deployment of containers with critical vulnerabilities, (2) block unsigned images, (3) enforce least privilege at runtime, and (4) produce auditable policy results. Which design best meets the requirements end-to-end?
You must design secure connectivity for an Azure landing zone hosting sensitive workloads. Requirements: (1) all inbound internet traffic must be inspected and centrally logged, (2) outbound traffic must be restricted with FQDN-based controls, (3) minimize exposure of PaaS services, and (4) support private access from on-premises. Which architecture is the best fit?
A finance organization needs to classify and protect sensitive data across Microsoft 365 and Azure. Requirements: (1) automatically discover and label sensitive info, (2) enforce encryption and usage restrictions that persist outside the organization, (3) prevent exfiltration to personal cloud storage, and (4) provide audit visibility for investigations. What should you implement?
Your team is modernizing an application to use Azure SQL Database and Azure Storage. Security requirements include: (1) no public network access, (2) least-privilege app access without secrets, (3) tenant-wide governance to prevent accidental public exposure, and (4) ability to rotate access quickly during incidents. Which design best meets the requirements?
A multi-tenant SaaS runs in Azure and uses a shared AKS cluster and shared data plane services. A new requirement mandates tenant-level encryption boundaries so that a compromise of one tenant's app layer cannot decrypt another tenant's sensitive records, while maintaining centralized operations. Which design is most appropriate?
Ready for the Real Exam?
If you're scoring 85%+ on advanced questions, you're prepared for the actual Microsoft Certified: Cybersecurity Architect Expert exam!
Microsoft Certified: Cybersecurity Architect Expert Advanced Practice Exam FAQs
Microsoft Certified: Cybersecurity Architect Expert is a professional certification from Microsoft Azure that validates expertise in Microsoft Certified: Cybersecurity Architect Expert technologies and concepts. The official exam code is SC-100.
The Microsoft Certified: Cybersecurity Architect Expert advanced practice exam features the most challenging questions covering complex scenarios, edge cases, and in-depth technical knowledge required to excel on the SC-100 exam.
While not required, we recommend mastering the Microsoft Certified: Cybersecurity Architect Expert beginner and intermediate practice exams first. The advanced exam assumes strong foundational knowledge and tests expert-level understanding.
If you can consistently score 700/1000 on the Microsoft Certified: Cybersecurity Architect Expert advanced practice exam, you're likely ready for the real exam. These questions are designed to be at or above actual exam difficulty.