Microsoft Certified: Cybersecurity Architect Expert Intermediate Practice Exam: Medium Difficulty 2025

A global company is adopting a Zero Trust strategy across Microsoft 365 and Azure. They want to reduce account takeover risk by requiring strong authentication only when risk is elevated, while minimizing user friction for low-risk sign-ins. They also want the policy decisions to consider user risk and sign-in risk signals. What should you design?

A company has on-premises apps and Azure apps. They want to enforce least privilege for administrative access, require time-bound elevation, and reduce standing privileges across both Microsoft Entra roles and Azure resource roles. What solution should you recommend?

A security architect must segment access to Azure PaaS services (Storage, Key Vault, SQL) so that they are reachable only from approved networks and do not traverse the public internet. The company also wants to reduce data exfiltration risk from compromised workloads. Which design best meets these requirements?

A company must meet internal governance requirements: all Azure resources must be deployed in approved regions, must include mandatory tags (CostCenter, DataClassification), and noncompliant deployments must be blocked. They also need evidence of compliance for audits. What should you design?

A company is designing security operations for a hybrid environment (Azure, Microsoft 365, and on-premises). They want centralized incident investigation and automated response playbooks for common alerts like suspicious sign-ins and malware detection. Which approach should you recommend?

A company hosts internet-facing applications in Azure. They need protection against large-scale volumetric attacks and want to ensure inbound traffic to the apps is inspected for common web exploits. Which design best meets these requirements with layered controls?

A company wants to enforce a secure administrative model in Azure where administrators manage resources from hardened, isolated workstations. They also want to reduce the risk of credential theft and lateral movement from typical user devices. What should you recommend?

A company uses AKS for microservices and wants to reduce supply-chain risk and runtime threats. They need to: (1) prevent deployment of images with known vulnerabilities, and (2) detect suspicious container behavior at runtime. Which design best meets these requirements?

A company stores sensitive customer data in Azure SQL Database and Azure Storage. They must ensure encryption keys are centrally managed, access to keys is tightly controlled, and key usage is audited. What should you recommend?

A company wants to reduce the blast radius of compromised credentials when accessing an internal web application. The application is hosted on Azure App Service and authenticated with Microsoft Entra ID. They want to avoid storing client secrets in the app and still call downstream Azure resources (such as Key Vault and Storage) securely. What should you design?