az500-minimum Flashcards

(111 cards)

1
Q

How are multiple Conditional Access policies evaluated when more than one applies to a sign-in?

A

All applicable policies are evaluated. If ANY policy blocks, access is denied (block always wins). If no policy blocks, ALL grant controls from ALL matching policies must be satisfied. Grant controls are merged/summed across policies.

2
Q

Policy A requires MFA. Policy B requires compliant device. Both match a sign-in. What must the user provide?

A

Both MFA AND a compliant device. Grant controls from multiple matching policies are cumulative. The user must satisfy every control from every matching policy.

3
Q

Policy A blocks access from outside the country. Policy B grants access with MFA from anywhere. A user signs in from abroad. What happens?

A

Access is BLOCKED. If any matching policy blocks, block always wins regardless of what other policies grant. There are no exceptions to this rule.

4
Q

What is the difference between ‘Require one of the selected controls’ and ‘Require all the selected controls’?

A

‘Require one’ (OR): user satisfies ANY one of the listed controls (e.g., MFA OR compliant device). ‘Require all’ (AND): user must satisfy EVERY listed control (e.g., MFA AND compliant device). Default is AND.

5
Q

What are all the available grant controls in Conditional Access?

A

Block access, Require MFA, Require authentication strength, Require device compliant (Intune), Require Entra hybrid joined device, Require approved client app (retiring March 2026), Require app protection policy, Require password change, Require Terms of Use.

6
Q

What is authentication strength in Conditional Access?

A

Allows admins to require specific authentication method combinations instead of just ‘MFA’. Built-in: MFA strength, Passwordless MFA strength, Phishing-resistant MFA strength. Custom strengths can be defined with specific method combinations.

7
Q

A policy requires ‘Require compliant device’. A user on an unmanaged personal laptop completes MFA. Is access granted?

A

No. The policy specifically requires a compliant device (managed by Intune with passing compliance policy). MFA alone does not satisfy a device compliance requirement. The device must be enrolled and marked compliant.

8
Q

How are assignments within a single Conditional Access policy logically combined?

A

All assignment sections are combined with AND logic. Users AND Cloud apps AND Conditions must all be true for the policy to apply. Within each section, multiple selections are combined with OR (e.g., user in Group A OR Group B).

9
Q

A policy targets ‘All users’ and excludes ‘Group_Admins’. User1 is in Group_Admins. Does the policy apply?

A

No. Exclusions override inclusions. User1 is excluded because they are in Group_Admins, even though ‘All users’ includes them.

10
Q

Can Conditional Access target specific Azure resources like a single storage account or VM?

A

No. CA targets cloud apps or user actions. You can target ‘Microsoft Azure Management’ (covers Azure portal, CLI, PowerShell, ARM API) but not individual resources. For resource-level control, use Azure RBAC and resource firewalls.

11
Q

What does the ‘Microsoft Azure Management’ cloud app cover in Conditional Access?

A

Azure portal (portal.azure.com), Azure PowerShell, Azure CLI, Azure Resource Manager API, Azure mobile app. A CA policy targeting this app affects ALL Azure management activities through these clients.

12
Q

What does the ‘Office 365’ cloud app cover vs. selecting individual Office apps?

A

‘Office 365’ is a meta-app that includes Exchange Online, SharePoint Online, Teams, and other O365 services. Selecting individual apps gives finer control. Selecting Office 365 applies the policy to all O365 services at once.

13
Q

What sign-in risk levels can be used as conditions?

A

No risk, Low, Medium, High. Requires Entra ID P2. Configure: if sign-in risk is Medium or High → require MFA. Common risks: anonymous IP, atypical travel, malware-linked IP, unfamiliar properties, password spray, token anomaly.

14
Q

What user risk levels can be used as conditions?

A

No risk, Low, Medium, High. Requires Entra ID P2. Configure: if user risk is High → require secure password change + MFA. Common risks: leaked credentials, anomalous user activity, suspicious API traffic.

15
Q

What client app types can be used as conditions?

A

Browser, Mobile apps and desktop clients, Exchange ActiveSync clients, Other clients (legacy auth: POP, IMAP, SMTP, older Office). Default: all client apps. To block legacy auth, target ‘Other clients’ with Block access.

16
Q

How do device platform conditions work?

A

Filter by: Android, iOS, Windows, macOS, Linux. Based on user-agent strings (not verified). Best practice: create policies for supported platforms, then a separate policy blocking ‘Any device’ excluding supported platforms.

17
Q

User signs in from a trusted Named Location but their user risk is High. Policy 1: exclude trusted locations from MFA. Policy 2: require password change for high user risk. What happens?

A

Policy 1 does NOT apply (trusted location excluded). Policy 2 DOES apply (high user risk). User must change password. These are independent policies evaluating different conditions.

18
Q

You want to allow access to Exchange Online only from compliant iOS/Android devices OR from corporate network. How do you configure this?

A

Create two policies: Policy 1: target Exchange Online, condition = mobile platforms, grant = require compliant device. Policy 2: target Exchange Online, condition = ANY location except corporate network + desktop platforms, grant = block. Or: single policy with require compliant device OR trusted location.

19
Q

A legacy mail client (POP3) attempts to sign in. Your policy requires MFA for all users. What happens?

A

The sign-in is BLOCKED. Legacy auth clients cannot complete MFA. When a CA policy requires MFA and the client uses legacy auth, the sign-in fails. This is why you should explicitly block legacy auth with a dedicated policy.

20
Q

What is the Conditional Access What If tool?

A

A testing tool that simulates a sign-in with specified parameters (user, app, location, device, risk) and shows which policies would apply and their results. Found in Entra ID > Security > Conditional Access > What If. Essential for troubleshooting.

21
Q

What does ‘Sign-in frequency’ session control do?

A

Forces users to re-authenticate after a specified time period (e.g., every 8 hours). Overrides the default token refresh behavior. Useful for sensitive apps. Setting of ‘Every time’ forces re-auth on every access.

22
Q

What does ‘Persistent browser session’ control do?

A

Controls whether users stay signed in after closing and reopening the browser. ‘Never persistent’ forces re-auth on new browser sessions. ‘Always persistent’ allows Remember Me. Overrides the ‘Stay signed in?’ prompt behavior.

23
Q

Describe the complete NSG evaluation flow for inbound traffic to a VM.

A

1) Traffic hits subnet NSG first — evaluated against inbound rules by priority (lowest number first). 2) If subnet NSG allows, traffic then hits NIC NSG — evaluated against its inbound rules. 3) BOTH must allow. If either denies, traffic is dropped. 4) If no rule matches, default DenyAllInBound (65500) applies.

24
Q

Describe the complete NSG evaluation flow for outbound traffic from a VM.

A

1) Traffic hits NIC NSG first — evaluated against outbound rules by priority. 2) If NIC NSG allows, traffic then hits subnet NSG — evaluated against its outbound rules. 3) BOTH must allow. Outbound is NIC first, then subnet (opposite of inbound).

25
An NSG has: Priority 100 Allow TCP 443, Priority 200 Deny TCP 443, Priority 300 Allow All. What happens to HTTPS traffic?
ALLOWED. Priority 100 (Allow TCP 443) matches first. Once a rule matches, no further rules are evaluated for that flow. The Deny at 200 and Allow All at 300 are never reached.
26
An NSG has: Priority 100 Deny All, Priority 200 Allow TCP 22. Is SSH traffic allowed?
NO. Priority 100 (Deny All) matches first and blocks everything including SSH. The Allow at priority 200 is never evaluated. Rule order by priority number is critical.
27
What are the exact default rules and their priorities in an NSG?
Inbound: AllowVNetInBound (65000, allows VNet-to-VNet), AllowAzureLoadBalancerInBound (65001), DenyAllInBound (65500). Outbound: AllowVNetOutBound (65000), AllowInternetOutBound (65001), DenyAllOutBound (65500). Cannot be deleted, only overridden with lower priority numbers.
28
A VM has a NIC NSG allowing port 80 and a subnet NSG with no rule for port 80 (default deny). Can HTTP traffic reach the VM?
NO. The subnet NSG has no allow rule for port 80, so the default DenyAllInBound blocks it at the subnet level before it even reaches the NIC NSG. Both subnet and NIC NSGs must allow the traffic.
29
Name 5 commonly used service tags in NSG rules and what they represent.
VirtualNetwork: VNet address space + peered VNets + on-prem (gateway). Internet: all public IPs. AzureLoadBalancer: Azure health probes. Storage: Azure Storage IPs (or Storage.RegionName). Sql: Azure SQL IPs. AzureActiveDirectory: Entra ID endpoints.
30
You have WebServers ASG and DbServers ASG. How do you allow web servers to reach databases on port 1433 only?
Create an NSG rule: Source = WebServers ASG, Destination = DbServers ASG, Port = 1433, Protocol = TCP, Action = Allow. Assign the web VM NICs to WebServers ASG and database VM NICs to DbServers ASG.
31
What are augmented NSG security rules?
Rules that allow multiple IP addresses, ranges, ports, and service tags in a single rule. Instead of creating 10 rules for 10 different ports, create one rule with all 10 ports. Simplifies management and stays within rule limits.
32
Explain the two Key Vault access models and when to use each.
Vault access policy (legacy): permissions per principal on entire vault (get/list/set/delete/backup/restore per object type). RBAC (recommended): Azure RBAC roles at vault, key, secret, or certificate level. RBAC allows more granular scoping and is consistent with other Azure resource RBAC.
33
Map the Key Vault RBAC roles to their capabilities.
Administrator: full data plane ops. Secrets Officer: CRUD secrets. Secrets User: read secrets only. Crypto Officer: CRUD keys + crypto ops. Crypto User: crypto ops only (encrypt/decrypt/sign/verify/wrap/unwrap). Certificates Officer: CRUD certs. Reader: read metadata only (no values).
34
A Key Vault has firewall enabled with 'Deny' default. An App Service with VNet Integration needs to access it. What are the options?
Option 1: Add the App Service's VNet/subnet as an allowed network via Service Endpoints. Option 2: Create a Private Endpoint for Key Vault in the VNet. Option 3: Enable 'Allow trusted Microsoft services' (but this only covers specific Azure first-party services, NOT App Service directly). Best: Private Endpoint.
35
What specific Azure services bypass Key Vault firewall with 'Allow trusted Microsoft services'?
Azure Backup, Azure Disk Encryption, Azure Resource Manager (template deployment), Azure Storage (CMK), Azure SQL (TDE with CMK), Azure Event Hubs, Azure Data Factory, Azure Import/Export, Azure Machine Learning, and others. NOT: App Service, Functions, AKS (these need explicit network access).
36
Explain the relationship between soft delete, purge protection, and retention.
Soft delete: deleted objects recoverable for 7-90 days (default 90, mandatory). Purge protection: prevents permanent deletion during retention period (optional but recommended, irreversible once enabled). Without purge protection: admin can purge immediately. With: must wait for retention to expire.
37
What happens when a key is rotated in Key Vault?
A new key version is created. The old version remains. Services using the key (e.g., Storage CMK) automatically use the latest version for NEW encrypt operations. Old versions are used to decrypt data encrypted with them. Rotation policy: set interval + notification days.
38
An app needs to encrypt data using a Key Vault key but should NOT be able to read or manage the key itself. Which role?
Key Vault Crypto User. This role allows crypto operations (encrypt, decrypt, sign, verify, wrap, unwrap) but does NOT allow reading key material, creating/deleting keys, or managing key properties.
39
You need to allow Azure Disk Encryption to use a Key Vault. What must you configure?
Set the Key Vault access property 'enabledForDiskEncryption' = true (under Properties or via ARM/PowerShell). This is a management plane setting separate from data plane access policies/RBAC. It allows the ADE service to access the vault.
40
How do you audit who accessed a Key Vault secret and when?
Enable Diagnostic Settings on Key Vault: send AuditEvent logs to Log Analytics workspace. Query: AzureDiagnostics | where ResourceProvider == 'MICROSOFT.KEYVAULT' | where OperationName == 'SecretGet' | project TimeGenerated, CallerIPAddress, identity_claim_upn_s, ResultType.
41
Explain how Private Endpoint DNS resolution works end-to-end.
1) Client queries: storageaccount.blob.core.windows.net. 2) Public DNS returns CNAME: storageaccount.privatelink.blob.core.windows.net. 3) If client is in VNet linked to Private DNS zone privatelink.blob.core.windows.net, the zone returns the Private Endpoint's private IP. 4) If outside the VNet (no DNS zone link), the CNAME resolves to the public IP.
42
List the Private DNS zone names for the 6 most common Azure services.
Blob Storage: privatelink.blob.core.windows.net. Azure SQL: privatelink.database.windows.net. Key Vault: privatelink.vaultcore.azure.net. Web Apps: privatelink.azurewebsites.net. Azure Files: privatelink.file.core.windows.net. Cosmos DB: privatelink.documents.azure.com.
43
What Private DNS zone is needed for Azure Queue Storage?
privatelink.queue.core.windows.net. Each storage sub-service needs its own Private Endpoint and DNS zone: blob, file, queue, table, web (static website), dfs (Data Lake).
44
You created a Private Endpoint for SQL Database but apps still connect via the public IP. What are the 3 things to check?
1) Private DNS zone (privatelink.database.windows.net) exists with the correct A record pointing to the PE's private IP. 2) The Private DNS zone is linked to the VNet where the client resides. 3) The client VM is using Azure-provided DNS (168.63.129.16) or a DNS forwarder that can resolve the private zone.
45
An on-premises server needs to resolve a Private Endpoint IP. The Private DNS zone is in Azure. What architecture is needed?
Deploy Azure Private Resolver in the hub VNet (or a DNS forwarder VM). Configure on-premises DNS servers with conditional forwarders for privatelink.*.core.windows.net (and other privatelink zones) pointing to the Private Resolver's inbound endpoint IP (or forwarder VM IP). The resolver queries the Private DNS zone.
46
What is the IP address of Azure's built-in DNS resolver?
168.63.129.16. This is the virtual IP that every VNet uses for DNS resolution by default. The Azure Private Resolver forwards queries to this address to resolve Private DNS zones and Azure-provided DNS.
47
After creating a Private Endpoint, is the public endpoint automatically disabled?
NO. The public endpoint remains active unless you explicitly disable it. To fully lock down: set 'Public network access = Disabled' on the resource, or configure the resource firewall to deny all public access.
48
You have a hub-spoke topology with Private DNS zones in the hub. Spoke VNets use VNet peering. Can spoke VMs resolve Private Endpoint IPs?
Yes, IF the Private DNS zones are linked to all spoke VNets (not just the hub). Each VNet that needs to resolve Private Endpoint IPs must have a virtual network link to the Private DNS zone. DNS zones don't auto-link through peering.
49
Give 5 concrete differences between Service Endpoints and Private Endpoints.
1) SE: service keeps public IP; PE: private IP in your VNet. 2) SE: Azure backbone routing; PE: fully private via NIC. 3) SE: no DNS change needed; PE: requires Private DNS zone. 4) SE: no cost for the endpoint; PE: per-hour + data cost. 5) SE: VNet traffic only; PE: accessible from on-prem via VPN/ExpressRoute.
50
Describe Azure Firewall rule processing order in detail.
1) DNAT (NAT) rules evaluated first for inbound traffic. 2) Network rules evaluated next. If a network rule matches (allow/deny), application rules are NOT evaluated for that flow. 3) Application rules evaluated last (only for traffic not matched by network rules). Within each collection type: lowest priority number evaluated first.
51
Azure Firewall has Network rule allowing TCP 443 to any IP and Application rule blocking *.malicious.com on 443. Traffic goes to malicious.com:443. Is it blocked?
NO. The Network rule matches first (TCP 443 to any IP) and allows the traffic. Application rules are NOT evaluated because the network rule already matched. To block by FQDN, remove the broad network rule and use application rules for FQDN filtering, or use Premium TLS inspection + IDPS.
52
How do rule collection priorities interact with rule priorities?
Rule collections have priorities (lower = first). All rules within a rule collection are evaluated together. The firewall processes rule collections in priority order. Once a rule in a collection matches, processing stops for that flow. Rules within a collection don't have individual priorities — the collection's priority determines order.
53
How does DNAT work on Azure Firewall?
DNAT translates inbound traffic from the firewall's public IP:port to a private IP:port. Example: firewall public IP:8080 → VM at 10.0.1.4:80. The firewall automatically creates a corresponding network rule to allow the translated traffic. DNAT rules implicitly allow the translated traffic.
54
Why is DNS Proxy important for Azure Firewall and what happens without it?
DNS Proxy: Firewall intercepts DNS queries from VMs and resolves FQDNs. Required for: 1) FQDN filtering in network rules, 2) Reliable FQDN resolution in application rules. Without DNS Proxy: FQDNs in network rules don't work, and application rule FQDN resolution may use stale DNS cache.
55
What does threat intelligence-based filtering do on Azure Firewall?
Alerts on or denies traffic to/from known malicious IPs and FQDNs. Microsoft's threat intel feed. Three modes: Off, Alert only (logs), Alert and deny (blocks). Applied before any rule processing. Covers both inbound and outbound.
56
List the 4 Premium-only features and what each does.
1) TLS inspection: decrypt, inspect, re-encrypt HTTPS traffic. 2) IDPS: signature-based intrusion detection/prevention (alert or deny). 3) URL filtering: filter by full URL path (not just FQDN). 4) Web categories: allow/deny traffic based on website category (gambling, social media, etc.).
57
You need to allow outbound HTTPS only to *.microsoft.com and block all other HTTPS. Which rule type?
Application rule. Create an application rule collection: target FQDN tag or FQDN = *.microsoft.com, protocol HTTPS (443), action Allow. Set a lower-priority application rule collection with a deny-all for HTTPS. Application rules are purpose-built for FQDN filtering on HTTP/S.
58
You need to allow outbound SSH (port 22) only to a specific IP range. Which rule type?
Network rule. SSH is non-HTTP/S traffic, so it cannot use application rules (which only support HTTP/S and MSSQL). Create a network rule: source = your subnet, destination = specific IP range, port = 22, protocol = TCP, action = Allow.
59
User has Contributor on a subscription and a custom deny assignment from Azure Blueprints on a resource group. What happens?
The deny assignment blocks the denied actions on that resource group, even though Contributor would normally allow them. Deny assignments are the only way to explicitly deny in Azure RBAC and they override all role assignments.
60
User has Reader on subscription and Storage Blob Data Contributor on a storage account. Can they upload blobs?
Yes. RBAC is additive. Reader gives read-only on the management plane. Storage Blob Data Contributor gives read/write/delete on the data plane of that storage account. The data plane role allows blob uploads.
61
A security auditor needs to read all security settings in Azure but should not modify anything. Minimum role?
Security Reader (Entra role) for security features + Reader (Azure role) on subscriptions for resource visibility. Security Reader provides read access to Defender for Cloud, ID Protection, and security-related Entra settings.
62
A developer needs to deploy VMs and configure NSGs but should not manage Key Vault secrets or assign roles. Minimum role?
Virtual Machine Contributor (manage VMs) + Network Contributor (manage NSGs and networking). These are job-function roles that don't include Key Vault data plane access or role assignment permissions.
63
A user needs to read blob data from a storage account using Entra ID auth. Minimum role?
Storage Blob Data Reader at the storage account (or container) scope. This grants read-only access to blob data via the data plane. Reader role alone only gives management plane access (see account exists) but NOT data access.
64
What is the difference between role assignments at resource group vs. resource scope?
Resource group: role applies to ALL resources in the group (inherited). Resource: role applies to that specific resource only. Assign at the narrowest scope needed. Example: Storage Blob Data Reader on a specific storage account rather than the entire resource group.
65
List all configurable PIM settings for a role.
Maximum activation duration (up to 24 hrs), require MFA on activation, require justification, require ticket information, require approval (+ designated approvers), allow/disallow permanent eligible assignments, allow/disallow permanent active assignments, assignment expiration policies, notification recipients for each event type.
66
A user activates an eligible role in PIM. The role has MFA + approval + justification required. Describe the exact flow.
1) User goes to PIM > My roles > Activate. 2) User enters justification text. 3) User completes MFA challenge. 4) Activation request is submitted to designated approvers. 5) Approver receives email notification. 6) Approver reviews and approves/denies in PIM. 7) If approved, role activates for configured duration. 8) User receives notification of activation.
67
How do PIM access reviews work for Azure resource roles?
Create an access review in PIM for a specific Azure role at a scope. Reviewers (self-review, managers, or specific users) evaluate each assignment. After review period: auto-apply results (remove denied assignments) or manual apply. Recurrence: one-time or recurring (weekly, monthly, quarterly, annually).
68
A Global Admin needs emergency access but PIM is configured with approval. How should this be handled?
Emergency access accounts should have PERMANENT ACTIVE Global Admin assignments, excluded from PIM eligible workflow. They bypass the activation/approval process. This is why break-glass accounts exist — PIM approval workflows should never block emergency access.
69
User A has an eligible Contributor role on a resource group. They activate it for 4 hours. After 4 hours, what happens?
The role automatically deactivates. The user's Contributor permissions are removed. They return to having no Contributor access. If they need access again, they must go through the activation process again.
70
A user delegation SAS is created with Read + Write permissions for a blob container. The user who created it has Read-only RBAC. What are the effective SAS permissions?
Read only. User Delegation SAS effective permissions are the INTERSECTION of: the SAS permissions AND the user's RBAC permissions. Even though the SAS says Read+Write, the user only has Read RBAC, so the SAS only grants Read.
71
You suspect a storage account access key was compromised. What are the immediate steps?
1) Regenerate the compromised key immediately. 2) Update all applications using that key to use the other key (or switch to Entra ID auth). 3) Regenerate the second key as precaution. 4) Review access logs for unauthorized access. 5) Consider switching to managed identity + RBAC to eliminate key dependency.
72
A storage account firewall is set to 'Selected networks' with VNet1 allowed. A VM in VNet2 (peered with VNet1) tries to access the account. Is access allowed?
NO. Service Endpoints and firewall rules are per-subnet, not per-VNet peering. VNet2's subnet must be explicitly added to the storage firewall, or VNet2 must have its own Service Endpoint for Microsoft.Storage. Peering alone doesn't transfer firewall access.
73
Can Azure Backup access a storage account with firewall enabled (deny all)?
Yes, IF 'Allow trusted Microsoft services to bypass this firewall' is enabled. Azure Backup is a trusted Microsoft service. Without this exception, Backup cannot access the account even though it's a Microsoft service.
74
You need time-limited read access to a private blob for an external partner who has no Entra ID account. Best approach?
Generate a Service SAS (or Account SAS) with: Read permission only, short expiry (hours/days), restricted IP range if possible, HTTPS only. Use a stored access policy for revocability. User Delegation SAS is not possible without Entra ID.
75
Can you write NEW blobs to a container with a time-based retention policy?
Yes. Immutable storage prevents modification and deletion of EXISTING blobs but allows writing new blobs. The policy protects existing data from being overwritten or deleted.
76
What is the TDE encryption hierarchy?
Database Encryption Key (DEK): symmetric key that encrypts the database data. TDE Protector: asymmetric key (or certificate) that encrypts the DEK. Service-managed: Microsoft manages the protector. BYOK: your key in Key Vault serves as the protector.
77
You switch from service-managed TDE key to BYOK in Key Vault. What happens to existing data?
The DEK is re-encrypted with the new Key Vault key (TDE protector). The actual database data is NOT re-encrypted — only the DEK wrapper changes. This is fast because only the key encryption key changes, not all the data.
78
The Key Vault key used for TDE BYOK is deleted (or access revoked). What happens?
The database becomes INACCESSIBLE within ~10 minutes (key cache expiry). All connections fail. To restore: re-grant access to the key in Key Vault (or restore a soft-deleted key). Database remains encrypted but unreadable without the protector.
79
What are the three audit log destinations and when to use each?
Storage account: long-term retention, compliance archival, cheapest. Log Analytics workspace: KQL queries, dashboards, Sentinel integration. Event Hub: SIEM integration (Splunk, QRadar), real-time streaming. You can enable multiple destinations simultaneously.
80
Server-level auditing is enabled with storage destination. Database-level auditing is also enabled with Log Analytics. What happens?
BOTH audits run independently. Events are logged to both destinations. This is called 'dual auditing'. If you enable auditing at both levels, both apply. To avoid duplicate logs, usually configure at server level only.
81
What are the 4 masking functions and their outputs?
Default: XXXX (or 0 for numbers). Email: first letter + aXXX@XXXX.com. Random: random number within specified range (for number types). Custom string: configurable prefix + padding + suffix (e.g., first 2 chars + XXXX + last 2 chars).
82
A user with db_datareader role queries a masked column. Do they see actual or masked data?
Masked data. By default, db_datareader sees masked data. Only db_owner, sysadmin, and users with explicit UNMASK permission see actual data. You can grant UNMASK per-user: GRANT UNMASK TO [username].
83
You need read-only users to see only the last 4 digits of credit card numbers. Which feature and function?
Dynamic data masking with a Custom String function. Configure: prefix = '', padding = 'XXXX-XXXX-XXXX-', suffix showing last 4 digits. Or use the partial() function: partial(0, 'XXXX-XXXX-XXXX-', 4).
84
How is Secure Score calculated?
Each security control has a maximum score. Your score = (sum of achieved control scores) / (sum of max control scores) × 100. A control scores its maximum only when ALL its recommendations are remediated. Partial = 0 for that control.
85
Control 'Restrict unauthorized network access' is worth 4 points and has 8 recommendations. You fix 6 of 8. Score for this control?
0 points. No partial credit. ALL 8 recommendations must be remediated to earn the 4 points. The control remains at 0 until 100% of its recommendations are resolved.
86
Which actions improve Secure Score and which don't?
Improves: remediating recommendations (fix all in a control), implementing missing security controls, adding exemptions. Does NOT improve: dismissing alerts, creating suppression rules.
87
How do you add a custom compliance standard to Defender for Cloud?
1) Create an Azure Policy initiative containing your custom policy definitions. 2) Assign it to your subscription. 3) In Defender for Cloud > Environment settings > Security policies, the initiative appears as a compliance standard. 4) View results in the Regulatory Compliance dashboard.
88
What is the relationship between Azure Policy and Defender for Cloud recommendations?
Defender for Cloud recommendations are backed by Azure Policy definitions. The MCSB initiative contains policies that generate recommendations. Each recommendation maps to one or more policy definitions. Compliance is evaluated by Azure Policy; results surface in Defender for Cloud.
89
Compare Defender for Servers Plan 1 vs. Plan 2 features.
Plan 1: Defender for Endpoint (EDR), vulnerability scanning via MDE, Endpoint Detection and Response. Plan 2: ALL Plan 1 features PLUS: JIT VM access, adaptive application controls, adaptive network hardening, file integrity monitoring, agentless scanning, vulnerability assessment, Docker host hardening.
90
What data does Defender for Cloud collect from connected AWS accounts?
CSPM: configuration assessment of EC2, S3, IAM, RDS, etc. against MCSB. Workload protection (if enabled): Defender for Servers on EC2 (via Azure Arc), Defender for Databases on RDS, Defender for Containers on EKS. Compliance assessment against frameworks.
91
Compare all 4 analytics rule types in detail.
Scheduled: custom KQL, configurable schedule (5min-14d), entity mapping, alert grouping, most flexible. NRT: runs every minute, ~1min latency, single query, no grouping, fastest. Microsoft Security: auto-creates incidents from Defender alerts, no KQL needed. Fusion: ML-based, multi-stage attack correlation, not customizable.
92
What is entity mapping in analytics rules and why is it critical?
Maps KQL query output fields to Sentinel entity types (Account, Host, IP, URL, File, etc.). Enables: investigation graph, UEBA, entity pages, cross-incident correlation, playbook entity access. Without mapping, entities aren't recognized and investigation features don't work.
93
What is alert grouping in scheduled analytics rules?
Groups multiple alerts (from the same rule) into a single incident instead of creating one incident per alert. Grouping options: by time window (all alerts in X hours), by entity match, or by alert details. Reduces alert fatigue and enables contextual investigation.
94
Write the components of a scheduled analytics rule configuration.
1) Rule query (KQL). 2) Query scheduling: run every X, look up data from the last Y. 3) Alert threshold: trigger when results > N. 4) Entity mapping: map columns to entity types. 5) Alert grouping: group into incidents by time/entity. 6) Incident settings: create incident yes/no. 7) Automated response: trigger automation rules.
95
What is the difference between an automation rule trigger and a playbook trigger?
Automation rule triggers: 'When incident is created', 'When incident is updated', 'When alert is created'. Playbook triggers: 'Microsoft Sentinel Incident' (gets full incident object), 'Microsoft Sentinel Alert' (gets alert). Automation rules can call playbooks. Playbooks need the matching trigger type.
96
An automation rule sets severity to High AND runs a playbook. Does the playbook see the updated severity?
Yes. Automation rule actions execute in order. If severity change is before the playbook action, the playbook receives the incident with updated severity. Action order within an automation rule matters.
97
What is the difference between AMA-based and legacy (MMA) data collection for Sentinel?
AMA (Azure Monitor Agent): modern, uses Data Collection Rules (DCRs), granular filtering, multi-homing, supports Linux/Windows. MMA (Microsoft Monitoring Agent/Log Analytics Agent): legacy, deprecated, less flexible filtering, direct workspace config. Microsoft recommends migrating to AMA.
98
What data does the Microsoft Entra ID connector provide?
Sign-in logs: interactive, non-interactive, service principal, managed identity sign-ins. Audit logs: directory changes (user/group/app management). Provisioning logs. Risky users and risk detections. Requires: Entra ID P1/P2 for sign-in logs. At least Security Reader or Global Reader.
99
What information does a Sentinel incident contain?
Title, description, severity (High/Medium/Low/Informational), status (New/Active/Closed), owner, creation time, related alerts (with timeline), entities (users, IPs, hosts), evidence (bookmarks), comments, MITRE ATT&CK tactics, investigation graph link.
100
Explain each Azure Policy effect and when it's evaluated.
Deny: blocks non-compliant CREATE/UPDATE (evaluated at request time). Audit: logs non-compliance, allows the operation. AuditIfNotExists: audits if a related resource doesn't exist. DeployIfNotExists: deploys a related resource if missing (requires remediation task for existing). Modify: adds/updates/removes properties. Append: adds fields to request. Disabled: policy not enforced.
101
What is the Azure Policy effect evaluation order?
1) Disabled (skipped). 2) Append/Modify (request is modified). 3) Deny (request blocked if non-compliant). 4) Audit (logged after allowing). 5) AuditIfNotExists/DeployIfNotExists (evaluated after resource exists). Deny is checked before the resource is created.
102
A policy with Modify effect and a remediation task: what happens to new vs. existing resources?
New resources: Modify is applied automatically during creation (inline). Existing non-compliant resources: require a remediation task to be created manually. The task uses a managed identity to apply the modification to existing resources.
103
You assign a Deny policy for 'Storage accounts must use HTTPS' at the subscription level. An existing storage account has HTTP enabled. What happens?
The existing account is flagged as non-compliant but is NOT modified or blocked. Deny only prevents NEW non-compliant creations or updates. If someone tries to UPDATE the account to disable HTTPS, the update is denied. But the existing state persists until remediated.
104
A DeployIfNotExists policy requires Azure Monitor Agent on all VMs. You assign it. Do existing VMs immediately get the agent?
No. You must create a remediation task. The task evaluates all existing non-compliant VMs and deploys the agent using the policy's ARM template. New VMs created after assignment will trigger the deployment automatically.
105
What is the relationship between the MCSB initiative and Defender for Cloud?
MCSB (Microsoft Cloud Security Benchmark) is an Azure Policy initiative assigned by default to all subscriptions via Defender for Cloud. Each policy in the initiative maps to a Defender for Cloud recommendation. Compliance % in Defender for Cloud = policy compliance % for the initiative.
106
Describe exactly what JIT does to the NSG when access is requested.
1) JIT adds a Deny inbound rule for management ports (3389, 22, etc.) with a HIGH priority (before your allow rules). 2) When access is requested: JIT creates an Allow rule with a HIGHER priority than the deny rule, scoped to the requester's IP, for the requested duration. 3) When time expires: the Allow rule is removed, leaving the Deny rule active.
107
What ports can JIT protect?
Any port, not just RDP (3389) and SSH (22). You can configure JIT to protect custom ports. However, the most common use is for management ports. JIT policies define which ports to protect and the maximum allowed request time per port.
108
Can JIT work with Azure Firewall instead of NSGs?
Yes. If the VM has an Azure Firewall instead of (or in addition to) an NSG, JIT creates DNAT rules on the firewall to temporarily allow access. This works with Azure Firewall's centralized security model.
109
What are the Bastion connection methods by SKU?
Developer: browser-based RDP/SSH (limited). Basic: browser-based RDP/SSH. Standard: browser + native client (az network bastion rdp/ssh), file transfer, shareable links, IP-based connection, Kerberos auth. Premium: all Standard + session recording.
110
How does Bastion handle the network flow?
User connects to Bastion via HTTPS (port 443) from browser/native client. Bastion terminates TLS. Bastion initiates RDP/SSH to the target VM over the VM's private IP within the VNet. The VM needs NO public IP and NO inbound NSG rules for RDP/SSH from the internet.
111
You need to provide 50 developers with secure RDP access to VMs without public IPs. They work remotely. Best approach?
Deploy Azure Bastion Standard SKU in the hub VNet. Developers connect via browser (Azure portal) or native RDP client (az network bastion rdp). No public IPs on VMs, no VPN needed. Shareable links can give access to specific VMs without portal access.