Microsoft Implementing End-to-End Security Controls for Cloud and AI Workloads Sample Questions:
1. Hotspot Question
You have an Azure subscription.
You need to create and deploy an Azure policy that meets the following requirements:
- When a new virtual machine is deployed, automatically install a custom security extension.
- Trigger an autogenerated remediation task for non-compliant virtual machines to install the extension.
What should you include in the policy? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
2. Case Study 2 - Fabrikam, Inc.
Overview
Fabrikam, Inc. is a consulting company. The company has a main office in New York City and branch offices in Amsterdam and Singapore.
Existing Environment. Network environment
The on-premises network contains a datacenter in each office.
Existing Environment. Cloud environment
Fabrikam has two Azure subscriptions named Sub1 and Sub2 and a Microsoft 365 subscription that includes Microsoft 365 E5 licenses.
All the subscriptions are linked to a Microsoft Entra tenant named fabrikam.com that contains the identities shown in the following table.
The tenant contains the groups shown in the following table.
All devices are enrolled in Microsoft Intune.
Existing Environment. Sub1 Resources
Sub1 contains a resource group named RG1 that contains the resources shown in the following table.
SQLServer1 uses Microsoft SQL Server authentication.
Sub1 has an Azure Web Application Firewall (WAF) named WAF1 that has the following types of rule sets:
- Bot Manager 1.1
- Azure-managed Default Rule Set (DRS)
Sub1 has the following compliance standards assigned in Microsoft Defender for Cloud:
- NIST SP 800-53 Rev. 4
- Microsoft cloud security benchmark (MCSB)
- System and Organization Controls (SOC) 2 Type 2
Existing Environment. Sub2 Resources
Sub2 contains a resource group named RG2.
Planned Changes and Requirements. Planned Changes
Fabrikam plans to implement the following changes:
- Deploy the following key vaults to RG1:
* AKV2 in the West Europe Azure region
* AKV3 in the Central US Azure region
* AKV4 in the East US Azure region
- Deploy the following key vaults to RG2:
* AKV5 in the East US region
- Configure VM1 to read data from storage1.
- Create function apps that have the following hosting plans:
* Fa1: Flex Consumption hosting plan
* Fa2: Consumption hosting plan
* Fa3: Dedicated hosting plan
- For WAF1, implement rate limiting rules based on the request location.
- Enable the NIST SP 800-53 Rev. 5 compliance standard in Defender for Cloud.
- Create a new storage account named storage2 that supports Azure Table storage.
- Enforce multifactor authentication (MFA) when database administrators access SQLdb1.
- Implement ExpressRoute circuits to the on-premises network as shown in the following table.
- For RG1, create a new Privileged Identity Management (PIM) eligible role assignment that assigns the Contributor role to supported groups.
Planned Changes and Requirements. Technical Requirements
Fabrikam has the following technical requirements:
- If VM1 is deleted, the permissions for VM1 must be removed automatically.
- The AKS1 managed identity must only be able to pull images from Registry1.
- The ID1 managed identity must be able to push images to and pull images from Registry1.
- All the data in the storage accounts must be encrypted by using Fabrikam-managed keys.
- All outbound traffic from the function apps to the on-premises network must use ExpressRoute circuits.
- ExpressRoute connectivity between the on-premises network and the Azure environment must be encrypted by using Layer 2 or Layer 3 encryption.
You need to implement the function apps to meet the technical requirements. Which apps should you include in the implementation?
A) Fa1, Fa2, and Fa3
B) Fa1 and Fa2 only
C) Fa2 and Fa3 only
D) Fa1 and Fa3 only
3. Hotspot Question
You have an Azure subscription that contains the following resources:
- An Azure SQL Database logical server named Server1 that contains a database named DB1
- An Azure SQL Managed Instance named Instance1 that contains a database named DB2
You need to configure database auditing. The solution must meet the following requirements:
- Ensure that audit data is centrally available in a location that supports KQL queries.
- Minimize ongoing administrative effort as additional databases are added.
What should you configure? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
4. You have an Azure subscription named Sub1 that contains multiple virtual machines. Sub1 has the Microsoft Defender Cloud Security Posture Management (CSPM) plan enabled.
You discover that Defender for Cloud fails to identify plaintext connection strings and SSH keys stored on the virtual machines.
You need to ensure that secrets can be identified on the virtual machines.
What should you do?
A) Configure the Defender for Cloud data connector in Microsoft Sentinel.
B) Enable Microsoft Defender for Key Vault.
C) Deploy the Azure Monitor Agent to all the virtual machines.
D) Enable agentless machine scanning.
5. You have a Microsoft Entra tenant that has user consent for applications disabled.
You register an application named App1 that requests the following Microsoft Graph delegated permissions:
- User.Read
- Mail.Read
You need to configure tenant permissions to meet the following requirements:
- Enable users to grant consent for low-risk permissions without administrator interaction.
- Ensure that applications requesting higher-privilege permissions require administrator approval.
What should you do?
A) Grant tenant-wide admin consent to App1.
B) Configure application assignments for App1.
C) Configure Privileged Identity Management (PIM) role assignments.
D) Create an app consent policy.
Solutions:
| Question # 1 Answer: Only visible for members | Question # 2 Answer: D | Question # 3 Answer: Only visible for members | Question # 4 Answer: D | Question # 5 Answer: D |














