Hugging Face's logo

Spaces:
eaglelandsonce
/
SC100_Game
Running

App Files Community
SC100_Game / index.html
eaglelandsonce's picture
eaglelandsonce
Create index.html
1c11502 verified
raw
history blame contribute delete
277 kB
<!DOCTYPE html>
<html lang="en">
<head>
 <meta charset="UTF-8" />
 <meta name="viewport" content="width=device-width, initial-scale=1.0" />
 <title>SC-100 Security Quest RPG</title>
 <style>
 :root {
 --bg: #0b1020;
 --panel: #121a31;
 --panel-2: #182447;
 --text: #e8eefc;
 --muted: #a8b6dd;
 --accent: #6ee7ff;
 --accent-2: #8b5cf6;
 --good: #34d399;
 --bad: #fb7185;
 --warn: #fbbf24;
 --border: rgba(255,255,255,0.1);
 --shadow: 0 16px 40px rgba(0,0,0,0.35);
 }
 * { box-sizing: border-box; }
 html, body {
 height: 100%;
 overflow: hidden;
 }
 body {
 margin: 0;
 font-family: Inter, Segoe UI, Arial, sans-serif;
 background:
 radial-gradient(circle at top, rgba(110,231,255,0.12), transparent 30%),
 radial-gradient(circle at right, rgba(139,92,246,0.10), transparent 28%),
 linear-gradient(180deg, #08101f 0%, #0b1020 100%);
 color: var(--text);
 min-height: 100vh;
 }
 .container {
 width: min(1400px, 100%);
 margin: 0 auto;
 padding: 14px;
 height: 100vh;
 overflow: hidden;
 display: flex;
 flex-direction: column;
 }
 .screen { display: none; flex: 1; min-height: 0; }
 .screen.active { display: flex; flex-direction: column; min-height: 0; }
 .hero {
 background: linear-gradient(135deg, rgba(110,231,255,0.12), rgba(139,92,246,0.12));
 border: 1px solid var(--border);
 border-radius: 24px;
 padding: 24px;
 box-shadow: var(--shadow);
 height: 100%;
 overflow: auto;
 }
 h1, h2, h3 { margin-top: 0; }
 h1 {
 font-size: clamp(2rem, 4vw, 3.25rem);
 margin-bottom: 8px;
 }
 .subtitle, .muted { color: var(--muted); }
 .grid {
 display: grid;
 gap: 18px;
 }
 .class-grid {
 grid-template-columns: repeat(auto-fit, minmax(220px, 1fr));
 margin-top: 22px;
 }
 .card {
 background: rgba(255,255,255,0.03);
 border: 1px solid var(--border);
 border-radius: 20px;
 padding: 18px;
 box-shadow: var(--shadow);
 }
 .class-card {
 cursor: pointer;
 transition: transform .18s ease, border-color .18s ease, background .18s ease;
 }
 .class-card:hover { transform: translateY(-2px); border-color: rgba(110,231,255,0.35); }
 .class-card.selected {
 border-color: var(--accent);
 background: linear-gradient(135deg, rgba(110,231,255,0.12), rgba(139,92,246,0.12));
 }
 .pill {
 display: inline-flex;
 align-items: center;
 gap: 8px;
 padding: 8px 12px;
 border: 1px solid var(--border);
 border-radius: 999px;
 color: var(--muted);
 font-size: 0.9rem;
 background: rgba(255,255,255,0.03);
 margin-right: 8px;
 margin-bottom: 8px;
 }
 button {
 border: none;
 border-radius: 14px;
 padding: 12px 16px;
 font-size: 0.98rem;
 font-weight: 700;
 color: #06111f;
 background: linear-gradient(135deg, var(--accent), #9af0ff);
 cursor: pointer;
 transition: transform .15s ease, opacity .15s ease;
 }
 button:hover { transform: translateY(-1px); }
 button:disabled { opacity: .45; cursor: not-allowed; transform: none; }
 .secondary {
 background: rgba(255,255,255,0.06);
 color: var(--text);
 border: 1px solid var(--border);
 }
 .danger { background: linear-gradient(135deg, #fb7185, #f43f5e); color: white; }
 .good { background: linear-gradient(135deg, #34d399, #10b981); color: #08110f; }
 .hud {
 display: grid;
 grid-template-columns: 1.3fr .8fr .8fr .8fr .8fr;
 gap: 10px;
 margin-bottom: 12px;
 flex-shrink: 0;
 }
 .hud .card { padding: 12px 14px; }
 .bar-wrap {
 width: 100%;
 height: 12px;
 border-radius: 999px;
 background: rgba(255,255,255,0.08);
 overflow: hidden;
 border: 1px solid rgba(255,255,255,0.06);
 }
 .bar {
 height: 100%;
 width: 0%;
 background: linear-gradient(90deg, var(--good), #7ef7c4);
 transition: width .25s ease;
 }
 .enemy-bar { background: linear-gradient(90deg, var(--bad), #fda4af); }
 .layout {
 display: grid;
 grid-template-columns: 320px minmax(0, 1fr);
 gap: 12px;
 flex: 1;
 min-height: 0;
 align-items: stretch;
 }
 .enemy {
 position: static;
 display: flex;
 flex-direction: column;
 min-height: 0;
 overflow: hidden;
 }
 .enemy-avatar {
 font-size: 4rem;
 text-align: center;
 margin: 10px 0 4px;
 }
 .encounter-tag {
 display: inline-block;
 padding: 6px 10px;
 border-radius: 999px;
 background: rgba(251,191,36,0.12);
 color: #fcd34d;
 border: 1px solid rgba(251,191,36,0.25);
 font-size: .85rem;
 font-weight: 700;
 }
 .question-text {
 white-space: pre-wrap;
 line-height: 1.5;
 color: var(--text);
 margin-bottom: 16px;
 font-size: 1rem;
 }
 .option {
 display: flex;
 align-items: flex-start;
 gap: 12px;
 padding: 14px;
 border: 1px solid var(--border);
 border-radius: 16px;
 background: rgba(255,255,255,0.03);
 margin-bottom: 12px;
 transition: border-color .18s ease, transform .18s ease, background .18s ease;
 }
 .option:hover { border-color: rgba(110,231,255,0.3); transform: translateY(-1px); }
 .option.correct { border-color: rgba(52,211,153,0.7); background: rgba(52,211,153,0.12); }
 .option.wrong { border-color: rgba(251,113,133,0.7); background: rgba(251,113,133,0.12); }
 .option input { margin-top: 4px; transform: scale(1.15); }
 .letter {
 min-width: 28px;
 height: 28px;
 border-radius: 999px;
 display: grid;
 place-items: center;
 background: rgba(255,255,255,0.08);
 font-weight: 800;
 color: var(--accent);
 font-size: .9rem;
 }
 .actions, .utility {
 display: flex;
 flex-wrap: wrap;
 gap: 10px;
 margin-top: 14px;
 }
 .utility { margin-top: 18px; }
 .feedback {
 margin-top: 16px;
 padding: 14px;
 border-radius: 16px;
 display: none;
 white-space: pre-wrap;
 line-height: 1.5;
 }
 .feedback.show { display: block; }
 .feedback.good { background: rgba(52,211,153,0.12); color: #ccfbf1; border: 1px solid rgba(52,211,153,0.35); }
 .feedback.bad { background: rgba(251,113,133,0.12); color: #ffe4e6; border: 1px solid rgba(251,113,133,0.35); }
 .log {
 flex: 1;
 min-height: 0;
 max-height: none;
 overflow: auto;
 padding-right: 6px;
 font-size: .95rem;
 line-height: 1.45;
 }
 .log-entry {
 padding: 10px 0;
 border-bottom: 1px solid rgba(255,255,255,0.06);
 color: var(--muted);
 }
 .summary-grid {
 display: grid;
 grid-template-columns: repeat(auto-fit, minmax(160px, 1fr));
 gap: 14px;
 margin: 20px 0;
 }
 .big {
 font-size: 1.8rem;
 font-weight: 800;
 color: var(--accent);
 }
 .tiny { font-size: 0.82rem; color: var(--muted); }
 .footer-note {
 margin-top: 18px;
 color: var(--muted);
 font-size: 0.9rem;
 }
 #gameScreen {
 overflow: hidden;
 }
 #gameScreen > .layout,
 #gameScreen > .hud {
 width: 100%;
 }
 #gameScreen main.card {
 display: flex;
 flex-direction: column;
 min-height: 0;
 overflow: hidden;
 padding: 16px;
 }
 #questionTitle {
 margin-bottom: 10px;
 font-size: clamp(1.25rem, 2vw, 1.7rem);
 }
 #questionText {
 flex-shrink: 0;
 max-height: 18vh;
 overflow: auto;
 padding-right: 4px;
 margin-bottom: 12px;
 }
 #optionsForm {
 flex: 1;
 min-height: 0;
 overflow: auto;
 padding-right: 4px;
 }
 #feedback {
 flex-shrink: 0;
 }
 .audio-panel {
 position: fixed;
 top: 10px;
 right: 10px;
 z-index: 20;
 display: flex;
 gap: 8px;
 flex-wrap: wrap;
 justify-content: flex-end;
 }
 .audio-panel button {
 padding: 10px 12px;
 font-size: 0.88rem;
 border-radius: 999px;
 background: rgba(8,17,31,0.85);
 color: var(--text);
 border: 1px solid var(--border);
 backdrop-filter: blur(8px);
 }
 .audio-panel button.off {
 opacity: 0.65;
 border-color: rgba(251,113,133,0.35);
 }
 @media (max-width: 960px) {
 .hud { grid-template-columns: repeat(2, 1fr); }
 .layout { grid-template-columns: 1fr; }
 .enemy { max-height: 30vh; }
 #questionText { max-height: 14vh; }
 }
 @media (max-width: 640px) {
 .container { padding: 10px; }
 .hero { padding: 18px; }
 .hud { grid-template-columns: 1fr; }
 .actions button, .utility button { width: 100%; }
 .audio-panel { top: 6px; right: 6px; }
 .audio-panel button { padding: 8px 10px; font-size: 0.8rem; }
 #questionText { max-height: 12vh; }
 }
 </style>
</head>
<body>
<div class="audio-panel">
 <button id="musicToggle" type="button">🎵 Music: On</button>
 <button id="sfxToggle" type="button">🔊 SFX: On</button>
 </div>
 <div class="container">
 <section id="startScreen" class="screen active">
 <div class="hero">
 <h1>SC-100 Security Quest RPG</h1>
 <p class="subtitle">Battle through Microsoft security domains by answering the exam questions correctly. Every right answer strikes the enemy. Every mistake costs health.</p>
 <div>
 <span class="pill">🧠 209 playable multiple-choice encounters</span>
 <span class="pill">⚔️ Single-answer and multi-answer battles</span>
 <span class="pill">📚 Built from your uploaded SC-100 question document</span>
 </div>
 <div class="class-grid grid">
 <div class="card class-card" data-class="architect">
 <h3>🛡️ Cloud Architect</h3>
 <p class="muted">Starts tougher than the others.</p>
 <p><strong>Bonus:</strong> +20 max HP</p>
 </div>
 <div class="card class-card" data-class="sentinel">
 <h3>🔮 Sentinel Mage</h3>
 <p class="muted">Turns knowledge into faster growth.</p>
 <p><strong>Bonus:</strong> +25% XP gain</p>
 </div>
 <div class="card class-card" data-class="ranger">
 <h3>🏹 Zero Trust Ranger</h3>
 <p class="muted">Sees through bad choices faster.</p>
 <p><strong>Bonus:</strong> +1 extra 50/50 Scan</p>
 </div>
 </div>
 <div class="actions">
 <button id="startBtn" disabled>Start Adventure</button>
 </div>
 <p class="footer-note">Hotspot and drag-drop items were not included as encounters because the uploaded file text does not contain complete answer choices for those question types.</p>
 </div>
 </section>
<section id="gameScreen" class="screen">
 <div class="hud">
 <div class="card">
 <div class="tiny">Hero</div>
 <div id="heroClassName"><strong>Cloud Architect</strong></div>
 <div class="tiny" id="heroLevelLine">Level 1</div>
 <div class="bar-wrap" style="margin-top:10px;"><div id="playerHpBar" class="bar"></div></div>
 <div class="tiny" id="playerHpText" style="margin-top:8px;">HP 100 / 100</div>
 </div>
 <div class="card"><div class="tiny">Score</div><div id="scoreValue" class="big">0</div></div>
 <div class="card"><div class="tiny">Gold</div><div id="goldValue" class="big">0</div></div>
 <div class="card"><div class="tiny">Potions</div><div id="potionsValue" class="big">2</div></div>
 <div class="card"><div class="tiny">Progress</div><div id="progressValue" class="big">1/209</div></div>
 </div>
<div class="layout">
 <aside class="enemy card">
 <div class="encounter-tag" id="encounterTag">Encounter</div>
 <div class="enemy-avatar" id="enemyAvatar">👾</div>
 <h2 id="enemyName">Misconfiguration Goblin</h2>
 <div class="muted" id="enemyFlavor">A roaming threat blocks the path.</div>
 <div class="bar-wrap" style="margin-top:12px;"><div id="enemyHpBar" class="bar enemy-bar"></div></div>
 <div class="tiny" id="enemyHpText" style="margin-top:8px;">Threat 30 / 30</div>
<div class="utility">
 <button id="potionBtn" class="secondary">Use Potion (+25 HP)</button>
 <button id="scanBtn" class="secondary">50/50 Scan</button>
 </div>
<h3 style="margin-top:22px;">Battle Log</h3>
 <div id="log" class="log"></div>
 </aside>
<main class="card">
 <div class="tiny" id="questionMeta">Question</div>
 <h2 id="questionTitle">Loading question...</h2>
 <div id="questionText" class="question-text"></div>
 <div id="instruction" class="pill">Select one answer.</div>
 <form id="optionsForm"></form>
 <div class="actions">
 <button id="submitBtn" type="button">Attack</button>
 <button id="nextBtn" type="button" class="good" style="display:none;">Next Encounter</button>
 </div>
 <div id="feedback" class="feedback"></div>
 </main>
 </div>
 </section>
<section id="endScreen" class="screen">
 <div class="hero">
 <h1 id="endTitle">Adventure Complete</h1>
 <p id="endSubtitle" class="subtitle">You cleared the question dungeon.</p>
 <div class="summary-grid">
 <div class="card"><div class="tiny">Final Score</div><div id="finalScore" class="big">0</div></div>
 <div class="card"><div class="tiny">Accuracy</div><div id="finalAccuracy" class="big">0%</div></div>
 <div class="card"><div class="tiny">Questions Cleared</div><div id="finalCleared" class="big">0</div></div>
 <div class="card"><div class="tiny">Hero Level</div><div id="finalLevel" class="big">1</div></div>
 </div>
 <div class="actions">
 <button id="restartBtn">Play Again</button>
 </div>
 </div>
 </section>
 </div>
<script>
const QUESTION_BANK = [{"order": 1, "questionNumber": 1, "topic": "Topic 1", "title": "1. Question #1 - Topic 1", "text": "Your company has a Microsoft 365 ES subscription.\nThe Chief Compliance Officer plans to enhance privacy management in the working environment.\nYou need to recommend a solution to enhance the privacy management. The solution must meet the following requirements:\n✑ Identify unused personal data and empower users to make smart data handling decisions.\n✑ Provide users with notifications and guidance when a user sends personal data in Microsoft Teams.\n✑ Provide users with recommendations to mitigate privacy risks.\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "communication compliance in insider risk management"}, {"letter": "B", "text": "Microsoft Viva Insights"}, {"letter": "C", "text": "Privacy Risk Management in Microsoft Priva"}, {"letter": "D", "text": "Advanced eDiscovery"}], "answer": ["C"], "multi": false}, {"order": 2, "questionNumber": 2, "topic": "Topic 1", "title": "2. Question #2 - Topic 1", "text": "You have an Azure subscription that has Microsoft Defender for Cloud enabled.\nSuspicious authentication activity alerts have been appearing in the Workload protections dashboard.\nYou need to recommend a solution to evaluate and remediate the alerts by using workflow automation. The solution must minimize development effort.\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "Azure Monitor webhooks"}, {"letter": "B", "text": "Azure Event Hubs"}, {"letter": "C", "text": "Azure Functions apps"}, {"letter": "D", "text": "Azure Logics Apps"}], "answer": ["D"], "multi": false}, {"order": 3, "questionNumber": 3, "topic": "Topic 1", "title": "3. Question #3 - Topic 1", "text": "Your company is moving a big data solution to Azure.\nThe company plans to use the following storage workloads:\n✑ Azure Storage blob containers\n✑ Azure Data Lake Storage Gen2\n\nAzure Storage file shares -\n\n✑ Azure Disk Storage\nWhich two storage workloads support authentication by using Azure Active Directory (Azure AD)? Each correct answer presents a complete solution.\nNOTE: Each correct selection is worth one point.", "options": [{"letter": "A", "text": "Azure Storage file shares"}, {"letter": "B", "text": "Azure Disk Storage"}, {"letter": "C", "text": "Azure Storage blob containers"}, {"letter": "D", "text": "Azure Data Lake Storage Gen2"}], "answer": ["C", "D"], "multi": true}, {"order": 5, "questionNumber": 5, "topic": "Topic 1", "title": "5. Question #5 - Topic 1", "text": "You have a Microsoft 365 E5 subscription and an Azure subscription.\nYou are designing a Microsoft deployment.\nYou need to recommend a solution for the security operations team. The solution must include custom views and a dashboard for analyzing security events.\nWhat should you recommend using in Microsoft Sentinel?", "options": [{"letter": "A", "text": "notebooks"}, {"letter": "B", "text": "playbooks"}, {"letter": "C", "text": "workbooks"}, {"letter": "D", "text": "threat intelligence"}], "answer": ["C"], "multi": false}, {"order": 6, "questionNumber": 6, "topic": "Topic 1", "title": "6. Question #6 - Topic 1", "text": "Your company has a Microsoft 365 subscription and uses Microsoft Defender for Identity.\nYou are informed about incidents that relate to compromised identities.\nYou need to recommend a solution to expose several accounts for attackers to exploit. When the attackers attempt to exploit the accounts, an alert must be triggered.\nWhich Defender for Identity feature should you include in the recommendation?", "options": [{"letter": "A", "text": "sensitivity labels"}, {"letter": "B", "text": "custom user tags"}, {"letter": "C", "text": "standalone sensors"}, {"letter": "D", "text": "honeytoken entity tags"}], "answer": ["D"], "multi": false}, {"order": 7, "questionNumber": 7, "topic": "Topic 1", "title": "7. Question #7 - Topic 1", "text": "Your company is moving all on-premises workloads to Azure and Microsoft 365.\nYou need to design a security orchestration, automation, and response (SOAR) strategy in Microsoft Sentinel that meets the following requirements:\n✑ Minimizes manual intervention by security operation analysts\n✑ Supports triaging alerts within Microsoft Teams channels\nWhat should you include in the strategy?", "options": [{"letter": "A", "text": "KQL"}, {"letter": "B", "text": "playbooks"}, {"letter": "C", "text": "data connectors"}, {"letter": "D", "text": "workbooks"}], "answer": ["B"], "multi": false}, {"order": 8, "questionNumber": 8, "topic": "Topic 1", "title": "8. Question #8 - Topic 1", "text": "You have an Azure subscription that contains virtual machines, storage accounts, and Azure SQL databases.\nAll resources are backed up multiple times a day by using Azure Backup.\nYou are developing a strategy to protect against ransomware attacks.\nYou need to recommend which controls must be enabled to ensure that Azure Backup can be used to restore the resources in the event of a successful ransomware attack.\nWhich two controls should you include in the recommendation? Each correct answer presents a complete solution.\nNOTE: Each correct selection is worth one point.", "options": [{"letter": "A", "text": "Enable soft delete for backups."}, {"letter": "B", "text": "Require PINs for critical operations."}, {"letter": "C", "text": "Encrypt backups by using customer-managed keys (CMKs)."}, {"letter": "D", "text": "Perform offline backups to Azure Data Box."}, {"letter": "E", "text": "Use Azure Monitor notifications when backup configurations change."}], "answer": ["A", "B"], "multi": true}, {"order": 11, "questionNumber": 11, "topic": "Topic 1", "title": "11. Question #11 - Topic 1", "text": "Your company has a third-party security information and event management (SIEM) solution that uses Splunk and Microsoft Sentinel.\nYou plan to integrate Microsoft Sentinel with Splunk.\nYou need to recommend a solution to send security events from Microsoft Sentinel to Splunk.\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "a Microsoft Sentinel data connector"}, {"letter": "B", "text": "Azure Event Hubs"}, {"letter": "C", "text": "a Microsoft Sentinel workbook"}, {"letter": "D", "text": "Azure Data Factory"}], "answer": ["B"], "multi": false}, {"order": 12, "questionNumber": 12, "topic": "Topic 1", "title": "12. Question #12 - Topic 1", "text": "A customer follows the Zero Trust model and explicitly verifies each attempt to access its corporate applications.\nThe customer discovers that several endpoints are infected with malware.\nThe customer suspends access attempts from the infected endpoints.\nThe malware is removed from the endpoints.\nWhich two conditions must be met before endpoint users can access the corporate applications again? Each correct answer presents part of the solution.\nNOTE: Each correct selection is worth one point.", "options": [{"letter": "A", "text": "The client access tokens are refreshed."}, {"letter": "B", "text": "Microsoft Intune reports the endpoints as compliant."}, {"letter": "C", "text": "A new Azure Active Directory (Azure AD) Conditional Access policy is enforced."}, {"letter": "D", "text": "Microsoft Defender for Endpoint reports the endpoints as compliant."}], "answer": ["A", "B"], "multi": true}, {"order": 14, "questionNumber": 14, "topic": "Topic 1", "title": "14. Question #14 - Topic 1", "text": "You have a customer that has a Microsoft 365 subscription and uses the Free edition of Azure Active Directory (Azure AD).\nThe customer plans to obtain an Azure subscription and provision several Azure resources.\nYou need to evaluate the customer's security environment.\nWhat will necessitate an upgrade from the Azure AD Free edition to the Premium edition?", "options": [{"letter": "A", "text": "Azure AD Privileged Identity Management (PIM)"}, {"letter": "B", "text": "role-based authorization"}, {"letter": "C", "text": "resource-based authorization"}, {"letter": "D", "text": "Azure AD Multi-Factor Authentication"}], "answer": ["A"], "multi": false}, {"order": 15, "questionNumber": 15, "topic": "Topic 1", "title": "15. Question #15 - Topic 1", "text": "You are designing the security standards for a new Azure environment.\nYou need to design a privileged identity strategy based on the Zero Trust model.\nWhich framework should you follow to create the design?", "options": [{"letter": "A", "text": "Microsoft Security Development Lifecycle (SDL)"}, {"letter": "B", "text": "Enhanced Security Admin Environment (ESAE)"}, {"letter": "C", "text": "Rapid Modernization Plan (RaMP)"}, {"letter": "D", "text": "Microsoft Operational Security Assurance (OSA)"}], "answer": ["C"], "multi": false}, {"order": 16, "questionNumber": 16, "topic": "Topic 1", "title": "16. Question #16 - Topic 1", "text": "A customer has a hybrid cloud infrastructure that contains a Microsoft 365 E5 subscription and an Azure subscription.\nAll on-premises servers in the perimeter network are prevented from connecting directly to the internet.\nThe customer recently recovered from a ransomware attack.\nThe customer plans to deploy Microsoft Sentinel.\nYou need to recommend solutions to meet the following requirements:\n✑ Ensure that the security operations team can access the security logs and the operation logs.\n✑ Ensure that the IT operations team can access only the operations logs, including the event logs of the servers in the perimeter network.\nWhich two solutions should you include in the recommendation? Each correct answer presents a complete solution.\nNOTE: Each correct selection is worth one point.", "options": [{"letter": "A", "text": "a custom collector that uses the Log Analytics agent"}, {"letter": "B", "text": "the Azure Monitor agent"}, {"letter": "C", "text": "resource-based role-based access control (RBAC)"}, {"letter": "D", "text": "Azure Active Directory (Azure AD) Conditional Access policies"}], "answer": ["B", "C"], "multi": true}, {"order": 17, "questionNumber": 17, "topic": "Topic 1", "title": "17. Question #17 - Topic 1", "text": "Your company is developing a serverless application in Azure that will have the architecture shown in the following exhibit.\n\nYou need to recommend a solution to isolate the compute components on an Azure virtual network.\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "Azure Active Directory (Azure AD) enterprise applications"}, {"letter": "B", "text": "an Azure App Service Environment (ASE)"}, {"letter": "C", "text": "Azure service endpoints"}, {"letter": "D", "text": "an Azure Active Directory (Azure AD) application proxy"}], "answer": ["B"], "multi": false}, {"order": 19, "questionNumber": 19, "topic": "Topic 1", "title": "19. Question #19 - Topic 1", "text": "Your company plans to apply the Zero Trust Rapid Modernization Plan (RaMP) to its IT environment.\n\nYou need to recommend the top three modernization areas to prioritize as part of the plan.\n\nWhich three areas should you recommend based on RaMP? Each correct answer presents part of the solution.\n\nNOTE: Each correct selection is worth one point.", "options": [{"letter": "A", "text": "data, compliance, and governance"}, {"letter": "B", "text": "infrastructure and development"}, {"letter": "C", "text": "user access and productivity"}, {"letter": "D", "text": "operational technology (OT) and IoT"}, {"letter": "E", "text": "modern security operations"}], "answer": ["A", "C", "E"], "multi": true}, {"order": 21, "questionNumber": 21, "topic": "Topic 1", "title": "21. Question #21 - Topic 1", "text": "For an Azure deployment, you are designing a security architecture based on the Microsoft Cloud Security Benchmark.\n\nYou need to recommend a best practice for implementing service accounts for Azure API management.\n\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "application registrations in Azure AD"}, {"letter": "B", "text": "managed identities in Azure"}, {"letter": "C", "text": "Azure service principals with usernames and passwords"}, {"letter": "D", "text": "device registrations in Azure AD"}, {"letter": "E", "text": "Azure service principals with certificate credentials"}], "answer": ["B"], "multi": false}, {"order": 22, "questionNumber": 22, "topic": "Topic 1", "title": "22. Question #22 - Topic 1", "text": "You have an Azure AD tenant that syncs with an Active Directory Domain Services (AD DS) domain. Client computers run Windows and are hybrid-joined to Azure AD.\n\nYou are designing a strategy to protect endpoints against ransomware. The strategy follows Microsoft Security Best Practices.\n\nYou plan to remove all the domain accounts from the Administrators groups on the Windows computers.\n\nYou need to recommend a solution that will provide users with administrative access to the Windows computers only when access is required. The solution must minimize the lateral movement of ransomware attacks if an administrator account on a computer is compromised.\n\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "Local Administrator Password Solution (LAPS)"}, {"letter": "B", "text": "Azure AD Identity Protection"}, {"letter": "C", "text": "Azure AD Privileged Identity Management (PIM)"}, {"letter": "D", "text": "Privileged Access Workstations (PAWs)"}], "answer": ["A"], "multi": false}, {"order": 24, "questionNumber": 24, "topic": "Topic 1", "title": "24. Question #24 - Topic 1", "text": "You have legacy operational technology (OT) devices and IoT devices.\n\nYou need to recommend best practices for applying Zero Trust principles to the OT and IoT devices based on the Microsoft Cybersecurity Reference Architectures (MCRA). The solution must minimize the risk of disrupting business operations.\n\nWhich two security methodologies should you include in the recommendation? Each correct answer presents part of the solution.\n\nNOTE: Each correct selection is worth one point.", "options": [{"letter": "A", "text": "active scanning"}, {"letter": "B", "text": "threat monitoring"}, {"letter": "C", "text": "software patching"}, {"letter": "D", "text": "passive traffic monitoring"}], "answer": ["B", "D"], "multi": true}, {"order": 25, "questionNumber": 25, "topic": "Topic 1", "title": "25. Question #25 - Topic 1", "text": "You have an on-premises network and a Microsoft 365 subscription.\n\nYou are designing a Zero Trust security strategy.\n\nWhich two security controls should you include as part of the Zero Trust solution? Each correct answer presents part of the solution.\n\nNOTE: Each correct answer is worth one point.", "options": [{"letter": "A", "text": "Always allow connections from the on-premises network."}, {"letter": "B", "text": "Disable passwordless sign-in for sensitive accounts."}, {"letter": "C", "text": "Block sign-in attempts from unknown locations."}, {"letter": "D", "text": "Block sign-in attempts from noncompliant devices."}], "answer": ["C", "D"], "multi": true}, {"order": 26, "questionNumber": 26, "topic": "Topic 1", "title": "26. Question #26 - Topic 1", "text": "You are designing a ransomware response plan that follows Microsoft Security Best Practices.\n\nYou need to recommend a solution to minimize the risk of a ransomware attack encrypting local user files.\n\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "Windows Defender Device Guard"}, {"letter": "B", "text": "Microsoft Defender for Endpoint"}, {"letter": "C", "text": "Azure Files"}, {"letter": "D", "text": "BitLocker Drive Encryption (BitLocker)"}, {"letter": "E", "text": "protected folders"}], "answer": ["E"], "multi": false}, {"order": 27, "questionNumber": 27, "topic": "Topic 1", "title": "27. Question #27 - Topic 1", "text": "You have an Azure AD tenant that syncs with an Active Directory Domain Services (AD DS) domain.\n\nYou are designing an Azure DevOps solution to deploy applications to an Azure subscription by using continuous integration and continuous deployment (CI/CD) pipelines.\n\nYou need to recommend which types of identities to use for the deployment credentials of the service connection. The solution must follow DevSecOps best practices from the Microsoft Cloud Adoption Framework for Azure.\n\nWhat should you recommend?", "options": [{"letter": "A", "text": "a managed identity in Azure"}, {"letter": "B", "text": "an Azure AD user account that has role assignments in Azure AD Privileged Identity Management (PIM)"}, {"letter": "C", "text": "a group managed service account (gMSA)"}, {"letter": "D", "text": "an Azure AD user account that has a password stored in Azure Key Vault"}], "answer": ["A"], "multi": false}, {"order": 28, "questionNumber": 28, "topic": "Topic 1", "title": "28. Question #28 - Topic 1", "text": "You have an Azure Kubernetes Service (AKS) cluster that hosts Linux nodes.\n\nYou need to recommend a solution to ensure that deployed worker nodes have the latest kernel updates. The solution must minimize administrative effort.\n\nWhat should you recommend?", "options": [{"letter": "A", "text": "The nodes must restart after the updates are applied."}, {"letter": "B", "text": "The updates must first be applied to the image used to provision the nodes."}, {"letter": "C", "text": "The AKS cluster version must be upgraded."}], "answer": ["B"], "multi": false}, {"order": 29, "questionNumber": 29, "topic": "Topic 1", "title": "29. Question #29 - Topic 1", "text": "You have the following on-premises servers that run Windows Server:\n\n• Two domain controllers in an Active Directory Domain Services (AD DS) domain\n• Two application servers named Server1 and Server2 that run ASP.NET web apps\n• A VPN server named Served that authenticates by using RADIUS and AD DS\n\nEnd users use a VPN to access the web apps over the internet.\n\nYou need to redesign a user access solution to increase the security of the connections to the web apps. The solution must minimize the attack surface and follow the Zero Trust principles of the Microsoft Cybersecurity Reference Architectures (MCRA).\n\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "Publish the web apps by using Azure AD Application Proxy."}, {"letter": "B", "text": "Configure the VPN to use Azure AD authentication."}, {"letter": "C", "text": "Configure connectors and rules in Microsoft Defender for Cloud Apps."}, {"letter": "D", "text": "Configure web protection in Microsoft Defender for Endpoint."}], "answer": ["A"], "multi": false}, {"order": 31, "questionNumber": 31, "topic": "Topic 1", "title": "31. Question #31 - Topic 1", "text": "You are designing a security operations strategy based on the Zero Trust framework.\n\nYou need to minimize the operational load on Tier 1 Microsoft Security Operations Center (SOC) analysts.\n\nWhat should you do?", "options": [{"letter": "A", "text": "Enable built-in compliance policies in Azure Policy."}, {"letter": "B", "text": "Enable self-healing in Microsoft 365 Defender."}, {"letter": "C", "text": "Automate data classification."}, {"letter": "D", "text": "Create hunting queries in Microsoft 365 Defender."}], "answer": ["B"], "multi": false}, {"order": 34, "questionNumber": 34, "topic": "Topic 1", "title": "34. Question #34 - Topic 1", "text": "You have a Microsoft Entra tenant that contains 10 Windows 11 devices and two groups named Group1 and Group2. The Windows 11 devices are joined to the Microsoft Entra tenant and are managed by using Microsoft Intune.\n\nYou are designing a privileged access strategy based on the rapid modernization plan (RaMP). The strategy will include the following configurations:\n\n• Each user in Group1 will be assigned a Windows 11 device that will be configured as a privileged access device.\n• The Security Administrator role will be mapped to the privileged access security level.\n• The users in Group1 will be assigned the Security Administrator role.\n• The users in Group2 will manage the privileged access devices.\n\nYou need to configure the local Administrators group for each privileged access device. The solution must follow the principle of least privilege.\n\nWhat should you include in the solution?", "options": [{"letter": "A", "text": "Only add Group2 to the local Administrators group."}, {"letter": "B", "text": "Configure Windows Local Administrator Password Solution (Windows LAPS) in legacy Microsoft LAPS emulation mode."}, {"letter": "C", "text": "Add Group2 to the local Administrators group. Add the user that is assigned the Security Administrator role to the local Administrators group of the user's assigned privileged access device."}], "answer": ["A"], "multi": false}, {"order": 36, "questionNumber": 36, "topic": "Topic 1", "title": "36. Question #36 - Topic 1", "text": "You have an Azure subscription.\n\nYou plan to deploy enterprise-scale landing zones based on the Microsoft Cloud Adoption Framework for Azure. The deployment will include a single-platform landing zone for all shared services and three application landing zones that will each host a different Azure application.\n\nYou need to recommend which resource to deploy to each landing zone. The solution must meet the Cloud Adoption Framework best-practice recommendations for enterprise-scale landing zones.\n\nWhat should you recommend?", "options": [{"letter": "A", "text": "an Azure firewall"}, {"letter": "B", "text": "an Azure virtual network gateway"}, {"letter": "C", "text": "an Azure Private DNS zone"}, {"letter": "D", "text": "an Azure key vault"}], "answer": ["D"], "multi": false}, {"order": 39, "questionNumber": 39, "topic": "Topic 1", "title": "39. Question #39 - Topic 1", "text": "You have 10 Azure subscriptions that contain 100 role-based access control (RBAC) role assignments.\n\nYou plan to consolidate the role assignments.\n\nYou need to recommend a solution to identify which role assignments were NOT used during the last 90 days. The solution must minimize administrative effort.\n\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "Microsoft Defender for Cloud"}, {"letter": "B", "text": "Microsoft Entra access reviews"}, {"letter": "C", "text": "Microsoft Entra Privileged Identity Management (PIM)"}, {"letter": "D", "text": "Microsoft Entra Permissions Management"}], "answer": ["D"], "multi": false}, {"order": 40, "questionNumber": 40, "topic": "Topic 1", "title": "40. Question #40 - Topic 1", "text": "You have a Microsoft Entra tenant that syncs with an Active Directory Domain Services (AD DS) domain.\n\nYou have an on-premises datacenter that contains 100 servers. The servers run Windows Server and are backed up by using Microsoft Azure Backup Server (MABS).\n\nYou are designing a recovery solution for ransomware attacks. The solution follows Microsoft Security Best Practices.\n\nYou need to ensure that a compromised local administrator account cannot be used to stop scheduled backups.\n\nWhat should you do?\n\nPage5", "options": [{"letter": "A", "text": "From Azure Backup, configure multi-user authorization by using Resource Guard."}, {"letter": "B", "text": "From Microsoft Entra Privileged Identity Management (PIM), create a role assignment for the Backup Contributor role."}, {"letter": "C", "text": "From Microsoft Azure Backup Setup, register MABS with a Recovery Services vault."}, {"letter": "D", "text": "From a Recovery Services vault, generate a security PIN for critical operations."}], "answer": ["A"], "multi": false}, {"order": 52, "questionNumber": 52, "topic": "Topic 1", "title": "52. Question #52 - Topic 1", "text": "You are designing a ransomware mitigation strategy.\n\nYou perform a ransomware risk assessment and identify business-critical assets.\n\nYou need to recommend a solution to mitigate ransomware threats. The solution must follow Microsoft security best practices.\n\nWhich two actions should you include in the recommendation? Each correct answer presents a complete solution.\n\nNOTE: Each correct answer is worth one point.", "options": [{"letter": "A", "text": "Enable firewall logging for auditing, without restricting inbound or outbound traffic."}, {"letter": "B", "text": "Use extended patching cycles to reduce the risk of update-related service disruptions."}, {"letter": "C", "text": "Implement immutable, offline backups that have restricted access and test restore procedures regularly."}, {"letter": "D", "text": "Deploy Privileged Identity Management (PIM) that uses just-in-time (JIT) access and approval workflows."}], "answer": ["C", "D"], "multi": true}, {"order": 55, "questionNumber": 55, "topic": "Topic 1", "title": "55. Question #55 - Topic 1", "text": "You have a Microsoft 365 subscription that contains a group named Group1. The subscription contains 1,000 Windows devices that are joined to a Microsoft Entra tenant and managed by using Microsoft Intune. All users sign in to the devices by using standard user accounts.\n\nYou plan to deploy a new app named App1 to the members of Group1. The Group1 members must have administrative rights to install new versions of App1.\n\nYou need to ensure that the Group1 members can install new versions of App1. The solution must follow the principles of Zero Trust.\n\nWhat should you implement?", "options": [{"letter": "A", "text": "Microsoft Entra Privileged Identity Management (PIM)"}, {"letter": "B", "text": "Microsoft Intune Endpoint Privilege Management (EPM)"}, {"letter": "C", "text": "Microsoft Local Administrator Password Solution (Microsoft LAPS)"}, {"letter": "D", "text": "Microsoft Entra entitlement management"}], "answer": ["B"], "multi": false}, {"order": 56, "questionNumber": 1, "topic": "Topic 2", "title": "56. Question #1 - Topic 2", "text": "You are evaluating an Azure environment for compliance.\nYou need to design an Azure Policy implementation that can be used to evaluate compliance without changing any resources.\nWhich effect should you use in Azure Policy?", "options": [{"letter": "A", "text": "Deny"}, {"letter": "B", "text": "Modify"}, {"letter": "C", "text": "Append"}, {"letter": "D", "text": "Disabled"}], "answer": ["D"], "multi": false}, {"order": 57, "questionNumber": 2, "topic": "Topic 2", "title": "57. Question #2 - Topic 2", "text": "You have an Azure subscription that has Microsoft Defender for Cloud enabled.\nYou are evaluating the Azure Security Benchmark V3 report as shown in the following exhibit.\n\nYou need to verify whether Microsoft Defender for servers is installed on all the virtual machines that run Windows.\nWhich compliance control should you evaluate?", "options": [{"letter": "A", "text": "Asset Management"}, {"letter": "B", "text": "Posture and Vulnerability Management"}, {"letter": "C", "text": "Data Protection"}, {"letter": "D", "text": "Endpoint Security"}, {"letter": "E", "text": "Incident Response"}], "answer": ["D"], "multi": false}, {"order": 59, "questionNumber": 4, "topic": "Topic 2", "title": "59. Question #4 - Topic 2", "text": "Your company has an Azure subscription that has enhanced security enabled for Microsoft Defender for Cloud.\nThe company signs a contract with the United States government.\nYou need to review the current subscription for NIST 800-53 compliance.\nWhat should you do first?", "options": [{"letter": "A", "text": "From Azure Policy, assign a built-in initiative that has a scope of the subscription."}, {"letter": "B", "text": "From Microsoft Sentinel, configure the Microsoft Defender for Cloud data connector."}, {"letter": "C", "text": "From Defender for Cloud, review the Azure security baseline for audit report."}, {"letter": "D", "text": "From Microsoft Defender for Cloud Apps, create an access policy for cloud applications."}], "answer": ["A"], "multi": false}, {"order": 60, "questionNumber": 5, "topic": "Topic 2", "title": "60. Question #5 - Topic 2", "text": "You have an Azure subscription that has Microsoft Defender for Cloud enabled.\nYou have an Amazon Web Services (AWS) implementation.\nYou plan to extend the Azure security strategy to the AWS implementation. The solution will NOT use Azure Arc.\nWhich three services can you use to provide security for the AWS resources? Each correct answer presents a complete solution.\nNOTE: Each correct selection is worth one point.\n\nPage7", "options": [{"letter": "A", "text": "Microsoft Defender for Containers"}, {"letter": "B", "text": "Microsoft Defender for servers"}, {"letter": "C", "text": "Azure Active Directory (Azure AD) Conditional Access"}, {"letter": "D", "text": "Azure Active Directory (Azure AD) Privileged Identity Management (PIM)"}, {"letter": "E", "text": "Azure Policy"}], "answer": ["A", "C", "E"], "multi": true}, {"order": 61, "questionNumber": 6, "topic": "Topic 2", "title": "61. Question #6 - Topic 2", "text": "Your company has on-premises network in Seattle and an Azure subscription. The on-premises network contains a Remote Desktop server.\nThe company contracts a third-party development firm from France to develop and deploy resources to the virtual machines hosted in the Azure subscription.\nCurrently, the firm establishes an RDP connection to the Remote Desktop server. From the Remote Desktop connection, the firm can access the virtual machines hosted in Azure by using custom administrative tools installed on the Remote Desktop server. All the traffic to the Remote Desktop server is captured by a firewall, and the firewall only allows specific connections from France to the server.\nYou need to recommend a modern security solution based on the Zero Trust model. The solution must minimize latency for developers.\nWhich three actions should you recommend? Each correct answer presents part of the solution.\nNOTE: Each correct selection is worth one point.", "options": [{"letter": "A", "text": "Configure network security groups (NSGs) to allow access from only specific logical groupings of IP address ranges."}, {"letter": "B", "text": "Deploy a Remote Desktop server to an Azure region located in France."}, {"letter": "C", "text": "Migrate from the Remote Desktop server to Azure Virtual Desktop."}, {"letter": "D", "text": "Implement Azure Firewall to restrict host pool outbound access."}, {"letter": "E", "text": "Configure Azure Active Directory (Azure AD) Conditional Access with multi-factor authentication (MFA) and named locations."}], "answer": ["C", "D", "E"], "multi": true}, {"order": 63, "questionNumber": 8, "topic": "Topic 2", "title": "63. Question #8 - Topic 2", "text": "Your company has a hybrid cloud infrastructure.\nThe company plans to hire several temporary employees within a brief period. The temporary employees will need to access applications and data on the company's on-premises network.\nThe company's secutity policy prevents the use of personal devices for accessing company data and applications.\nYou need to recommend a solution to provide the temporary employee with access to company resources. The solution must be able to scale on demand.\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "Deploy Azure Virtual Desktop, Azure Active Directory (Azure AD) Conditional Access, and Microsoft Defender for Cloud Apps."}, {"letter": "B", "text": "Redesign the VPN infrastructure by adopting a split tunnel configuration."}, {"letter": "C", "text": "Deploy Microsoft Endpoint Manager and Azure Active Directory (Azure AD) Conditional Access."}, {"letter": "D", "text": "Migrate the on-premises applications to cloud-based applications."}], "answer": ["A"], "multi": false}, {"order": 64, "questionNumber": 9, "topic": "Topic 2", "title": "64. Question #9 - Topic 2", "text": "Your company is preparing for cloud adoption.\nYou are designing security for Azure landing zones.\nWhich two preventative controls can you implement to increase the secure score? Each correct answer presents a complete solution.\nNOTE: Each correct selection is worth one point.", "options": [{"letter": "A", "text": "Azure Web Application Firewall (WAF)"}, {"letter": "B", "text": "Azure Active Directory (Azure AD) Privileged Identity Management (PIM)"}, {"letter": "C", "text": "Microsoft Sentinel"}, {"letter": "D", "text": "Azure Firewall"}, {"letter": "E", "text": "Microsoft Defender for Cloud alerts"}], "answer": ["A", "D"], "multi": true}, {"order": 65, "questionNumber": 10, "topic": "Topic 2", "title": "65. Question #10 - Topic 2", "text": "You are designing security for an Azure landing zone.\nYour company identifies the following compliance and privacy requirements:\n✑ Encrypt cardholder data by using encryption keys managed by the company.\n✑ Encrypt insurance claim files by using encryption keys hosted on-premises.\nWhich two configurations meet the compliance and privacy requirements? Each correct answer presents part of the solution.\nNOTE: Each correct selection is worth one point.", "options": [{"letter": "A", "text": "Store the cardholder data in an Azure SQL database that is encrypted by using Microsoft-managed keys."}, {"letter": "B", "text": "Store the insurance claim data in Azure Blob storage encrypted by using customer-provided keys."}, {"letter": "C", "text": "Store the cardholder data in an Azure SQL database that is encrypted by using keys stored in Azure Key Vault Managed HSM."}, {"letter": "D", "text": "Store the insurance claim data in Azure Files encrypted by using Azure Key Vault Managed HSM."}], "answer": ["B", "C"], "multi": true}, {"order": 66, "questionNumber": 11, "topic": "Topic 2", "title": "66. Question #11 - Topic 2", "text": "You have an Azure subscription that has Microsoft Defender for Cloud enabled.\nYou need to enforce ISO 27001:2013 standards for the subscription. The solution must ensure that noncompliant resources are remediated automatically.\nWhat should you use?", "options": [{"letter": "A", "text": "Azure Policy"}, {"letter": "B", "text": "Azure Blueprints"}, {"letter": "C", "text": "the regulatory compliance dashboard in Defender for Cloud"}, {"letter": "D", "text": "Azure role-based access control (Azure RBAC)"}], "answer": ["A"], "multi": false}, {"order": 68, "questionNumber": 13, "topic": "Topic 2", "title": "68. Question #13 - Topic 2", "text": "Your company finalizes the adoption of Azure and is implementing Microsoft Defender for Cloud.\nYou receive the following recommendations in Defender for Cloud\n✑ Access to storage accounts with firewall and virtual network configurations should be restricted.\n✑ Storage accounts should restrict network access using virtual network rules.\n✑ Storage account should use a private link connection.\n✑ Storage account public access should be disallowed.\nYou need to recommend a service to mitigate identified risks that relate to the recommendations.\nWhat should you recommend?", "options": [{"letter": "A", "text": "Azure Policy"}, {"letter": "B", "text": "Azure Network Watcher"}, {"letter": "C", "text": "Azure Storage Analytics"}, {"letter": "D", "text": "Microsoft Sentinel"}], "answer": ["A"], "multi": false}, {"order": 69, "questionNumber": 14, "topic": "Topic 2", "title": "69. Question #14 - Topic 2", "text": "You receive a security alert in Microsoft Defender for Cloud as shown in the exhibit. (Click the Exhibit tab.)\n\nAfter remediating the threat, which policy definition should you assign to prevent the threat from reoccurring?", "options": [{"letter": "A", "text": "Storage account public access should be disallowed"}, {"letter": "B", "text": "Azure Key Vault Managed HSM should have purge protection enabled"}, {"letter": "C", "text": "Storage accounts should prevent shared key access"}, {"letter": "D", "text": "Storage account keys should not be expired"}], "answer": ["C"], "multi": false}, {"order": 70, "questionNumber": 15, "topic": "Topic 2", "title": "70. Question #15 - Topic 2", "text": "You have 50 Azure subscriptions.\nYou need to monitor the resource in the subscriptions for compliance with the ISO 27001:2013 standards. The solution must minimize the effort required to modify the list of monitored policy definitions for the subscriptions.\nWhat are two ways to achieve the goal? Each correct answer presents a complete solution.\nNOTE: Each correct selection is worth one point.\n\nAF (74%)\n\nPage8", "options": [{"letter": "A", "text": "Assign an initiative to a management group."}, {"letter": "B", "text": "Assign a policy to each subscription."}, {"letter": "C", "text": "Assign a policy to a management group."}, {"letter": "D", "text": "Assign an initiative to each subscription."}, {"letter": "E", "text": "Assign a blueprint to each subscription."}, {"letter": "F", "text": "Assign a blueprint to a management group."}], "answer": ["A"], "multi": false}, {"order": 72, "questionNumber": 17, "topic": "Topic 2", "title": "72. Question #17 - Topic 2", "text": "Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.\nAfter you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.\nYou have an Azure subscription that has Microsoft Defender for Cloud enabled.\nYou are evaluating the Azure Security Benchmark V3 report.\nIn the Secure management ports controls, you discover that you have 0 out of a potential 8 points.\nYou need to recommend configurations to increase the score of the Secure management ports controls.\nSolution: You recommend enabling the VMAccess extension on all virtual machines.\nDoes this meet the goal?", "options": [{"letter": "A", "text": "Yes"}, {"letter": "B", "text": "No"}], "answer": ["B"], "multi": false}, {"order": 73, "questionNumber": 18, "topic": "Topic 2", "title": "73. Question #18 - Topic 2", "text": "Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.\nAfter you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.\nYou have an Azure subscription that has Microsoft Defender for Cloud enabled.\nYou are evaluating the Azure Security Benchmark V3 report.\nIn the Secure management ports controls, you discover that you have 0 out of a potential 8 points.\nYou need to recommend configurations to increase the score of the Secure management ports controls.\nSolution: You recommend enabling adaptive network hardening.\nDoes this meet the goal?", "options": [{"letter": "A", "text": "Yes"}, {"letter": "B", "text": "No"}], "answer": ["B"], "multi": false}, {"order": 74, "questionNumber": 19, "topic": "Topic 2", "title": "74. Question #19 - Topic 2", "text": "Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.\nAfter you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.\nYou have an Azure subscription that has Microsoft Defender for Cloud enabled.\nYou are evaluating the Azure Security Benchmark V3 report.\nIn the Secure management ports controls, you discover that you have 0 out of a potential 8 points.\nYou need to recommend configurations to increase the score of the Secure management ports controls.\nSolution: You recommend enabling just-in-time (JIT) VM access on all virtual machines.\nDoes this meet the goal?", "options": [{"letter": "A", "text": "Yes"}, {"letter": "B", "text": "No"}], "answer": ["A"], "multi": false}, {"order": 75, "questionNumber": 20, "topic": "Topic 2", "title": "75. Question #20 - Topic 2", "text": "Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.\nAfter you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.\nYour on-premises network contains an e-commerce web app that was developed in Angular and Node,js. The web app uses a MongoDB database.\nYou plan to migrate the web app to Azure. The solution architecture team proposes the following architecture as an Azure landing zone.\n\nYou need to provide recommendations to secure the connection between the web app and the database. The solution must follow the Zero Trust model.\nSolution: You recommend creating private endpoints for the web app and the database layer.\nDoes this meet the goal?", "options": [{"letter": "A", "text": "Yes"}, {"letter": "B", "text": "No"}], "answer": ["A"], "multi": false}, {"order": 76, "questionNumber": 21, "topic": "Topic 2", "title": "76. Question #21 - Topic 2", "text": "Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.\nAfter you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.\nYour on-premises network contains an e-commerce web app that was developed in Angular and Node,js. The web app uses a MongoDB database.\nYou plan to migrate the web app to Azure. The solution architecture team proposes the following architecture as an Azure landing zone.\n\nYou need to provide recommendations to secure the connection between the web app and the database. The solution must follow the Zero Trust model.\nSolution: You recommend implementing Azure Key Vault to store credentials.\nDoes this meet the goal?", "options": [{"letter": "A", "text": "Yes"}, {"letter": "B", "text": "No"}], "answer": ["B"], "multi": false}, {"order": 77, "questionNumber": 22, "topic": "Topic 2", "title": "77. Question #22 - Topic 2", "text": "Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.\nAfter you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.\nYour on-premises network contains an e-commerce web app that was developed in Angular and Node,js. The web app uses a MongoDB database.\nYou plan to migrate the web app to Azure. The solution architecture team proposes the following architecture as an Azure landing zone.\n\nYou need to provide recommendations to secure the connection between the web app and the database. The solution must follow the Zero Trust model.\nSolution: You recommend implementing Azure Application Gateway with Azure Web Application Firewall (WAF).\nDoes this meet the goal?", "options": [{"letter": "A", "text": "Yes"}, {"letter": "B", "text": "No"}], "answer": ["B"], "multi": false}, {"order": 78, "questionNumber": 23, "topic": "Topic 2", "title": "78. Question #23 - Topic 2", "text": "You have a Microsoft 365 subscription and an Azure subscription. Microsoft 365 Defender and Microsoft Defender for Cloud are enabled.\nThe Azure subscription contains 50 virtual machines. Each virtual machine runs different applications on Windows Server 2019.\nYou need to recommend a solution to ensure that only authorized applications can run on the virtual machines. If an unauthorized application attempts to run or be installed, the application must be blocked automatically until an administrator authorizes the application.\nWhich security control should you recommend?", "options": [{"letter": "A", "text": "adaptive application controls in Defender for Cloud"}, {"letter": "B", "text": "app protection policies in Microsoft Endpoint Manager"}, {"letter": "C", "text": "app discovery anomaly detection policies in Microsoft Defender for Cloud Apps"}, {"letter": "D", "text": "Azure Security Benchmark compliance controls in Defender for Cloud"}], "answer": ["A"], "multi": false}, {"order": 79, "questionNumber": 24, "topic": "Topic 2", "title": "79. Question #24 - Topic 2", "text": "Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.\nAfter you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.\nYour on-premises network contains an e-commerce web app that was developed in Angular and Node,js. The web app uses a MongoDB database.\nYou plan to migrate the web app to Azure. The solution architecture team proposes the following architecture as an Azure landing zone.\n\nYou need to provide recommendations to secure the connection between the web app and the database. The solution must follow the Zero Trust model.\nSolution: You recommend implementing Azure Front Door with Azure Web Application Firewall (WAF).\nDoes this meet the goal?", "options": [{"letter": "A", "text": "Yes"}, {"letter": "B", "text": "No"}], "answer": ["B"], "multi": false}, {"order": 80, "questionNumber": 25, "topic": "Topic 2", "title": "80. Question #25 - Topic 2", "text": "You have a customer that has a Microsoft 365 subscription and an Azure subscription.\nThe customer has devices that run either Windows, iOS, Android, or macOS. The Windows devices are deployed on-premises and in Azure.\nYou need to design a security solution to assess whether all the devices meet the customer's compliance rules.\nWhat should you include in the solution?\n\nPage9", "options": [{"letter": "A", "text": "Microsoft Defender for Endpoint"}, {"letter": "B", "text": "Microsoft Endpoint Manager"}, {"letter": "C", "text": "Microsoft Information Protection"}, {"letter": "D", "text": "Microsoft Sentinel"}], "answer": ["B"], "multi": false}, {"order": 81, "questionNumber": 26, "topic": "Topic 2", "title": "81. Question #26 - Topic 2", "text": "Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.\nAfter you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.\nYou have an Azure subscription that has Microsoft Defender for Cloud enabled.\nYou are evaluating the Azure Security Benchmark V3 report.\nIn the Secure management ports controls, you discover that you have 0 out of a potential 8 points.\nYou need to recommend configurations to increase the score of the Secure management ports controls.\nSolution: You recommend onboarding all virtual machines to Microsoft Defender for Endpoint.\nDoes this meet the goal?", "options": [{"letter": "A", "text": "Yes"}, {"letter": "B", "text": "No"}], "answer": ["B"], "multi": false}, {"order": 82, "questionNumber": 27, "topic": "Topic 2", "title": "82. Question #27 - Topic 2", "text": "Your company has an Azure subscription that has enhanced security enabled for Microsoft Defender for Cloud.\nThe company signs a contract with the United States government.\nYou need to review the current subscription for NIST 800-53 compliance.\nWhat should you do first?", "options": [{"letter": "A", "text": "From Defender for Cloud, review the secure score recommendations."}, {"letter": "B", "text": "From Microsoft Sentinel, configure the Microsoft Defender for Cloud data connector."}, {"letter": "C", "text": "From Defender for Cloud, review the Azure security baseline for audit report."}, {"letter": "D", "text": "From Defender for Cloud, add a regulatory compliance standard."}], "answer": ["D"], "multi": false}, {"order": 83, "questionNumber": 28, "topic": "Topic 2", "title": "83. Question #28 - Topic 2", "text": "Your company has devices that run either Windows 10, Windows 11, or Windows Server.\nYou are in the process of improving the security posture of the devices.\nYou plan to use security baselines from the Microsoft Security Compliance Toolkit.\nWhat should you recommend using to compare the baselines to the current device configurations?", "options": [{"letter": "A", "text": "Microsoft Intune"}, {"letter": "B", "text": "Local Group Policy Object (LGPO)"}, {"letter": "C", "text": "Windows Autopilot"}, {"letter": "D", "text": "Policy Analyzer"}], "answer": ["D"], "multi": false}, {"order": 84, "questionNumber": 29, "topic": "Topic 2", "title": "84. Question #29 - Topic 2", "text": "You have an Azure subscription that is used as an Azure landing zone for an application.\n\nYou need to evaluate the security posture of all the workloads in the landing zone.\n\nWhat should you do first?", "options": [{"letter": "A", "text": "Configure Continuous Integration/Continuous Deployment (CI/CD) vulnerability scanning."}, {"letter": "B", "text": "Obtain Azure AD Premium Plan 2 licenses."}, {"letter": "C", "text": "Add Microsoft Sentinel data connectors."}, {"letter": "D", "text": "Enable the Defender plan for all resource types in Microsoft Defender for Cloud."}], "answer": ["D"], "multi": false}, {"order": 85, "questionNumber": 30, "topic": "Topic 2", "title": "85. Question #30 - Topic 2", "text": "Your company has an Azure subscription that has enhanced security enabled for Microsoft Defender for Cloud.\n\nThe company signs a contract with the United States government.\n\nYou need to review the current subscription for NIST 800-53 compliance.\n\nWhat should you do first?", "options": [{"letter": "A", "text": "From Azure Policy, assign a built-in initiative that has a scope of the subscription."}, {"letter": "B", "text": "From Azure Policy, assign a built-in policy definition that has a scope of the subscription."}, {"letter": "C", "text": "From Defender for Cloud, review the Azure security baseline for audit report."}, {"letter": "D", "text": "From Microsoft Defender for Cloud Apps, create an access policy for cloud applications."}], "answer": ["A"], "multi": false}, {"order": 86, "questionNumber": 31, "topic": "Topic 2", "title": "86. Question #31 - Topic 2", "text": "Your company has an Azure subscription that uses Microsoft Defender for Cloud.\n\nThe company signs a contract with the United States government.\n\nYou need to review the current subscription for NIST 800-53 compliance.\n\nWhat should you do first?", "options": [{"letter": "A", "text": "From Defender for Cloud, review the Azure security baseline for audit report."}, {"letter": "B", "text": "From Microsoft Defender for Cloud Apps, create an access policy for cloud applications."}, {"letter": "C", "text": "From Defender for Cloud, enable Defender for Cloud plans."}, {"letter": "D", "text": "From Azure Policy, assign a built-in initiative that has a scope of the subscription."}], "answer": ["D"], "multi": false}, {"order": 89, "questionNumber": 34, "topic": "Topic 2", "title": "89. Question #34 - Topic 2", "text": "You have a Microsoft 365 subscription that contains 1,000 Microsoft Exchange Online mailboxes.\n\nIncoming email from the internet is scanned for security threats by using a third-party cloud service.\n\nYou are evaluating whether to replace the third-party service with Microsoft Defender for Office 365.\n\nWhat should you modify to ensure that all the incoming email is scanned by Defender for Office 365 only?", "options": [{"letter": "A", "text": "the accepted domains in Exchange Online"}, {"letter": "B", "text": "the DNS records"}, {"letter": "C", "text": "the Exchange Online transport rule"}, {"letter": "D", "text": "the Exchange Online connectors"}], "answer": ["B"], "multi": false}, {"order": 90, "questionNumber": 35, "topic": "Topic 2", "title": "90. Question #35 - Topic 2", "text": "You have a Microsoft 365 tenant that contains two groups named Group1 and Group2.\n\nYou use Microsoft Defender XDR to manage the tenants of your company’s customers.\n\nYou need to ensure that the users in Group1 can perform security tasks in the tenant of each customer. The solution must meet the following requirements:\n\n• The Group1 users must only be assigned the Security Operator role for the customer tenants.\n• The users in Group2 must be able to assign the Security Operators role to the Group1 users for the customer tenants.\n• The use of quest accounts must be minimized.\n• Administrative effort must be minimized.\n\nWhat should you include in the solution?\n\nPage10", "options": [{"letter": "A", "text": "multi-user authorization (MUA)"}, {"letter": "B", "text": "Azure Lighthouse"}, {"letter": "C", "text": "Privileged Identity Management (PIM)"}, {"letter": "D", "text": "Microsoft Entra B2B collaboration"}], "answer": ["B"], "multi": false}, {"order": 91, "questionNumber": 36, "topic": "Topic 2", "title": "91. Question #36 - Topic 2", "text": "You have an Azure subscription.\n\nYour company has a governance requirement that resources must be created in the West Europe or North Europe Azure regions.\n\nWhat should you recommend using to enforce the governance requirement?", "options": [{"letter": "A", "text": "Azure management groups"}, {"letter": "B", "text": "custom Azure roles"}, {"letter": "C", "text": "Azure Policy assignments"}, {"letter": "D", "text": "regulatory compliance standards in Microsoft Defender for Cloud"}], "answer": ["C"], "multi": false}, {"order": 93, "questionNumber": 38, "topic": "Topic 2", "title": "93. Question #38 - Topic 2", "text": "You have an Azure subscription that has Microsoft Defender for Cloud enabled.\n\nYou need to enforce ISO 27001:2013 standards for new resources deployed to the subscription. The solution must ensure that noncompliant resources are automatically detected.\n\nWhat should you use?", "options": [{"letter": "A", "text": "Azure Blueprints"}, {"letter": "B", "text": "the regulatory compliance dashboard in Defender for Cloud"}, {"letter": "C", "text": "Azure Policy"}, {"letter": "D", "text": "Azure role-based access control (Azure RBAC)"}], "answer": ["C"], "multi": false}, {"order": 99, "questionNumber": 44, "topic": "Topic 2", "title": "99. Question #44 - Topic 2", "text": "You have a Microsoft 365 subscription and an Azure subscription. Microsoft 365 Defender and Microsoft Defender for Cloud are enabled.\n\nThe Azure subscription contains 50 virtual machines. Each virtual machine runs different applications on Windows Server 2019.\n\nYou need to recommend a solution to ensure that only authorized applications can run on the virtual machines. If an unauthorized application attempts to run or be installed, the application must be blocked automatically until an administrator authorizes the application.\n\nWhich security control should you recommend?", "options": [{"letter": "A", "text": "app discovery anomaly detection policies in Microsoft Defender for Cloud Apps"}, {"letter": "B", "text": "Azure Security Benchmark compliance controls in Defender for Cloud"}, {"letter": "C", "text": "app registrations in Azure AD"}, {"letter": "D", "text": "application control policies in Microsoft Defender for Endpoint"}], "answer": ["D"], "multi": false}, {"order": 100, "questionNumber": 45, "topic": "Topic 2", "title": "100. Question #45 - Topic 2", "text": "You have a Microsoft Entra tenant. The tenant contains 500 Windows devices that have the Global Secure Access client deployed.\n\nYou have a third-party software as a service (SaaS) app named App1.\n\nYou plan to implement Global Secure Access to manage access to App1.\n\nYou need to recommend a solution to manage connections to App1. The solution must ensure that users authenticate by using their Microsoft Entra credentials before they can connect to App1.\n\nWhat should you include the recommendation?\n\nPage11", "options": [{"letter": "A", "text": "a Global Secure Access app"}, {"letter": "B", "text": "a private access traffic forwarding profile"}, {"letter": "C", "text": "an internet access traffic forwarding profile"}, {"letter": "D", "text": "a Quick Access app"}], "answer": ["A"], "multi": false}, {"order": 101, "questionNumber": 46, "topic": "Topic 2", "title": "101. Question #46 - Topic 2", "text": "You have a Microsoft 365 subscription and an Azure subscription. Microsoft 365 Defender and Microsoft Defender for Cloud are enabled.\n\nThe Azure subscription contains 50 virtual machines. Each virtual machine runs different applications on Windows Server 2019.\n\nYou need to recommend a solution to ensure that only authorized applications can run on the virtual machines. If an unauthorized application attempts to run or be installed, the application must be blocked automatically until an administrator authorizes the application.\n\nWhich security control should you recommend?", "options": [{"letter": "A", "text": "app registrations in Azure AD"}, {"letter": "B", "text": "Azure AD Conditional Access App Control policies"}, {"letter": "C", "text": "app discovery anomaly detection policies in Microsoft Defender for Cloud Apps"}, {"letter": "D", "text": "adaptive application controls in Defender for Cloud"}], "answer": ["D"], "multi": false}, {"order": 103, "questionNumber": 48, "topic": "Topic 2", "title": "103. Question #48 - Topic 2", "text": "You have a Microsoft 365 subscription.\n\nYou have an Azure subscription.\n\nYou need to implement a Microsoft Purview communication compliance solution for Microsoft Teams and Yammer. The solution must meet the following requirements:\n\n• Assign compliance policies to Microsoft 365 groups based on custom Microsoft Exchange Online attributes.\n• Minimize the number of compliance policies.\n• Minimize administrative effort.\n\nWhat should you include in the solution?", "options": [{"letter": "A", "text": "Microsoft Purview Information Protection"}, {"letter": "B", "text": "Microsoft 365 Defender user tags"}, {"letter": "C", "text": "adaptive scopes"}, {"letter": "D", "text": "administrative units"}], "answer": ["C"], "multi": false}, {"order": 111, "questionNumber": 56, "topic": "Topic 2", "title": "111. Question #56 - Topic 2", "text": "You have a Microsoft Entra tenant named contoso.com.\n\nYou have an external partner that has a Microsoft Entra tenant named fabnkam.com.\n\nYou need to recommend an identity governance solution for contoso.com that meets the following requirements:\n\n• Enables the users in contoso.com and fabrikam.com to communicate by using shared Microsoft Teams channels\n• Manages access to shared Teams channels in contoso.com by using groups in fabrikam.com\n• Supports single sign-on (SSO)\n• Minimizes administrative effort\n• Maximizes security\n\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "Cross-tenant synchronization"}, {"letter": "B", "text": "Microsoft Entra B2B collaboration"}, {"letter": "C", "text": "B2B direct connect"}, {"letter": "D", "text": "Microsoft Entra Connect Sync"}], "answer": ["C"], "multi": false}, {"order": 112, "questionNumber": 57, "topic": "Topic 2", "title": "112. Question #57 - Topic 2", "text": "You have a multicloud environment that contains Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP) subscriptions.\n\nYou need to discover and review role assignments across the subscriptions.\n\nWhat should you use?", "options": [{"letter": "A", "text": "Azure Lighthouse"}, {"letter": "B", "text": "Microsoft Defender for Identity"}, {"letter": "C", "text": "Microsoft Entra ID Governance"}, {"letter": "D", "text": "Microsoft Entra Permissions Management"}], "answer": ["D"], "multi": false}, {"order": 114, "questionNumber": 59, "topic": "Topic 2", "title": "114. Question #59 - Topic 2", "text": "You have multiple Azure subscriptions that each contains multiple resource groups.\n\nYou need to identify the privileged role assignments in each subscription and any associated security risks. The solution must minimize administrative effort.\n\nWhat should you use?", "options": [{"letter": "A", "text": "access reviews in Privileged Identity Management (PIM)"}, {"letter": "B", "text": "access reviews in Microsoft Entra ID Identity Governance"}, {"letter": "C", "text": "Microsoft Defender External Attack Surface Management (Defender EASM) discovery"}, {"letter": "D", "text": "the Analytics dashboard in Microsoft Entra Permissions Management"}], "answer": ["D"], "multi": false}, {"order": 115, "questionNumber": 60, "topic": "Topic 2", "title": "115. Question #60 - Topic 2", "text": "Your on-premises network contains an Active Directory Domain Services (AD DS) domain and a hybrid deployment between a Microsoft Exchange Server 2019 organization and an Exchange Online tenant. The AD DS domain contains a group named Group1. Group1 is a member of the Organization Management role group for the Exchange deployment.\n\nYou have a Microsoft 365 E5 subscription that uses Microsoft Defender.\n\nYou have an Azure subscription that uses Microsoft Sentinel.\n\nYou need to recommend a solution to ensure that Group1 is marked as a sensitive group and that any changes made to Group1 raises an alert in Microsoft Sentinel. The solution must minimize administrative effort.\n\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "Microsoft Defender for Identity"}, {"letter": "B", "text": "Microsoft Entra ID Protection"}, {"letter": "C", "text": "Microsoft Entra Privileged Identity Management (PIM)"}, {"letter": "D", "text": "Microsoft Defender for Office 365"}], "answer": ["A"], "multi": false}, {"order": 117, "questionNumber": 62, "topic": "Topic 2", "title": "117. Question #62 - Topic 2", "text": "You have a Microsoft 365 subscription that contains 1,000 users and a group named Group1. All the users have Windows 11 devices. The users sign in to their devices by using their Microsoft Entra account. The users do NOT have administrative rights to their devices.\n\nThe members of Group1 remotely assist the users by taking control of user sessions. The remote control sessions run in the security context of the users they are assisting.\n\nYou need to recommend a solution that will enable the Group1 members to run apps that require administrative rights to the users' devices. The solution must ensure that the apps are run in the context of each signed-in standard user.\n\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "Windows Local Administrator Password Solution (Windows LAPS)"}, {"letter": "B", "text": "Microsoft Entra Permissions Management"}, {"letter": "C", "text": "Microsoft Intune Endpoint Privilege Management"}, {"letter": "D", "text": "Privileged Identity Management (PIM) in Microsoft Entra ID"}], "answer": ["C"], "multi": false}, {"order": 119, "questionNumber": 64, "topic": "Topic 2", "title": "119. Question #64 - Topic 2", "text": "You have a Microsoft 365 subscription and an Azure subscription. Microsoft 365 Defender and Microsoft Defender for Cloud are enabled.\n\nThe Azure subscription contains 50 virtual machines. Each virtual machine runs different applications on Windows Server 2019.\n\nYou need to recommend a solution to ensure that only authorized applications can run on the virtual machines. If an unauthorized application attempts to run or be installed, the application must be blocked automatically until an administrator authorizes the application.\n\nWhich security control should you recommend?", "options": [{"letter": "A", "text": "app registrations in the Microsoft Entra tenant"}, {"letter": "B", "text": "OAuth app policies in Microsoft Defender for Cloud Apps"}, {"letter": "C", "text": "app protection policies in Microsoft Endpoint Manager"}, {"letter": "D", "text": "application control policies in Microsoft Defender for Endpoint"}], "answer": ["D"], "multi": false}, {"order": 120, "questionNumber": 65, "topic": "Topic 2", "title": "120. Question #65 - Topic 2", "text": "You have a Microsoft 365 subscription that contains 1,000 users. Each user is assigned a Microsoft 365 E5 license.\n\nThe subscription uses sensitivity labels to classify corporate documents. All the users have Windows 11 devices that are onboarded to Microsoft Defender for Endpoint and are configured to sync files to Microsoft OneDrive.\n\nYou need to prevent the users from uploading the documents from OneDrive to external websites.\n\nWhat should you include in the solution?\n\nPage13", "options": [{"letter": "A", "text": "Microsoft Purview Information Protection"}, {"letter": "B", "text": "Microsoft Purview data loss prevention (DLP)"}, {"letter": "C", "text": "web content filtering in Defender for Endpoint"}, {"letter": "D", "text": "an endpoint security policy"}], "answer": ["B"], "multi": false}, {"order": 122, "questionNumber": 67, "topic": "Topic 2", "title": "122. Question #67 - Topic 2", "text": "Your network contains an Active Directory Domain Services (AD DS) domain named Domain1.\n\nYou have a Microsoft Entra tenant.\n\nDomain1 syncs with the tenant by using Microsoft Entra Connect.\n\nYou need to monitor Domain1 for privilege escalation attacks.\n\nWhat should you use?", "options": [{"letter": "A", "text": "Microsoft Entra ID Protection"}, {"letter": "B", "text": "Microsoft Defender for Servers"}, {"letter": "C", "text": "Microsoft Defender for Identity"}, {"letter": "D", "text": "Privileged Identity Management (PIM)"}], "answer": ["C"], "multi": false}, {"order": 123, "questionNumber": 68, "topic": "Topic 2", "title": "123. Question #68 - Topic 2", "text": "You have an Azure subscription and an Azure DevOps organization.\n\nYou need to recommend a solution for connecting Azure DevOps pipelines to the resources in the subscription by using Azure Resource Manager (ARM) service connections. The solution must align with Microsoft Cloud Adoption Framework for Azure best practices, including the principle of least privilege.\n\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "service principals and secrets"}, {"letter": "B", "text": "workload identity federation and service principals"}, {"letter": "C", "text": "workload identity federation and user-assigned managed identities"}, {"letter": "D", "text": "workload identity federation and system-assigned managed identities"}], "answer": ["B"], "multi": false}, {"order": 125, "questionNumber": 70, "topic": "Topic 2", "title": "125. Question #70 - Topic 2", "text": "You have a Microsoft 365 subscription.\n\nYou have an Azure subscription.\n\nYou need to implement a Microsoft Purview communication compliance solution for Microsoft Teams and Yammer. The solution must meet the following requirements:\n\n• Assign compliance policies to Microsoft 365 groups based on custom Microsoft Exchange Online attributes.\n• Minimize the number of compliance policies.\n• Minimize administrative effort.\n\nWhat should you include in the solution?", "options": [{"letter": "A", "text": "adaptive scopes"}, {"letter": "B", "text": "Microsoft 365 Defender user tags"}, {"letter": "C", "text": "administrative units"}, {"letter": "D", "text": "Microsoft Purview sensitivity labels"}], "answer": ["A"], "multi": false}, {"order": 127, "questionNumber": 72, "topic": "Topic 2", "title": "127. Question #72 - Topic 2", "text": "You have a Microsoft 365 subscription that uses Microsoft Defender XDR and Microsoft Purview.\n\nOn a Microsoft SharePoint Online site, you have a file named File1 that has a sensitivity label applied.\n\nYou need to recommend a solution that will reevaluate Conditional Access policies when a user downloads Filel from the SharePoint site.\n\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "Microsoft Defender for Cloud Apps"}, {"letter": "B", "text": "Microsoft Defender for Cloud"}, {"letter": "C", "text": "Microsoft Defender for Office 365"}, {"letter": "D", "text": "Microsoft Entra application proxy"}], "answer": ["A"], "multi": false}, {"order": 130, "questionNumber": 75, "topic": "Topic 2", "title": "130. Question #75 - Topic 2", "text": "You have a Microsoft 365 E5 subscription and an Azure subscription.\n\nYou need to recommend a solution to enforce the Zero Trust principle of explicit verification for the subscriptions. The solution must be based on Zero Trust guidance in the Microsoft Cybersecurity Reference Architectures (MCRA).\n\nWhat should you include in the recommendation?\n\nPage14", "options": [{"letter": "A", "text": "Conditional Access"}, {"letter": "B", "text": "Microsoft Defender for Identity"}, {"letter": "C", "text": "Microsoft Defender for Cloud"}, {"letter": "D", "text": "Microsoft Entra ID Identity Governance"}], "answer": ["A"], "multi": false}, {"order": 131, "questionNumber": 76, "topic": "Topic 2", "title": "131. Question #76 - Topic 2", "text": "Your network contains an Active Directory Domain Services (AD DS) domain.\n\nYou need to ensure that the built-in administrator account for the domain can be used only for interactive sign-ins to domain controllers.\n\nWhat should you configure?", "options": [{"letter": "A", "text": "the Protected Users group"}, {"letter": "B", "text": "authentication policies"}, {"letter": "C", "text": "the User Rights Assignment security policy settings"}, {"letter": "D", "text": "an authentication policy silo"}], "answer": ["D"], "multi": false}, {"order": 136, "questionNumber": 81, "topic": "Topic 2", "title": "136. Question #81 - Topic 2", "text": "You have an Azure subscription that is linked to a Microsoft Entra tenant.\n\nYou plan deploy an enterprise application named App1. App1 requires LDAP to look up attributes related to Microsoft Entra users.\n\nYou need to recommend a solution to support the LDAP requirement.\n\nWhat should you recommend?", "options": [{"letter": "A", "text": "Configure a Conditional Access policy that has a trusted network location."}, {"letter": "B", "text": "Deploy Microsoft Entra Private Access."}, {"letter": "C", "text": "Deploy Microsoft Entra Domain Services."}, {"letter": "D", "text": "Implement pass-through authentication."}], "answer": ["C"], "multi": false}, {"order": 137, "questionNumber": 82, "topic": "Topic 2", "title": "137. Question #82 - Topic 2", "text": "You have a Microsoft Entra tenant named contoso.onmicrosoft.com and an Azure subscription named Sub1.\n\nYou need to implement Microsoft Entra Verified ID by using Quick Verified ID setup.\n\nWhat should you create first?", "options": [{"letter": "A", "text": "a security principal in contoso.onmicrosoft.com"}, {"letter": "B", "text": "a custom domain in contoso.onmicrosoft.com"}, {"letter": "C", "text": "a user-assigned managed identity in Sub1"}, {"letter": "D", "text": "an Azure key vault in Sub1"}], "answer": ["B"], "multi": false}, {"order": 139, "questionNumber": 84, "topic": "Topic 2", "title": "139. Question #84 - Topic 2", "text": "You have a Microsoft 365 subscription that contains a group named Group1. The subscription is linked to a Microsoft Entra ID P1 tenant.\n\nYou have an external software as a service (SaaS) application named App1. App1 is managed by using a web-based admin portal and supports the use of Microsoft Entra ID credentials.\n\nYou need to ensure that only the members of Group1 who sign in from Microsoft Entra joined devices can access the admin portal of App1.\n\nWhat should you create first in Microsoft Entra?", "options": [{"letter": "A", "text": "an enterprise application"}, {"letter": "B", "text": "a Microsoft Entra application proxy connector group"}, {"letter": "C", "text": "a Conditional Access policy"}, {"letter": "D", "text": "an access package"}], "answer": ["A"], "multi": false}, {"order": 142, "questionNumber": 87, "topic": "Topic 2", "title": "142. Question #87 - Topic 2", "text": "You have an Azure subscription that contains 15 custom apps. The source files for the apps are stored in Git repositories. The apps are deployed by using Azure DevOps.\n\nYou need to recommend a DevSecOps solution to implement static application security testing (SAST) of the app code to identify hard-coded secrets.\n\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "GitHub Advanced Security"}, {"letter": "B", "text": "Microsoft Defender for Key Vault"}, {"letter": "C", "text": "Microsoft Dev Box"}, {"letter": "D", "text": "Microsoft Defender for Cloud DevOps security"}], "answer": ["D"], "multi": false}, {"order": 143, "questionNumber": 88, "topic": "Topic 2", "title": "143. Question #88 - Topic 2", "text": "You have an on-premises server named Server1. Server1 is an FTP server that can be accessed by only the users at your company.\n\nYou have an Azure subscription.\n\nYou need to recommend a Zero Trust Network Access (ZTNA) solution to enforce Conditional Access policies when users access Server1 from the internet.\n\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "Microsoft Entra application proxy"}, {"letter": "B", "text": "Microsoft Entra Internet Access"}, {"letter": "C", "text": "Microsoft Entra Private Access"}, {"letter": "D", "text": "Azure Application Gateway"}, {"letter": "E", "text": "Azure Bastion"}], "answer": ["C"], "multi": false}, {"order": 144, "questionNumber": 89, "topic": "Topic 2", "title": "144. Question #89 - Topic 2", "text": "Your network contains an on-premises Active Directory Domain Services (AD DS) domain named Domain1. Domain1 contains 10 domain controllers.\n\nYou have an Azure subscription named Sub1 that contains a Microsoft Sentinel workspace named WS1.\n\nYou have a Microsoft 365 subscription that contains 5,000 users. Each user is assigned a Microsoft 365 E3 license.\n\nYou need to recommend a solution to ingest security logs from all the domain controllers into WS1. The solution must meet the following requirements:\n\n• The cost of ingesting data into WS1 must be minimized.\n• WS1 must ingest all the Windows Security event logs generated by the domain controllers.\n• The solution must support the generation of approximately 350 MB of logs per day from each domain controller.\n\nWhat should you recommend?", "options": [{"letter": "A", "text": "Upgrade the user licenses to Microsoft 365 E5."}, {"letter": "B", "text": "Onboard each domain controller to Microsoft Defender for Servers Plan 2."}, {"letter": "C", "text": "Configure Auxiliary logs in WS1."}, {"letter": "D", "text": "Configure a volume cap for WS1."}, {"letter": "E", "text": "Only ingest data from one domain controller into WS1."}], "answer": ["A"], "multi": false}, {"order": 149, "questionNumber": 94, "topic": "Topic 2", "title": "149. Question #94 - Topic 2", "text": "You have a Microsoft 365 subscription that uses Microsoft Purview.\n\nYou need to recommend a solution that will provide guidance on how to ensure that Personally Identifiable Information (PII) in the subscription adheres to local privacy regulations. The solution must minimize administrative effort.\n\nWhich Microsoft Purview solution should you include in the recommendation?", "options": [{"letter": "A", "text": "Data Loss Prevention"}, {"letter": "B", "text": "Information Protection"}, {"letter": "C", "text": "Insider Risk Management"}, {"letter": "D", "text": "Compliance Manager"}], "answer": ["D"], "multi": false}, {"order": 150, "questionNumber": 95, "topic": "Topic 2", "title": "150. Question #95 - Topic 2", "text": "Your on-premises network contains an Active Directory Domain Services (AD DS) domain. The domain contains 500 Windows 11 devices.\n\nYou have a Microsoft 365 subscription and an Azure subscription.\n\nYou have a Microsoft Entra tenant that syncs with the domain and is linked to the subscriptions. The devices are Microsoft Entra hybrid joined.\n\nYou plan to deploy a solution to mitigate attacks against privileged accounts. The solution will include Microsoft Sentinel rules that will detect attempts to use fake cached credentials.\n\nYou need to recommend a solution to create the fake cached credentials on client computers.\n\nWhat should you recommend?\n\nPage16", "options": [{"letter": "A", "text": "User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel"}, {"letter": "B", "text": "a deception rule in Microsoft Defender for Endpoint"}, {"letter": "C", "text": "a user risk policy in Microsoft Entra ID Protection"}, {"letter": "D", "text": "a Honeytoken tag in Microsoft Defender for Identity"}], "answer": ["D"], "multi": false}, {"order": 151, "questionNumber": 96, "topic": "Topic 2", "title": "151. Question #96 - Topic 2", "text": "You have an Azure subscription and a Microsoft 365 subscription. All users are assigned Microsoft 365 E5 licenses. All computers run Windows 11 and are Microsoft Entra joined.\n\nYou need to recommend a solution to prevent computers that run early builds of Windows 11 from connecting to Microsoft 365 services.\n\nWhich two types of policies should you include in the recommendation? Each correct answer presents part of the solution.\n\nNOTE: Each correct selection is worth one point.", "options": [{"letter": "A", "text": "Microsoft Defender for Endpoint endpoint security policy"}, {"letter": "B", "text": "Microsoft Defender for Cloud regulatory compliance policy"}, {"letter": "C", "text": "Microsoft Intune compliance policy"}, {"letter": "D", "text": "Microsoft Entra ID Protection sign-in risk policy"}, {"letter": "E", "text": "Microsoft Entra Conditional Access policy"}], "answer": ["C", "E"], "multi": true}, {"order": 153, "questionNumber": 1, "topic": "Topic 3", "title": "153. Question #1 - Topic 3", "text": "You have Microsoft Defender for Cloud assigned to Azure management groups.\nYou have a Microsoft Sentinel deployment.\nDuring the triage of alerts, you require additional information about the security events, including suggestions for remediation.\nWhich two components can you use to achieve the goal? Each correct answer presents a complete solution.\nNOTE: Each correct selection is worth one point.", "options": [{"letter": "A", "text": "Microsoft Sentinel threat intelligence workbooks"}, {"letter": "B", "text": "Microsoft Sentinel notebooks"}, {"letter": "C", "text": "threat intelligence reports in Defender for Cloud"}, {"letter": "D", "text": "workload protections in Defender for Cloud"}], "answer": ["A", "C"], "multi": true}, {"order": 154, "questionNumber": 2, "topic": "Topic 3", "title": "154. Question #2 - Topic 3", "text": "A customer is deploying Docker images to 10 Azure Kubernetes Service (AKS) resources across four Azure subscriptions.\nYou are evaluating the security posture of the customer.\nYou discover that the AKS resources are excluded from the secure score recommendations.\nYou need to produce accurate recommendations and update the secure score.\nWhich two actions should you recommend in Microsoft Defender for Cloud? Each correct answer presents part of the solution.\nNOTE: Each correct selection is worth one point.", "options": [{"letter": "A", "text": "Enable Defender plans."}, {"letter": "B", "text": "Configure auto provisioning."}, {"letter": "C", "text": "Add a workflow automation."}, {"letter": "D", "text": "Assign regulatory compliance policies."}, {"letter": "E", "text": "Review the inventory."}], "answer": ["A", "B"], "multi": true}, {"order": 155, "questionNumber": 3, "topic": "Topic 3", "title": "155. Question #3 - Topic 3", "text": "Your company has an office in Seattle.\nThe company has two Azure virtual machine scale sets hosted on different virtual networks.\nThe company plans to contract developers in India.\nYou need to recommend a solution provide the developers with the ability to connect to the virtual machines over SSL from the Azure portal. The solution must meet the following requirements:\n✑ Prevent exposing the public IP addresses of the virtual machines.\n✑ Provide the ability to connect without using a VPN.\n✑ Minimize costs.\nWhich two actions should you perform? Each correct answer presents part of the solution.\nNOTE: Each correct selection is worth one point.", "options": [{"letter": "A", "text": "Create a hub and spoke network by using virtual network peering."}, {"letter": "B", "text": "Deploy Azure Bastion to each virtual network."}, {"letter": "C", "text": "Deploy Azure Bastion to one virtual network."}, {"letter": "D", "text": "Create NAT rules and network rules in Azure Firewall."}, {"letter": "E", "text": "Enable just-in-time VM access on the virtual machines."}], "answer": ["A", "C"], "multi": true}, {"order": 157, "questionNumber": 5, "topic": "Topic 3", "title": "157. Question #5 - Topic 3", "text": "You have Windows 11 devices and Microsoft 365 E5 licenses.\nYou need to recommend a solution to prevent users from accessing websites that contain adult content such as gambling sites.\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "Compliance Manager"}, {"letter": "B", "text": "Microsoft Defender for Cloud Apps"}, {"letter": "C", "text": "Microsoft Endpoint Manager"}, {"letter": "D", "text": "Microsoft Defender for Endpoint"}], "answer": ["D"], "multi": false}, {"order": 158, "questionNumber": 6, "topic": "Topic 3", "title": "158. Question #6 - Topic 3", "text": "Your company has a Microsoft 365 E5 subscription.\nThe company plans to deploy 45 mobile self-service kiosks that will run Windows 10.\nYou need to provide recommendations to secure the kiosks. The solution must meet the following requirements:\n✑ Ensure that only authorized applications can run on the kiosks.\n✑ Regularly harden the kiosks against new threats.\nWhich two actions should you include in the recommendations? Each correct answer presents part of the solution.\nNOTE: Each correct selection is worth one point.", "options": [{"letter": "A", "text": "Implement Automated investigation and Remediation (AIR) in Microsoft Defender for Endpoint."}, {"letter": "B", "text": "Onboard the kiosks to Microsoft intune and Microsoft Defender for Endpoint."}, {"letter": "C", "text": "Implement threat and vulnerability management in Microsoft Defender for Endpoint."}, {"letter": "D", "text": "Onboard the kiosks to Azure Monitor."}, {"letter": "E", "text": "Implement Privileged Access Workstation (PAW) for the kiosks."}], "answer": ["B", "C"], "multi": true}, {"order": 159, "questionNumber": 7, "topic": "Topic 3", "title": "159. Question #7 - Topic 3", "text": "You have a Microsoft 365 E5 subscription.\nYou need to recommend a solution to add a watermark to email attachments that contain sensitive data.\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "Microsoft Defender for Cloud Apps"}, {"letter": "B", "text": "Microsoft Information Protection"}, {"letter": "C", "text": "insider risk management"}, {"letter": "D", "text": "Azure Purview"}], "answer": ["B"], "multi": false}, {"order": 160, "questionNumber": 8, "topic": "Topic 3", "title": "160. Question #8 - Topic 3", "text": "Your company plans to deploy several Azure App Service web apps. The web apps will be deployed to the West Europe Azure region. The web apps will be accessed only by customers in Europe and the United States.\nYou need to recommend a solution to prevent malicious bots from scanning the web apps for vulnerabilities. The solution must minimize the attack surface.\nWhat should you include in the recommendation?\n\nPage17", "options": [{"letter": "A", "text": "Azure Firewall Premium"}, {"letter": "B", "text": "Azure Traffic Manager and application security groups"}, {"letter": "C", "text": "Azure Application Gateway Web Application Firewall (WAF)"}, {"letter": "D", "text": "network security groups (NSGs)"}], "answer": ["C"], "multi": false}, {"order": 161, "questionNumber": 9, "topic": "Topic 3", "title": "161. Question #9 - Topic 3", "text": "Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.\nAfter you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.\nYou are designing the encryption standards for data at rest for an Azure resource.\nYou need to provide recommendations to ensure that the data at rest is encrypted by using AES-256 keys. The solution must support rotating the encryption keys monthly.\nSolution: For blob containers in Azure Storage, you recommend encryption that uses Microsoft-managed keys within an encryption scope.\nDoes this meet the goal?", "options": [{"letter": "A", "text": "Yes"}, {"letter": "B", "text": "No"}], "answer": ["B"], "multi": false}, {"order": 162, "questionNumber": 10, "topic": "Topic 3", "title": "162. Question #10 - Topic 3", "text": "Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.\nAfter you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.\nYou are designing the encryption standards for data at rest for an Azure resource.\nYou need to provide recommendations to ensure that the data at rest is encrypted by using AES-256 keys. The solution must support rotating the encryption keys monthly.\nSolution: For Azure SQL databases, you recommend Transparent Data Encryption (TDE) that uses Microsoft-managed keys.\nDoes this meet the goal?", "options": [{"letter": "A", "text": "Yes"}, {"letter": "B", "text": "No"}], "answer": ["B"], "multi": false}, {"order": 163, "questionNumber": 11, "topic": "Topic 3", "title": "163. Question #11 - Topic 3", "text": "Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.\nAfter you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.\nYou are designing the encryption standards for data at rest for an Azure resource.\nYou need to provide recommendations to ensure that the data at rest is encrypted by using AES-256 keys. The solution must support rotating the encryption keys monthly.\nSolution: For blob containers in Azure Storage, you recommend encryption that uses customer-managed keys (CMKs).\nDoes this meet the goal?", "options": [{"letter": "A", "text": "Yes"}, {"letter": "B", "text": "No"}], "answer": ["A"], "multi": false}, {"order": 164, "questionNumber": 12, "topic": "Topic 3", "title": "164. Question #12 - Topic 3", "text": "Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.\nAfter you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.\nYou are designing a security strategy for providing access to Azure App Service web apps through an Azure Front Door instance.\nYou need to recommend a solution to ensure that the web apps only allow access through the Front Door instance.\nSolution: You recommend access restrictions to allow traffic from the backend IP address of the Front Door instance.\nDoes this meet the goal?", "options": [{"letter": "A", "text": "Yes"}, {"letter": "B", "text": "No"}], "answer": ["B"], "multi": false}, {"order": 165, "questionNumber": 13, "topic": "Topic 3", "title": "165. Question #13 - Topic 3", "text": "Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.\nAfter you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.\nYou are designing a security strategy for providing access to Azure App Service web apps through an Azure Front Door instance.\nYou need to recommend a solution to ensure that the web apps only allow access through the Front Door instance.\nSolution: You recommend access restrictions that allow traffic from the Front Door service tags.\nDoes this meet the goal?", "options": [{"letter": "A", "text": "Yes"}, {"letter": "B", "text": "No"}], "answer": ["A"], "multi": false}, {"order": 166, "questionNumber": 14, "topic": "Topic 3", "title": "166. Question #14 - Topic 3", "text": "Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.\nAfter you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.\nYou are designing a security strategy for providing access to Azure App Service web apps through an Azure Front Door instance.\nYou need to recommend a solution to ensure that the web apps only allow access through the Front Door instance.\nSolution: You recommend access restrictions based on HTTP headers that have the Front Door ID.\nDoes this meet the goal?", "options": [{"letter": "A", "text": "Yes"}, {"letter": "B", "text": "No"}], "answer": ["A"], "multi": false}, {"order": 167, "questionNumber": 15, "topic": "Topic 3", "title": "167. Question #15 - Topic 3", "text": "Your company is designing an application architecture for Azure App Service Environment (ASE) web apps as shown in the exhibit. (Click the Exhibit tab.)\n\nCommunication between the on-premises network and Azure uses an ExpressRoute connection.\nYou need to recommend a solution to ensure that the web apps can communicate with the on-premises application server. The solution must minimize the number of public IP addresses that are allowed to access the on-premises network.\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "Azure Traffic Manager with priority traffic-routing methods"}, {"letter": "B", "text": "Azure Firewall with policy rule sets"}, {"letter": "C", "text": "Azure Front Door with Azure Web Application Firewall (WAF)"}, {"letter": "D", "text": "Azure Application Gateway v2 with user-defined routes (UDRs)"}], "answer": ["B"], "multi": false}, {"order": 168, "questionNumber": 16, "topic": "Topic 3", "title": "168. Question #16 - Topic 3", "text": "You are planning the security requirements for Azure Cosmos DB Core (SQL) API accounts.\nYou need to recommend a solution to audit all users that access the data in the Azure Cosmos DB accounts.\nWhich two configurations should you include in the recommendation? Each correct answer presents part of the solution.\nNOTE: Each correct selection is worth one point.", "options": [{"letter": "A", "text": "Send the Azure Active Directory (Azure AD) sign-in logs to a Log Analytics workspace."}, {"letter": "B", "text": "Enable Microsoft Defender for Identity."}, {"letter": "C", "text": "Send the Azure Cosmos DB logs to a Log Analytics workspace."}, {"letter": "D", "text": "Disable local authentication for Azure Cosmos DB."}, {"letter": "E", "text": "Enable Microsoft Defender for Cosmos DB."}], "answer": ["A", "C"], "multi": true}, {"order": 169, "questionNumber": 17, "topic": "Topic 3", "title": "169. Question #17 - Topic 3", "text": "You have an Azure subscription that contains several storage accounts. The storage accounts are accessed by legacy applications that are authenticated by using access keys.\nYou need to recommend a solution to prevent new applications from obtaining the access keys of the storage accounts. The solution must minimize the impact on the legacy applications.\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "Set the AllowSharedKeyAccess property to false."}, {"letter": "B", "text": "Apply read-only locks on the storage accounts."}, {"letter": "C", "text": "Set the AllowBlobPublicAccess property to false."}, {"letter": "D", "text": "Configure automated key rotation."}], "answer": ["B"], "multi": false}, {"order": 170, "questionNumber": 18, "topic": "Topic 3", "title": "170. Question #18 - Topic 3", "text": "You are designing the security standards for containerized applications onboarded to Azure.\nYou are evaluating the use of Microsoft Defender for Containers.\nIn which two environments can you use Defender for Containers to scan for known vulnerabilities? Each correct answer presents a complete solution.\nNOTE: Each correct selection is worth one point.\n\nPage18", "options": [{"letter": "A", "text": "Linux containers deployed to Azure Container Instances"}, {"letter": "B", "text": "Windows containers deployed to Azure Kubernetes Service (AKS)"}, {"letter": "C", "text": "Windows containers deployed to Azure Container Registry"}, {"letter": "D", "text": "Linux containers deployed to Azure Container Registry"}, {"letter": "E", "text": "Linux containers deployed to Azure Kubernetes Service (AKS)"}], "answer": ["D", "E"], "multi": true}, {"order": 171, "questionNumber": 19, "topic": "Topic 3", "title": "171. Question #19 - Topic 3", "text": "Your company has a hybrid cloud infrastructure that contains an on-premises Active Directory Domain Services (AD DS) forest, a Microsoft 365 subscription, and an Azure subscription.\nThe company's on-premises network contains internal web apps that use Kerberos authentication. Currently, the web apps are accessible only from the network.\nYou have remote users who have personal devices that run Windows 11.\nYou need to recommend a solution to provide the remote users with the ability to access the web apps. The solution must meet the following requirements:\n✑ Prevent the remote users from accessing any other resources on the network.\n✑ Support Azure Active Directory (Azure AD) Conditional Access.\n✑ Simplify the end-user experience.\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "Azure AD Application Proxy"}, {"letter": "B", "text": "web content filtering in Microsoft Defender for Endpoint"}, {"letter": "C", "text": "Microsoft Tunnel"}, {"letter": "D", "text": "Azure Virtual WAN"}], "answer": ["A"], "multi": false}, {"order": 172, "questionNumber": 20, "topic": "Topic 3", "title": "172. Question #20 - Topic 3", "text": "Your company has a main office and a branch office.\n\nThe main office contains 20 on-premises servers that run Windows Server and host apps that are published by using Microsoft Entra application proxy. The main office contains 500 on-premises computers that run Windows 11. The branch office contains 100 on-premises computers that run Windows 11.\n\nAll the main office computers are enrolled in Microsoft Intune. The branch office computers are NOT enrolled in Intune.\n\nYou have a Microsoft 365 ES subscription.\n\nYou have a Microsoft Entra tenant. You have a third-party software as a service (SaaS) app that is registered in the Microsoft Entra tenant.\n\nYou plan to implement Global Secure Access.\n\nYou are evaluating the use of compliant network check and Conditional Access.\n\nWhich two scenarios are supported by compliant network check? Each correct answer presents a complete solution.\n\nNOTE: Each correct selection is worth one point", "options": [{"letter": "A", "text": "connections to the third-party SaaS app"}, {"letter": "B", "text": "connections from the branch office computers"}, {"letter": "C", "text": "Continuous Access Evaluation for Microsoft Exchange Online"}, {"letter": "D", "text": "connections to the on-premises apps"}], "answer": ["A", "D"], "multi": true}, {"order": 174, "questionNumber": 22, "topic": "Topic 3", "title": "174. Question #22 - Topic 3", "text": "You have an Azure subscription that contains virtual machines.\nPort 3389 and port 22 are disabled for outside access.\nYou need to design a solution to provide administrators with secure remote access to the virtual machines. The solution must meet the following requirements:\n✑ Prevent the need to enable ports 3389 and 22 from the internet.\n✑ Only provide permission to connect the virtual machines when required.\n✑ Ensure that administrators use the Azure portal to connect to the virtual machines.\nWhich two actions should you include in the solution? Each correct answer presents part of the solution.\nNOTE: Each correct selection is worth one point.", "options": [{"letter": "A", "text": "Configure Azure VPN Gateway."}, {"letter": "B", "text": "Enable Just Enough Administration (JEA)."}, {"letter": "C", "text": "Configure Azure Bastion."}, {"letter": "D", "text": "Enable just-in-time (JIT) VM access."}, {"letter": "E", "text": "Enable Azure Active Directory (Azure AD) Privileged Identity Management (PIM) roles as virtual machine contributors."}], "answer": ["C", "D"], "multi": true}, {"order": 175, "questionNumber": 23, "topic": "Topic 3", "title": "175. Question #23 - Topic 3", "text": "Your company has on-premises Microsoft SQL Server databases.\nThe company plans to move the databases to Azure.\nYou need to recommend a secure architecture for the databases that will minimize operational requirements for patching and protect sensitive data by using dynamic data masking. The solution must minimize costs.\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "Azure SQL Managed Instance"}, {"letter": "B", "text": "Azure Synapse Analytics dedicated SQL pools"}, {"letter": "C", "text": "Azure SQL Database"}, {"letter": "D", "text": "SQL Server on Azure Virtual Machines"}], "answer": ["C"], "multi": false}, {"order": 176, "questionNumber": 24, "topic": "Topic 3", "title": "176. Question #24 - Topic 3", "text": "Your company plans to move all on-premises virtual machines to Azure.\nA network engineer proposes the Azure virtual network design shown in the following table.\n\nYou need to recommend an Azure Bastion deployment to provide secure remote access to all the virtual machines.\nBased on the virtual network design, how many Azure Bastion subnets are required?", "options": [{"letter": "A", "text": "1"}, {"letter": "B", "text": "2"}, {"letter": "C", "text": "3"}, {"letter": "D", "text": "4"}, {"letter": "E", "text": "5"}], "answer": ["B"], "multi": false}, {"order": 178, "questionNumber": 26, "topic": "Topic 3", "title": "178. Question #26 - Topic 3", "text": "Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.\nAfter you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.\nYou are designing the encryption standards for data at rest for an Azure resource.\nYou need to provide recommendations to ensure that the data at rest is encrypted by using AES-256 keys. The solution must support rotating the encryption keys monthly.\nSolution: For Azure SQL databases, you recommend Transparent Data Encryption (TDE) that uses customer-managed keys (CMKs).\nDoes this meet the goal?", "options": [{"letter": "A", "text": "Yes"}, {"letter": "B", "text": "No"}], "answer": ["A"], "multi": false}, {"order": 179, "questionNumber": 27, "topic": "Topic 3", "title": "179. Question #27 - Topic 3", "text": "A customer uses Azure to develop a mobile app that will be consumed by external users as shown in the following exhibit.\n\nYou need to design an identity strategy for the app. The solution must meet the following requirements:\n✑ Enable the usage of external IDs such as Google, Facebook, and Microsoft accounts.\n✑ Use a customer identity store.\n✑ Support fully customizable branding for the app.\nWhich service should you recommend to complete the design?", "options": [{"letter": "A", "text": "Azure Active Directory (Azure AD) B2B"}, {"letter": "B", "text": "Azure Active Directory Domain Services (Azure AD DS)"}, {"letter": "C", "text": "Azure Active Directory (Azure AD) B2C"}, {"letter": "D", "text": "Azure AD Connect"}], "answer": ["C"], "multi": false}, {"order": 180, "questionNumber": 28, "topic": "Topic 3", "title": "180. Question #28 - Topic 3", "text": "Your company has a hybrid cloud infrastructure.\nData and applications are moved regularly between cloud environments.\nThe company's on-premises network is managed as shown in the following exhibit.\n\nYou are designing security operations to support the hybrid cloud infrastructure. The solution must meet the following requirements:\n✑ Govern virtual machines and servers across multiple environments.\n✑ Enforce standards for all the resources across all the environments by using Azure Policy.\nWhich two components should you recommend for the on-premises network? Each correct answer presents part of the solution.\nNOTE: Each correct selection is worth one point.\n\nPage19", "options": [{"letter": "A", "text": "on-premises data gateway"}, {"letter": "B", "text": "Azure VPN Gateway"}, {"letter": "C", "text": "guest configuration in Azure Policy"}, {"letter": "D", "text": "Azure Arc"}, {"letter": "E", "text": "Azure Bastion"}], "answer": ["C", "D"], "multi": true}, {"order": 181, "questionNumber": 29, "topic": "Topic 3", "title": "181. Question #29 - Topic 3", "text": "A customer has a Microsoft 365 E5 subscription and an Azure subscription.\nThe customer wants to centrally manage security incidents, analyze logs, audit activities, and search for potential threats across all deployed services\nYou need to recommend a solution for the customer.\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "Microsoft Defender for Cloud"}, {"letter": "B", "text": "Microsoft Defender for Cloud Apps"}, {"letter": "C", "text": "Microsoft 365 Defender"}, {"letter": "D", "text": "Microsoft Sentinel"}], "answer": ["D"], "multi": false}, {"order": 183, "questionNumber": 31, "topic": "Topic 3", "title": "183. Question #31 - Topic 3", "text": "For a Microsoft cloud environment, you are designing a security architecture based on the Microsoft Cloud Security Benchmark.\n\nWhat are three best practices for identity management based on the Azure Security Benchmark? Each correct answer presents a complete solution.\n\nNOTE: Each correct selection is worth one point.", "options": [{"letter": "A", "text": "Manage application identities securely and automatically."}, {"letter": "B", "text": "Manage the lifecycle of identities and entitlements."}, {"letter": "C", "text": "Protect identity and authentication systems."}, {"letter": "D", "text": "Enable threat detection for identity and access management."}, {"letter": "E", "text": "Use a centralized identity and authentication system."}], "answer": ["A", "C", "E"], "multi": true}, {"order": 184, "questionNumber": 32, "topic": "Topic 3", "title": "184. Question #32 - Topic 3", "text": "Your company plans to follow DevSecOps best practices of the Microsoft Cloud Adoption Framework for Azure.\n\nYou need to perform threat modeling by using a top-down approach based on the Microsoft Cloud Adoption Framework for Azure.\n\nWhat should you use to start the threat modeling process?", "options": [{"letter": "A", "text": "the STRIDE model"}, {"letter": "B", "text": "the DREAD model"}, {"letter": "C", "text": "OWASP threat modeling"}], "answer": ["A"], "multi": false}, {"order": 185, "questionNumber": 33, "topic": "Topic 3", "title": "185. Question #33 - Topic 3", "text": "Your company has on-premises Microsoft SQL Server databases.\n\nThe company plans to move the databases to Azure.\n\nYou need to recommend a secure architecture for the databases that will minimize operational requirements for patching and protect sensitive data by using dynamic data masking. The solution must minimize costs.\n\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "SQL Server on Azure Virtual Machines"}, {"letter": "B", "text": "Azure Synapse Analytics dedicated SQL pools"}, {"letter": "C", "text": "Azure SQL Database"}], "answer": ["C"], "multi": false}, {"order": 186, "questionNumber": 34, "topic": "Topic 3", "title": "186. Question #34 - Topic 3", "text": "You are designing a new Azure environment based on the security best practices of the Microsoft Cloud Adoption Framework for Azure. The environment will contain one subscription for shared infrastructure components and three separate subscriptions for applications.\n\nYou need to recommend a deployment solution that includes network security groups (NSGs), Azure Firewall, Azure Key Vault, and Azure Bastion. The solution must minimize deployment effort and follow security best practices of the Microsoft Cloud Adoption Framework for Azure.\n\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "the Azure landing zone accelerator"}, {"letter": "B", "text": "the Azure Well-Architected Framework"}, {"letter": "C", "text": "Azure Security Benchmark v3"}, {"letter": "D", "text": "Azure Advisor"}], "answer": ["A"], "multi": false}, {"order": 187, "questionNumber": 35, "topic": "Topic 3", "title": "187. Question #35 - Topic 3", "text": "Your company uses Azure Pipelines and Azure Repos to implement continuous integration and continuous deployment (CI/CD) workflows for the deployment of applications to Azure.\n\nYou are updating the deployment process to align with DevSecOps controls guidance in the Microsoft Cloud Adoption Framework for Azure.\n\nYou need to recommend a solution to ensure that all code changes are submitted by using pull requests before being deployed by the CI/CD workflow.\n\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "custom roles in Azure Pipelines"}, {"letter": "B", "text": "branch policies in Azure Repos"}, {"letter": "C", "text": "Azure policies"}, {"letter": "D", "text": "custom Azure roles"}], "answer": ["B"], "multi": false}, {"order": 188, "questionNumber": 36, "topic": "Topic 3", "title": "188. Question #36 - Topic 3", "text": "You have an Azure subscription that contains a Microsoft Sentinel workspace.\n\nYour on-premises network contains firewalls that support forwarding event logs in the Common Event Format (CEF). There is no built-in Microsoft Sentinel connector for the firewalls.\n\nYou need to recommend a solution to ingest events from the firewalls into Microsoft Sentinel.\n\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "an Azure logic app"}, {"letter": "B", "text": "an on-premises Syslog server"}, {"letter": "C", "text": "an on-premises data gateway"}, {"letter": "D", "text": "Azure Data Factory"}], "answer": ["B"], "multi": false}, {"order": 189, "questionNumber": 37, "topic": "Topic 3", "title": "189. Question #37 - Topic 3", "text": "You have an on-premises datacenter and an Azure Kubernetes Service (AKS) cluster named AKS1.\n\nYou need to restrict internet access to the public endpoint of AKS1. The solution must ensure that AKS1 can be accessed only from the public IP addresses associated with the on-premises datacenter.\n\nWhat should you use?", "options": [{"letter": "A", "text": "a private endpoint"}, {"letter": "B", "text": "a network security group (NSG)"}, {"letter": "C", "text": "a service endpoint"}, {"letter": "D", "text": "an authorized IP range"}], "answer": ["D"], "multi": false}, {"order": 191, "questionNumber": 39, "topic": "Topic 3", "title": "191. Question #39 - Topic 3", "text": "You have an Azure subscription. The subscription contains 50 virtual machines that run Windows Server and 50 virtual machines that run Linux.\n\nYou need to perform vulnerability assessments on the virtual machines. The solution must meet the following requirements:\n\n• Identify missing updates and insecure configurations.\n• Use the Qualys engine.\n\nWhat should you use?", "options": [{"letter": "A", "text": "Microsoft Defender for Servers"}, {"letter": "B", "text": "Microsoft Defender Threat Intelligence (Defender TI)"}, {"letter": "C", "text": "Microsoft Defender for Endpoint"}, {"letter": "D", "text": "Microsoft Defender External Attack Surface Management (Defender EASM)"}], "answer": ["A"], "multi": false}, {"order": 192, "questionNumber": 40, "topic": "Topic 3", "title": "192. Question #40 - Topic 3", "text": "You have an Azure subscription that contains 100 virtual machines, a virtual network named VNet1, and 20 users. The virtual machines run Windows Server and are connected to VNet1. The users work remotely and access Azure resources from Linux workstations.\n\nYou need to ensure that the users can connect to the virtual machines from the workstations by using Secure Shell (SSH). The solution must meet the following requirements:\n\n• Ensure that the users authenticate by using their Microsoft Entra credentials.\n• Prevent the users from transferring files from the virtual machines by using SSH.\n• Prevent the users from directly accessing the virtual machines by using the public IP address of the virtual machines.\n\nWhat should you include in the solution?", "options": [{"letter": "A", "text": "Azure NAT Gateway"}, {"letter": "B", "text": "just-in-time (JIT) VM access"}, {"letter": "C", "text": "Azure Bastion"}, {"letter": "D", "text": "Point-to-Site (P2S) VPN"}], "answer": ["C"], "multi": false}, {"order": 193, "questionNumber": 41, "topic": "Topic 3", "title": "193. Question #41 - Topic 3", "text": "You have an on-premises network that has several legacy applications. The applications perform LDAP queries against an existing directory service.\n\nYou are migrating the on-premises infrastructure to a cloud-only infrastructure.\n\nYou need to recommend an identity solution for the infrastructure that supports the legacy applications. The solution must minimize the administrative effort to maintain the infrastructure.\n\nWhich identity service should you include in the recommendation?", "options": [{"letter": "A", "text": "Microsoft Entra External ID"}, {"letter": "B", "text": "Microsoft Entra Domain Services"}, {"letter": "C", "text": "Microsoft Entra ID"}, {"letter": "D", "text": "Active Directory Domain Services (AD DS)"}], "answer": ["B"], "multi": false}, {"order": 194, "questionNumber": 42, "topic": "Topic 3", "title": "194. Question #42 - Topic 3", "text": "You have a Microsoft 365 tenant that contains 5,000 users and 5,000 Windows 11 devices. All users are assigned Microsoft 365 E5 licenses and the Microsoft Defender Vulnerability Management add-on. The Windows 11 devices are managed by using Microsoft Intune and Microsoft Defender for Endpoint. The Windows 11 devices are configured during deployment to comply with Center for Internet Security (CIS) benchmarks for Windows 11.\n\nYou need to recommend a compliance solution for the Windows 11 devices. The solution must identify devices that were modified and no longer comply with the CIS benchmarks.\n\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "Authenticated scan for Windows in Microsoft Defender Vulnerability Management"}, {"letter": "B", "text": "Microsoft Secure Score for Devices in Defender for Endpoint"}, {"letter": "C", "text": "attack surface reduction (ASR) rules in Defender for Endpoint"}, {"letter": "D", "text": "security baselines assessments in Microsoft Defender Vulnerability Management"}], "answer": ["D"], "multi": false}, {"order": 195, "questionNumber": 43, "topic": "Topic 3", "title": "195. Question #43 - Topic 3", "text": "You plan to deploy 20 Azure Kubernetes Service (AKS) clusters. The cluster configuration will be managed declaratively by using Kubernetes manifest files stored in Azure Repos.\n\nYou need to recommend a solution to ensure that the configuration of all the clusters remains consistent by using the manifest files stored in Azure Repos.\n\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "Gatekeeper"}, {"letter": "B", "text": "Dependency Tracker"}, {"letter": "C", "text": "Dependabot"}, {"letter": "D", "text": "Flux"}], "answer": ["D"], "multi": false}, {"order": 198, "questionNumber": 46, "topic": "Topic 3", "title": "198. Question #46 - Topic 3", "text": "You have a Microsoft 365 tenant named contoso.com.\n\nYou need to ensure that users can authenticate only to contoso.com. The solution must meet the following requirements:\n\n• Prevent the users from authenticating to other Microsoft 365 tenants.\n• Minimize administrative effort.\n\nWhat should you use?", "options": [{"letter": "A", "text": "Microsoft Entra Private Access"}, {"letter": "B", "text": "Microsoft Defender for Endpoint"}, {"letter": "C", "text": "Microsoft Entra Internet Access"}, {"letter": "D", "text": "Microsoft Defender for Cloud Apps"}], "answer": ["C"], "multi": false}, {"order": 199, "questionNumber": 47, "topic": "Topic 3", "title": "199. Question #47 - Topic 3", "text": "You have on-premises Windows 11 devices that have the Global Secure Access client deployed.\n\nYou have a Microsoft 365 subscription that uses Microsoft SharePoint Online and Exchange Online.\n\nYou deploy Microsoft Entra Internet Access from the on-premises network to Microsoft 365. The deployment has the Microsoft 365 profile enabled and contains the following:\n\n• Default traffic policies for Microsoft 365 services\n• A linked Conditional Access policy that performs compliant network checks with continuous access evaluation and is applied to all users\n• An assignment to all the devices\n• An assignment to a remote network associated with the on-premises network\n\nWhich Microsoft 365 resources are protected by using continuous access evaluation?", "options": [{"letter": "A", "text": "SharePoint Online only"}, {"letter": "B", "text": "Exchange Online only"}, {"letter": "C", "text": "both SharePoint Online and Exchange Online"}], "answer": ["C"], "multi": false}, {"order": 200, "questionNumber": 48, "topic": "Topic 3", "title": "200. Question #48 - Topic 3", "text": "You have an Azure subscription that contains multiple network security groups (NSGs), multiple virtual machines, and an Azure Bastion host named bastion1.\n\nSeveral NSGs contain rules that allow direct RDP access to the virtual machines by bypassing bastion1.\n\nYou need to ensure that the virtual machines can be accessed only by using bastion1. The solution must prevent the use of NSG rules to bypass bastion1.\n\nWhat should you include in the solution?\n\nPage21", "options": [{"letter": "A", "text": "Azure Virtual Network Manager security admin rules"}, {"letter": "B", "text": "Azure Virtual Network Manager connectivity configurations"}, {"letter": "C", "text": "Azure Firewall application rules"}, {"letter": "D", "text": "Azure Firewall network rules"}], "answer": ["A"], "multi": false}, {"order": 201, "questionNumber": 49, "topic": "Topic 3", "title": "201. Question #49 - Topic 3", "text": "Your company has 10 branch offices. Each office has a local internet connection that uses a static IP address.\n\nYou have an Azure subscription. The subscription contains a storage account named storage1 that stores blobs.\n\nUsers in the branch offices access the blobs via the internet.\n\nYou need to recommend a solution to ensure that the data in storage1 is accessible only from the branch office static IP addresses. The solution must minimize costs.\n\nWhat should include in the recommendation?", "options": [{"letter": "A", "text": "Azure Private Link"}, {"letter": "B", "text": "an Azure Firewall policy"}, {"letter": "C", "text": "Azure Storage firewall rules"}, {"letter": "D", "text": "a network security group (NSG)"}], "answer": ["C"], "multi": false}, {"order": 203, "questionNumber": 51, "topic": "Topic 3", "title": "203. Question #51 - Topic 3", "text": "Your company has a main office and 10 branch offices. Each branch office contains an on-premises file server that runs Windows Server and multiple devices that run either Windows 11 or macOS. The devices are enrolled in Microsoft Intune.\n\nYou have a Microsoft Entra tenant.\n\nYou need to deploy Global Secure Access to implement web filtering for device traffic to the internet. The solution must ensure that all the web traffic from the devices in the branch offices is controlled by using Global Secure Access.\n\nWhat should you do first in each branch office?", "options": [{"letter": "A", "text": "Configure an Intune policy to onboard Microsoft Defender for Endpoint to each device."}, {"letter": "B", "text": "Configure an IPsec tunnel on the router."}, {"letter": "C", "text": "Install the Microsoft Entra private network connector on the file server."}, {"letter": "D", "text": "Configure an Intune policy to deploy the Global Secure Access client to each device."}], "answer": ["D"], "multi": false}, {"order": 204, "questionNumber": 52, "topic": "Topic 3", "title": "204. Question #52 - Topic 3", "text": "You have an Azure subscription that contains SQL Server on Azure virtual machines located in the West US Azure region. The virtual machines are only accessible by using private IP addresses.\n\nYou plan to deploy a Windows-based Azure App Service web apps in the East US Azure region.\n\nYou need to recommend a solution to provide the web apps access to the SQL Server databases.\n\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "an Azure VPN gateway"}, {"letter": "B", "text": "a private endpoint"}, {"letter": "C", "text": "a service endpoint"}, {"letter": "D", "text": "an Azure Bastion host"}], "answer": ["A"], "multi": false}, {"order": 208, "questionNumber": 56, "topic": "Topic 3", "title": "208. Question #56 - Topic 3", "text": "Your on-premises network contains an Active Directory Domain Services (AD DS) domain named corp.contoso.com and an AD DS-integrated application named App1.\n\nYour perimeter network contains a server named Server1that runs Windows Server.\n\nYou have a Microsoft Entra tenant named contoso.com that syncs with corp.contoso.com.\n\nYou plan to implement a security solution that will include the following configurations:\n• Manage access to App1 by using Microsoft Entra Private Access.\n• Deploy a Microsoft Entra application proxy connector to Server1.\n• Implement single sign-on (SSO) for App1 by using Kerberos constrained delegation.\n• For Server1, configure the following rules in Windows Defender Firewall with Advanced Security: o Rule1: Allow TCP 443 inbound from a designated set of Azure URLs, o Rule2: Allow TCP 443 outbound to a designated set of Azure URLs, o Rule3: Allow TCP 80 outbound to a designated set of Azure URLs, o Rule4: Allow TCP 389 outbound to the domain controllers on corp.contoso.com.\n\nYou need to maximize security for the planned implementation. The solution must minimize the impact on the connector.\n\nWhich rule should you remove?", "options": [{"letter": "A", "text": "Rule1"}, {"letter": "B", "text": "Rule2"}, {"letter": "C", "text": "Rule3"}, {"letter": "D", "text": "Rule4"}], "answer": ["A"], "multi": false}, {"order": 209, "questionNumber": 57, "topic": "Topic 3", "title": "209. Question #57 - Topic 3", "text": "You have a Microsoft Entra tenant named contoso.com and use Microsoft Intune. Each user in contoso.com has a Microsoft Entra ID P1 license and a Windows 11 device that has the Global Secure Access client deployed.\n\nYou plan to deploy the following configuration of Microsoft Entra Internet Access:\n\n• Enable a baseline profile.\n• Create a security profile named Profile1 that has a priority of 300 and contains a single web content filtering policy named\nWCFPolicy1. Configure WCFPolicy1 as follows:\no Set Action to allow.\no Include a single rule that has a fully qualified domain name (FQDN) destination of *.adatum.com.\n• Link Profile1 to a Conditional Access policy named CAPolicy1, apply CAPolicy1 to all users, and grant access unless a user's device is noncompliant.\n\nYou need to evaluate the impact of the planned deployment on traffic to the following resources:\n\n• https://www.adatum.com:8433\n• https://www.fabrikam.com\n\nWhich two traffic scenarios will occur? Each correct answer presents a complete solution.\n\nNOTE: Each correct selection is worth one point.", "options": [{"letter": "A", "text": "Traffic to https://www.fabrikam.com will be allowed from all the devices."}, {"letter": "B", "text": "Traffic to https://www.adatum.com:8433 will be blocked from all the devices."}, {"letter": "C", "text": "Traffic to https://www.adatum.com:8433 will be allowed from all the devices."}, {"letter": "D", "text": "Traffic to https://www.fabrikam.com will be allowed from compliant devices only."}, {"letter": "E", "text": "Traffic to https://www.adatum.com:8433 will be allowed from compliant devices only."}, {"letter": "F", "text": "Traffic to https://www.fabrikam.com will be blocked from noncompliant devices only."}], "answer": ["D", "E"], "multi": true}, {"order": 211, "questionNumber": 59, "topic": "Topic 3", "title": "211. Question #59 - Topic 3", "text": "You have a multicloud environment that contains an Azure subscription, an Amazon Web Services (AWS) subscription, and a Google Cloud Platform (GCP) subscription.\n\nYou plan to assess data security and compliance.\n\nYou need to design a Compliance Manager solution that meets the following requirements:\n\n• Provides recommended improvement actions that include detailed implementation guidance\n• Automatically monitors regulatory compliance\n• Minimizes administrative effort\n\nWhat should you include in the solution?", "options": [{"letter": "A", "text": "Microsoft Defender for Cloud"}, {"letter": "B", "text": "Compliance Manager connectors"}, {"letter": "C", "text": "Microsoft Defender for Cloud Apps"}, {"letter": "D", "text": "Microsoft Sentinel"}], "answer": ["A"], "multi": false}, {"order": 213, "questionNumber": 61, "topic": "Topic 3", "title": "213. Question #61 - Topic 3", "text": "Your on-premises network contains an Active Directory Domain Services (AD DS) domain. The domain contains a server named Serve1 that runs Windows Server 2022.\n\nYou have an Azure subscription that is linked to a hybrid Microsoft Entra tenant and contains a user named User1. User1 works remotely.\n\nYou need to ensure that User1 can establish RDP connections to Server1 via the internet. The solution must ensure that User1 authenticates by using multifactor authentication (MFA).\n\nWhat should you include in the solution?", "options": [{"letter": "A", "text": "Windows Admin Center"}, {"letter": "B", "text": "Microsoft Entra Internet Access"}, {"letter": "C", "text": "Azure Bastion"}, {"letter": "D", "text": "Microsoft Entra Private Access"}], "answer": ["D"], "multi": false}, {"order": 214, "questionNumber": 62, "topic": "Topic 3", "title": "214. Question #62 - Topic 3", "text": "You have a multicloud environment that contains an Azure subscription, an Amazon Web Services (AWS) subscription, and a Google Cloud Platform (GCP) subscription.\n\nYou plan to implement Cloud Security Posture Management (CSPM) by using Microsoft Defender for Cloud.\n\nYou need to design a solution that will provide attack path analysis functionality for each subscription.\n\nWhat should you include in the solution?", "options": [{"letter": "A", "text": "regulatory compliance"}, {"letter": "B", "text": "Microsoft Defender External Attack Surface Management (Defender EASM)"}, {"letter": "C", "text": "agentless scanning"}, {"letter": "D", "text": "Microsoft Cloud Security Benchmark (MCSB)"}], "answer": ["C"], "multi": false}, {"order": 215, "questionNumber": 63, "topic": "Topic 3", "title": "215. Question #63 - Topic 3", "text": "You have an Azure subscription. The subscription contains 200 virtual machines that run Windows Server 2022 and are protected by using Microsoft Defender for Servers Plan 1. You have an Amazon Web Services (AWS) subscription.\n\nTo the AWS subscription, you plan to deploy 100 virtual machines that run Windows Server 2022.\n\nYou need to recommend which agent to deploy to the virtual machines in the AWS subscription. The solution must meet the following requirements:\n\n• Provide consistent workload protection across all cloud platforms.\n• Minimize the number of agents deployed to each virtual machine.\n\nWhat should you recommend?", "options": [{"letter": "A", "text": "the log Analytics agent"}, {"letter": "B", "text": "the Azure Connected Machine agent"}, {"letter": "C", "text": "the Microsoft Defender for Endpoint agent"}, {"letter": "D", "text": "the Azure Monitor Agent"}], "answer": ["C"], "multi": false}, {"order": 216, "questionNumber": 64, "topic": "Topic 3", "title": "216. Question #64 - Topic 3", "text": "You have an Azure subscription. The subscription contains 100 virtual machines that run Linux on Windows Server. The subscription uses Microsoft Defender for Servers Plan 1.\n\nYou need to recommend a solution to identify and remediate virtual machines that have the following characteristics:\n\n• Are NOT onboarded to Defender for Servers\n• Are missing critical updates\n• Have risky apps installed\n\nThe solution must minimize administrative effort.\n\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "Microsoft Defender External Attack Surface Management (Defender EASM)"}, {"letter": "B", "text": "Microsoft Defender Vulnerability Management"}, {"letter": "C", "text": "Microsoft Defender Threat Intelligence (Defender TI)"}, {"letter": "D", "text": "Microsoft Intune Advanced Analytics"}], "answer": ["B"], "multi": false}, {"order": 217, "questionNumber": 65, "topic": "Topic 3", "title": "217. Question #65 - Topic 3", "text": "You have a Microsoft 365 E5 subscription. The subscription contains 500 devices that run Windows 11 Pro and are enrolled in Microsoft Intune.\n\nYou need to evaluate the use of Microsoft Defender Vulnerability Management to provide recommended configuration changes for the devices.\n\nWhich Endpoint security settings should you use to review the recommended changes?", "options": [{"letter": "A", "text": "Security tasks"}, {"letter": "B", "text": "Attack surface reduction"}, {"letter": "C", "text": "End point detection and response"}, {"letter": "D", "text": "Device compliance"}], "answer": ["A"], "multi": false}, {"order": 218, "questionNumber": 66, "topic": "Topic 3", "title": "218. Question #66 - Topic 3", "text": "You have an Azure subscription that contains the Azure Virtual Machine Scale Sets shown in the following table.\n\nYou are evaluating Azure Update Manager and automatic virtual machine guest patching.\n\nWhich virtual machine scale sets will automatic guest patching support?", "options": [{"letter": "A", "text": "VMSS1 only"}, {"letter": "B", "text": "VMSS2 only"}, {"letter": "C", "text": "VMSS1 and VMSS3 only"}, {"letter": "D", "text": "VMSS2 and VMSS4 only"}, {"letter": "E", "text": "VMSS1, VMSS2, VMSS3, and VMSS4"}], "answer": ["C"], "multi": false}, {"order": 221, "questionNumber": 69, "topic": "Topic 3", "title": "221. Question #69 - Topic 3", "text": "You have an Azure subscription named Sub1 that is linked to a Microsoft Entra tenant named contoso.com. Sub1 contains 20 virtual networks named Sub1_VNet1 through Sub1_VNet20.\n\nYou have an Azure subscription named Sub2 that is linked to a Microsoft Entra tenant named fabrikam.com. Sub2 contains 20 virtual networks named Sub2_VNet1 through Sub2_VNet20.\n\nYou need to deploy an Azure Virtual Network Manager solution that meets the following requirements:\n• Blocks SSH traffic on Sub1_VNet20 and Sub2_VNet20 by using network security groups (NSGs)\n• Blocks SSH traffic on Sub1_VNet1 through Sub1_VNet19 and Sub2_VNet1 through Sub2_VNet19\n• Allows SSH traffic on Sub1_VNet20 and Sub2_VNet20\n• Blocks FTP traffic on all the virtual networks\n• Minimizes administrative effort\n\nWhat is minimum number of components required for the deployment?", "options": [{"letter": "A", "text": "• 1 Virtual Network Manager instance\n• 1 rule collection\n• 2 NSGs"}, {"letter": "B", "text": "• 2 Virtual Network Manager instances that each contains:\no 1 NSG\no 1 rule collection"}, {"letter": "C", "text": "• 2 Virtual Network Manager instances that each contains:\no 2 NSGs\no 2 rule collections"}, {"letter": "D", "text": "• 1 Virtual Network Manager instance\n• 2 rule collections\n• 2 NSGs"}], "answer": ["A"], "multi": false}, {"order": 222, "questionNumber": 70, "topic": "Topic 3", "title": "222. Question #70 - Topic 3", "text": "You have an Azure subscription.\n\nYou have a subscription to a third-party cloud provider. The subscription contains 100 virtual machines.\n\nYou manage cloud security for both subscriptions from the Azure subscription.\n\nYou need to recommend a solution to validate the security posture of the virtual machines.\n\nWhich two services should you include in the recommendation? Each correct answer presents part of the solution.\n\nNOTE: Each correct answer is worth one point.", "options": [{"letter": "A", "text": "Microsoft Sentinel"}, {"letter": "B", "text": "Azure Arc"}, {"letter": "C", "text": "Microsoft Defender for Cloud"}, {"letter": "D", "text": "Azure Lighthouse"}, {"letter": "E", "text": "Microsoft Defender for Endpoint"}], "answer": ["B", "C"], "multi": true}, {"order": 223, "questionNumber": 71, "topic": "Topic 3", "title": "223. Question #71 - Topic 3", "text": "You have an Azure subscription that uses Microsoft Defender for Cloud.\n\nYou have Amazon Web Services (AWS), Google Cloud Platform (GCP), and Oracle Cloud Infrastructure (OCI) subscriptions.\n\nYou create a custom security standard in Defender for Cloud.\n\nTo which subscriptions can the Defender for Cloud standard be applied?", "options": [{"letter": "A", "text": "Azure and AWS only"}, {"letter": "B", "text": "Azure and GCP only"}, {"letter": "C", "text": "Azure, AWS, and GCP only"}, {"letter": "D", "text": "Azure, AWS, and OCI only"}, {"letter": "E", "text": "Azure, AWS, GCP, and OCI"}], "answer": ["C"], "multi": false}, {"order": 225, "questionNumber": 73, "topic": "Topic 3", "title": "225. Question #73 - Topic 3", "text": "You have a Microsoft 365 subscription.\n\nYou have a Conditional Access policy that has the following settings:\n\n• Name: Policy 1\n• Assignments\no Users:\n- Include: All users\no Target resources\n- Include: Select apps; Office 365\no Network\n- Include: Any network or location\n- Exclude: Selected networks and locations; Site1\no Access controls\n- Grant: Require multifactor authentication, Require Hybrid Microsoft Entra joined device\n\nYou plan to implement Zero Trust Rapid Modernization Plan (RaMP).\n\nYou need to ensure that Policy1 aligns with best practice recommendations in RaMP.\n\nWhich setting should you change?", "options": [{"letter": "A", "text": "Include: Any network or location"}, {"letter": "B", "text": "Exclude: Selected networks and locations; Site1"}, {"letter": "C", "text": "Grant Require Hybrid Microsoft Entra joined device"}, {"letter": "D", "text": "Grant: Require multifactor authentication"}], "answer": ["B"], "multi": false}, {"order": 226, "questionNumber": 1, "topic": "Topic 4", "title": "226. Question #1 - Topic 4", "text": "You have a Microsoft 365 subscription and an Azure subscription. Microsoft 365 Defender and Microsoft Defender for Cloud are enabled.\nThe Azure subscription contains 50 virtual machines. Each virtual machine runs different applications on Windows Server 2019.\nYou need to recommend a solution to ensure that only authorized applications can run on the virtual machines. If an unauthorized application attempts to run or be installed, the application must be blocked automatically until an administrator authorizes the application.\nWhich security control should you recommend?", "options": [{"letter": "A", "text": "app registrations in Azure Active Directory (Azure AD)"}, {"letter": "B", "text": "OAuth app policies in Microsoft Defender for Cloud Apps"}, {"letter": "C", "text": "Azure Security Benchmark compliance controls in Defender for Cloud"}, {"letter": "D", "text": "application control policies in Microsoft Defender for Endpoint"}], "answer": ["D"], "multi": false}, {"order": 227, "questionNumber": 2, "topic": "Topic 4", "title": "227. Question #2 - Topic 4", "text": "Your company plans to provision blob storage by using an Azure Storage account. The blob storage will be accessible from 20 application servers on the internet.\nYou need to recommend a solution to ensure that only the application servers can access the storage account.\nWhat should you recommend using to secure the blob storage?", "options": [{"letter": "A", "text": "managed rule sets in Azure Web Application Firewall (WAF) policies"}, {"letter": "B", "text": "inbound rules in network security groups (NSGs)"}, {"letter": "C", "text": "firewall rules for the storage account"}, {"letter": "D", "text": "inbound rules in Azure Firewall"}, {"letter": "E", "text": "service tags in network security groups (NSGs)"}], "answer": ["C"], "multi": false}, {"order": 228, "questionNumber": 3, "topic": "Topic 4", "title": "228. Question #3 - Topic 4", "text": "Your company is developing a modern application that will un as an Azure App Service web app.\nYou plan to perform threat modeling to identity potential security issues by using the Microsoft Threat Modeling Tool.\nWhich type of diagram should you create?", "options": [{"letter": "A", "text": "system flow"}, {"letter": "B", "text": "data flow"}, {"letter": "C", "text": "process flow"}, {"letter": "D", "text": "network flow"}], "answer": ["B"], "multi": false}, {"order": 229, "questionNumber": 4, "topic": "Topic 4", "title": "229. Question #4 - Topic 4", "text": "Your company has an on-premises network and an Azure subscription.\nThe company does NOT have a Site-to-Site VPN or an ExpressRoute connection to Azure.\nYou are designing the security standards for Azure App Service web apps. The web apps will access Microsoft SQL Server databases on the network.\nYou need to recommend security standards that will allow the web apps to access the databases. The solution must minimize the number of open internet- accessible endpoints to the on-premises network.\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "virtual network NAT gateway integration"}, {"letter": "B", "text": "hybrid connections"}, {"letter": "C", "text": "virtual network integration"}, {"letter": "D", "text": "a private endpoint"}], "answer": ["B"], "multi": false}, {"order": 230, "questionNumber": 5, "topic": "Topic 4", "title": "230. Question #5 - Topic 4", "text": "You are creating an application lifecycle management process based on the Microsoft Security Development Lifecycle (SDL).\nYou need to recommend a security standard for onboarding applications to Azure. The standard will include recommendations for application design, development, and deployment.\nWhat should you include during the application design phase?\n\nPage24", "options": [{"letter": "A", "text": "software decomposition by using Microsoft Visual Studio Enterprise"}, {"letter": "B", "text": "dynamic application security testing (DAST) by using Veracode"}, {"letter": "C", "text": "threat modeling by using the Microsoft Threat Modeling Tool"}, {"letter": "D", "text": "static application security testing (SAST) by using SonarQube"}], "answer": ["C"], "multi": false}, {"order": 232, "questionNumber": 7, "topic": "Topic 4", "title": "232. Question #7 - Topic 4", "text": "Your company is developing a new Azure App Service web app.\nYou are providing design assistance to verify the security of the web app.\nYou need to recommend a solution to test the web app for vulnerabilities such as insecure server configurations, cross-site scripting (XSS), and SQL injection.\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "dynamic application security testing (DAST)"}, {"letter": "B", "text": "static application security testing (SAST)"}, {"letter": "C", "text": "interactive application security testing (IAST)"}, {"letter": "D", "text": "runtime application self-protection (RASP)"}], "answer": ["A"], "multi": false}, {"order": 233, "questionNumber": 8, "topic": "Topic 4", "title": "233. Question #8 - Topic 4", "text": "Your company develops several applications that are accessed as custom enterprise applications in Azure Active Directory (Azure AD).\nYou need to recommend a solution to prevent users on a specific list of countries from connecting to the applications.\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "activity policies in Microsoft Defender for Cloud Apps"}, {"letter": "B", "text": "sign-in risk policies in Azure AD Identity Protection"}, {"letter": "C", "text": "Azure AD Conditional Access policies"}, {"letter": "D", "text": "device compliance policies in Microsoft Endpoint Manager"}, {"letter": "E", "text": "user risk poticies in Azure AD Identity Protection"}], "answer": ["C"], "multi": false}, {"order": 234, "questionNumber": 9, "topic": "Topic 4", "title": "234. Question #9 - Topic 4", "text": "Your company has an Azure subscription that uses Azure Storage.\nThe company plans to share specific blobs with vendors.\nYou need to recommend a solution to provide the vendors with secure access to specific blobs without exposing the blobs publicly. The access must be time- limited.\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "Configure private link connections."}, {"letter": "B", "text": "Configure encryption by using customer-managed keys (CMKs)."}, {"letter": "C", "text": "Share the connection string of the access key."}, {"letter": "D", "text": "Create shared access signatures (SAS)."}], "answer": ["D"], "multi": false}, {"order": 235, "questionNumber": 10, "topic": "Topic 4", "title": "235. Question #10 - Topic 4", "text": "Your company is developing an invoicing application that will use Azure Active Directory (Azure AD) B2C. The application will be deployed as an App Service web app.\nYou need to recommend a solution to the application development team to secure the application from identity-related attacks.\nWhich two configurations should you recommend? Each correct answer presents part of the solution.\nNOTE: Each correct selection is worth one point.", "options": [{"letter": "A", "text": "Azure AD workbooks to monitor risk detections"}, {"letter": "B", "text": "Azure AD Conditional Access integration with user flows and custom policies"}, {"letter": "C", "text": "smart account lockout in Azure AD B2C"}, {"letter": "D", "text": "access packages in Identity Governance"}, {"letter": "E", "text": "custom resource owner password credentials (ROPC) flows in Azure AD B2C"}], "answer": ["B", "C"], "multi": true}, {"order": 236, "questionNumber": 11, "topic": "Topic 4", "title": "236. Question #11 - Topic 4", "text": "Your company has a Microsoft 365 E5 subscription.\nUsers use Microsoft Teams, Exchange Online, SharePoint Online, and OneDrive for sharing and collaborating.\nThe company identifies protected health information (PHI) within stored documents and communications.\nWhat should you recommend using to prevent the PHI from being shared outside the company?", "options": [{"letter": "A", "text": "sensitivity label policies"}, {"letter": "B", "text": "data loss prevention (DLP) policies"}, {"letter": "C", "text": "insider risk management policies"}, {"letter": "D", "text": "retention policies"}], "answer": ["B"], "multi": false}, {"order": 237, "questionNumber": 12, "topic": "Topic 4", "title": "237. Question #12 - Topic 4", "text": "Your company has a Microsoft 365 E5 subscription.\nThe company wants to identify and classify data in Microsoft Teams, SharePoint Online, and Exchange Online.\nYou need to recommend a solution to identify documents that contain sensitive information.\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "data classification content explorer"}, {"letter": "B", "text": "data loss prevention (DLP)"}, {"letter": "C", "text": "eDiscovery"}, {"letter": "D", "text": "Information Governance"}], "answer": ["A"], "multi": false}, {"order": 238, "questionNumber": 13, "topic": "Topic 4", "title": "238. Question #13 - Topic 4", "text": "Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.\nAfter you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.\nYou are designing a security strategy for providing access to Azure App Service web apps through an Azure Front Door instance.\nYou need to recommend a solution to ensure that the web apps only allow access through the Front Door instance.\nSolution: You recommend configuring gateway-required virtual network integration.\nDoes this meet the goal?", "options": [{"letter": "A", "text": "Yes"}, {"letter": "B", "text": "No"}], "answer": ["B"], "multi": false}, {"order": 239, "questionNumber": 14, "topic": "Topic 4", "title": "239. Question #14 - Topic 4", "text": "Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.\nAfter you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.\nYou are designing a security strategy for providing access to Azure App Service web apps through an Azure Front Door instance.\nYou need to recommend a solution to ensure that the web apps only allow access through the Front Door instance.\nSolution: You recommend access restrictions that allow traffic from the Front Door service tags.\nDoes this meet the goal?", "options": [{"letter": "A", "text": "Yes"}, {"letter": "B", "text": "No"}], "answer": ["B"], "multi": false}, {"order": 240, "questionNumber": 15, "topic": "Topic 4", "title": "240. Question #15 - Topic 4", "text": "Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.\nAfter you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.\nYou are designing a security strategy for providing access to Azure App Service web apps through an Azure Front Door instance.\nYou need to recommend a solution to ensure that the web apps only allow access through the Front Door instance.\nSolution: You recommend access restrictions based on HTTP headers that have the Front Door ID.\nDoes this meet the goal?\n\nPage25", "options": [{"letter": "A", "text": "Yes"}, {"letter": "B", "text": "No"}], "answer": ["A"], "multi": false}, {"order": 241, "questionNumber": 16, "topic": "Topic 4", "title": "241. Question #16 - Topic 4", "text": "Your company has an on-premises network, an Azure subscription, and a Microsoft 365 E5 subscription.\nThe company uses the following devices:\n✑ Computers that run either Windows 10 or Windows 11\n✑ Tablets and phones that run either Android or iOS\nYou need to recommend a solution to classify and encrypt sensitive Microsoft Office 365 data regardless of where the data is stored.\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "eDiscovery"}, {"letter": "B", "text": "Microsoft Information Protection"}, {"letter": "C", "text": "Compliance Manager"}, {"letter": "D", "text": "retention policies"}], "answer": ["B"], "multi": false}, {"order": 242, "questionNumber": 17, "topic": "Topic 4", "title": "242. Question #17 - Topic 4", "text": "You have a Microsoft 365 E5 subscription.\nYou are designing a solution to protect confidential data in Microsoft SharePoint Online sites that contain more than one million documents.\nYou need to recommend a solution to prevent Personally Identifiable Information (PII) from being shared.\nWhich two components should you include in the recommendation? Each correct answer presents part of the solution.\nNOTE: Each correct selection is worth one point.", "options": [{"letter": "A", "text": "data loss prevention (DLP) policies"}, {"letter": "B", "text": "retention label policies"}, {"letter": "C", "text": "eDiscovery cases"}, {"letter": "D", "text": "sensitivity label policies"}], "answer": ["A", "D"], "multi": true}, {"order": 243, "questionNumber": 18, "topic": "Topic 4", "title": "243. Question #18 - Topic 4", "text": "Your company has the virtual machine infrastructure shown in the following table.\n\nThe company plans to use Microsoft Azure Backup Server (MABS) to back up the virtual machines to Azure.\nYou need to provide recommendations to increase the resiliency of the backup strategy to mitigate attacks such as ransomware.\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "Use geo-redundant storage (GRS)."}, {"letter": "B", "text": "Maintain multiple copies of the virtual machines."}, {"letter": "C", "text": "Encrypt the backups by using customer-managed keys (CMKS)."}, {"letter": "D", "text": "Require PINs to disable backups."}], "answer": ["D"], "multi": false}, {"order": 244, "questionNumber": 19, "topic": "Topic 4", "title": "244. Question #19 - Topic 4", "text": "You have a Microsoft 365 tenant that uses Microsoft SharePoint Online and Microsoft Purview. Microsoft Purview has a sensitivity\n\nlabel named Label1 that is applied to the files stored on SharePoint Online sites.\n\nYou need to recommend a Microsoft Purview Data Loss Prevention (DLP) policy that meets the following requirements:\n\n• Prevents users from uploading the files to third-party external websites\n• Allows users to upload the files to Microsoft OneDrive for Business\n\nTo which location should you apply the DLP policy?", "options": [{"letter": "A", "text": "Devices"}, {"letter": "B", "text": "OneDrive accounts"}, {"letter": "C", "text": "SharePoint sites"}, {"letter": "D", "text": "Microsoft Defender for Cloud Apps"}], "answer": ["D"], "multi": false}, {"order": 247, "questionNumber": 22, "topic": "Topic 4", "title": "247. Question #22 - Topic 4", "text": "You have a Microsoft 365 subscription that syncs with Active Directory Domain Services (AD DS).\n\nYou need to define the recovery steps for a ransomware attack that encrypted data in the subscription. The solution must follow Microsoft Security Best Practices.\n\nWhat is the first step in the recovery plan?", "options": [{"letter": "A", "text": "From Microsoft Defender for Endpoint, perform a security scan."}, {"letter": "B", "text": "Recover files to a cleaned computer or device."}, {"letter": "C", "text": "Contact law enforcement."}, {"letter": "D", "text": "Disable Microsoft OneDrive sync and Exchange ActiveSync."}], "answer": ["D"], "multi": false}, {"order": 249, "questionNumber": 24, "topic": "Topic 4", "title": "249. Question #24 - Topic 4", "text": "Your company is developing an invoicing application that will use Azure AD B2C. The application will be deployed as an App Service web app.\n\nYou need to recommend a solution to the application development team to secure the application from identity-related attacks.\n\nWhich two configurations should you recommend? Each correct answer presents part of the solution.\n\nNOTE: Each correct selection is worth one point.", "options": [{"letter": "A", "text": "Azure AD Conditional Access integration with user flows and custom policies"}, {"letter": "B", "text": "smart account lockout in Azure AD B2C"}, {"letter": "C", "text": "access packages in Identity Governance"}, {"letter": "D", "text": "custom resource owner password credentials (ROPC) flows in Azure AD B2C"}], "answer": ["A", "B"], "multi": true}, {"order": 250, "questionNumber": 25, "topic": "Topic 4", "title": "250. Question #25 - Topic 4", "text": "Your company plans to evaluate the security of its Azure environment based on the principles of the Microsoft Cloud Adoption Framework for Azure.\n\nYou need to recommend a cloud-based service to evaluate whether the Azure resources comply with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).\n\nWhat should you recommend?\n\nPage26", "options": [{"letter": "A", "text": "Compliance Manager in Microsoft Purview"}, {"letter": "B", "text": "Microsoft Defender for Cloud"}, {"letter": "C", "text": "Microsoft Sentinel"}, {"letter": "D", "text": "Microsoft Defender for Cloud Apps"}], "answer": ["B"], "multi": false}, {"order": 253, "questionNumber": 28, "topic": "Topic 4", "title": "253. Question #28 - Topic 4", "text": "You have an on-premises app named App1.\n\nRemote users access App1 by using VPN connections.\n\nYou have a third-party software as a service (SaaS) app named App2.\n\nYou need to deploy Global Secure Access to manage access to App1 and App2.\n\nWhat should you use for each app?", "options": [{"letter": "A", "text": "Microsoft Entra Private Access for App2 and Microsoft Entra Internet Access for App1"}, {"letter": "B", "text": "Microsoft Entra Private Access for App1 and Microsoft Entra Internet Access for App2"}, {"letter": "C", "text": "Microsoft Entra Internet Access for App1 and App2"}, {"letter": "D", "text": "Microsoft Entra Private Access for App1 and App2"}], "answer": ["B"], "multi": false}, {"order": 254, "questionNumber": 29, "topic": "Topic 4", "title": "254. Question #29 - Topic 4", "text": "You have a Microsoft 365 subscription.\n\nYou need to design a solution to block file downloads from Microsoft SharePoint Online by authenticated users on unmanaged devices.\n\nWhich two services should you include in the solution? Each correct answer presents part of the solution.\n\nNOTE: Each correct selection is worth one point.", "options": [{"letter": "A", "text": "Azure AD Conditional Access"}, {"letter": "B", "text": "Azure Data Catalog"}, {"letter": "C", "text": "Microsoft Purview Information Protection"}, {"letter": "D", "text": "Azure AD Application Proxy"}, {"letter": "E", "text": "Microsoft Defender for Cloud Apps"}], "answer": ["A", "E"], "multi": true}, {"order": 256, "questionNumber": 31, "topic": "Topic 4", "title": "256. Question #31 - Topic 4", "text": "You have a Microsoft 365 tenant. Your company uses a third-party software as a service (SaaS) app named App1. App1 supports authenticating users by using Azure AD credentials.\n\nYou need to recommend a solution to enable users to authenticate to App1 by using their Azure AD credentials.\n\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "Azure AD Application Proxy"}, {"letter": "B", "text": "Azure AD B2C"}, {"letter": "C", "text": "an Azure AD enterprise application"}, {"letter": "D", "text": "a relying party trust in Active Directory Federation Services (AD FS)"}], "answer": ["C"], "multi": false}, {"order": 257, "questionNumber": 32, "topic": "Topic 4", "title": "257. Question #32 - Topic 4", "text": "You have a Microsoft 365 tenant.\n\nYour company uses a third-party software as a service (SaaS) app named App1 that is integrated with an Azure AD tenant.\n\nYou need to design a security strategy to meet the following requirements:\n\n• Users must be able to request access to App1 by using a self-service request.\n• When users request access to App1, they must be prompted to provide additional information about their request.\n• Every three months, managers must verify that the users still require access to App1.\n\nWhat should you include in the design?", "options": [{"letter": "A", "text": "Microsoft Entra Identity Governance"}, {"letter": "B", "text": "connected apps in Microsoft Defender for Cloud Apps"}, {"letter": "C", "text": "access policies in Microsoft Defender for Cloud Apps"}, {"letter": "D", "text": "Azure AD Application Proxy"}], "answer": ["A"], "multi": false}, {"order": 258, "questionNumber": 33, "topic": "Topic 4", "title": "258. Question #33 - Topic 4", "text": "You have an Azure subscription.\n\nYou have a DNS domain named contoso.com that is hosted by a third-party DNS registrar.\n\nDevelopers use Azure DevOps to deploy web apps to App Service Environments. When a new app is deployed, a CNAME record for the app is registered in contoso.com.\n\nYou need to recommend a solution to secure the DNS record for each web app. The solution must meet the following requirements:\n\n• Ensure that when an app is deleted, the CNAME record for the app is removed also.\n• Minimize administrative effort.\n\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "Microsoft Defender for Cloud Apps"}, {"letter": "B", "text": "Microsoft Defender for DevOps"}, {"letter": "C", "text": "Microsoft Defender for App Service"}, {"letter": "D", "text": "Microsoft Defender for DNS"}], "answer": ["C"], "multi": false}, {"order": 263, "questionNumber": 38, "topic": "Topic 4", "title": "263. Question #38 - Topic 4", "text": "You have an Azure subscription. The subscription contains 100 virtual machines that run Windows Server. The virtual machines are managed by using Azure Policy and Microsoft Defender for Servers.\n\nYou need to enhance security on the virtual machines. The solution must meet the following requirements:\n\n• Ensure that only apps on an allowlist can be run.\n• Require administrators to confirm each app added to the allowlist.\n• Automatically add unauthorized apps to a blocklist when an attempt is made to launch the app.\n• Require administrators to approve an app before the app can be moved from the blocklist to the allowlist.\n\nWhat should you include in the solution?", "options": [{"letter": "A", "text": "a compute policy in Azure Policy"}, {"letter": "B", "text": "app governance in Microsoft Defender for Cloud Apps"}, {"letter": "C", "text": "admin consent settings for enterprise applications in Microsoft Entra ID"}, {"letter": "D", "text": "adaptive application controls in Defender for Servers"}], "answer": ["D"], "multi": false}, {"order": 265, "questionNumber": 40, "topic": "Topic 4", "title": "265. Question #40 - Topic 4", "text": "You have an on-premises server that runs Windows Server and contains a Microsoft SQL Server database named DB1.\n\nYou plan to migrate DB1 to Azure.\n\nYou need to recommend an encrypted Azure database solution that meets the following requirements:\n\n• Minimizes the risks of malware that uses elevated privileges to access sensitive data\n• Prevents database administrators from accessing sensitive data\n• Enables pattern matching for server-side database operations\n• Supports Microsoft Azure Attestation\n• Uses hardware-based encryption\n\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "SQL Server on Azure Virtual Machines with virtualization-based security (VBS) enclaves"}, {"letter": "B", "text": "Azure SQL Database with virtualization-based security (VBS) enclaves"}, {"letter": "C", "text": "Azure SQL Managed Instance that has Always Encrypted configured"}, {"letter": "D", "text": "Azure SQL Database with Intel Software Guard Extensions (Intel SGX) enclaves"}], "answer": ["D"], "multi": false}, {"order": 266, "questionNumber": 41, "topic": "Topic 4", "title": "266. Question #41 - Topic 4", "text": "Your company has a Microsoft 365 E5 subscription.\n\nThe company wants to identify and classify data in Microsoft Teams, SharePoint Online, and Exchange Online.\n\nYou need to recommend a solution to identify documents that contain sensitive information.\n\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "content explorer"}, {"letter": "B", "text": "data loss prevention (DLP)"}, {"letter": "C", "text": "eDiscovery"}, {"letter": "D", "text": "data lifecycle management"}], "answer": ["A"], "multi": false}, {"order": 267, "questionNumber": 42, "topic": "Topic 4", "title": "267. Question #42 - Topic 4", "text": "You have an Azure subscription that contains multiple Azure Data Lake Storage accounts.\n\nYou need to recommend a solution to encrypt the content of the accounts by using service-side encryption and customer-managed keys. The solution must ensure that individual encryption keys are applied at the most granular level.\n\nAt which level should you recommend the encryption be applied?", "options": [{"letter": "A", "text": "file"}, {"letter": "B", "text": "container"}, {"letter": "C", "text": "folder"}, {"letter": "D", "text": "account"}], "answer": ["A"], "multi": false}, {"order": 268, "questionNumber": 43, "topic": "Topic 4", "title": "268. Question #43 - Topic 4", "text": "You have an Azure subscription.\n\nYou plan to deploy multiple containerized microservice-based apps to Azure Kubernetes Service (AKS).\n\nYou need to recommend a solution that meets the following requirements:\n\n• Manages secrets\n• Provides encryption\n• Secures service-to-service communication by using mTLS encryption\n• Minimizes administrative effort\n\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "Flux"}, {"letter": "B", "text": "Envoy"}, {"letter": "C", "text": "Dapr"}, {"letter": "D", "text": "Istio"}], "answer": ["C"], "multi": false}, {"order": 269, "questionNumber": 44, "topic": "Topic 4", "title": "269. Question #44 - Topic 4", "text": "You have an Azure subscription that contains multiple Azure Blob Storage accounts.\n\nYou need to recommend a solution to detect threats in files after the files are uploaded to a blob container.\n\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "sensitive data threat detection in Microsoft Defender for Storage"}, {"letter": "B", "text": "runtime threat protection in Microsoft Defender for Containers"}, {"letter": "C", "text": "vulnerability assessment in Microsoft Defender for Containers"}, {"letter": "D", "text": "malware scanning in Microsoft Defender for Storage"}], "answer": ["D"], "multi": false}, {"order": 270, "questionNumber": 45, "topic": "Topic 4", "title": "270. Question #45 - Topic 4", "text": "You have an Azure subscription.\n\nYou plan to deploy Azure App Services apps by using Azure DevOps.\n\nYou need to recommend a solution to ensure that deployed apps maintain compliance with Microsoft cloud security benchmark (MCSB) recommendations.\n\nWhat should you include in the recommendation?\n\nPage28", "options": [{"letter": "A", "text": "DevOps security in Microsoft Defender for Cloud"}, {"letter": "B", "text": "Microsoft Defender for App Service"}, {"letter": "C", "text": "Azure Policy"}, {"letter": "D", "text": "a branch policy in Azure DevOps"}], "answer": ["C"], "multi": false}, {"order": 279, "questionNumber": 54, "topic": "Topic 4", "title": "279. Question #54 - Topic 4", "text": "You have two Azure subscriptions named Sub1 and Sub2 that contain the vaults shown in the following table.\n\nYou need to design a multi-user authorization (MUA) solution for security operations on the vaults. The solution must meet the following requirements:\n\n• RSVault1 and RSVault2 must require MUA for disabling soft delete, removing MUA protection, and disabling immutability.\n• BackupVault1 and BackupVault2 must require MUA for disabling soft delete and removing MUA protection.\n\nWhat is the minimum number of Resource Guard resources required?", "options": [{"letter": "A", "text": "1"}, {"letter": "B", "text": "2"}, {"letter": "C", "text": "3"}, {"letter": "D", "text": "4"}], "answer": ["B"], "multi": false}, {"order": 281, "questionNumber": 56, "topic": "Topic 4", "title": "281. Question #56 - Topic 4", "text": "You have a Microsoft 365 tenant. Your company uses a third-party software as a service (SaaS) app named App1. App1 supports authenticating users by using Microsoft Entra credentials.\n\nYou need to recommend a solution to enable users to authenticate to App1 by using their Microsoft Entra credentials.\n\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "a relying party trust in Active Directory Federation Services (AD FS)"}, {"letter": "B", "text": "a Microsoft Entra enterprise application"}, {"letter": "C", "text": "Microsoft Entra Application Proxy"}, {"letter": "D", "text": "Microsoft Entra External ID"}], "answer": ["B"], "multi": false}, {"order": 284, "questionNumber": 59, "topic": "Topic 4", "title": "284. Question #59 - Topic 4", "text": "Note: This section contains one or more sets of questions with the same scenario and problem. Each question presents a unique solution to the problem. You must determine whether the solution meets the stated goals. More than one solution in the set might solve the problem. It is also possible that none of the solutions in the set solve the problem.\n\nAfter you answer a question in this section, you will NOT be able to return. As a result, these questions do not appear on the Review Screen.\n\nYou have a Microsoft 365 subscription that uses Microsoft Defender XDR. The subscription contains 500 devices that are enrolled in Microsoft Intune. The subscription contains 500 users that connect to external software as a service (SaaS) apps by using the devices.\n\nYou need to implement a solution that meets the following requirements:\n\n• Allows user access to SaaS apps that Microsoft has identified as low risk\n• Blocks user access to Saas apps that Microsoft has identified as high risk\n\nSolution: From the Microsoft Defender portal, you set Web content filtering to On and create a web content filtering policy.\n\nDoes this meet the goal?", "options": [{"letter": "A", "text": "Yes"}, {"letter": "B", "text": "No"}], "answer": ["B"], "multi": false}, {"order": 285, "questionNumber": 60, "topic": "Topic 4", "title": "285. Question #60 - Topic 4", "text": "Note: This section contains one or more sets of questions with the same scenario and problem. Each question presents a unique solution to the problem. You must determine whether the solution meets the stated goals. More than one solution in the set might solve the problem. It is also possible that none of the solutions in the set solve the problem.\n\nAfter you answer a question in this section, you will NOT be able to return. As a result, these questions do not appear on the Review Screen.\n\nYou have a Microsoft 365 subscription that uses Microsoft Defender XDR. The subscription contains 500 devices that are enrolled in Microsoft Intune. The subscription contains 500 users that connect to external software as a service (SaaS) apps by using the devices.\n\nYou need to implement a solution that meets the following requirements:\n\n• Allows user access to SaaS apps that Microsoft has identified as low risk\n• Blocks user access to Saas apps that Microsoft has identified as high risk\n\nSolution: From Microsoft Defender for Cloud Apps, you configure a cloud discovery policy and unsanction risky apps.\n\nDoes this meet the goal?", "options": [{"letter": "A", "text": "Yes"}, {"letter": "B", "text": "No"}], "answer": ["A"], "multi": false}, {"order": 286, "questionNumber": 61, "topic": "Topic 4", "title": "286. Question #61 - Topic 4", "text": "Note: This section contains one or more sets of questions with the same scenario and problem. Each question presents a unique solution to the problem. You must determine whether the solution meets the stated goals. More than one solution in the set might solve the problem. It is also possible that none of the solutions in the set solve the problem.\n\nAfter you answer a question in this section, you will NOT be able to return. As a result, these questions do not appear on the Review Screen.\n\nYou have a Microsoft 365 subscription that uses Microsoft Defender XDR. The subscription contains 500 devices that are enrolled in Microsoft Intune. The subscription contains 500 users that connect to external software as a service (SaaS) apps by using the devices.\n\nYou need to implement a solution that meets the following requirements:\n\n• Allows user access to SaaS apps that Microsoft has identified as low risk\n• Blocks user access to Saas apps that Microsoft has identified as high risk\n\nSolution: From Microsoft Defender for Cloud Apps, you configure SaaS security posture management (SSPM) and create an access policy.\n\nDoes this meet the goal?", "options": [{"letter": "A", "text": "Yes"}, {"letter": "B", "text": "No"}], "answer": ["B"], "multi": false}, {"order": 287, "questionNumber": 62, "topic": "Topic 4", "title": "287. Question #62 - Topic 4", "text": "Note: This section contains one or more sets of questions with the same scenario and problem. Each question presents a unique solution to the problem. You must determine whether the solution meets the stated goals. More than one solution in the set might solve the problem. It is also possible that none of the solutions in the set solve the problem.\n\nAfter you answer a question in this section, you will NOT be able to return. As a result, these questions do not appear on the Review Screen.\n\nYou have a Microsoft 365 subscription that uses Microsoft Defender XDR. The subscription contains 500 devices that are enrolled in Microsoft Intune. The subscription contains 500 users that connect to external software as a service (SaaS) apps by using the devices.\n\nYou need to implement a solution that meets the following requirements:\n\n• Allows user access to SaaS apps that Microsoft has identified as low risk\n• Blocks user access to SaaS apps that Microsoft has identified as high risk\n\nSolution: You configure app protection policies in Intune, and you create a Conditional Access policy.\n\nDoes this meet the goal?", "options": [{"letter": "A", "text": "Yes"}, {"letter": "B", "text": "No"}], "answer": ["B"], "multi": false}, {"order": 291, "questionNumber": 66, "topic": "Topic 4", "title": "291. Question #66 - Topic 4", "text": "You have a Microsoft Entra tenant named contoso.com.\n\nYou have a partner company that has a multi-tenant application named App1. App1 is registered to a Microsoft Entra tenant named fabrikam.com.\n\nYou need to ensure that the users in contoso.com can authenticate to App1.\n\nWhat should you recommend creating in contoso.com?", "options": [{"letter": "A", "text": "a service principal"}, {"letter": "B", "text": "a system-assigned managed identity"}, {"letter": "C", "text": "an application object"}, {"letter": "D", "text": "a user-assigned managed identity"}], "answer": ["A"], "multi": false}, {"order": 293, "questionNumber": 68, "topic": "Topic 4", "title": "293. Question #68 - Topic 4", "text": "You have a Microsoft 365 tenant.\n\nYou have an Azure subscription that contains Azure App Service web apps. The apps have the following characteristics:\n\n• The apps use third-party and open-source components.\n• The apps were developed by using C#, Python, and Java.\n• The app deployment process is managed by using Azure DevOps.\n• The source code for the apps is stored in GitHub Enterprise Cloud repositories and protected by using GitHub Advanced Security.\n\nYou need to reduce the risk of supply chain attacks during the application lifecycle.\n\nWhat should you implement?", "options": [{"letter": "A", "text": "secret scanning"}, {"letter": "B", "text": "Dependabot alerts"}, {"letter": "C", "text": "app governance in Microsoft Defender for Cloud Apps"}, {"letter": "D", "text": "NuGet Audit"}], "answer": ["B"], "multi": false}, {"order": 294, "questionNumber": 69, "topic": "Topic 4", "title": "294. Question #69 - Topic 4", "text": "You have an Azure subscription and a Microsoft 365 subscription.\n\nYour company uses several software as a service (SaaS) applications.\n\nTo align with Microsoft cloud security benchmark (MCSB) and Microsoft Cybersecurity Reference Architectures (MCRA), you plan to design a solution to provide visibility into user activity across the applications and detect potentially risky behavior in real time.\n\nWhich service should you recommend?", "options": [{"letter": "A", "text": "Microsoft Defender for Cloud Apps"}, {"letter": "B", "text": "Microsoft Purview Information Protection"}, {"letter": "C", "text": "Microsoft Sentinel"}, {"letter": "D", "text": "Microsoft Defender for Endpoint"}], "answer": ["A"], "multi": false}, {"order": 297, "questionNumber": 72, "topic": "Topic 4", "title": "297. Question #72 - Topic 4", "text": "You have an Azure subscription that contains a web app named App1. App1 uses a Microsoft Entra user account named SRV1 as a service account to authenticate to an Azure SQL database named DB1.\n\nYou discover that a developer accessed DB1 directly by using SRV1.\n\nYou need to recommend a secure authentication method that will prevent credential misuse outside of App1. The solution must minimize administrative effort.\n\nWhat should you recommend?", "options": [{"letter": "A", "text": "a managed identity"}, {"letter": "B", "text": "a group managed service account (gMSA)"}, {"letter": "C", "text": "a delegated managed service account (dMSA)"}, {"letter": "D", "text": "a federated identity credential"}], "answer": ["A"], "multi": false}, {"order": 299, "questionNumber": 74, "topic": "Topic 4", "title": "299. Question #74 - Topic 4", "text": "You have an Azure subscription.\n\nYou have an on-premises datacenter that contains Microsoft SQL Server instances. Each instance contains multiple databases.\n\nYou have a Microsoft 365 subscription.\n\nYou plan to implement a solution to scan the databases for vulnerabilities that compromise data security.\n\nYou need to recommend what to configure before the databases can be scanned.\n\nWhat should you recommend?", "options": [{"letter": "A", "text": "Microsoft Purview data loss prevention (DLP)"}, {"letter": "B", "text": "Microsoft Purview data governance"}, {"letter": "C", "text": "Microsoft Defender for Cloud"}, {"letter": "D", "text": "Microsoft Defender Vulnerability Management"}], "answer": ["C"], "multi": false}, {"order": 300, "questionNumber": 75, "topic": "Topic 4", "title": "300. Question #75 - Topic 4", "text": "You have an Azure subscription.\n\nYou have an on-premises datacenter. The datacenter contains 20 servers that run Windows Server. Each server is onboarded to Azure Arc and is protected by using Microsoft Defender for Servers Plan 1.\n\nYou have a Microsoft 365 subscription.\n\nYou need to recommend a solution to identify which servers have outdated hardware drivers or firmware.\n\nWhat should you include in the recommendation?\n\nPage31", "options": [{"letter": "A", "text": "Change all the servers to Microsoft Defender for Servers Plan 2."}, {"letter": "B", "text": "Add the Microsoft Intune Suite add-on."}, {"letter": "C", "text": "Onboard all the servers to Azure Update Manager."}, {"letter": "D", "text": "Add Microsoft Defender Vulnerability Management add-ons."}], "answer": ["D"], "multi": false}, {"order": 303, "questionNumber": 78, "topic": "Topic 4", "title": "303. Question #78 - Topic 4", "text": "You have a Microsoft 365 subscription that contains 500 users. Each user is assigned a Microsoft 365 E5 license and uses a Windows device.\n\nMicrosoft Purview data loss prevention (DLP) policies are applied to Microsoft Exchange Online email and SharePoint Online sites.\n\nYou plan to monitor the usage of third-party generative AI apps by using Microsoft Purview Data Security Posture Management for AI (DSPM for AI).\n\nWhat should you do first?", "options": [{"letter": "A", "text": "Enable Microsoft Purview insider risk management for all the users."}, {"letter": "B", "text": "Onboard all endpoint devices to Microsoft Purview."}, {"letter": "C", "text": "Configure Microsoft Purview data connectors for the generative AI apps."}, {"letter": "D", "text": "License all the users for Microsoft 365 Copilot."}], "answer": ["B"], "multi": false}, {"order": 304, "questionNumber": 79, "topic": "Topic 4", "title": "304. Question #79 - Topic 4", "text": "You have an Azure subscription. The subscription contains multiple Azure App Service web apps that are distributed across multiple Azure regions and are accessed via the internet.\n\nYou need to ensure that all incoming requests to the apps are inspected for threats based on the Core Rule Set (CRS) from the Open Web Application Security Project (OWASP). The solution must meet the following requirements:\n\n• Support the use of Microsoft-managed X.509 certificates.\n• Route users to the geographically closest app.\n• Minimize administrative effort.\n\nWhat should you use?", "options": [{"letter": "A", "text": "Azure Firewall Premium"}, {"letter": "B", "text": "Azure Front Door with a web application firewall (WAF)"}, {"letter": "C", "text": "Azure Firewall Standard"}, {"letter": "D", "text": "Azure Application Gateway with a web application firewall (WAF)"}], "answer": ["B"], "multi": false}, {"order": 306, "questionNumber": 1, "topic": "Topic 5", "title": "306. Question #1 - Topic 5", "text": "Your company wants to optimize using Microsoft Defender for Endpoint to protect its resources against ransomware based on Microsoft Security Best Practices.\n\nYou need to prepare a post-breach response plan for compromised computers based on the Microsoft Detection and Response Team (DART) approach in Microsoft Security Best Practices.\n\nWhat should you include in the response plan?", "options": [{"letter": "A", "text": "controlled folder access"}, {"letter": "B", "text": "application isolation"}, {"letter": "C", "text": "memory scanning"}, {"letter": "D", "text": "machine isolation"}, {"letter": "E", "text": "user isolation"}], "answer": ["D"], "multi": false}, {"order": 307, "questionNumber": 2, "topic": "Topic 5", "title": "307. Question #2 - Topic 5", "text": "You have an operational model based on the Microsoft Cloud Adoption Framework for Azure.\n\nYou need to recommend a solution that focuses on cloud-centric control areas to protect resources such as endpoints, databases, files, and storage accounts.\n\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "business resilience"}, {"letter": "B", "text": "modem access control"}, {"letter": "C", "text": "network isolation"}, {"letter": "D", "text": "security baselines in the Microsoft Cloud Security Benchmark"}], "answer": ["D"], "multi": false}, {"order": 310, "questionNumber": 5, "topic": "Topic 5", "title": "310. Question #5 - Topic 5", "text": "You have an Azure AD tenant that syncs with an Active Directory Domain Services (AD DS) domain.\n\nYou have an on-premises datacenter that contains 100 servers. The servers run Windows Server and are backed up by using Microsoft Azure Backup Server (MABS).\n\nYou are designing a recovery solution for ransomware attacks. The solution follows Microsoft Security Best Practices.\n\nYou need to ensure that a compromised administrator account cannot be used to delete the backups.\n\nWhat should you do?\n\nPage32", "options": [{"letter": "A", "text": "From Azure Backup, configure multi-user authorization by using Resource Guard."}, {"letter": "B", "text": "From Microsoft Azure Backup Setup, register MABS with a Recovery Services vault."}, {"letter": "C", "text": "From a Recovery Services vault, generate a security PIN for critical operations."}, {"letter": "D", "text": "From Azure AD Privileged Identity Management (PIM), create a role assignment for the Backup Contributor role."}], "answer": ["A"], "multi": false}, {"order": 311, "questionNumber": 6, "topic": "Topic 5", "title": "311. Question #6 - Topic 5", "text": "You are designing a ransomware response plan that follows Microsoft Security Best Practices.\n\nYou need to recommend a solution to limit the scope of damage of ransomware attacks without being locked out.\n\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "device compliance policies"}, {"letter": "B", "text": "Privileged Access Workstations (PAWs)"}, {"letter": "C", "text": "Customer Lockbox for Microsoft Azure"}, {"letter": "D", "text": "emergency access accounts"}], "answer": ["B"], "multi": false}, {"order": 312, "questionNumber": 7, "topic": "Topic 5", "title": "312. Question #7 - Topic 5", "text": "You design cloud-based software as a service (SaaS) solutions.\n\nYou need to recommend a recovery solution for ransomware attacks. The solution must follow Microsoft Security Best Practices.\n\nWhat should you recommend doing first?", "options": [{"letter": "A", "text": "Develop a privileged identity strategy."}, {"letter": "B", "text": "Implement data protection."}, {"letter": "C", "text": "Develop a privileged access strategy."}, {"letter": "D", "text": "Prepare a recovery plan."}], "answer": ["D"], "multi": false}, {"order": 314, "questionNumber": 9, "topic": "Topic 5", "title": "314. Question #9 - Topic 5", "text": "You use Azure Pipelines with Azure Repos to implement continuous integration and continuous deployment (CI/CD) workflows for the deployment of applications to Azure.\n\nYou need to recommend what to include in dynamic application security testing (DAST) based on the principles of the Microsoft Cloud Adoption Framework for Azure.\n\nWhat should you recommend?", "options": [{"letter": "A", "text": "unit testing"}, {"letter": "B", "text": "penetration testing"}, {"letter": "C", "text": "dependency checks"}, {"letter": "D", "text": "threat modeling"}], "answer": ["B"], "multi": false}, {"order": 315, "questionNumber": 10, "topic": "Topic 5", "title": "315. Question #10 - Topic 5", "text": "You have a Microsoft 365 subscription.\n\nYou are designing a user access solution that follows the Zero Trust principles of the Microsoft Cybersecurity Reference Architectures (MCRA).\n\nYou need to recommend a solution that automatically restricts access to Microsoft Exchange Online, SharePoint Online, and Teams in near-real-time (NRT) in response to the following Azure AD events:\n\n• A user account is disabled or deleted.\n• The password of a user is changed or reset.\n• All the refresh tokens for a user are revoked.\n• Multi-factor authentication (MFA) is enabled for a user.\n\nWhich two features should you include in the recommendation? Each correct answer presents part of the solution.\n\nNOTE: Each correct selection is worth one point.", "options": [{"letter": "A", "text": "continuous access evaluation"}, {"letter": "B", "text": "Azure AD Application Proxy"}, {"letter": "C", "text": "a sign-in risk policy"}, {"letter": "D", "text": "Azure AD Privileged Identity Management (PIM)"}, {"letter": "E", "text": "Conditional Access"}], "answer": ["A", "E"], "multi": true}, {"order": 317, "questionNumber": 12, "topic": "Topic 5", "title": "317. Question #12 - Topic 5", "text": "You have an Azure subscription.\n\nYou plan to deploy Azure Kubernetes Service (AKS) clusters that will be used to host web services.\n\nYou need to recommend an ingress controller solution that will protect the hosted web services.\n\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "Azure Load Balancer"}, {"letter": "B", "text": "Azure Application Gateway"}, {"letter": "C", "text": "Azure Front Door"}, {"letter": "D", "text": "Azure Firewall"}], "answer": ["B"], "multi": false}, {"order": 318, "questionNumber": 13, "topic": "Topic 5", "title": "318. Question #13 - Topic 5", "text": "Your company has an Azure subscription that uses Microsoft Defender for Cloud.\n\nThe company signs a contract with the United States government.\n\nYou need to review the current subscription for NIST 800-53 compliance.\n\nWhat should you do first?", "options": [{"letter": "A", "text": "From Azure Policy, assign a built-in initiative that has a scope of the subscription."}, {"letter": "B", "text": "From Azure Policy, assign a built-in policy definition that has a scope of the subscription."}, {"letter": "C", "text": "From Defender for Cloud, review the Azure security baseline for audit report."}, {"letter": "D", "text": "From Defender for Cloud, enable Defender for Cloud plans."}], "answer": ["A"], "multi": false}, {"order": 319, "questionNumber": 14, "topic": "Topic 5", "title": "319. Question #14 - Topic 5", "text": "Your company has on-premises datacenters in Seattle, Chicago, and New York City.\n\nYou plan to migrate the on-premises workloads to the East US Azure region.\n\nYou need to design a governance solution for the management group hierarchy. The solution must be based on Microsoft Cloud Adoption Framework for Azure principles and must ensure that the hierarchy aligns with the Azure landing conceptual architecture.\n\nWhat should you use to identify which archetype-aligned management groups to create beneath the landing zones management group?\n\nTopic 6 - Testlet 1", "options": [{"letter": "A", "text": "geographical locations"}, {"letter": "B", "text": "the internal billing chargeback structure"}, {"letter": "C", "text": "the hybrid connectivity requirements"}, {"letter": "D", "text": "software development lifecycle (SDLC) environments"}], "answer": ["D"], "multi": false}, {"order": 323, "questionNumber": 4, "topic": "Topic 6", "title": "323. Question #4 - Topic 6", "text": "Introductory InfoCase Study -\nThis is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.\nTo answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other question in this case study.\nAt the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.\n\nTo start the case study -\nTo display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.\n\nOverview -\nLitware, Inc. is a financial services company that has main offices in New York and San Francisco. Litware has 30 branch offices and remote employees across the United States. The remote employees connect to the main offices by using a VPN.\nLitware has grown significantly during the last two years due to mergers and acquisitions. The acquisitions include several companies based in France.\n\nExisting Environment -\nLitware has an Azure Active Directory (Azure AD) tenant that syncs with an Active Directory Domain Services (AD DS) forest named litware.com and is linked to\n20 Azure subscriptions. Azure AD Connect is used to implement pass-through authentication. Password hash synchronization is disabled, and password writeback is enabled. All Litware users have Microsoft 365 E5 licenses.\nThe environment also includes several AD DS forests, Azure AD tenants, and hundreds of Azure subscriptions that belong to the subsidiaries of Litware.\n\nRequirements. Planned Changes -\nLitware plans to implement the following changes:\nCreate a management group hierarchy for each Azure AD tenant.\nDesign a landing zone strategy to refactor the existing Azure environment of Litware and deploy all future Azure workloads.\n\nImplement Azure AD Application Proxy to provide secure access to internal applications that are currently accessed by using the VPN.\nRequirements. Business Requirements\nLitware identifies the following business requirements:\nMinimize any additional on-premises infrastructure.\nMinimize the operational costs associated with administrative overhead.\nRequirements. Hybrid Requirements\nLitware identifies the following hybrid cloud requirements:\nEnable the management of on-premises resources from Azure, including the following:\n- Use Azure Policy for enforcement and compliance evaluation.\n- Provide change tracking and asset inventory.\n- Implement patch management.\nProvide centralized, cross-tenant subscription management without the overhead of maintaining guest accounts.\nRequirements. Microsoft Sentinel Requirements\nLitware plans to leverage the security information and event management (SIEM) and security orchestration automated response (SOAR) capabilities of Microsoft\nSentinel. The company wants to centralize Security Operations Center (SOC) by using Microsoft Sentinel.\nRequirements. Identity Requirements\nLitware identifies the following identity requirements:\nDetect brute force attacks that directly target AD DS user accounts.\nImplement leaked credential detection in the Azure AD tenant of Litware.\nPrevent AD DS user accounts from being locked out by brute force attacks that target Azure AD user accounts.\nImplement delegated management of users and groups in the Azure AD tenant of Litware, including support for:\n- The management of group properties, membership, and licensing\n- The management of user properties, passwords, and licensing\n- The delegation of user management based on business units\nRequirements. Regulatory Compliance Requirements\nLitware identifies the following regulatory compliance requirements:\nEnsure data residency compliance when collecting logs, telemetry, and data owned by each United States- and France-based subsidiary.\nLeverage built-in Azure Policy definitions to evaluate regulatory compliance across the entire managed environment.\n\nUse the principle of least privilege.\nRequirements. Azure Landing Zone Requirements\nLitware identifies the following landing zone requirements:\nRoute all internet-bound traffic from landing zones through Azure Firewall in a dedicated Azure subscription.\nProvide a secure score scoped to the landing zone.\nEnsure that the Azure virtual machines in each landing zone communicate with Azure App Service web apps in the same zone over the Microsoft backbone network, rather than over public endpoints.\nMinimize the possibility of data exfiltration.\nMaximize network bandwidth.\nThe landing zone architecture will include the dedicated subscription, which will serve as the hub for internet and hybrid connectivity. Each landing zone will have the following characteristics:\nBe created in a dedicated subscription.\nUse a DNS namespace of litware.com.\nRequirements. Application Security Requirements\nLitware identifies the following application security requirements:\nIdentify internal applications that will support single sign-on (SSO) by using Azure AD Application Proxy.\nMonitor and control access to Microsoft SharePoint Online and Exchange Online data in real time.QuestionYou need to recommend a solution for securing the landing zones. The solution must meet the landing zone requirements and the business requirements.\nWhat should you configure for each landing zone?\n\nTopic 7 - Testlet 2", "options": [{"letter": "A", "text": "an ExpressRoute gateway"}, {"letter": "B", "text": "Microsoft Defender for Cloud"}, {"letter": "C", "text": "an Azure Private DNS zone"}, {"letter": "D", "text": "Azure DDoS Protection Standard"}], "answer": ["B"], "multi": false}, {"order": 325, "questionNumber": 2, "topic": "Topic 7", "title": "325. Question #2 - Topic 7", "text": "Introductory InfoCase Study -\nThis is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.\nTo answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other question in this case study.\nAt the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.\n\nTo start the case study -\nTo display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.\n\nOverview -\nFabrikam, Inc. is an insurance company that has a main office in New York and a branch office in Paris.\nExisting Environment. On-premises Environment\nThe on-premises network contains a single Active Directory Domain Services (AD DS) domain named corp.fabrikam.com.\nExisting Environment. Azure Environment\nFabrikam has the following Azure resources:\nAn Azure Active Directory (Azure AD) tenant named fabrikam.onmicrosoft.com that syncs with corp.fabrikam.com\nA single Azure subscription named Sub1\nA virtual network named Vnet1 in the East US Azure region\nA virtual network named Vnet2 in the West Europe Azure region\nAn instance of Azure Front Door named FD1 that has Azure Web Application Firewall (WAF) enabled\nA Microsoft Sentinel workspace\nAn Azure SQL database named ClaimsDB that contains a table named ClaimDetails\n20 virtual machines that are configured as application servers and are NOT onboarded to Microsoft Defender for Cloud\nA resource group named TestRG that is used for testing purposes only\n\nAn Azure Virtual Desktop host pool that contains personal assigned session hosts\nAll the resources in Sub1 are in either the East US or the West Europe region.\n\nExisting Environment. Partners -\nFabrikam has contracted a company named Contoso, Ltd. to develop applications. Contoso has the following infrastructure:\nAn Azure AD tenant named contoso.onmicrosoft.com\nAn Amazon Web Services (AWS) implementation named ContosoAWS1 that contains AWS EC2 instances used to host test workloads for the applications of\n\nFabrikam -\nDevelopers at Contoso will connect to the resources of Fabrikam to test or update applications. The developers will be added to a security group named\nContosoDevelopers in fabrikam.onmicrosoft.com that will be assigned to roles in Sub1.\nThe ContosoDevelopers group is assigned the db_owner role for the ClaimsDB database.\nExisting Environment. Compliance Environment\nFabrikam deploys the following compliance environment:\nDefender for Cloud is configured to assess all the resources in Sub1 for compliance to the HIPAA HITRUST standard.\nCurrently, resources that are noncompliant with the HIPAA HITRUST standard are remediated manually.\nQualys is used as the standard vulnerability assessment tool for servers.\nExisting Environment. Problem Statements\nThe secure score in Defender for Cloud shows that all the virtual machines generate the following recommendation: Machines should have a vulnerability assessment solution.\nAll the virtual machines must be compliant in Defender for Cloud.\nRequirements. ClaimsApp Deployment\nFabrikam plans to implement an internet-accessible application named ClaimsApp that will have the following specifications:\nClaimsApp will be deployed to Azure App Service instances that connect to Vnet1 and Vnet2.\nUsers will connect to ClaimsApp by using a URL of https://claims.fabrikam.com.\nClaimsApp will access data in ClaimsDB.\nClaimsDB must be accessible only from Azure virtual networks.\nThe app services permission for ClaimsApp must be assigned to ClaimsDB.\n\nRequirements. Application Development Requirements\nFabrikam identifies the following requirements for application development:\nAzure DevTest labs will be used by developers for testing.\nAll the application code must be stored in GitHub Enterprise.\nAzure Pipelines will be used to manage application deployments.\nAll application code changes must be scanned for security vulnerabilities, including application code or configuration files that contain secrets in clear text.\nScanning must be done at the time the code is pushed to a repository.\nRequirements. Security Requirements\nFabrikam identifies the following security requirements:\nInternet-accessible applications must prevent connections that originate in North Korea.\nOnly members of a group named InfraSec must be allowed to configure network security groups (NSGs) and instances of Azure Firewall, WAF, and Front Door in Sub1.\nAdministrators must connect to a secure host to perform any remote administration of the virtual machines. The secure host must be provisioned from a custom operating system image.\n\nRequirements. AWS Requirements -\nFabrikam identifies the following security requirements for the data hosted in ContosoAWS1:\nNotify security administrators at Fabrikam if any AWS EC2 instances are noncompliant with secure score recommendations.\nEnsure that the security administrators can query AWS service logs directly from the Azure environment.\nRequirements. Contoso Developers Requirements\nFabrikam identifies the following requirements for the Contoso developers:\nEvery month, the membership of the ContosoDevelopers group must be verified.\nThe Contoso developers must use their existing contoso.onmicrosoft.com credentials to access the resources in Sub1.\nThe Contoso developers must be prevented from viewing the data in a column named MedicalHistory in the ClaimDetails table.\nRequirements. Compliance Requirements\nFabrikam wants to automatically remediate the virtual machines in Sub1 to be compliant with the HIPAA HITRUST standard. The virtual machines in TestRG must be excluded from the compliance assessment.QuestionYou need to recommend a solution to meet the security requirements for the InfraSec group.\nWhat should you use to delegate the access?\n\nTopic 8 - Testlet 3", "options": [{"letter": "A", "text": "a subscription"}, {"letter": "B", "text": "a custom role-based access control (RBAC) role"}, {"letter": "C", "text": "a resource group"}, {"letter": "D", "text": "a management group"}], "answer": ["B"], "multi": false}, {"order": 327, "questionNumber": 2, "topic": "Topic 8", "title": "327. Question #2 - Topic 8", "text": "Introductory InfoCase Study -\nThis is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.\nTo answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other question in this case study.\nAt the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.\n\nTo start the case study -\nTo display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.\n\nOverview -\nFabrikam, Inc. is an insurance company that has a main office in New York and a branch office in Paris.\nExisting Environment. On-premises Environment\nThe on-premises network contains a single Active Directory Domain Services (AD DS) domain named corp.fabrikam.com.\nExisting Environment. Azure Environment\nFabrikam has the following Azure resources:\nAn Azure Active Directory (Azure AD) tenant named fabrikam.onmicrosoft.com that syncs with corp.fabrikam.com\nA single Azure subscription named Sub1\nA virtual network named Vnet1 in the East US Azure region\nA virtual network named Vnet2 in the West Europe Azure region\nAn instance of Azure Front Door named FD1 that has Azure Web Application Firewall (WAF) enabled\nA Microsoft Sentinel workspace\nAn Azure SQL database named ClaimsDB that contains a table named ClaimDetails\n20 virtual machines that are configured as application servers and are NOT onboarded to Microsoft Defender for Cloud\nA resource group named TestRG that is used for testing purposes only\n\nAn Azure Virtual Desktop host pool that contains personal assigned session hosts\nAll the resources in Sub1 are in either the East US or the West Europe region.\n\nExisting Environment. Partners -\nFabrikam has contracted a company named Contoso, Ltd. to develop applications. Contoso has the following infrastructure:\nAn Azure AD tenant named contoso.onmicrosoft.com\nAn Amazon Web Services (AWS) implementation named ContosoAWS1 that contains AWS EC2 instances used to host test workloads for the applications of\n\nFabrikam -\nDevelopers at Contoso will connect to the resources of Fabrikam to test or update applications. The developers will be added to a security group named\nContosoDevelopers in fabrikam.onmicrosoft.com that will be assigned to roles in Sub1.\nThe ContosoDevelopers group is assigned the db_owner role for the ClaimsDB database.\nExisting Environment. Compliance Environment\nFabrikam deploys the following compliance environment:\nDefender for Cloud is configured to assess all the resources in Sub1 for compliance to the HIPAA HITRUST standard.\nCurrently, resources that are noncompliant with the HIPAA HITRUST standard are remediated manually.\nQualys is used as the standard vulnerability assessment tool for servers.\nExisting Environment. Problem Statements\nThe secure score in Defender for Cloud shows that all the virtual machines generate the following recommendation: Machines should have a vulnerability assessment solution.\nAll the virtual machines must be compliant in Defender for Cloud.\nRequirements. ClaimsApp Deployment\nFabrikam plans to implement an internet-accessible application named ClaimsApp that will have the following specifications:\nClaimsApp will be deployed to Azure App Service instances that connect to Vnet1 and Vnet2.\nUsers will connect to ClaimsApp by using a URL of https://claims.fabrikam.com.\nClaimsApp will access data in ClaimsDB.\nClaimsDB must be accessible only from Azure virtual networks.\nThe app services permission for ClaimsApp must be assigned to ClaimsDB.\n\nRequirements. Application Development Requirements\nFabrikam identifies the following requirements for application development:\nAzure DevTest labs will be used by developers for testing.\nAll the application code must be stored in GitHub Enterprise.\nAzure Pipelines will be used to manage application deployments.\nAll application code changes must be scanned for security vulnerabilities, including application code or configuration files that contain secrets in clear text.\nScanning must be done at the time the code is pushed to a repository.\nRequirements. Security Requirements\nFabrikam identifies the following security requirements:\nInternet-accessible applications must prevent connections that originate in North Korea.\nOnly members of a group named InfraSec must be allowed to configure network security groups (NSGs) and instances of Azure Firewall, WAF, and Front Door in Sub1.\nAdministrators must connect to a secure host to perform any remote administration of the virtual machines. The secure host must be provisioned from a custom operating system image.\n\nRequirements. AWS Requirements -\nFabrikam identifies the following security requirements for the data hosted in ContosoAWS1:\nNotify security administrators at Fabrikam if any AWS EC2 instances are noncompliant with secure score recommendations.\nEnsure that the security administrators can query AWS service logs directly from the Azure environment.\nRequirements. Contoso Developers Requirements\nFabrikam identifies the following requirements for the Contoso developers:\nEvery month, the membership of the ContosoDevelopers group must be verified.\nThe Contoso developers must use their existing contoso.onmicrosoft.com credentials to access the resources in Sub1.\nThe Contoso developers must be prevented from viewing the data in a column named MedicalHistory in the ClaimDetails table.\nRequirements. Compliance Requirements\nFabrikam wants to automatically remediate the virtual machines in Sub1 to be compliant with the HIPAA HITRUST standard. The virtual machines in TestRG must be excluded from the compliance assessment.QuestionYou need to recommend a solution to resolve the virtual machine issue.\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "Enable the Qualys scanner in Defender for Cloud."}, {"letter": "B", "text": "Onboard the virtual machines to Microsoft Defender for Endpoint."}, {"letter": "C", "text": "Create a device compliance policy in Microsoft Endpoint Manager."}, {"letter": "D", "text": "Onboard the virtual machines to Azure Arc."}], "answer": ["A"], "multi": false}, {"order": 328, "questionNumber": 3, "topic": "Topic 8", "title": "328. Question #3 - Topic 8", "text": "Introductory InfoCase Study -\nThis is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.\nTo answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other question in this case study.\nAt the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.\n\nTo start the case study -\nTo display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.\n\nOverview -\nFabrikam, Inc. is an insurance company that has a main office in New York and a branch office in Paris.\nExisting Environment. On-premises Environment\nThe on-premises network contains a single Active Directory Domain Services (AD DS) domain named corp.fabrikam.com.\nExisting Environment. Azure Environment\nFabrikam has the following Azure resources:\nAn Azure Active Directory (Azure AD) tenant named fabrikam.onmicrosoft.com that syncs with corp.fabrikam.com\nA single Azure subscription named Sub1\nA virtual network named Vnet1 in the East US Azure region\nA virtual network named Vnet2 in the West Europe Azure region\nAn instance of Azure Front Door named FD1 that has Azure Web Application Firewall (WAF) enabled\nA Microsoft Sentinel workspace\nAn Azure SQL database named ClaimsDB that contains a table named ClaimDetails\n20 virtual machines that are configured as application servers and are NOT onboarded to Microsoft Defender for Cloud\nA resource group named TestRG that is used for testing purposes only\n\nAn Azure Virtual Desktop host pool that contains personal assigned session hosts\nAll the resources in Sub1 are in either the East US or the West Europe region.\n\nExisting Environment. Partners -\nFabrikam has contracted a company named Contoso, Ltd. to develop applications. Contoso has the following infrastructure:\nAn Azure AD tenant named contoso.onmicrosoft.com\nAn Amazon Web Services (AWS) implementation named ContosoAWS1 that contains AWS EC2 instances used to host test workloads for the applications of\n\nFabrikam -\nDevelopers at Contoso will connect to the resources of Fabrikam to test or update applications. The developers will be added to a security group named\nContosoDevelopers in fabrikam.onmicrosoft.com that will be assigned to roles in Sub1.\nThe ContosoDevelopers group is assigned the db_owner role for the ClaimsDB database.\nExisting Environment. Compliance Environment\nFabrikam deploys the following compliance environment:\nDefender for Cloud is configured to assess all the resources in Sub1 for compliance to the HIPAA HITRUST standard.\nCurrently, resources that are noncompliant with the HIPAA HITRUST standard are remediated manually.\nQualys is used as the standard vulnerability assessment tool for servers.\nExisting Environment. Problem Statements\nThe secure score in Defender for Cloud shows that all the virtual machines generate the following recommendation: Machines should have a vulnerability assessment solution.\nAll the virtual machines must be compliant in Defender for Cloud.\nRequirements. ClaimsApp Deployment\nFabrikam plans to implement an internet-accessible application named ClaimsApp that will have the following specifications:\nClaimsApp will be deployed to Azure App Service instances that connect to Vnet1 and Vnet2.\nUsers will connect to ClaimsApp by using a URL of https://claims.fabrikam.com.\nClaimsApp will access data in ClaimsDB.\nClaimsDB must be accessible only from Azure virtual networks.\nThe app services permission for ClaimsApp must be assigned to ClaimsDB.\n\nRequirements. Application Development Requirements\nFabrikam identifies the following requirements for application development:\nAzure DevTest labs will be used by developers for testing.\nAll the application code must be stored in GitHub Enterprise.\nAzure Pipelines will be used to manage application deployments.\nAll application code changes must be scanned for security vulnerabilities, including application code or configuration files that contain secrets in clear text.\nScanning must be done at the time the code is pushed to a repository.\nRequirements. Security Requirements\nFabrikam identifies the following security requirements:\nInternet-accessible applications must prevent connections that originate in North Korea.\nOnly members of a group named InfraSec must be allowed to configure network security groups (NSGs) and instances of Azure Firewall, WAF, and Front Door in Sub1.\nAdministrators must connect to a secure host to perform any remote administration of the virtual machines. The secure host must be provisioned from a custom operating system image.\n\nRequirements. AWS Requirements -\nFabrikam identifies the following security requirements for the data hosted in ContosoAWS1:\nNotify security administrators at Fabrikam if any AWS EC2 instances are noncompliant with secure score recommendations.\nEnsure that the security administrators can query AWS service logs directly from the Azure environment.\nRequirements. Contoso Developers Requirements\nFabrikam identifies the following requirements for the Contoso developers:\nEvery month, the membership of the ContosoDevelopers group must be verified.\nThe Contoso developers must use their existing contoso.onmicrosoft.com credentials to access the resources in Sub1.\nThe Contoso developers must be prevented from viewing the data in a column named MedicalHistory in the ClaimDetails table.\nRequirements. Compliance Requirements\nFabrikam wants to automatically remediate the virtual machines in Sub1 to be compliant with the HIPAA HITRUST standard. The virtual machines in TestRG must be excluded from the compliance assessment.QuestionYou need to recommend a solution to meet the security requirements for the virtual machines.\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "just-in-time (JIT) VM access"}, {"letter": "B", "text": "an Azure Bastion host"}, {"letter": "C", "text": "Azure Virtual Desktop"}, {"letter": "D", "text": "a network security group (NSG)"}], "answer": ["C"], "multi": false}, {"order": 331, "questionNumber": 1, "topic": "Topic 10", "title": "331. Question #1 - Topic 10", "text": "Introductory InfoCase Study -\nThis is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.\nTo answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other question in this case study.\nAt the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.\n\nTo start the case study -\nTo display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.\n\nOverview -\nLitware, Inc. is a financial services company that has main offices in New York and San Francisco. Litware has 30 branch offices and remote employees across the United States. The remote employees connect to the main offices by using a VPN.\nLitware has grown significantly during the last two years due to mergers and acquisitions. The acquisitions include several companies based in France.\n\nExisting Environment -\nLitware has an Azure Active Directory (Azure AD) tenant that syncs with an Active Directory Domain Services (AD DS) forest named litware.com and is linked to\n20 Azure subscriptions. Azure AD Connect is used to implement pass-through authentication. Password hash synchronization is disabled, and password writeback is enabled. All Litware users have Microsoft 365 E5 licenses.\nThe environment also includes several AD DS forests, Azure AD tenants, and hundreds of Azure subscriptions that belong to the subsidiaries of Litware.\n\nRequirements. Planned Changes -\nLitware plans to implement the following changes:\nCreate a management group hierarchy for each Azure AD tenant.\nDesign a landing zone strategy to refactor the existing Azure environment of Litware and deploy all future Azure workloads.\n\nImplement Azure AD Application Proxy to provide secure access to internal applications that are currently accessed by using the VPN.\nRequirements. Business Requirements\nLitware identifies the following business requirements:\nMinimize any additional on-premises infrastructure.\nMinimize the operational costs associated with administrative overhead.\nRequirements. Hybrid Requirements\nLitware identifies the following hybrid cloud requirements:\nEnable the management of on-premises resources from Azure, including the following:\n- Use Azure Policy for enforcement and compliance evaluation.\n- Provide change tracking and asset inventory.\n- Implement patch management.\nProvide centralized, cross-tenant subscription management without the overhead of maintaining guest accounts.\nRequirements. Microsoft Sentinel Requirements\nLitware plans to leverage the security information and event management (SIEM) and security orchestration automated response (SOAR) capabilities of Microsoft\nSentinel. The company wants to centralize Security Operations Center (SOC) by using Microsoft Sentinel.\nRequirements. Identity Requirements\nLitware identifies the following identity requirements:\nDetect brute force attacks that directly target AD DS user accounts.\nImplement leaked credential detection in the Azure AD tenant of Litware.\nPrevent AD DS user accounts from being locked out by brute force attacks that target Azure AD user accounts.\nImplement delegated management of users and groups in the Azure AD tenant of Litware, including support for:\n- The management of group properties, membership, and licensing\n- The management of user properties, passwords, and licensing\n- The delegation of user management based on business units\nRequirements. Regulatory Compliance Requirements\nLitware identifies the following regulatory compliance requirements:\nEnsure data residency compliance when collecting logs, telemetry, and data owned by each United States- and France-based subsidiary.\nLeverage built-in Azure Policy definitions to evaluate regulatory compliance across the entire managed environment.\n\nUse the principle of least privilege.\nRequirements. Azure Landing Zone Requirements\nLitware identifies the following landing zone requirements:\nRoute all internet-bound traffic from landing zones through Azure Firewall in a dedicated Azure subscription.\nProvide a secure score scoped to the landing zone.\nEnsure that the Azure virtual machines in each landing zone communicate with Azure App Service web apps in the same zone over the Microsoft backbone network, rather than over public endpoints.\nMinimize the possibility of data exfiltration.\nMaximize network bandwidth.\nThe landing zone architecture will include the dedicated subscription, which will serve as the hub for internet and hybrid connectivity. Each landing zone will have the following characteristics:\nBe created in a dedicated subscription.\nUse a DNS namespace of litware.com.\nRequirements. Application Security Requirements\nLitware identifies the following application security requirements:\nIdentify internal applications that will support single sign-on (SSO) by using Azure AD Application Proxy.\nMonitor and control access to Microsoft SharePoint Online and Exchange Online data in real time.QuestionYou need to recommend a strategy for routing internet-bound traffic from the landing zones. The solution must meet the landing zone requirements.\nWhat should you recommend as part of the landing zone deployment?", "options": [{"letter": "A", "text": "local network gateways"}, {"letter": "B", "text": "forced tunneling"}, {"letter": "C", "text": "service chaining"}], "answer": ["C"], "multi": false}, {"order": 335, "questionNumber": 2, "topic": "Topic 11", "title": "335. Question #2 - Topic 11", "text": "Introductory InfoCase Study -\nThis is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.\nTo answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other question in this case study.\nAt the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.\n\nTo start the case study -\nTo display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.\n\nOverview -\nFabrikam, Inc. is an insurance company that has a main office in New York and a branch office in Paris.\nExisting Environment. On-premises Environment\nThe on-premises network contains a single Active Directory Domain Services (AD DS) domain named corp.fabrikam.com.\nExisting Environment. Azure Environment\nFabrikam has the following Azure resources:\nAn Azure Active Directory (Azure AD) tenant named fabrikam.onmicrosoft.com that syncs with corp.fabrikam.com\nA single Azure subscription named Sub1\nA virtual network named Vnet1 in the East US Azure region\nA virtual network named Vnet2 in the West Europe Azure region\nAn instance of Azure Front Door named FD1 that has Azure Web Application Firewall (WAF) enabled\nA Microsoft Sentinel workspace\nAn Azure SQL database named ClaimsDB that contains a table named ClaimDetails\n20 virtual machines that are configured as application servers and are NOT onboarded to Microsoft Defender for Cloud\nA resource group named TestRG that is used for testing purposes only\n\nAn Azure Virtual Desktop host pool that contains personal assigned session hosts\nAll the resources in Sub1 are in either the East US or the West Europe region.\n\nExisting Environment. Partners -\nFabrikam has contracted a company named Contoso, Ltd. to develop applications. Contoso has the following infrastructure:\nAn Azure AD tenant named contoso.onmicrosoft.com\nAn Amazon Web Services (AWS) implementation named ContosoAWS1 that contains AWS EC2 instances used to host test workloads for the applications of\n\nFabrikam -\nDevelopers at Contoso will connect to the resources of Fabrikam to test or update applications. The developers will be added to a security group named\nContosoDevelopers in fabrikam.onmicrosoft.com that will be assigned to roles in Sub1.\nThe ContosoDevelopers group is assigned the db_owner role for the ClaimsDB database.\nExisting Environment. Compliance Environment\nFabrikam deploys the following compliance environment:\nDefender for Cloud is configured to assess all the resources in Sub1 for compliance to the HIPAA HITRUST standard.\nCurrently, resources that are noncompliant with the HIPAA HITRUST standard are remediated manually.\nQualys is used as the standard vulnerability assessment tool for servers.\nExisting Environment. Problem Statements\nThe secure score in Defender for Cloud shows that all the virtual machines generate the following recommendation: Machines should have a vulnerability assessment solution.\nAll the virtual machines must be compliant in Defender for Cloud.\nRequirements. ClaimsApp Deployment\nFabrikam plans to implement an internet-accessible application named ClaimsApp that will have the following specifications:\nClaimsApp will be deployed to Azure App Service instances that connect to Vnet1 and Vnet2.\nUsers will connect to ClaimsApp by using a URL of https://claims.fabrikam.com.\nClaimsApp will access data in ClaimsDB.\nClaimsDB must be accessible only from Azure virtual networks.\nThe app services permission for ClaimsApp must be assigned to ClaimsDB.\n\nRequirements. Application Development Requirements\nFabrikam identifies the following requirements for application development:\nAzure DevTest labs will be used by developers for testing.\nAll the application code must be stored in GitHub Enterprise.\nAzure Pipelines will be used to manage application deployments.\nAll application code changes must be scanned for security vulnerabilities, including application code or configuration files that contain secrets in clear text.\nScanning must be done at the time the code is pushed to a repository.\nRequirements. Security Requirements\nFabrikam identifies the following security requirements:\nInternet-accessible applications must prevent connections that originate in North Korea.\nOnly members of a group named InfraSec must be allowed to configure network security groups (NSGs) and instances of Azure Firewall, WAF, and Front Door in Sub1.\nAdministrators must connect to a secure host to perform any remote administration of the virtual machines. The secure host must be provisioned from a custom operating system image.\n\nRequirements. AWS Requirements -\nFabrikam identifies the following security requirements for the data hosted in ContosoAWS1:\nNotify security administrators at Fabrikam if any AWS EC2 instances are noncompliant with secure score recommendations.\nEnsure that the security administrators can query AWS service logs directly from the Azure environment.\nRequirements. Contoso Developers Requirements\nFabrikam identifies the following requirements for the Contoso developers:\nEvery month, the membership of the ContosoDevelopers group must be verified.\nThe Contoso developers must use their existing contoso.onmicrosoft.com credentials to access the resources in Sub1.\nThe Contoso developers must be prevented from viewing the data in a column named MedicalHistory in the ClaimDetails table.\nRequirements. Compliance Requirements\nFabrikam wants to automatically remediate the virtual machines in Sub1 to be compliant with the HIPAA HITRUST standard. The virtual machines in TestRG must be excluded from the compliance assessment.QuestionYou need to recommend a solution to scan the application code. The solution must meet the application development requirements.\nWhat should you include in the recommendation?\n\nTopic 12 - Testlet 7", "options": [{"letter": "A", "text": "GitHub Advanced Security"}, {"letter": "B", "text": "Azure Key Vault"}, {"letter": "C", "text": "Azure DevTest Labs"}, {"letter": "D", "text": "Application Insights in Azure Monitor"}], "answer": ["A"], "multi": false}, {"order": 336, "questionNumber": 1, "topic": "Topic 12", "title": "336. Question #1 - Topic 12", "text": "Introductory InfoCase Study -\nThis is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.\nTo answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other question in this case study.\nAt the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.\n\nTo start the case study -\nTo display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.\n\nOverview -\nLitware, Inc. is a financial services company that has main offices in New York and San Francisco. Litware has 30 branch offices and remote employees across the United States. The remote employees connect to the main offices by using a VPN.\nLitware has grown significantly during the last two years due to mergers and acquisitions. The acquisitions include several companies based in France.\n\nExisting Environment -\nLitware has an Azure Active Directory (Azure AD) tenant that syncs with an Active Directory Domain Services (AD DS) forest named litware.com and is linked to\n20 Azure subscriptions. Azure AD Connect is used to implement pass-through authentication. Password hash synchronization is disabled, and password writeback is enabled. All Litware users have Microsoft 365 E5 licenses.\nThe environment also includes several AD DS forests, Azure AD tenants, and hundreds of Azure subscriptions that belong to the subsidiaries of Litware.\n\nRequirements. Planned Changes -\nLitware plans to implement the following changes:\nCreate a management group hierarchy for each Azure AD tenant.\nDesign a landing zone strategy to refactor the existing Azure environment of Litware and deploy all future Azure workloads.\n\nImplement Azure AD Application Proxy to provide secure access to internal applications that are currently accessed by using the VPN.\nRequirements. Business Requirements\nLitware identifies the following business requirements:\nMinimize any additional on-premises infrastructure.\nMinimize the operational costs associated with administrative overhead.\nRequirements. Hybrid Requirements\nLitware identifies the following hybrid cloud requirements:\nEnable the management of on-premises resources from Azure, including the following:\n- Use Azure Policy for enforcement and compliance evaluation.\n- Provide change tracking and asset inventory.\n- Implement patch management.\nProvide centralized, cross-tenant subscription management without the overhead of maintaining guest accounts.\nRequirements. Microsoft Sentinel Requirements\nLitware plans to leverage the security information and event management (SIEM) and security orchestration automated response (SOAR) capabilities of Microsoft\nSentinel. The company wants to centralize Security Operations Center (SOC) by using Microsoft Sentinel.\nRequirements. Identity Requirements\nLitware identifies the following identity requirements:\nDetect brute force attacks that directly target AD DS user accounts.\nImplement leaked credential detection in the Azure AD tenant of Litware.\nPrevent AD DS user accounts from being locked out by brute force attacks that target Azure AD user accounts.\nImplement delegated management of users and groups in the Azure AD tenant of Litware, including support for:\n- The management of group properties, membership, and licensing\n- The management of user properties, passwords, and licensing\n- The delegation of user management based on business units\nRequirements. Regulatory Compliance Requirements\nLitware identifies the following regulatory compliance requirements:\nEnsure data residency compliance when collecting logs, telemetry, and data owned by each United States- and France-based subsidiary.\nLeverage built-in Azure Policy definitions to evaluate regulatory compliance across the entire managed environment.\n\nUse the principle of least privilege.\nRequirements. Azure Landing Zone Requirements\nLitware identifies the following landing zone requirements:\nRoute all internet-bound traffic from landing zones through Azure Firewall in a dedicated Azure subscription.\nProvide a secure score scoped to the landing zone.\nEnsure that the Azure virtual machines in each landing zone communicate with Azure App Service web apps in the same zone over the Microsoft backbone network, rather than over public endpoints.\nMinimize the possibility of data exfiltration.\nMaximize network bandwidth.\nThe landing zone architecture will include the dedicated subscription, which will serve as the hub for internet and hybrid connectivity. Each landing zone will have the following characteristics:\nBe created in a dedicated subscription.\nUse a DNS namespace of litware.com.\nRequirements. Application Security Requirements\nLitware identifies the following application security requirements:\nIdentify internal applications that will support single sign-on (SSO) by using Azure AD Application Proxy.\nMonitor and control access to Microsoft SharePoint Online and Exchange Online data in real time.QuestionYou need to design a strategy for securing the SharePoint Online and Exchange Online data. The solution must meet the application security requirements.\nWhich two services should you leverage in the strategy? Each correct answer presents part of the solution.\nNOTE: Each correct selection is worth one point.", "options": [{"letter": "A", "text": "Azure AD Conditional Access"}, {"letter": "B", "text": "access reviews in Azure AD"}, {"letter": "C", "text": "Microsoft Defender for Cloud"}, {"letter": "D", "text": "Microsoft Defender for Cloud Apps"}, {"letter": "E", "text": "Microsoft Defender for Endpoint"}], "answer": ["A", "D"], "multi": true}, {"order": 337, "questionNumber": 2, "topic": "Topic 12", "title": "337. Question #2 - Topic 12", "text": "Introductory InfoCase Study -\nThis is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.\nTo answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other question in this case study.\nAt the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.\n\nTo start the case study -\nTo display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.\n\nOverview -\nLitware, Inc. is a financial services company that has main offices in New York and San Francisco. Litware has 30 branch offices and remote employees across the United States. The remote employees connect to the main offices by using a VPN.\nLitware has grown significantly during the last two years due to mergers and acquisitions. The acquisitions include several companies based in France.\n\nExisting Environment -\nLitware has an Azure Active Directory (Azure AD) tenant that syncs with an Active Directory Domain Services (AD DS) forest named litware.com and is linked to\n20 Azure subscriptions. Azure AD Connect is used to implement pass-through authentication. Password hash synchronization is disabled, and password writeback is enabled. All Litware users have Microsoft 365 E5 licenses.\nThe environment also includes several AD DS forests, Azure AD tenants, and hundreds of Azure subscriptions that belong to the subsidiaries of Litware.\n\nRequirements. Planned Changes -\nLitware plans to implement the following changes:\nCreate a management group hierarchy for each Azure AD tenant.\nDesign a landing zone strategy to refactor the existing Azure environment of Litware and deploy all future Azure workloads.\n\nImplement Azure AD Application Proxy to provide secure access to internal applications that are currently accessed by using the VPN.\nRequirements. Business Requirements\nLitware identifies the following business requirements:\nMinimize any additional on-premises infrastructure.\nMinimize the operational costs associated with administrative overhead.\nRequirements. Hybrid Requirements\nLitware identifies the following hybrid cloud requirements:\nEnable the management of on-premises resources from Azure, including the following:\n- Use Azure Policy for enforcement and compliance evaluation.\n- Provide change tracking and asset inventory.\n- Implement patch management.\nProvide centralized, cross-tenant subscription management without the overhead of maintaining guest accounts.\nRequirements. Microsoft Sentinel Requirements\nLitware plans to leverage the security information and event management (SIEM) and security orchestration automated response (SOAR) capabilities of Microsoft\nSentinel. The company wants to centralize Security Operations Center (SOC) by using Microsoft Sentinel.\nRequirements. Identity Requirements\nLitware identifies the following identity requirements:\nDetect brute force attacks that directly target AD DS user accounts.\nImplement leaked credential detection in the Azure AD tenant of Litware.\nPrevent AD DS user accounts from being locked out by brute force attacks that target Azure AD user accounts.\nImplement delegated management of users and groups in the Azure AD tenant of Litware, including support for:\n- The management of group properties, membership, and licensing\n- The management of user properties, passwords, and licensing\n- The delegation of user management based on business units\nRequirements. Regulatory Compliance Requirements\nLitware identifies the following regulatory compliance requirements:\nEnsure data residency compliance when collecting logs, telemetry, and data owned by each United States- and France-based subsidiary.\nLeverage built-in Azure Policy definitions to evaluate regulatory compliance across the entire managed environment.\n\nUse the principle of least privilege.\nRequirements. Azure Landing Zone Requirements\nLitware identifies the following landing zone requirements:\nRoute all internet-bound traffic from landing zones through Azure Firewall in a dedicated Azure subscription.\nProvide a secure score scoped to the landing zone.\nEnsure that the Azure virtual machines in each landing zone communicate with Azure App Service web apps in the same zone over the Microsoft backbone network, rather than over public endpoints.\nMinimize the possibility of data exfiltration.\nMaximize network bandwidth.\nThe landing zone architecture will include the dedicated subscription, which will serve as the hub for internet and hybrid connectivity. Each landing zone will have the following characteristics:\nBe created in a dedicated subscription.\nUse a DNS namespace of litware.com.\nRequirements. Application Security Requirements\nLitware identifies the following application security requirements:\nIdentify internal applications that will support single sign-on (SSO) by using Azure AD Application Proxy.\nMonitor and control access to Microsoft SharePoint Online and Exchange Online data in real time.QuestionTo meet the application security requirements, which two authentication methods must the applications support? Each correct answer presents a complete solution.\nNOTE: Each correct selection is worth one point.\n\nTopic 13 - Testlet 8", "options": [{"letter": "A", "text": "Security Assertion Markup Language (SAML)"}, {"letter": "B", "text": "NTLMv2"}, {"letter": "C", "text": "certificate-based authentication"}, {"letter": "D", "text": "Kerberos"}], "answer": ["A", "D"], "multi": true}, {"order": 338, "questionNumber": 1, "topic": "Topic 13", "title": "338. Question #1 - Topic 13", "text": "Introductory InfoCase Study -\nThis is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.\nTo answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other question in this case study.\nAt the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.\n\nTo start the case study -\nTo display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.\n\nOverview -\nFabrikam, Inc. is an insurance company that has a main office in New York and a branch office in Paris.\nExisting Environment. On-premises Environment\nThe on-premises network contains a single Active Directory Domain Services (AD DS) domain named corp.fabrikam.com.\nExisting Environment. Azure Environment\nFabrikam has the following Azure resources:\nAn Azure Active Directory (Azure AD) tenant named fabrikam.onmicrosoft.com that syncs with corp.fabrikam.com\nA single Azure subscription named Sub1\nA virtual network named Vnet1 in the East US Azure region\nA virtual network named Vnet2 in the West Europe Azure region\nAn instance of Azure Front Door named FD1 that has Azure Web Application Firewall (WAF) enabled\nA Microsoft Sentinel workspace\nAn Azure SQL database named ClaimsDB that contains a table named ClaimDetails\n20 virtual machines that are configured as application servers and are NOT onboarded to Microsoft Defender for Cloud\nA resource group named TestRG that is used for testing purposes only\n\nAn Azure Virtual Desktop host pool that contains personal assigned session hosts\nAll the resources in Sub1 are in either the East US or the West Europe region.\n\nExisting Environment. Partners -\nFabrikam has contracted a company named Contoso, Ltd. to develop applications. Contoso has the following infrastructure:\nAn Azure AD tenant named contoso.onmicrosoft.com\nAn Amazon Web Services (AWS) implementation named ContosoAWS1 that contains AWS EC2 instances used to host test workloads for the applications of\n\nFabrikam -\nDevelopers at Contoso will connect to the resources of Fabrikam to test or update applications. The developers will be added to a security group named\nContosoDevelopers in fabrikam.onmicrosoft.com that will be assigned to roles in Sub1.\nThe ContosoDevelopers group is assigned the db_owner role for the ClaimsDB database.\nExisting Environment. Compliance Environment\nFabrikam deploys the following compliance environment:\nDefender for Cloud is configured to assess all the resources in Sub1 for compliance to the HIPAA HITRUST standard.\nCurrently, resources that are noncompliant with the HIPAA HITRUST standard are remediated manually.\nQualys is used as the standard vulnerability assessment tool for servers.\nExisting Environment. Problem Statements\nThe secure score in Defender for Cloud shows that all the virtual machines generate the following recommendation: Machines should have a vulnerability assessment solution.\nAll the virtual machines must be compliant in Defender for Cloud.\nRequirements. ClaimsApp Deployment\nFabrikam plans to implement an internet-accessible application named ClaimsApp that will have the following specifications:\nClaimsApp will be deployed to Azure App Service instances that connect to Vnet1 and Vnet2.\nUsers will connect to ClaimsApp by using a URL of https://claims.fabrikam.com.\nClaimsApp will access data in ClaimsDB.\nClaimsDB must be accessible only from Azure virtual networks.\nThe app services permission for ClaimsApp must be assigned to ClaimsDB.\n\nRequirements. Application Development Requirements\nFabrikam identifies the following requirements for application development:\nAzure DevTest labs will be used by developers for testing.\nAll the application code must be stored in GitHub Enterprise.\nAzure Pipelines will be used to manage application deployments.\nAll application code changes must be scanned for security vulnerabilities, including application code or configuration files that contain secrets in clear text.\nScanning must be done at the time the code is pushed to a repository.\nRequirements. Security Requirements\nFabrikam identifies the following security requirements:\nInternet-accessible applications must prevent connections that originate in North Korea.\nOnly members of a group named InfraSec must be allowed to configure network security groups (NSGs) and instances of Azure Firewall, WAF, and Front Door in Sub1.\nAdministrators must connect to a secure host to perform any remote administration of the virtual machines. The secure host must be provisioned from a custom operating system image.\n\nRequirements. AWS Requirements -\nFabrikam identifies the following security requirements for the data hosted in ContosoAWS1:\nNotify security administrators at Fabrikam if any AWS EC2 instances are noncompliant with secure score recommendations.\nEnsure that the security administrators can query AWS service logs directly from the Azure environment.\nRequirements. Contoso Developers Requirements\nFabrikam identifies the following requirements for the Contoso developers:\nEvery month, the membership of the ContosoDevelopers group must be verified.\nThe Contoso developers must use their existing contoso.onmicrosoft.com credentials to access the resources in Sub1.\nThe Contoso developers must be prevented from viewing the data in a column named MedicalHistory in the ClaimDetails table.\nRequirements. Compliance Requirements\nFabrikam wants to automatically remediate the virtual machines in Sub1 to be compliant with the HIPAA HITRUST standard. The virtual machines in TestRG must be excluded from the compliance assessment.QuestionYou need to recommend a solution to secure the MedicalHistory data in the ClaimsDetail table. The solution must meet the Contoso developer requirements.\nWhat should you include in the recommendation?", "options": [{"letter": "A", "text": "row-level security (RLS)"}, {"letter": "B", "text": "Transparent Data Encryption (TDE)"}, {"letter": "C", "text": "Always Encrypted"}, {"letter": "D", "text": "data classification"}, {"letter": "E", "text": "dynamic data masking"}], "answer": ["C"], "multi": false}];
const CLASS_DATA = {
 architect: { name: "Cloud Architect", hpBonus: 20, xpMult: 1, extraScans: 0 },
 sentinel: { name: "Sentinel Mage", hpBonus: 0, xpMult: 1.25, extraScans: 0 },
 ranger: { name: "Zero Trust Ranger", hpBonus: 0, xpMult: 1, extraScans: 1 },
};
const ENEMIES = [
 { name: "Misconfiguration Goblin", avatar: "👺", flavor: "It hides in defaults and weak settings." },
 { name: "Phishing Specter", avatar: "👻", flavor: "It feeds on rushed clicks and weak verification." },
 { name: "Shadow Admin", avatar: "🕶️", flavor: "Privilege has drifted where it should never go." },
 { name: "Ransom Troll", avatar: "🪓", flavor: "It wants your files, your backups, and your patience." },
 { name: "Compliance Wraith", avatar: "☠️", flavor: "It emerges whenever governance is ignored." },
 { name: "Firewall Drake", avatar: "🐉", flavor: "A blazing perimeter beast guards the next gate." },
 { name: "Identity Hydra", avatar: "🐍", flavor: "Cut one risky sign-in down and two more appear." },
 { name: "Sentinel Revenant", avatar: "🧿", flavor: "It haunts weak detections and silent workspaces." },
 { name: "Zero Trust Titan", avatar: "🛡️", flavor: "Only disciplined access can bring it down." }
];
let selectedClass = null;
let state = null;
const $ = (id) => document.getElementById(id);
const audioState = {
 ctx: null,
 musicEnabled: true,
 sfxEnabled: true,
 musicTimer: null,
 musicStep: 0
};
const MUSIC_PATTERN = [
 { lead: 'A4', bass: 'A2' },
 { lead: 'C5', bass: 'A2' },
 { lead: 'E5', bass: 'E2' },
 { lead: 'G5', bass: 'E2' },
 { lead: 'D5', bass: 'F2' },
 { lead: 'E5', bass: 'F2' },
 { lead: 'C5', bass: 'G2' },
 { lead: 'B4', bass: 'G2' }
];
function updateAudioButtons() {
 const musicBtn = $('musicToggle');
 const sfxBtn = $('sfxToggle');
 musicBtn.textContent = `🎵 Music: ${audioState.musicEnabled ? 'On' : 'Off'}`;
 sfxBtn.textContent = `🔊 SFX: ${audioState.sfxEnabled ? 'On' : 'Off'}`;
 musicBtn.classList.toggle('off', !audioState.musicEnabled);
 sfxBtn.classList.toggle('off', !audioState.sfxEnabled);
}
function noteToFreq(note) {
 const map = { C: 0, 'C#': 1, Db: 1, D: 2, 'D#': 3, Eb: 3, E: 4, F: 5, 'F#': 6, Gb: 6, G: 7, 'G#': 8, Ab: 8, A: 9, 'A#': 10, Bb: 10, B: 11 };
 const match = /^([A-G](?:#|b)?)(\d)$/.exec(note);
 if (!match) return 440;
 const [, name, octaveRaw] = match;
 const octave = parseInt(octaveRaw, 10);
 const midi = 12 * (octave + 1) + map[name];
 return 440 * Math.pow(2, (midi - 69) / 12);
}
function ensureAudio(startMusic = true) {
 if (!audioState.ctx) {
 const AudioCtx = window.AudioContext || window.webkitAudioContext;
 if (!AudioCtx) return null;
 audioState.ctx = new AudioCtx();
 }
 if (audioState.ctx.state === 'suspended') {
 audioState.ctx.resume();
 }
 if (startMusic && audioState.musicEnabled && !audioState.musicTimer) {
 startMusicLoop();
 }
 updateAudioButtons();
 return audioState.ctx;
}
function playTone(freq, start, duration, type = 'triangle', volume = 0.03) {
 const ctx = ensureAudio(false);
 if (!ctx) return;
 const osc = ctx.createOscillator();
 const gain = ctx.createGain();
 osc.type = type;
 osc.frequency.setValueAtTime(freq, start);
 gain.gain.setValueAtTime(0.0001, start);
 gain.gain.exponentialRampToValueAtTime(volume, start + 0.02);
 gain.gain.exponentialRampToValueAtTime(0.0001, start + duration);
 osc.connect(gain);
 gain.connect(ctx.destination);
 osc.start(start);
 osc.stop(start + duration + 0.02);
}
function playDualTone(freqA, freqB, start, duration, volume = 0.022) {
 playTone(freqA, start, duration, 'triangle', volume);
 playTone(freqB, start, duration * 0.9, 'sine', volume * 0.8);
}
function startMusicLoop() {
 if (audioState.musicTimer || !audioState.musicEnabled) return;
 const stepMs = 520;
 const runStep = () => {
 if (!audioState.musicEnabled || !audioState.ctx) return;
 const ctx = ensureAudio(false);
 if (!ctx) return;
 const now = ctx.currentTime;
 const step = MUSIC_PATTERN[audioState.musicStep % MUSIC_PATTERN.length];
 playTone(noteToFreq(step.bass), now, 0.42, 'sine', 0.018);
 playDualTone(noteToFreq(step.lead), noteToFreq(step.lead) * 2, now + 0.02, 0.24, 0.012);
 if (audioState.musicStep % 4 === 3) {
 playTone(noteToFreq(step.lead) / 2, now + 0.22, 0.18, 'triangle', 0.01);
 }
 audioState.musicStep += 1;
 };
 audioState.musicTimer = setInterval(runStep, stepMs);
 runStep();
}
function stopMusicLoop() {
 if (audioState.musicTimer) {
 clearInterval(audioState.musicTimer);
 audioState.musicTimer = null;
 }
}
function playSfx(kind) {
 if (!audioState.sfxEnabled) return;
 const ctx = ensureAudio();
 if (!ctx) return;
 const now = ctx.currentTime;
 switch (kind) {
 case 'correct':
 playTone(noteToFreq('C5'), now, 0.12, 'triangle', 0.03);
 playTone(noteToFreq('E5'), now + 0.09, 0.12, 'triangle', 0.03);
 playTone(noteToFreq('G5'), now + 0.18, 0.18, 'triangle', 0.03);
 break;
 case 'wrong':
 playTone(noteToFreq('E4'), now, 0.16, 'sawtooth', 0.025);
 playTone(noteToFreq('C4'), now + 0.12, 0.22, 'sawtooth', 0.022);
 break;
 case 'potion':
 playTone(noteToFreq('A4'), now, 0.12, 'sine', 0.02);
 playTone(noteToFreq('D5'), now + 0.08, 0.16, 'triangle', 0.024);
 playTone(noteToFreq('A5'), now + 0.16, 0.2, 'triangle', 0.02);
 break;
 case 'scan':
 playTone(noteToFreq('B5'), now, 0.08, 'square', 0.014);
 playTone(noteToFreq('E6'), now + 0.08, 0.08, 'square', 0.012);
 playTone(noteToFreq('B5'), now + 0.16, 0.08, 'square', 0.012);
 break;
 case 'level':
 playTone(noteToFreq('C5'), now, 0.12, 'triangle', 0.03);
 playTone(noteToFreq('E5'), now + 0.08, 0.14, 'triangle', 0.03);
 playTone(noteToFreq('G5'), now + 0.16, 0.16, 'triangle', 0.03);
 playTone(noteToFreq('C6'), now + 0.24, 0.24, 'triangle', 0.032);
 break;
 case 'boss':
 playTone(noteToFreq('A2'), now, 0.24, 'sawtooth', 0.025);
 playTone(noteToFreq('E3'), now + 0.12, 0.28, 'sawtooth', 0.022);
 break;
 case 'next':
 playTone(noteToFreq('D5'), now, 0.08, 'triangle', 0.015);
 break;
 }
}
function shuffle(arr) {
 const copy = [...arr];
 for (let i = copy.length - 1; i > 0; i--) {
 const j = Math.floor(Math.random() * (i + 1));
 [copy[i], copy[j]] = [copy[j], copy[i]];
 }
 return copy;
}
function pickEnemy(index) {
 const boss = (index + 1) % 10 === 0;
 const enemy = { ...ENEMIES[index % ENEMIES.length] };
 const baseHp = boss ? 45 : 30;
 enemy.maxHp = baseHp + Math.min(20, Math.floor(index / 20) * 5);
 enemy.hp = enemy.maxHp;
 enemy.boss = boss;
 return enemy;
}
function addLog(text) {
 const entry = document.createElement("div");
 entry.className = "log-entry";
 entry.textContent = text;
 $("log").prepend(entry);
}
function showScreen(id) {
 ["startScreen", "gameScreen", "endScreen"].forEach(screenId => {
 $(screenId).classList.toggle("active", screenId === id);
 });
}
function initializeGame() {
 const classInfo = CLASS_DATA[selectedClass];
 const maxHp = 100 + classInfo.hpBonus;
 state = {
 classInfo,
 deck: shuffle(QUESTION_BANK),
 index: 0,
 hp: maxHp,
 maxHp,
 score: 0,
 gold: 0,
 potions: 2,
 scans: 2 + classInfo.extraScans,
 xp: 0,
 level: 1,
 correct: 0,
 answered: 0,
 currentEnemy: null,
 scanUsed: false,
 locked: false
 };
 $("log").innerHTML = "";
 addLog(`You enter the vaults as the ${classInfo.name}.`);
 updateHud();
 loadQuestion();
 showScreen("gameScreen");
 ensureAudio();
}
function gainXp(base) {
 const gain = Math.round(base * state.classInfo.xpMult);
 state.xp += gain;
 while (state.xp >= state.level * 40) {
 state.xp -= state.level * 40;
 state.level += 1;
 state.maxHp += 10;
 state.hp = Math.min(state.maxHp, state.hp + 10);
 addLog(`Level up! You are now level ${state.level}.`);
 playSfx('level');
 }
}
function updateHud() {
 $("heroClassName").innerHTML = `<strong>${state.classInfo.name}</strong>`;
 $("heroLevelLine").textContent = `Level ${state.level}`;
 $("scoreValue").textContent = state.score;
 $("goldValue").textContent = state.gold;
 $("potionsValue").textContent = state.potions;
 $("progressValue").textContent = `${Math.min(state.index + 1, state.deck.length)}/${state.deck.length}`;
 $("playerHpText").textContent = `HP ${state.hp} / ${state.maxHp}`;
 $("playerHpBar").style.width = `${Math.max(0, (state.hp / state.maxHp) * 100)}%`;
 $("scanBtn").textContent = `50/50 Scan (${state.scans})`;
 $("scanBtn").disabled = state.scans <= 0 || state.scanUsed || state.locked;
 $("potionBtn").disabled = state.potions <= 0 || state.hp >= state.maxHp || state.locked;
}
function loadQuestion() {
 if (state.index >= state.deck.length) {
 endGame(true);
 return;
 }
 state.locked = false;
 state.scanUsed = false;
 const q = state.deck[state.index];
 state.currentEnemy = pickEnemy(state.index);
 renderEncounter(q);
 if (state.currentEnemy.boss) playSfx('boss');
 updateHud();
}
function renderEncounter(q) {
 const enemy = state.currentEnemy;
 $("encounterTag").textContent = enemy.boss ? "Boss Encounter" : (q.multi ? "Multi-Select Encounter" : "Encounter");
 $("enemyAvatar").textContent = enemy.avatar;
 $("enemyName").textContent = enemy.boss ? `${enemy.name} Boss` : enemy.name;
 $("enemyFlavor").textContent = enemy.flavor;
 $("enemyHpText").textContent = `Threat ${enemy.hp} / ${enemy.maxHp}`;
 $("enemyHpBar").style.width = `${(enemy.hp / enemy.maxHp) * 100}%`;
 $("questionMeta").textContent = `${q.topic}${q.title}`;
 $("questionTitle").textContent = enemy.boss ? "Boss Trial" : "Knowledge Strike";
 $("questionText").textContent = q.text;
 $("instruction").textContent = q.multi ? "Select all correct answers." : "Select one answer.";
 $("feedback").className = "feedback";
 $("feedback").textContent = "";
 $("submitBtn").style.display = "inline-flex";
 $("nextBtn").style.display = "none";
 const form = $("optionsForm");
 form.innerHTML = "";
 const inputType = q.multi ? "checkbox" : "radio";
 q.options.forEach(opt => {
 const label = document.createElement("label");
 label.className = "option";
 label.dataset.letter = opt.letter;
 label.innerHTML = `
 <input type="${inputType}" name="answer" value="${opt.letter}">
 <span class="letter">${opt.letter}</span>
 <span>${opt.text}</span>
 `;
 form.appendChild(label);
 });
}
function getSelectedLetters() {
 return Array.from(document.querySelectorAll('#optionsForm input:checked')).map(i => i.value).sort();
}
function arraysEqual(a, b) {
 return a.length === b.length && a.every((x, i) => x === b[i]);
}
function revealAnswers(correctLetters, selected) {
 document.querySelectorAll('#optionsForm .option').forEach(el => {
 const letter = el.dataset.letter;
 if (correctLetters.includes(letter)) el.classList.add('correct');
 if (selected.includes(letter) && !correctLetters.includes(letter)) el.classList.add('wrong');
 });
}
function answerQuestion() {
 if (state.locked) return;
 const q = state.deck[state.index];
 const selected = getSelectedLetters();
 if (!selected.length) {
 alert(q.multi ? 'Pick all answers you believe are correct before attacking.' : 'Pick one answer before attacking.');
 return;
 }
 state.locked = true;
 state.answered += 1;
 const correct = [...q.answer].sort();
 const isCorrect = arraysEqual(selected, correct);
 revealAnswers(correct, selected);
 const feedback = $("feedback");
 const answerSummary = correct.map(letter => {
 const found = q.options.find(opt => opt.letter === letter);
 return `${letter}. ${found ? found.text : ''}`;
 }).join('\n');
 if (isCorrect) {
 state.correct += 1;
 state.currentEnemy.hp = 0;
 state.score += q.multi ? 15 : 10;
 state.gold += q.multi ? 8 : 5;
 if (state.correct % 5 === 0) state.potions += 1;
 gainXp(q.multi ? 18 : 12);
 feedback.className = 'feedback good show';
 feedback.textContent = `Critical hit. You defeated ${state.currentEnemy.boss ? 'the boss' : 'the threat'} and secured the path.\n\nCorrect answer:\n${answerSummary}`;
 addLog(`Correct on ${q.title}. Threat neutralized.`);
 playSfx('correct');
 } else {
 const damageTaken = state.currentEnemy.boss ? 22 : (q.multi ? 18 : 14);
 state.hp = Math.max(0, state.hp - damageTaken);
 state.score = Math.max(0, state.score - 3);
 feedback.className = 'feedback bad show';
 feedback.textContent = `The enemy counterattacked. You lost ${damageTaken} HP.\n\nCorrect answer:\n${answerSummary}`;
 addLog(`Missed ${q.title}. You took ${damageTaken} damage.`);
 playSfx('wrong');
 }
 $("enemyHpText").textContent = `Threat ${state.currentEnemy.hp} / ${state.currentEnemy.maxHp}`;
 $("enemyHpBar").style.width = `${(state.currentEnemy.hp / state.currentEnemy.maxHp) * 100}%`;
 $("submitBtn").style.display = 'none';
 $("nextBtn").style.display = 'inline-flex';
 updateHud();
 if (state.hp <= 0) {
 setTimeout(() => endGame(false), 180);
 }
}
function nextQuestion() {
 if (state.hp <= 0) {
 endGame(false);
 return;
 }
 state.index += 1;
 playSfx('next');
 loadQuestion();
}
function usePotion() {
 if (state.locked || state.potions <= 0 || state.hp >= state.maxHp) return;
 state.potions -= 1;
 state.hp = Math.min(state.maxHp, state.hp + 25);
 addLog('You drink a potion and recover 25 HP.');
 playSfx('potion');
 updateHud();
}
function useScan() {
 if (state.locked || state.scans <= 0 || state.scanUsed) return;
 const q = state.deck[state.index];
 const wrongOptions = q.options.filter(opt => !q.answer.includes(opt.letter));
 const toHideCount = Math.min(q.multi ? 1 : 2, wrongOptions.length);
 const toHide = shuffle(wrongOptions).slice(0, toHideCount).map(opt => opt.letter);
 document.querySelectorAll('#optionsForm .option').forEach(el => {
 if (toHide.includes(el.dataset.letter)) {
 el.style.opacity = '0.35';
 el.querySelector('input').disabled = true;
 }
 });
 state.scans -= 1;
 state.scanUsed = true;
 addLog('Scan used. Some wrong paths faded away.');
 playSfx('scan');
 updateHud();
}
function endGame(won) {
 const accuracy = state.answered ? Math.round((state.correct / state.answered) * 100) : 0;
 $("endTitle").textContent = won ? 'Adventure Complete' : 'You Were Defeated';
 $("endSubtitle").textContent = won ? 'You cleared the Security Quest and brought order to the cloud.' : 'The dungeon pushed back. Rest, review, and try another run.';
 $("finalScore").textContent = state.score;
 $("finalAccuracy").textContent = `${accuracy}%`;
 $("finalCleared").textContent = `${state.correct}/${state.answered}`;
 $("finalLevel").textContent = state.level;
 showScreen("endScreen");
}
Array.from(document.querySelectorAll('.class-card')).forEach(card => {
 card.addEventListener('click', () => {
 Array.from(document.querySelectorAll('.class-card')).forEach(c => c.classList.remove('selected'));
 card.classList.add('selected');
 selectedClass = card.dataset.class;
 $("startBtn").disabled = false;
 });
});
$("startBtn").addEventListener('click', () => { ensureAudio(); initializeGame(); });
$("submitBtn").addEventListener('click', answerQuestion);
$("nextBtn").addEventListener('click', nextQuestion);
$("potionBtn").addEventListener('click', usePotion);
$("scanBtn").addEventListener('click', useScan);
$("restartBtn").addEventListener('click', () => location.reload());
$("musicToggle").addEventListener('click', () => {
 ensureAudio();
 audioState.musicEnabled = !audioState.musicEnabled;
 if (audioState.musicEnabled) startMusicLoop();
 else stopMusicLoop();
 updateAudioButtons();
});
$("sfxToggle").addEventListener('click', () => {
 ensureAudio();
 audioState.sfxEnabled = !audioState.sfxEnabled;
 updateAudioButtons();
 if (audioState.sfxEnabled) playSfx('scan');
});
updateAudioButtons();
</script>
</body>
</html>
sc100_security_quest_rpg_fullscreen (1).html
Displaying sc100_security_quest_rpg_fullscreen (1).html.