SC-900 Cheat Sheet
Security, Compliance, and Identity Concepts
Security and Compliance Concepts
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
In every cloud model, including SaaS, three duties never transfer to Microsoft: your information and data, your devices (the phones, laptops, and PCs that reach your services), and your accounts and identities. Because identity stays yours, so does access management: multifactor authentication, role assignments, and conditional access. These are the most tested 'who is responsible' answers precisely because they never shift to the provider.
Trap Assuming a managed or SaaS service makes Microsoft responsible for your user identities or data; those stay with you no matter how managed the service is.
7 questions test this
- Your organization uses Microsoft Entra ID to manage identities. In the shared responsibility model, which task is Microsoft responsible for?
- Your organization uses sensitivity labels from Microsoft Purview Information Protection to classify documents stored in Azure. In the…
- According to the shared responsibility model, which responsibility always remains with the customer regardless of whether the cloud…
- Your organization uses Microsoft Entra ID (formerly Azure Active Directory) as its identity provider. In the shared responsibility model,…
- Your organization uses Microsoft Entra ID to manage user identities for accessing Azure resources. Which task is the customer's…
- In the Azure shared responsibility model, which security task always remains with the customer regardless of the cloud service type?
- According to the Azure shared responsibility model, which combination of security areas is always the customer's responsibility across all…
- The responsibility line rises from IaaS to PaaS to SaaS
On-premises you own the whole stack. With IaaS, Microsoft owns the physical hosts, network, and datacenter while you own the operating system, applications, and network controls. PaaS moves the operating system to Microsoft's side, leaving you the application and its data. SaaS hands almost everything to Microsoft. The more managed the service, the smaller your share.
Trap Putting operating-system patching on the customer for PaaS or SaaS; the OS is Microsoft's responsibility there, and only the customer's on IaaS.
3 questions test this
- Your organization uses Microsoft Entra ID to manage identities. In the shared responsibility model, which task is Microsoft responsible for?
- Your organization uses Microsoft 365 for email and collaboration. According to the shared responsibility model, which area is managed by…
- Your organization plans to migrate a web application from an Azure Virtual Machine to Azure App Service. How does the responsibility for…
- Physical hosts, network, and datacenter are always Microsoft's in the cloud
Once a workload runs in the cloud, the three physical layers, physical hosts, physical network, and physical datacenter, are Microsoft's responsibility in every service model. The customer never secures the datacenter building, the racks, or the cabling.
Trap Assigning physical datacenter or host security to the customer for IaaS; physical layers are always Microsoft's once you are in the cloud.
3 questions test this
- Your company uses both Azure Virtual Machines and Microsoft 365. In the shared responsibility model, which area is managed by Microsoft…
- Your organization migrates virtual machines from an on-premises datacenter to Azure IaaS and plans to use Microsoft Entra ID for identity…
- Select the answer that correctly completes the sentence. When an organization migrates from an on-premises datacenter to Azure, the…
- Defense in depth stacks independent layers so one breach is not fatal
Defense in depth uses overlapping controls from the outside in: physical, identity and access, perimeter, network, compute, application, and data at the core. Each layer is independent, so if an attacker gets past one, the next still stands between them and the data. It is the opposite of trusting a single perimeter wall.
- The CIA triad is confidentiality, integrity, and availability
Every security control ultimately serves one of three goals. Confidentiality keeps data readable only to authorized parties. Integrity keeps data accurate and unaltered except by authorized changes. Availability keeps systems reachable for legitimate users. Attacks map to these too: theft targets confidentiality, tampering targets integrity, and a denial-of-service targets availability.
Trap Confusing integrity with confidentiality; integrity is about unauthorized modification or tampering, while confidentiality is about unauthorized reading.
- A hash check verifies integrity, not confidentiality
Comparing a downloaded file's hash to the value the publisher lists confirms the file was not altered, which is an integrity control. It reveals nothing about who can read the file, so it gives no confidentiality. Hashing detects change; encryption hides content.
Trap Treating a hash or checksum as a way to keep data secret; it detects tampering but does not conceal the data.
- Zero Trust means never trust, always verify
Zero Trust drops the assumption that anything inside the corporate network is safe and verifies every request as if it came from an open network. It replaces the old perimeter model because modern attacks use stolen identities and phishing that do not depend on network location. Trust is earned per request, not granted by the network.
Trap Assuming traffic from inside the corporate network is automatically trusted; under Zero Trust, network location is never by itself proof of trust.
- Verify explicitly decides from many signals, not one factor
The verify-explicitly principle authenticates and authorizes from all available signals: user identity, sign-in location, the device and its compliance state, the app and data involved, and anomalies such as an unusual sign-in time. The more signals evaluated, the more confidence the right person is reaching the right resource. A single factor like a password is not enough.
Trap Treating a correct password alone as sufficient; verify explicitly weighs multiple signals, so a valid password from an unmanaged device or odd location can still be challenged.
- Least privilege grants just enough access, just in time
The least-privilege principle gives users and systems only the access a task needs, for only as long as it is needed. It is implemented with just-in-time (JIT) access, which grants then revokes, and just-enough-access (JEA), which scopes to the exact permissions required. Risk-based adaptive policies tighten access automatically when activity looks risky.
- Assume breach: segment, encrypt, and monitor as if already compromised
The assume-breach principle designs security as though an attacker is already inside. You segment access so a compromised account cannot roam freely, encrypt data end to end so intercepted data is unreadable, and monitor with analytics so a breach is detected and contained quickly. Effort shifts from only keeping attackers out to limiting what they can do once in.
1 question tests this
- Zero Trust spans six resource pillars plus a seventh that correlates signals
Microsoft enforces Zero Trust across six pillars that are the resources and signal sources to defend: identities, devices, applications, data, infrastructure, and networks. A seventh pillar, visibility, automation, and orchestration, aggregates the signals from the other six and coordinates the response, typically through SIEM and SOAR tooling. Identity is described as the primary control plane because most attacks eventually abuse one.
- Encryption is reversible with a key; hashing is one-way with no key
Encryption scrambles data so a holder of the correct key can read it back, so it protects data you must recover later. Hashing runs input through a one-way algorithm to a fixed-length digest, uses no key, and cannot be reversed, so it verifies data without storing the original. The choice turns on one question: do you need to read the value back?
Trap Calling hashing a form of encryption or claiming a hash can be decrypted; hashing has no key and is not reversible.
4 questions test this
- How does Microsoft Entra ID verify a user's password during sign-in when password hash synchronization is configured?
- What is a key property of a hash function that makes it suitable for verifying data integrity?
- Select the answer that correctly completes the sentence. Regardless of the size of the input data, a hash function always produces [answer…
- Azure Key Vault can store secrets such as passwords. Which statement correctly describes hashing as it relates to protecting password…
- Symmetric uses one shared key; asymmetric uses a public/private pair
Symmetric encryption uses the same secret key to encrypt and decrypt, which is fast for bulk data but creates the key distribution problem of sharing that key securely. Asymmetric encryption uses a mathematically linked public and private key pair, so the public key can be shared freely and only the matching private key decrypts. Asymmetric is what solves key distribution and underpins HTTPS.
Trap Thinking data encrypted with the public key can be decrypted with that same public key; only the matching private key can decrypt it.
- Public key encrypts and verifies; private key decrypts and signs
In asymmetric encryption the two directions do different jobs. Encrypting with the recipient's public key means only their private key can decrypt it, giving confidentiality. Signing with the sender's private key lets anyone with the public key verify it, giving a digital signature that proves authenticity and integrity. The private key is the one you never share.
Trap Swapping the directions, such as expecting the public key to decrypt or to create a signature; only the private key decrypts and only the private key signs.
- Encryption protects data at rest, in transit, and in use
Data at rest is stored on a disk, database, or storage account, and is encrypted so stolen media stays unreadable. Data in transit is moving across a network and is protected by TLS (as in HTTPS) or a VPN. Data in use is being processed in memory, and is protected by confidential computing that creates a protected execution environment. All three states need their own protection.
- Salt passwords before hashing to defeat rainbow tables
Systems store the hash of a password rather than the password, so a stolen database yields only hashes. Because hashing is deterministic, attackers can precompute hashes of common passwords into rainbow tables. Adding a unique random salt to each password before hashing makes two identical passwords produce different stored hashes, so precomputed tables no longer match.
Trap Relying on plain hashing for passwords with no salt; deterministic hashes let attackers match them against precomputed rainbow tables.
- Governance sets the rules, risk ranks the threats, compliance meets the law
Governance is the system of policies and processes that directs how an organization classifies, handles, and grants access to data. Risk management identifies, scores, and treats threats so the organization can make informed decisions. Compliance is adhering to the external laws, regulations, and standards that apply. Governance creates the structure that risk and compliance operate on.
- Compliance is a minimum bar, not the same as security
Compliance is the minimum a law or regulation demands, while security is the broader set of practices that actually protect data and systems. Because compliance defines a floor, an organization can pass every required audit and still carry serious vulnerabilities. Meeting a regulation and being secure are not the same claim.
Trap Treating a passed compliance audit as proof the environment is secure; compliance is a minimum standard, not evidence of strong security.
- Respond to risk by accepting, mitigating, transferring, or avoiding it
Risk management scores each risk by impact and likelihood, then chooses one of four responses: accept a low risk, mitigate it with controls, transfer it (for example through insurance), or avoid it by changing the process. The goal is not to eliminate all risk but to understand it well enough to decide, then monitor as the environment changes.
Trap Believing risk management aims to remove all risk; the goal is to understand and treat it, and accepting a low risk is a valid response.
- Data residency is where data is stored; sovereignty is whose laws apply
Data residency governs where data may be physically stored and how it may cross borders, and the rules vary by jurisdiction. Data sovereignty is the principle that data is subject to the laws of the country or region where it is collected, held, or processed. Because these differ, one dataset can satisfy a residency rule while still falling under another country's laws as it moves.
Trap Using data residency and data sovereignty interchangeably; residency is the physical storage location, sovereignty is which laws govern the data.
- Data privacy is the proper handling of personal data
Privacy covers personal data, meaning any information that identifies a person directly or indirectly, such as a name, an email address, or location history. Privacy rules require transparency about what is collected, appropriate consent, and honoring individual rights to access, correct, or delete their data. Organizations are subject to these laws wherever they operate and wherever their customers are located.
Identity Concepts
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Microsoft Entra
Entra ID and Identity Types
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Microsoft Entra ID is cloud identity, not Active Directory Domain Services
Microsoft Entra ID (formerly Azure Active Directory) is Microsoft's cloud-based identity and access management service; it authenticates users, apps, and devices over internet protocols such as SAML, OAuth 2.0, and OpenID Connect. It is not on-premises AD DS relocated to the cloud, so it has no domain controllers, organizational units, or Group Policy. When a workload in Azure needs Kerberos, LDAP, NTLM, or Group Policy, that job belongs to Microsoft Entra Domain Services, a separate managed-domain product.
Trap Answering Microsoft Entra ID when a scenario requires LDAP, Kerberos, or Group Policy in Azure; those legacy directory features come from Microsoft Entra Domain Services, not from Entra ID.
- Microsoft Entra is the family; Entra ID is the directory inside it
Microsoft Entra is the umbrella name for a set of identity and network access products, and Entra ID is the foundational directory and access service at its center. Specialized siblings sit on top of it: Entra ID Protection for risk detection, Entra ID Governance for access reviews and lifecycle, Entra External ID for customer and partner identity, and Entra Workload ID for application identities. On the exam a described capability usually maps to one specific product rather than to Entra ID in general.
Trap Picking Entra ID Governance to detect risky sign-ins; risk detection is Entra ID Protection, while Governance handles access reviews and identity lifecycle.
- Entra ID identities are users, workload identities, and devices
Everything Entra ID authenticates is an identity, grouped as human identities (users) and machine identities (workload identities and devices). Users are members or guests; workload identities are applications, service principals, and managed identities; devices get an identity through registration or join. Knowing which bucket a thing falls into is the core of the identity-types objective.
Trap Listing groups as an Entra ID identity type; groups are collections used to assign access, not one of the identity types (users, workload identities, devices).
- External collaborators are guests added through B2B, not members
A member is a user from your own organization; a guest is an external person invited through Entra External ID B2B collaboration who signs in with their own home credentials, so you never issue or manage a password for them. Member versus guest is the user distinction SC-900 tests.
Trap Creating a full internal member account for an outside partner instead of inviting them as a B2B guest; the guest keeps their own home identity and you avoid managing their credentials.
5 questions test this
- You need to give a partner company's users access to a shared application in your tenant while allowing them to sign in with their own…
- Partner company users need to access applications in your Microsoft Entra tenant by using their own organizational accounts. Which identity…
- Your organization wants to grant external partner users access to a shared application while leaving their accounts managed in the…
- An organization invites users from a partner company to access shared resources by using Microsoft Entra B2B collaboration. What is true…
- Your organization wants external partner employees to access a shared SharePoint Online site by signing in with their own organization…
- A workload identity is an identity for software, not for a person
Workload identities let applications, services, scripts, and containers authenticate to Entra ID. In Entra ID they take three forms: an application, a service principal, and a managed identity. Reach for one wherever code, rather than a human, needs to sign in and access a protected resource.
3 questions test this
- In Microsoft Entra ID, what are applications, service principals, and managed identities collectively known as?
- Which type of identity in Microsoft Entra ID is assigned to applications and services so that they can authenticate and access resources…
- In Microsoft Entra, which identity types are classified as workload identities?
- The application object is the blueprint; the service principal holds the permissions
An application object is the single global definition of an app, living in the tenant where it was registered, and it acts as a template. A service principal is the local instance of that app inside a specific tenant, and it is the security principal that actually receives permissions and role assignments. One application object maps to many service principals, one in every tenant that uses the app.
Trap Assigning permissions to the application object; access is granted to the service principal, which is the app's local instance in the tenant.
- A managed identity is a service principal that removes stored secrets
A managed identity is a special type of service principal that an Azure resource uses to obtain Entra ID tokens with no credential to store or rotate, and it is available at no extra cost. It works only with resources and services that support Entra ID authentication.
8 questions test this
- Select the answer that correctly completes the sentence. A managed identity is a special type of [answer choice] in Microsoft Entra ID.
- What type of identity in Microsoft Entra ID eliminates the need for developers to manage credentials when Azure resources need to access…
- A developer needs to grant an Azure virtual machine access to secrets stored in Azure Key Vault without placing any credentials in the…
- A developer has an application hosted outside of Azure that needs to authenticate to Microsoft Entra ID to access protected resources. What…
- An organization wants its Azure-hosted applications to access Azure Key Vault without developers having to store or rotate secrets in code.…
- You need to enable an Azure virtual machine to access Azure Key Vault without storing credentials in code. What should you use?
- What is a primary benefit of using managed identities for Azure resources?
- Select the answer that correctly completes the sentence. Internally, managed identities are [answer choice] that can only be used with…
- System-assigned managed identity is 1:1 with its resource; user-assigned is reusable
A system-assigned managed identity is created on a single Azure resource and shares that resource's lifecycle, so it is deleted with the resource and cannot be shared, a strict one-to-one binding. A user-assigned managed identity is a standalone Azure resource with its own lifecycle that you can attach to many resources, making it the reusable choice when several workloads need the same access or when the identity must outlive any one resource.
Trap Choosing a system-assigned managed identity when several resources must share one identity; system-assigned is bound to a single resource, so shared access needs a user-assigned identity.
6 questions test this
- Select the answer that correctly completes the sentence. When an Azure resource with a system-assigned managed identity is deleted, the…
- What are the two types of managed identities available in Microsoft Entra ID?
- What happens to a system-assigned managed identity when the Azure resource it is enabled on is deleted?
- What is a characteristic of a user-assigned managed identity?
- A company needs a single Microsoft Entra identity that can be shared across several Azure virtual machines and whose lifecycle is…
- What happens to a system-assigned managed identity when the Azure resource it is associated with is deleted?
- Devices need an identity for Conditional Access and Intune
Giving a device an identity in Entra ID lets policy engines weigh the device in an access decision, which is what enables device-based Conditional Access and Microsoft Intune management. Without a device identity, Entra ID cannot require, for example, a compliant or managed device.
3 questions test this
- You want corporate devices to be represented in Microsoft Entra ID so that their state can be evaluated by Conditional Access policies.…
- What can you create in Microsoft Entra ID to provide a single identity for devices, enabling you to manage and secure the devices that…
- You configure a Conditional Access policy with the grant control set to require the device to be marked as compliant. From which service…
- Entra registered is for personal devices; Entra joined is for org-owned
A device gets an Entra ID identity in one of three ways. Entra registered covers personal, bring-your-own devices, including phones and tablets. Entra joined is for organization-owned devices that live only in the cloud. Entra hybrid joined is for organization-owned devices joined to both on-premises AD and Entra ID, typically a transition step for companies that still run an on-premises domain.
Trap Requiring Entra join for a personal phone; a personal, bring-your-own device only needs Entra registration, while join is for organization-owned devices.
- Hybrid identity gives one identity that works on-premises and in the cloud
Hybrid identity provides a single user identity for authentication and authorization across both on-premises Active Directory and the cloud, so people use the same account everywhere. It is built through directory synchronization plus a chosen sign-in method, and it applies only to organizations that already run an on-premises directory.
6 questions test this
- What is the result of implementing hybrid identity with Microsoft Entra ID?
- A user account originates in on-premises Active Directory and is synchronized to Microsoft Entra ID so the user can access both on-premises…
- Select the answer that correctly completes the sentence. Configuring hybrid identity with Microsoft Entra ID lets users access on-premises…
- Your organization uses both on-premises Active Directory and Microsoft Entra ID. What does configuring hybrid identity provide for your…
- What is the primary benefit of implementing a hybrid identity solution that integrates on-premises Active Directory with Microsoft Entra ID?
- What is the primary benefit of implementing hybrid identities in Microsoft Entra ID for an enterprise?
- Entra Connect synchronizes accounts; it is not the authentication method
Microsoft Entra Connect, and the lighter-weight Entra Cloud Sync, is the tool that synchronizes users and groups from on-premises Active Directory into Entra ID. How a hybrid sign-in is actually verified is a separate choice among three authentication methods, and any sync configuration can sit under any of them.
Trap Naming Microsoft Entra Connect as an authentication method; Entra Connect only synchronizes directory objects, while sign-in is verified by password hash sync, pass-through authentication, or federation.
- Password hash synchronization verifies sign-in in the cloud and is the simplest method
With password hash synchronization (PHS), a hash of the on-premises password hash is synchronized to Entra ID, which then verifies sign-ins itself, in the cloud. It needs nothing on-premises beyond the sync server, so it is the simplest option, and Microsoft recommends enabling it even alongside another method so cloud sign-in survives an on-premises outage.
Trap Assuming password hash synchronization validates the password on-premises; PHS verifies sign-in in the cloud, unlike pass-through authentication, where an on-premises agent performs the check.
4 questions test this
- What does Microsoft Entra Connect synchronize to Microsoft Entra ID when password hash synchronization is enabled?
- What is a characteristic of password hash synchronization in Microsoft Entra Connect?
- Which sign-in method synchronizes a hash of a user's on-premises Active Directory password to Microsoft Entra ID so that users can sign in…
- You use password hash synchronization for hybrid identity. The on-premises server running Microsoft Entra Connect unexpectedly goes offline…
- Pass-through authentication validates the password on-premises via an agent
Pass-through authentication (PTA) installs a lightweight agent on an on-premises server that validates the user's password directly against Active Directory, so the password check never happens in the cloud. It suits organizations that must enforce on-premises account state, such as disabled, locked out, expired, or sign-in hours, at every sign-in.
Trap Standing up AD FS when pass-through authentication would do; PTA validates against on-premises AD with a lightweight agent and needs no federation server farm or TLS certificate.
- Federation hands sign-in off to a trusted system such as AD FS
Federated authentication delegates sign-in to a separate trusted system, typically on-premises Active Directory Federation Services (AD FS), which verifies the password on-premises. It fits requirements Entra ID cannot meet natively, such as certain third-party MFA or smartcard scenarios, but it needs its own server farm and a TLS certificate, which makes it the most complex option.
7 questions test this
- Which authentication option for hybrid identity redirects sign-in requests to a separate trusted authentication system, such as Active…
- Which statement best describes federation in a hybrid identity scenario with Microsoft Entra ID?
- In a hybrid identity deployment, what is the purpose of configuring federation between on-premises Active Directory and Microsoft Entra ID?
- What does federation between Microsoft Entra ID and another identity provider establish to enable users to access resources across…
- In a federated identity scenario with Microsoft Entra ID, what is the primary function of an identity provider (IdP)?
- In a federated hybrid identity configuration that uses Active Directory Federation Services (AD FS), how are users authenticated when they…
- With federated authentication for hybrid identity, where is the user's password actually validated when they sign in to a Microsoft cloud…
- Entra Cloud Sync uses a lightweight cloud-managed provisioning agent
Microsoft Entra Cloud Sync synchronizes on-premises Active Directory identities using a lightweight provisioning agent installed on-premises, with all synchronization configuration managed in the cloud. It supports scenarios that Connect Sync handles poorly, such as synchronizing from multiple disconnected AD forests during mergers and acquisitions.
Trap Assuming Cloud Sync and Connect Sync are interchangeable; Cloud Sync's agent is lightweight and cloud-configured, whereas Connect Sync installs a heavier server configured on-premises.
4 questions test this
- What is a key difference between Microsoft Entra Cloud Sync and Microsoft Entra Connect Sync?
- What does Microsoft Entra Cloud Sync use to synchronize identities from on-premises Active Directory to Microsoft Entra ID?
- Your organization wants to use a lightweight, agent-based synchronization solution that does not require an on-premises synchronization…
- Which scenario is a key benefit of using Microsoft Entra Cloud Sync?
Authentication and MFA
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Conditional Access and RBAC
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Identity Protection and Governance
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Microsoft Security Solutions
Azure Infrastructure Security
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- DDoS Protection guards layers 3 and 4; a WAF guards layer 7
Azure DDoS Protection mitigates network- and transport-layer floods (volumetric and protocol attacks at layers 3 and 4) but does not read HTTP content, so application-layer attacks such as HTTP floods, SQL injection, and cross-site scripting fall to a Web Application Firewall. Microsoft positions the two as complementary, so DDoS Protection plus a WAF is the defense-in-depth answer covering both the network and the application.
Trap Reaching for Azure DDoS Protection to stop an HTTP flood or SQL injection; those are layer 7 attacks a WAF handles, not DDoS Protection.
3 questions test this
- Azure DDoS Protection automatically mitigates attacks that target the network layer of your Azure virtual network resources. Which attack…
- Your organization needs to protect a web application from both network-layer and application-layer DDoS attacks. What should you use?
- To defend against resource layer (application layer) attacks, Azure DDoS Protection should be combined with which additional service?
- DDoS attacks come in volumetric, protocol, and application-layer forms
The three shapes are volumetric attacks that saturate bandwidth, protocol attacks that exhaust server resources by abusing layer 3 and 4 weaknesses, and resource (application) layer attacks aimed at the web application itself. Azure DDoS Protection covers the first two at layers 3 and 4; the application-layer form is left to a WAF.
- DDoS Network Protection covers a VNet; IP Protection is billed per IP
The two paid DDoS tiers share the same core mitigation engine but differ in scope and billing: DDoS Network Protection protects an entire virtual network, while DDoS IP Protection is a pay-per-protected-public-IP model. IP Protection omits the value-added extras Network Protection includes, namely DDoS rapid-response support, cost protection, and WAF discounts.
Trap Assuming DDoS IP Protection includes rapid-response support and cost protection; those value-added services come only with DDoS Network Protection.
6 questions test this
- What happens when Azure DDoS Network Protection is enabled on an Azure virtual network?
- Which capability is available with Azure DDoS Network Protection but is NOT included with Azure DDoS IP Protection?
- At what level is Azure DDoS Network Protection enabled?
- You manage an Azure virtual network that contains several public IP resources. You need to enable a DDoS Protection tier that is applied at…
- What must be in place before your operations team can engage the DDoS Rapid Response (DRR) team for help during an attack?
- During an active DDoS attack on resources protected by Azure DDoS Network Protection, which capability provides access to a team that can…
- Every Azure resource has free default DDoS protection, but it is thin
Azure gives all resources a default infrastructure-level DDoS protection at no cost, but its thresholds are tuned high and it provides no telemetry, alerting, or per-application tuning. A flood the platform treats as harmless can still overwhelm one application, which is why the paid tiers add monitoring, alerts, and adaptive tuning.
Trap Treating the free default infrastructure-level DDoS protection as equivalent to DDoS Network Protection; it lacks telemetry, alerting, and application-tuned thresholds.
- Azure Firewall is a managed, stateful, centralized network security service
Azure Firewall is a cloud-native, fully stateful firewall-as-a-service you typically place on a central hub VNet so every other VNet and on-premises network routes through one policy, giving centralized control across subscriptions. Being stateful, it tracks active connections and judges traffic in context, and it provides built-in high availability across availability zones.
8 questions test this
- In a defense-in-depth design, which characteristic distinguishes Azure Firewall from network security groups (NSGs)?
- Which characteristic best describes how Azure Firewall evaluates network traffic for resources in an Azure virtual network?
- Which statement best describes a characteristic of Azure Firewall?
- In a defense-in-depth strategy, what is the primary role of Azure Firewall within an Azure network architecture?
- Which Azure service acts as a centrally managed, stateful firewall-as-a-service that can filter traffic for an entire virtual network and…
- In a layered network design, what is the role of Azure Firewall when it is used together with Azure Bastion?
- Your organization deploys Azure Firewall in a central hub virtual network with spoke virtual networks peered to it. What is the primary…
- Which Azure service is a managed, cloud-based network security service that protects your Azure virtual network resources?
- Azure Firewall filters by FQDN and Microsoft threat intelligence
Beyond IP, port, and protocol network rules, Azure Firewall filters application traffic by fully qualified domain name (FQDN) over HTTP/S, and its threat-intelligence filtering alerts on or denies traffic to and from IP addresses and domains Microsoft's feed flags as malicious. It also performs source and destination network address translation (SNAT and DNAT).
7 questions test this
- Which traffic-filtering capability is provided by Azure Firewall but is not available in a network security group?
- Where does Azure Firewall threat intelligence-based filtering obtain the IP addresses, domains, and URLs used to identify malicious traffic?
- Which operating modes can be configured for threat intelligence-based filtering in Azure Firewall?
- Your organization wants the network perimeter to automatically alert on and deny outbound traffic to IP addresses and domains that…
- Which Azure service acts as a centrally managed, stateful firewall-as-a-service that can filter traffic for an entire virtual network and…
- A company must restrict outbound HTTP and HTTPS traffic from its virtual network so that workloads can only reach an approved list of fully…
- What do Azure Firewall application rules filter traffic based on?
- Azure Firewall filters across networks; an NSG filters within one
Both control traffic to virtual-network resources, but by scope. A network security group does distributed filtering within a VNet, at a subnet or network interface, on the five-tuple. Azure Firewall is a centralized, stateful service that protects across VNets and subscriptions and adds FQDN and threat-intelligence filtering an NSG cannot do. They are complementary layers, not an either-or choice.
Trap Using a network security group where you need FQDN or threat-intelligence filtering; an NSG only allows or denies on the five-tuple, so that job belongs to Azure Firewall.
9 questions test this
- Which Azure network security option can be used at no additional cost to filter inbound and outbound traffic at the subnet and network…
- Which traffic-filtering capability is provided by Azure Firewall but is not available in a network security group?
- In a defense-in-depth architecture, at which layer does a network security group operate to help reduce the attack surface of virtual…
- What is the primary purpose of a network security group (NSG) in Azure?
- Your organization wants to centrally filter and log all outbound internet traffic from multiple Azure virtual networks while also…
- How do network security groups (NSGs) help implement network segmentation within an Azure virtual network?
- A company applies network security groups (NSGs) to individual subnets to control traffic between workloads inside a virtual network, while…
- At which layer of network protection are network security groups (NSGs) intended to filter traffic in Azure?
- In a hub-and-spoke architecture that follows a defense-in-depth strategy, how do Azure Firewall and network security groups (NSGs) provide…
- NSG rules allow or deny on the five-tuple in priority order
A network security group evaluates rules by priority (lower numbers first, and evaluation stops at the first match) using five values: source, source port, destination, destination port, and protocol. Each rule either allows or denies, and you can override the undeletable default rules by adding a higher-priority, lower-numbered rule.
6 questions test this
- In Azure, a network security group (NSG) can filter network traffic based on which characteristics?
- On what basis do network security groups (NSGs) allow or deny network traffic to Azure resources?
- What does a network security group (NSG) use to determine whether inbound or outbound traffic is allowed or denied?
- In an architecture that uses Azure Bastion for remote access, what is the primary purpose of a network security group (NSG)?
- Which statement accurately describes a network security group (NSG) in Azure?
- At which layers of the OSI model do network security groups (NSGs) primarily filter network traffic in Azure?
- Attach one NSG per subnet or NIC, but reuse it widely
You can associate at most one network security group with a given subnet and one with a given network interface (NIC), but the same NSG can be attached to many subnets and NICs at once. This lets a single rule set cover many resources that share the same security needs.
- A new NSG allows intra-VNet and outbound internet traffic by default
Every NSG ships with default rules (three inbound, three outbound) you cannot delete. Their net effect allows traffic within the virtual network and from the Azure load balancer, allows outbound to the VNet and the internet, and denies all other inbound traffic from the internet. You change this only by adding higher-priority rules.
Trap Assuming a new NSG blocks everything by default; its default rules already allow traffic within the VNet and outbound to the internet, denying only other inbound traffic.
6 questions test this
- By default, how can virtual machines deployed in the same subnet of an Azure virtual network communicate with each other?
- By default, how does a network security group (NSG) handle inbound traffic from the internet?
- By default, how does a newly created network security group (NSG) handle inbound traffic from the internet?
- You have a virtual network with resources deployed in multiple subnets. By default, what traffic is allowed between the subnets?
- You need to prevent virtual machines in a specific subnet from initiating outbound connections to the internet, while keeping the…
- Which default behavior is included in every Azure network security group (NSG)?
- VNets block cross-VNet and inbound traffic by default
An Azure virtual network is the isolation boundary of your private network in Azure: by default no traffic crosses between VNets or arrives inbound from outside, so any communication must be explicitly provisioned. This default-deny posture is what makes segmentation the practical basis of the Zero Trust assume breach principle.
Trap Assuming resources in two different VNets can talk by default; cross-VNet traffic is denied until you explicitly provision it, for example with peering.
3 questions test this
- By default, how are resources deployed in two separate Azure virtual networks able to communicate with each other?
- What is a Microsoft Azure virtual network (VNet)?
- Within a defense-in-depth security strategy, which layer is primarily addressed when you use Azure virtual networks to segment and isolate…
- Subnets segment a VNet to contain a breach
Within a VNet, subnets divide the network into smaller segments with their own controls, for example separating web servers from database servers. Segmenting this way limits lateral movement, so a compromise in one subnet is harder to spread, which serves the Zero Trust assume breach principle directly.
6 questions test this
- Within a defense-in-depth strategy, what is the primary security benefit of dividing workloads into separate subnets within an Azure…
- How does network segmentation with Azure virtual networks support the Zero Trust principle of assume breach?
- Your organization hosts a multi-tier application with web, application, and database servers in one Azure virtual network. You want to…
- What is the primary benefit of using Azure virtual networks for network segmentation in a defense-in-depth strategy?
- Within an Azure virtual network, what is the primary purpose of dividing the network into subnets?
- What is a benefit of segmenting an Azure virtual network into multiple subnets?
- VNet peering connects two VNets over the private Azure backbone
Peering links two virtual networks so their resources communicate as if on one network, and the traffic travels over the private Azure backbone rather than the public internet. Global VNet peering extends this connection across Azure regions.
- Azure Bastion gives RDP and SSH without a public IP or open ports
Azure Bastion is a managed PaaS service provisioned inside a VNet that brokers Remote Desktop Protocol (RDP) and Secure Shell (SSH) sessions to your VMs from the Azure portal over TLS on port 443. The VM keeps only a private IP and never exposes an RDP or SSH port to the internet, which removes the open management port attackers scan for.
Trap Assuming the target VM still needs a public IP with Azure Bastion; the point is that the VM keeps only a private IP while Bastion brokers the session over TLS.
15 questions test this
- Your organization uses Azure Bastion to access Azure virtual machines. Which inbound ports can you keep closed to the internet on the…
- Select the answer that correctly completes the sentence. When you use Azure Bastion to connect to an Azure virtual machine, Bastion…
- How do users initiate an Azure Bastion session to a virtual machine over TLS without installing additional client software?
- What must you install on the target Azure virtual machines to enable browser-based connectivity through Azure Bastion?
- How does Azure Bastion improve the security of remote access to Azure virtual machines?
- In a layered network design, what is the role of Azure Firewall when it is used together with Azure Bastion?
- What is a primary security benefit of using Azure Bastion to access Azure virtual machines?
- How do administrators establish a remote session to an Azure virtual machine when using Azure Bastion?
- By keeping Azure virtual machines off the public internet, what type of threat does Azure Bastion primarily help protect those virtual…
- What does Azure Bastion use to provide RDP and SSH connectivity to an Azure virtual machine through a web browser?
- Which Azure service enables you to connect to Azure virtual machines by using RDP and SSH directly from the Azure portal without assigning…
- Your Azure virtual machines do not have public IP addresses. When a user connects to one of these virtual machines through Azure Bastion,…
- A user connects to an Azure virtual machine through Azure Bastion from the Azure portal. Which protocol and port does the user's browser…
- What is a benefit of using Azure Bastion to connect to Azure virtual machines?
- Your organization deploys Azure Bastion to provide administrative connectivity to its Azure virtual machines. As a result, which inbound…
- Bastion is a managed broker, not a VPN or a jump box you patch
Azure Bastion brokers a single portal-based RDP or SSH session; it does not extend an on-premises network into Azure the way a VPN does, and it is not a jump-box VM you deploy and patch yourself. Azure keeps the Bastion service hardened and current, including against zero-day exploits.
Trap Treating Azure Bastion as a VPN or a self-managed jump-box VM; it is a fully managed session broker that Azure patches and hardens for you.
2 questions test this
- Bastion is deployed per virtual network, not per VM
You provision one Azure Bastion per virtual network, and it also serves peered VNets, rather than one per VM or per subscription. Once it is deployed, every VM in that network and its peers becomes reachable through it.
4 questions test this
- Where is Azure Bastion deployed in order to provide secure connectivity to virtual machines?
- You deploy a single Azure Bastion host into a virtual network. To which virtual machines can this Bastion host provide RDP and SSH…
- Which statement best describes how Azure Bastion is deployed to provide secure connectivity to virtual machines?
- Your Azure environment uses multiple virtual networks. You deploy Azure Bastion into one virtual network. Which additional configuration…
- Key Vault manages secrets, keys, and certificates
Azure Key Vault centralizes three kinds of protected material: secrets (passwords, connection strings, API keys), cryptographic keys used to encrypt data, and public and private TLS/SSL certificates it can provision and renew. Applications fetch these at runtime so credentials never sit in application code.
7 questions test this
- Which Azure Key Vault capability allows an organization to provision, manage, and automatically renew TLS/SSL certificates from supported…
- Select the answer that correctly completes the sentence. Azure Key Vault can be used to securely manage [answer choice].
- In a defense-in-depth model, protecting the encryption keys that secure stored information is an example of safeguarding which layer?
- Which types of sensitive data can be securely stored and managed in Azure Key Vault?
- How does centralizing secrets, keys, and certificates in Azure Key Vault contribute to a defense-in-depth strategy?
- Which capability does Azure Key Vault provide as part of a defense-in-depth strategy in Azure?
- What is a benefit of centralizing application secrets in Azure Key Vault?
- Key Vault holds app secrets, not user identities
Key Vault stores an application's secrets, keys, and certificates, not user accounts or sign-in credentials. Those identities live in Microsoft Entra ID, which Key Vault itself relies on to authenticate its callers before authorizing them with Azure RBAC or a Key Vault access policy.
Trap Storing user sign-in credentials in Key Vault; user identities belong in Microsoft Entra ID, while Key Vault holds application secrets, keys, and certificates.
Key Vault's Standard tier protects keys with software, while the Premium tier stores them in a hardware security module (HSM), tamper-resistant hardware the keys never leave. Choose Premium when compliance requires HSM-backed key protection; both tiers offer the same secrets, keys, and certificate management otherwise.
Trap Assuming HSM-backed keys come with the Standard tier; hardware security module protection requires the Premium tier of Key Vault.
- Key Vault authenticates via Entra ID, authorizes via RBAC or access policy
Access to Key Vault is a two-step gate: authentication, which proves the caller's identity, is always handled by Microsoft Entra ID, and authorization, which decides what the caller may do, is handled by Azure role-based access control (RBAC) or a Key Vault access policy. Every access is logged so you can monitor use.
- Azure WAF runs on Application Gateway, Front Door, or CDN
A Web Application Firewall gives centralized layer-7 protection using the OWASP core rule set against exploits like SQL injection and cross-site scripting, and Azure delivers it through Application Gateway (regional), Azure Front Door (global), or Azure CDN. Patching a vulnerability once at the WAF then covers every application behind it.
Trap Expecting Azure Firewall to block SQL injection or cross-site scripting; those layer-7 web exploits are a WAF's job, delivered through Application Gateway, Front Door, or CDN.
11 questions test this
- In Azure Web Application Firewall (WAF) on Azure Front Door, what provides Azure-authored, preconfigured rules that are based on the OWASP…
- What is the primary benefit of integrating Azure Web Application Firewall (WAF) with Azure Front Door rather than deploying WAF only within…
- Your organization hosts a web application in a single Azure region and wants to protect it with a Web Application Firewall (WAF) that…
- At which layer does Web Application Firewall (WAF) on Azure Application Gateway inspect and filter traffic to protect web applications from…
- In an Azure Web Application Firewall (WAF) policy associated with Application Gateway, which component provides preconfigured,…
- Which type of attack does Azure Web Application Firewall on Application Gateway help protect against?
- Azure Web Application Firewall (WAF) on Application Gateway uses managed rule sets based on which security project?
- Which two Azure front-end delivery services can you associate with a Web Application Firewall (WAF) policy to protect web applications from…
- At which layer does Azure Web Application Firewall (WAF) on Azure Front Door inspect traffic to protect web applications?
- Your organization wants to protect a globally distributed web application at the network edge, closest to the source of incoming traffic.…
- Azure Web Application Firewall (WAF) on Application Gateway uses managed rule sets based on the OWASP Core Rule Set. Which type of attacks…
- A network security group is stateful, so an allowed connection gets automatic return traffic
A network security group allows or denies both inbound and outbound traffic at no extra cost and with no dedicated appliance. Because it is stateful, when it permits a connection the return traffic for that connection is allowed automatically, so you never add a matching reverse rule. When it is associated with a subnet, its rules apply to every resource connected to that subnet.
Trap Assuming an inbound allow rule needs a matching outbound rule for the reply traffic.
13 questions test this
- What is the effect of associating a network security group (NSG) with a virtual network subnet?
- Which Azure network security option can be used at no additional cost to filter inbound and outbound traffic at the subnet and network…
- Why is a network security group (NSG) described as stateful?
- In a defense-in-depth architecture, at which layer does a network security group operate to help reduce the attack surface of virtual…
- Your organization wants to allow or deny basic inbound and outbound traffic to several virtual machines in an Azure virtual network at no…
- Your organization hosts a multi-tier application with web, application, and database servers in one Azure virtual network. You want to…
- In an architecture that uses Azure Bastion for remote access, what is the primary purpose of a network security group (NSG)?
- Which statement accurately describes a network security group (NSG) in Azure?
- When a network security group (NSG) is associated with a virtual network subnet, to which resources in the subnet are the security rules…
- Which types of network traffic can a network security group (NSG) filter for Azure resources?
- Which statement best describes the purpose of a network security group (NSG) in Azure?
- You need to prevent virtual machines in a specific subnet from initiating outbound connections to the internet, while keeping the…
- What effect does associating a network security group (NSG) with a virtual network subnet have on the resources in that subnet?
- WAF Detection mode only logs a matching request; Prevention mode blocks it
In Detection mode an Azure WAF records matching requests in the WAF logs but lets them through, which is useful for tuning rules before enforcement. In Prevention mode it actively blocks a matching request, returns a 403 response, and logs the event.
Trap Leaving a tuned policy in Detection mode when the goal is to actively stop malicious requests.
4 questions test this
- Your organization deploys an Azure Application Gateway with a Web Application Firewall (WAF) policy configured in Detection mode. What does…
- You deploy Azure Web Application Firewall (WAF) on Azure Application Gateway and want the WAF to actively block requests that match the…
- In a Web Application Firewall (WAF) policy, what does Prevention mode do when an incoming request matches a configured rule?
- What happens when Azure Application Gateway WAF is running in Prevention mode and a request matches a managed rule?
- DDoS Protection reports attacks through Azure Monitor telemetry, alerts, and post-attack reports
Azure DDoS Protection surfaces rich telemetry through Azure Monitor, including near real-time metrics of packets dropped, forwarded, or tagged during mitigation. It can alert your operations team at the start and stop of an attack, provides attack analytics reports in about five-minute increments during the event, and delivers a forensic mitigation summary report after the attack ends.
5 questions test this
- Which Azure DDoS Protection capability provides detailed reports in five-minute increments during an attack and a complete summary after…
- Which Azure service is used to access real-time DDoS attack metrics and configure diagnostic logging for Azure DDoS Protection?
- Which Azure DDoS Protection capability proactively notifies your operations team at the start and stop of an attack by using built-in…
- What is the primary purpose of the attack telemetry and mitigation reports that Azure DDoS Protection makes available after an attack ends?
- Which information does Azure DDoS Protection make available through its attack telemetry metrics during an active attack?
Azure Security Management
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Defender for Cloud is one CNAPP covering posture and workload protection
Microsoft Defender for Cloud is a cloud-native application protection platform (CNAPP) with two halves: cloud security posture management (CSPM), which checks whether resources are configured securely, and cloud workload protection (CWPP), which detects threats against running workloads. CSPM is preventive and works on configuration, so it prevents problems; CWPP is detective and works on runtime behavior, so it catches attacks in progress. Sorting any feature into posture or protection is the fastest way to place it on this topic.
- Free CSPM gives recommendations; a paid Defender plan gives alerts
The single most testable Defender for Cloud fact is that posture management produces recommendations while workload protection produces security alerts. Free foundational CSPM continuously assesses configuration and surfaces hardening recommendations, but on its own it never raises a runtime threat alert. A security alert appears only when the paid Defender plan for that resource type is enabled and detects an active threat.
Trap Assuming a live attack will always raise an alert; if the matching Defender plan was never enabled, nothing is watching the workload at runtime and no alert fires.
3 questions test this
- A security analyst wants guidance that helps proactively harden resources and close misconfigurations before attackers can exploit them,…
- In Microsoft Defender for Cloud, which capability must be enabled to provide cloud workload protection (CWP) that detects threats and…
- What is one of the main purposes of Cloud Security Posture Management (CSPM) in Microsoft Defender for Cloud?
- Secure score is a percentage of posture that rises as you remediate
Secure score summarizes your current security posture as a single percentage, computed from how many of Defender for Cloud's recommendations your resources satisfy. Remediating recommendations raises the score, so the score together with its recommendation list is the everyday loop for improving posture. It is a relative measure of hardening, not a pass-or-fail result and not a compliance certification.
Trap Reading the secure score as proof of regulatory compliance; compliance against a named framework such as ISO or PCI is a separate regulatory compliance view, not the secure score.
12 questions test this
- In Microsoft Defender for Cloud, how is the overall secure score presented to summarize the security posture of a subscription?
- In Microsoft Defender for Cloud, what must you do to improve your secure score?
- What does a higher secure score in Microsoft Defender for Cloud indicate about your environment?
- How does a security team typically use the secure score that Microsoft Defender for Cloud provides?
- What should you do in Microsoft Defender for Cloud to improve your secure score?
- In Microsoft Defender for Cloud, what does a higher secure score indicate about your environment?
- What does the secure score in Microsoft Defender for Cloud represent?
- In Microsoft Defender for Cloud, what is the direct effect of remediating the security recommendations that are presented for your…
- In Microsoft Defender for Cloud, which capability provides a single numeric value that represents your current security situation, where a…
- In Microsoft Defender for Cloud, what is the most effective way for an administrator to increase the secure score of an Azure subscription?
- In Microsoft Defender for Cloud, what does the secure score represent?
- In Microsoft Defender for Cloud, what does the secure score primarily represent?
- The Microsoft cloud security benchmark is applied by default
When Defender for Cloud is enabled, the Microsoft cloud security benchmark (MCSB) is assigned automatically as the initial security standard, and its controls generate most recommendations across Azure, AWS, and GCP. You can add regulatory compliance standards such as ISO 27001 or PCI DSS on top of MCSB, but those added standards require enabling a paid Defender plan, whereas MCSB assessment is free.
Trap Confusing the free MCSB assessment with the paid regulatory compliance standards; MCSB is applied by default at no cost, while adding ISO or PCI requires a Defender plan.
5 questions test this
- Your organization must demonstrate that its Azure subscription meets PCI DSS requirements by using the regulatory compliance dashboard in…
- Which standard is assigned by default to your Azure subscriptions when you enable Microsoft Defender for Cloud and serves as the basis for…
- In Microsoft Defender for Cloud, what does the Microsoft cloud security benchmark (MCSB) provide as the default policy initiative?
- In Microsoft Defender for Cloud, how can you assess your environment against the NIST SP 800-53 standard when it is not applied by default?
- In Microsoft Defender for Cloud, what is the secure score primarily based on to measure the security posture of your subscriptions?
- A recommendation is raised when a resource fails a standard's control
Defender for Cloud continuously evaluates each resource against the controls in its assigned security standards. When a resource does not meet a control, the product generates a security recommendation that describes the gap and the steps to fix it. Standards define what secure looks like, and recommendations are the per-resource findings that flow from failing those controls.
13 questions test this
- In Microsoft Defender for Cloud, what is the primary purpose of the security recommendations generated by CSPM?
- What do security recommendations in Microsoft Defender for Cloud provide?
- Your organization wants a service that continuously assesses Azure resources and provides actionable guidance to fix misconfigurations and…
- In Microsoft Defender for Cloud, security recommendations are generated based on what underlying mechanism?
- Select the answer that correctly completes the sentence. In Microsoft Defender for Cloud, security recommendations are generated based on…
- In Microsoft Defender for Cloud, what do security recommendations provide to help improve your cloud security posture?
- When Microsoft Defender for Cloud assesses a resource and finds a security issue, what does the resulting security recommendation primarily…
- Security recommendations in Microsoft Defender for Cloud are generated from continuous assessments of your resources. What do these…
- How do the security recommendations generated by Microsoft Defender for Cloud help an organization reduce its attack surface?
- What is the primary purpose of a security recommendation in Microsoft Defender for Cloud?
- Resources protected by Microsoft Defender for Cloud are assessed against security standards, and security recommendations are produced from…
- What is the primary purpose of Cloud Security Posture Management (CSPM) as implemented by Microsoft Defender for Cloud?
- In Microsoft Defender for Cloud, what is the primary purpose of security recommendations?
- Foundational CSPM is free and on automatically for connected subscriptions
The foundational CSPM tier turns on automatically for every subscription connected to Defender for Cloud and costs nothing. It provides secure score, security recommendations, MCSB assessment, and multicloud posture visibility. What it does not include is runtime threat detection, so it issues no security alerts until a paid Defender plan is enabled.
3 questions test this
- You enable Microsoft Defender for Cloud on an Azure subscription but do not turn on any paid plans. Which capability is available to you…
- Which statement accurately describes the foundational Cloud Security Posture Management (CSPM) capabilities in Microsoft Defender for Cloud?
- A company uses Microsoft Defender for Cloud without enabling any paid plans. Which Cloud Security Posture Management (CSPM) capability is…
- Workload protection is enabled per resource type as a Defender plan
Cloud workload protection is delivered as individual Defender plans, each covering one resource family: Defender for Servers, for Storage, for Containers, for SQL and other databases, for App Service, for Key Vault, for Resource Manager, and for APIs. You enable the plans for the resource types you want to defend, and each adds runtime threat detection and security alerts for its family. Collectively these paid plans are the workload-protection tier of Defender for Cloud.
Trap Assuming one Defender plan protects the whole environment; each plan covers only its resource type, so any family whose plan is off has no workload protection.
7 questions test this
- Which Microsoft Defender for Cloud plan generates security alerts when unusual or suspicious attempts to access an Azure key vault are…
- Your organization hosts databases on Azure Database for PostgreSQL and Azure Database for MySQL. You need an enhanced workload protection…
- In Microsoft Defender for Cloud, which capability must be enabled to provide cloud workload protection (CWP) that detects threats and…
- You need an enhanced workload protection plan in Microsoft Defender for Cloud that monitors the Azure management layer and detects…
- Which capability of Microsoft Defender for Cloud provides enhanced threat detection and protection for specific workloads such as servers,…
- Which Microsoft Defender for Cloud plan should you use to protect Windows and Linux virtual machines across Azure, multicloud, and…
- Your organization runs several web applications on Azure App Service. You need an enhanced workload protection plan in Microsoft Defender…
- The paid Defender CSPM plan is not the same as free foundational CSPM
Two capabilities share the CSPM name. Free foundational CSPM gives secure score and recommendations. The paid Defender CSPM plan is a separate upgrade that adds advanced posture tools: agentless vulnerability scanning, attack path analysis, and the cloud security graph and explorer for querying risk across the environment. Both are posture rather than workload protection, so neither raises runtime threat alerts.
Trap Enabling the paid Defender CSPM plan expecting runtime threat alerts; Defender CSPM is enhanced posture, and alerts still come only from a workload-protection Defender plan.
5 questions test this
- Which capability in Microsoft Defender for Cloud helps you visualize the exploitable routes that an attacker could take to breach your…
- Which capability is available only with the paid Defender Cloud Security Posture Management (Defender CSPM) plan and not with the free…
- In Microsoft Defender for Cloud, which capability must be enabled to view risk-prioritized security recommendations based on the actual…
- Which Defender Cloud Security Posture Management (Defender CSPM) capability lets you proactively run graph-based queries to find security…
- Which Defender CSPM feature lets Microsoft Defender for Cloud assess virtual machines for vulnerabilities and misconfigurations without…
- Defender for Cloud secures multicloud and hybrid, not just Azure
Defender for Cloud protects Azure resources natively, on-premises and other-cloud machines connected through Azure Arc, and AWS accounts and GCP projects connected with agentless connectors. Multicloud posture coverage, including secure score and recommendations for AWS and GCP, is part of the free tier. The result is one portal and one secure score spanning all three clouds.
Trap Assuming Defender for Cloud only covers Azure; AWS, GCP, and on-premises resources connect too, and their CSPM coverage is free.
6 questions test this
- You want Microsoft Defender for Cloud to assess your Amazon Web Services (AWS) resources against the Microsoft cloud security benchmark.…
- In Microsoft Defender for Cloud, you manage workloads that run in Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform…
- Your organization runs workloads in Amazon Web Services (AWS) and Google Cloud Platform (GCP) in addition to Azure, and you want to assess…
- To use Microsoft Defender for Cloud to continuously assess the security posture of resources hosted in Amazon Web Services (AWS) and Google…
- You want Microsoft Defender for Cloud to assess the security posture of your resources running in Amazon Web Services (AWS) and Google…
- You manage workloads that run in Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). What should you use to extend Microsoft…
- Defender for Cloud is not Defender XDR
Microsoft ships two products under the Defender brand. Defender for Cloud protects cloud infrastructure and workloads: subscriptions, virtual machines, storage, databases, and containers, across Azure, hybrid, and multicloud. Defender XDR protects the user side: endpoints, email, identities, and SaaS apps. They integrate but defend different things, so route a question by what is being protected.
Trap Choosing Microsoft Defender XDR to secure an Azure subscription or virtual machine; cloud resource and workload security is Defender for Cloud's job, not XDR's.
- Just-in-time VM access keeps management ports closed until requested
Just-in-time (JIT) VM access, an enhanced feature of Defender for Servers, keeps management ports such as RDP and SSH closed by default and opens them only for an approved, time-boxed request from a specific source. Nothing decides the moment of access on its own; the defining protection is simply that the opening is strictly time-limited, which shrinks the window an attacker has to find an exposed port. It cuts attack surface without leaving management ports permanently open.
- Defender for Cloud feeds alerts to Sentinel; it does not run the SOC
Defender for Cloud raises security alerts on the workloads it protects and can export them to a SIEM or SOAR system. Microsoft Sentinel ingests those alerts and correlates them with signals from across the estate into incidents. In Zero Trust terms, posture management serves the infrastructure pillar, while these alerts feed the seventh pillar, visibility, automation, and orchestration, where Sentinel is the correlation engine.
Trap Expecting Defender for Cloud to correlate alerts from across the whole estate into incidents; that estate-wide correlation is Microsoft Sentinel's job, and Defender for Cloud is only one signal source feeding it.
- Defender for Cloud groups recommendations into security controls and ranks them by risk
In Microsoft Defender for Cloud, related recommendations are grouped into security controls, and each control contributes points to the secure score once its recommendations are remediated. Recommendations are prioritized by risk level and carry a severity rating so you can address the most exploitable issues first.
Trap Treating each recommendation as an isolated item rather than part of a scored security control.
7 questions test this
- In Microsoft Defender for Cloud, how is the overall secure score presented to summarize the security posture of a subscription?
- Select the answer that correctly completes the sentence. In Microsoft Defender for Cloud, related security recommendations are grouped into…
- In Microsoft Defender for Cloud, how are related security recommendations organized within the secure score?
- A security analyst wants Defender for Cloud to present recommendations so that the most urgent issues, those most likely to be exploited,…
- In Microsoft Defender for Cloud, what is used to indicate the relative importance of a security recommendation so that you can decide which…
- In Microsoft Defender for Cloud, what is the most effective way for an administrator to increase the secure score of an Azure subscription?
- In Microsoft Defender for Cloud, a security control is best described as which of the following?
- Defender for Cloud acts on recommendations with Fix, governance rules, and workflow automation
The Fix option remediates a recommendation quickly, often across many affected resources at once, and remediating a misconfiguration reduces the resource's attack surface. Governance rules assign an owner and a remediation due date to drive accountability, while workflow automation triggers a Logic App response, such as a notification, when an alert or recommendation fires.
Trap Reaching for Microsoft Sentinel playbooks when the response should stay inside Defender for Cloud's own workflow automation.
5 questions test this
- A virtual machine has a management port left open to the internet. Microsoft Defender for Cloud surfaces a recommendation to restrict that…
- How do the security recommendations generated by Microsoft Defender for Cloud help an organization reduce its attack surface?
- In Microsoft Defender for Cloud, what should you use to automatically trigger a response, such as sending a notification or running a Logic…
- In Microsoft Defender for Cloud, which feature lets you assign owners and remediation timeframes to security recommendations to drive…
- In Microsoft Defender for Cloud, what does the Fix option on a security recommendation allow you to do?
- Defender for Servers and Defender for Containers protect their own workload types
Defender for Servers adds integrated vulnerability assessment and native Microsoft Defender for Endpoint integration to protect Windows and Linux machines across Azure, on-premises, and other clouds. Defender for Containers secures Kubernetes clusters, container registries, and images, scanning registry images for known vulnerabilities when they are pushed and on a recurring basis.
5 questions test this
- What types of assets does Microsoft Defender for Containers help secure?
- Which capabilities does the Microsoft Defender for Servers plan provide to protect machines in Azure, on-premises, and other clouds?
- What does Microsoft Defender for Containers provide for container images stored in Azure Container Registry?
- What does Microsoft Defender for Containers scan for when a new container image is pushed to Azure Container Registry?
- Which Microsoft Defender for Cloud plan should you use to protect Windows and Linux virtual machines across Azure, multicloud, and…
Microsoft Sentinel
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Microsoft Defender XDR
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Microsoft Compliance Solutions
Service Trust Portal and Privacy
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- The Service Trust Portal is Microsoft's audit evidence library, not your workspace
The Service Trust Portal (STP) is where Microsoft publishes the independent audit reports and compliance documentation for its cloud services, so you can download SOC 1, SOC 2, and SOC 3 reports, ISO/IEC certifications, FedRAMP and PCI DSS attestations, and Microsoft whitepapers. You go there to read evidence about Microsoft, not to configure anything on your tenant. If a question asks where to obtain Microsoft's SOC or ISO report, the answer is STP.
Trap Reaching for Microsoft Purview Compliance Manager to download Microsoft's SOC or ISO report; Compliance Manager measures your own tenant, it does not hand you Microsoft's audit artifacts.
7 questions test this
- Which type of content can you download from the Service Trust Portal?
- The Service Trust Portal provides independent audit reports that are organized by the standard under which they were issued. Which of the…
- Which statement best describes the purpose of the Microsoft Service Trust Portal?
- How does the content available on the Service Trust Portal help an organization?
- What types of documents can users download from the Microsoft Service Trust Portal?
- Your compliance team needs to download SOC and ISO/IEC audit reports produced by independent external auditors for Microsoft's cloud…
- An auditor at your organization wants to obtain independent third-party attestation reports for Microsoft cloud services. Which types of…
- Read Microsoft's evidence in STP; do your own compliance in the Purview portal
The Service Trust Portal and the Microsoft Purview portal both say compliance but sit on opposite sides. STP is read-only evidence about Microsoft's cloud. The Microsoft Purview portal is where you act on your own tenant: run Compliance Manager, configure policies, and review your compliance score. Match the verb in the stem: obtain or download Microsoft's report points to STP, while assess, configure, or improve your posture points to the Purview portal.
Trap Assuming you configure your organization's compliance in the Service Trust Portal; STP is read-only Microsoft evidence, and tenant compliance work happens in the Microsoft Purview portal.
- STP sorts its content into certifications, reports, industry, and org resources
STP organizes documents into a few areas: certifications, regulations, and standards (the ISO/IEC, SOC, FedRAMP, PCI DSS, and CSA STAR artifacts), reports and whitepapers (penetration-test attestations, privacy and data protection material, business continuity and disaster recovery), industry and regional resources, and resources scoped to your own organization. Knowing the buckets helps you locate the right evidence quickly.
4 questions test this
- Which of the following is a category of documentation available on the Service Trust Portal?
- Which types of content are available in the Certifications, Regulations, and Standards section of the Microsoft Service Trust Portal?
- Which type of content can you obtain from the Microsoft Service Trust Portal?
- Besides third-party audit reports, what additional type of resource can be found on the Service Trust Portal?
- Downloading many STP documents needs an Entra account, and some need a role
Anyone can browse the Service Trust Portal, but downloading many documents requires signing in with a Microsoft Entra organization account and accepting a non-disclosure agreement for compliance materials. Restricted documents need a specific role such as Compliance Administrator or Security Reader. STP is public-facing but gated for its most sensitive audit content.
4 questions test this
- What is required to access restricted documents, such as audit reports, on the Microsoft Service Trust Portal?
- Your security team wants to access restricted audit reports on the Service Trust Portal. What is required before they can download these…
- What type of account is required to sign in and access resources on the Service Trust Portal?
- What must users review and accept to access certain compliance materials on the Service Trust Portal?
- Know Microsoft's four privacy principles by name
Microsoft frames its privacy commitment to commercial customers as four areas: you control your data, you know where your data is located, your data is secured at rest and in transit, and Microsoft defends your data. These are contractual commitments backed by the Product Terms and the Data Protection Addendum, not a product you configure.
Trap Picking an option that lists a fifth principle which is actually a product feature or a security control; the privacy principles are these four commitments, not a Priva feature or a portal setting.
- You control your data means Microsoft will not mine it for advertising
Under the control-your-data principle, your data belongs to you: you can access, modify, or delete it, and Microsoft uses it only to provide the services you chose. Microsoft does not use your data for advertising or mine it for marketing research, and any subprocessor it engages is bound by the same commitments. This is the principle often paraphrased as no content-based advertising.
- Microsoft defends your data by directing government requests to you
Under the defend-your-data principle, Microsoft directs government and law-enforcement requests for your data to you rather than answering them itself, gives no government direct or unfettered access, and challenges demands in court where it can lawfully do so. It is a commitment about how Microsoft responds to third-party and government access attempts.
- Microsoft Priva is a product you run on your own data, unlike STP and the principles
STP and the privacy principles describe Microsoft's obligations to you; Microsoft Priva flips the direction. Priva is the product your organization operates to manage the personal data it holds, meeting your privacy obligations to your own users. When a stem is about finding or reducing risk in personal data you store, the answer is Priva, not a Microsoft-published document.
Trap Treating Priva as something Microsoft runs to protect its own cloud; Priva acts on your tenant's personal data and is your responsibility to operate.
- Priva Privacy Risk Management flags overexposure, transfers, and hoarding
Priva's Privacy Risk Management solution gives visibility into personal data across your Microsoft 365 services and flags privacy risk using built-in policy templates: data minimization (personal data kept but no longer needed), data overexposure (personal data open to too many people), and data transfers (personal data crossing departments or borders). On a match it raises an alert and offers remediation such as making an item private, notifying the owner, or tagging it for review.
12 questions test this
- Which set of default policy templates is provided by Microsoft Priva Privacy Risk Management?
- Which Microsoft Priva Privacy Risk Management policy template can detect personal data that is stored for longer than your organization…
- You want to be alerted when personal data is moved between users in different regions or across departmental boundaries. Which Microsoft…
- Your organization wants to detect situations where personal data is being kept longer than necessary so that it can reduce unnecessary…
- Which capability is provided by the Privacy Risk Management solution in Microsoft Priva?
- What is a key benefit of using Microsoft Priva Privacy Risk Management?
- What is the primary function of the Privacy Risk Management solution in Microsoft Priva?
- In Microsoft Priva Privacy Risk Management, what action can a policy take to help employees remediate privacy issues with the data they…
- Which policy type in Priva Privacy Risk Management helps detect situations where personal data stored by your organization is too broadly…
- In Microsoft Priva Privacy Risk Management, what is the purpose of the data transfers policy template?
- Which statement best describes Microsoft Priva Privacy Risk Management policies?
- Which task can you accomplish by using Microsoft Priva?
- Priva only evaluates personal data inside your Microsoft 365 environment
Priva scans personal data in your organization's Microsoft 365 services (Exchange Online, SharePoint, OneDrive for Business, and Teams) plus sources you register through Microsoft Purview, using Purview's data classifications and sensitive information types to identify it. It does not reach a user's personal Microsoft account or arbitrary systems outside your tenant.
Trap Assuming Priva can scan a user's personal Microsoft account or data outside Microsoft 365; Priva is limited to your organization's Microsoft 365 environment and Purview-registered sources.
3 questions test this
- A data subject request is a person's demand to see or delete their personal data
A data subject request (DSR), also called a subject rights request, is an individual's request to access, correct, export, or delete the personal data an organization holds on them, a right granted by privacy laws such as the GDPR. Handling one obliges the organization to first find that person's personal data, then decide what to produce, redact, correct, or erase.
- Priva finds privacy risk; Purview eDiscovery produces one person's data for a DSR
Keep the division of labor: Priva finds and reduces privacy risk across your tenant's personal data, while locating and producing one individual's data to satisfy a data subject request is done with Microsoft Purview eDiscovery. A stem about responding to a specific DSR points to eDiscovery, not to Priva's risk policies.
Trap Choosing Priva Privacy Risk Management to fulfil a specific data subject request end to end; Priva surfaces privacy risk, but eDiscovery is what locates and exports one individual's data.
- Priva measures privacy risk in data; Compliance Manager measures your compliance posture
Priva and Compliance Manager both concern your own obligations but answer different questions. Priva finds and reduces privacy risk in the personal data you hold. Purview Compliance Manager scores how well your tenant meets regulatory requirements overall and lists improvement actions. A personal-data privacy stem points to Priva, while an overall compliance score points to Compliance Manager.
Trap Reaching for Compliance Manager to find and remediate personal data overexposure; that is Priva's job, while Compliance Manager tracks your overall compliance score, not personal-data risk.
- Priva targets privacy risk in personal data, not broad data classification
Do not confuse Priva with Purview's information protection tools. Sensitivity labels, data loss prevention, and retention classify and protect data of all kinds across the tenant. Priva is narrower and privacy-specific: it surfaces privacy risk in personal data and drives remediation. A stem about labeling or blocking data broadly is information protection, while a stem about personal-data privacy risk is Priva.
Trap Reaching for sensitivity labels or DLP to run a data minimization or overexposure policy on personal data; those broad protection tools are not Priva's privacy risk policies.
Purview Compliance Management
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Information Protection and Governance
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Insider Risk, eDiscovery, and Audit
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.