Test yourself
Azure security
Final exam · 60 questions · answers explained as you pick
Entra ID & RBAC
12 questions
01Entra ID directory roles and Azure RBAC roles are…
Incorrect — They are two distinct planes with separate role definitions.
Correct — Global Administrator is a directory role; Owner is an Azure RBAC role.
Incorrect — Both apply to users, groups, and service principals.
Incorrect — They are identity/authorization, not networking.
02An Azure RBAC role assignment is composed of…
Correct — Who, what permissions, and where (MG/subscription/RG/resource).
Incorrect — RBAC is not credential-based.
Incorrect — That is a network control, not RBAC.
Incorrect — Unrelated to RBAC assignment.
03RBAC scope inheritance works so that a role assigned at a subscription…
Correct — Scope flows down: management group → subscription → RG → resource.
Incorrect — Child scopes inherit the assignment.
Incorrect — Deny assignments take precedence over role grants.
Incorrect — It propagates automatically.
04The two built-in roles that can grant access to others are…
Incorrect — Reader cannot write; Contributor cannot manage access.
Correct — Both can create role assignments — a privilege-escalation surface to watch.
Incorrect — Neither manages access.
Incorrect — Those are user types, not RBAC roles.
05Contributor differs from Owner in that Contributor…
Correct — It lacks Microsoft.Authorization/roleAssignments/write.
Incorrect — Owner is the superset.
Incorrect — That is Reader.
Incorrect — It is a general resource role.
06Privileged Identity Management (PIM) provides…
Incorrect — The opposite — it makes privileged access time-bound.
Correct — You elevate on demand with an audit trail, shrinking the standing-access window.
Incorrect — It is about activation, not encryption.
Incorrect — Not a network control.
07A managed identity avoids…
Correct — No secret in code or config for the app to leak.
Incorrect — You still assign the managed identity RBAC roles.
Incorrect — Its actions are still logged.
Incorrect — Unrelated to networking.
08System-assigned vs user-assigned managed identity differ in that user-assigned…
Incorrect — It can; that is how it gets access.
Correct — System-assigned is tied to a single resource lifecycle.
Incorrect — Neither produces a downloadable key.
Incorrect — Both work across many resource types.
09A common Entra service-principal escalation is…
Correct — A principal who can add credentials to an SP can authenticate as it.
Incorrect — That is data access, not SP escalation.
Incorrect — A network action, not identity escalation.
Incorrect — Unrelated to SP credentials.
10Conditional Access policies gate sign-in based on…
Incorrect — CA is about the sign-in context, not keys.
Correct — Access decisions adapt to context rather than being static.
Incorrect — Irrelevant to Conditional Access.
Incorrect — Unrelated.
11Granting roles to Entra groups instead of individual users…
Correct — Membership changes flow through without editing assignments.
Incorrect — CA still applies.
Incorrect — Evaluation cost is the same.
Incorrect — You still scope roles tightly.
12To give a human admin access with least standing privilege, use…
Incorrect — That is maximal standing privilege.
Correct — No standing admin; elevate on demand and log it.
Incorrect — Shared accounts destroy attribution.
Incorrect — Secrets are not for human sign-in.
12 questions · explanations appear as you answer
Network security & segmentation
12 questions
01A Network Security Group (NSG) is…
Correct — Return traffic is automatic; lower priority number wins.
Incorrect — NSGs are stateful and scoped to subnet/NIC.
Incorrect — It governs packets, not permissions.
Incorrect — Not a resolver.
02Application Security Groups (ASGs) let you…
Incorrect — They group NICs, not encrypt.
Correct — Rules follow the workload identity, so scaling never breaks the ruleset.
Incorrect — Unrelated to identity.
Incorrect — Not an addressing feature.
03Azure Firewall adds capability NSGs lack, namely…
Correct — It enables domain allowlists and IDPS at the network edge.
Incorrect — That is RBAC, not the firewall.
Incorrect — Not an encryption service.
Incorrect — That is Key Vault.
04Controlling egress with Azure Firewall FQDN rules matters because…
Correct — A compromised workload with open egress phones home freely.
Incorrect — Performance is not the point.
Incorrect — Ingress is filtered too; egress is the neglected half.
Incorrect — Complementary, not a replacement.
05A Private Endpoint gives a PaaS service (Storage, SQL)…
Incorrect — The opposite — it keeps traffic private.
Correct — The data plane stays on the Azure backbone, off the internet.
Incorrect — Connectivity, not storage encryption.
Incorrect — Not an authorization control.
06Private Endpoints are stronger than Service Endpoints because they…
Correct — Service Endpoints still use the service’s public IP, just over the Azure backbone.
Incorrect — Cost is not the differentiator.
Incorrect — Neither is an encryption feature.
Incorrect — NSGs still apply.
07Disabling public network access on a Storage account or SQL and using Private Endpoints…
Correct — Even a leaked key cannot connect from the internet.
Incorrect — Backups work over private connectivity.
Incorrect — RBAC still authorizes.
Incorrect — It is a supported, recommended configuration.
08Azure Bastion is used to…
Incorrect — The opposite — it removes the need for public RDP/SSH.
Correct — No open management ports on the internet.
Incorrect — Unrelated to encryption.
Incorrect — That is Key Vault.
09A hub-and-spoke topology with a central Azure Firewall gives you…
Correct — One place to enforce and log traffic policy across the estate.
Incorrect — Not an encryption feature.
Incorrect — Unrelated to identity.
Incorrect — Not the security purpose.
10NSG flow logs are valuable for…
Incorrect — They record; they do not enforce.
Correct — A key forensic and detection input, sent to storage/Log Analytics.
Incorrect — They are logs, not crypto.
Incorrect — Unrelated to addressing.
11A VM exposing RDP/SSH to 0.0.0.0/0 is risky; a good mitigation is…
Correct — Remove standing internet exposure of management ports entirely.
Incorrect — Exposure remains the core risk.
Incorrect — That reduces visibility, not risk.
Incorrect — That does nothing to reduce exposure.
12Azure DDoS Protection and a WAF (on App Gateway/Front Door) together address…
Incorrect — Neither encrypts storage.
Correct — DDoS absorbs floods; the WAF filters injection and known exploits.
Incorrect — Unrelated to RBAC.
Incorrect — That is Key Vault.
12 questions · explanations appear as you answer
Key Vault & encryption
12 questions
01Azure Key Vault stores…
Correct — One governed store for the three credential types.
Incorrect — It stores keys/secrets, not disks.
Incorrect — That is NSG/Firewall.
Incorrect — That is Log Analytics.
02The recommended access model for a new Key Vault is…
Incorrect — Access policies are coarser and being superseded.
Correct — RBAC gives granular, consistent, auditable access aligned with the rest of Azure.
Incorrect — Shared access destroys least privilege and attribution.
Incorrect — Never expose a vault publicly.
03Soft-delete plus purge protection on a Key Vault…
Correct — An attacker or mistake cannot irrecoverably wipe your keys.
Incorrect — They are recovery features, not encryption.
Incorrect — Not a performance feature.
Incorrect — Separate from rotation.
04Data at rest in Azure Storage is, by default…
Correct — Customer-managed keys (CMK) let you take control for compliance and revocation.
Incorrect — Storage Service Encryption is always on.
Incorrect — It applies to all tiers.
Incorrect — Encoding is not encryption.
05Customer-managed keys (CMK) in Key Vault give you…
Incorrect — Performance is not the point.
Correct — Disabling the key renders the encrypted data unreadable: a kill switch.
Incorrect — Key access is governed by RBAC/policy.
Incorrect — The opposite of control.
06Azure Key Vault Managed HSM is chosen when you need…
Correct — For regulated workloads requiring attestable hardware custody.
Incorrect — Managed HSM is not a cost optimization.
Incorrect — It manages keys, not logs.
Incorrect — Unrelated.
07A Key Vault reference in App Service/Functions lets an app…
Incorrect — The opposite — it avoids embedding the secret.
Correct — The app setting holds a reference, not the value.
Incorrect — RBAC still authorizes the read.
Incorrect — Access stays private and controlled.
08Restricting a Key Vault to a Private Endpoint / selected networks…
Correct — A leaked token cannot reach the vault from the internet.
Incorrect — Managed identities still work over private connectivity.
Incorrect — Unrelated to soft-delete.
Incorrect — It is a network control, not encryption.
09Separating Key Vault administrators from secret consumers prevents…
Correct — Least privilege: distinct roles for distinct actions.
Incorrect — It does not block rotation.
Incorrect — Both actions are still logged.
Incorrect — Performance is not the point.
10Automatic key rotation for a CMK in Key Vault…
Incorrect — Envelope encryption means old versions still decrypt existing data.
Correct — Rotation is non-disruptive and can be enforced by policy.
Incorrect — Old data remains readable.
Incorrect — Keys are never public.
11Enabling Key Vault diagnostic logging matters because…
Correct — Anomalous bulk secret reads become visible.
Incorrect — Logging is not rotation.
Incorrect — The vault is already encrypted.
Incorrect — Not a performance feature.
12Rotating a secret without consumer refresh…
Correct — Consumers must refresh within the window before the old version is disabled.
Incorrect — Only if consumers re-read within the overlap.
Incorrect — Unrelated to rotation mechanics.
Incorrect — Key Vault supports rotation.
12 questions · explanations appear as you answer
Defender for Cloud & Sentinel
12 questions
01Microsoft Defender for Cloud provides…
Correct — It is the central posture + threat surface for Azure (and hybrid/multicloud).
Incorrect — It is a security product.
Incorrect — That is ACR.
Incorrect — Unrelated.
02The Defender for Cloud Secure Score is…
Incorrect — It measures security posture, not cost.
Correct — It turns posture into a trackable, actionable number.
Incorrect — Unrelated to networking.
Incorrect — It informs compliance but is not a certificate.
03Defender workload protection plans cover…
Correct — You enable the plans relevant to what you run.
Incorrect — Coverage is far broader than VMs.
Incorrect — Key Vault is one of many plans.
Incorrect — CWPP adds active threat detection.
04Microsoft Sentinel is…
Incorrect — That is Azure Firewall.
Correct — It correlates across sources and runs playbooks for response.
Incorrect — That is Key Vault.
Incorrect — That is ACR.
05Sentinel analytics rules…
Correct — Scheduled/near-real-time detections generate the incident queue.
Incorrect — They detect; they do not encrypt.
Incorrect — Unrelated to identity.
Incorrect — Unrelated.
06Sentinel playbooks (Logic Apps) are used to…
Incorrect — That is Key Vault.
Correct — SOAR turns a detection into containment without waiting for a human.
Incorrect — Unrelated to networking config.
Incorrect — Unrelated to encryption.
07The relationship between Defender for Cloud and Sentinel is that…
Correct — Defender is posture+workload; Sentinel is the SIEM that unifies and automates.
Incorrect — They are complementary, distinct products.
Incorrect — Defender provides the Azure-native signals Sentinel correlates.
Incorrect — Both produce and route alerts.
08Enabling Defender at the management-group/subscription level with auto-provisioning…
Correct — A quiet attacker hides where protection is not enabled.
Incorrect — It does not change identity.
Incorrect — Not its function.
Incorrect — Plans cost money; coverage is the point.
09Routing high-severity Defender/Sentinel incidents into a response workflow…
Incorrect — A dashboard nobody watches is not a control.
Correct — Isolate, disable, or ticket in seconds via playbooks.
Incorrect — You need the logs feeding it.
Incorrect — Incidents stay internal.
10Alert quality matters in Sentinel because…
Correct — Tune analytics rules, dedupe, and prioritize by severity.
Incorrect — Volume without signal degrades response.
Incorrect — They are signals, not crypto.
Incorrect — Tuning helps cost, but signal quality is the point.
11UEBA in Sentinel helps detect…
Incorrect — That is a configuration scan.
Correct — Behavioral baselining surfaces subtle account compromise.
Incorrect — That is a posture check.
Incorrect — Unrelated.
12A behavioral alert on mass secret reads or bulk role assignments catches…
Correct — A permitted action at abnormal volume/pattern is the tell.
Incorrect — It covers control-plane behavior too.
Incorrect — Behavioral signals are high value.
Incorrect — Far broader than that.
12 questions · explanations appear as you answer
Governance & incident response
12 questions
01Azure Policy is used to…
Correct — e.g. deny public IPs, require encryption, auto-deploy diagnostic settings.
Incorrect — That is RBAC; policy governs configuration.
Incorrect — That is Key Vault.
Incorrect — That is NSG/Firewall.
02The difference between Azure Policy and RBAC is that policy governs…
Incorrect — That is identity/Conditional Access.
Correct — Two planes: allowed configuration vs allowed principals.
Incorrect — That is Key Vault.
Incorrect — Its scope is far broader.
03A policy with the deny effect…
Correct — The misconfiguration never happens rather than being reported.
Incorrect — That would be audit, a detective effect.
Incorrect — Deny blocks new/updated non-compliant deployments.
Incorrect — Not an encryption effect.
04Management groups let you…
Incorrect — They organize subscriptions, not VMs.
Correct — Apply org-wide guardrails once at the top.
Incorrect — Resource groups still hold resources; MGs sit above subscriptions.
Incorrect — Unrelated to Key Vault.
05Azure Landing Zones (Cloud Adoption Framework) provide…
Correct — New subscriptions arrive secure-by-default, not after a hardening sprint.
Incorrect — Unrelated.
Incorrect — Not a delivery network.
Incorrect — That is Key Vault.
06A deny assignment (from a managed app or blueprint) differs from “no role” because it…
Correct — Deny assignments take precedence over role assignments.
Incorrect — It only blocks.
Incorrect — It is enforced.
Incorrect — It applies to any principal in scope.
07On a confirmed compromised Entra user, an early action is…
Correct — Revoke-SignInSessions invalidates tokens already issued.
Incorrect — Destroying everything is not measured containment.
Incorrect — Contain the identity before broad rotation.
Incorrect — Active compromise is not backlog work.
08Isolating a compromised VM for forensics means…
Incorrect — Deletion discards volatile evidence.
Correct — Contain and preserve evidence rather than destroying it.
Incorrect — A reboot can wipe memory evidence.
Incorrect — That worsens exposure.
09After containment, hunting persistence in Entra/Azure means looking for…
Correct — Persistence hides in the identity control plane; find it before restoring.
Incorrect — Metrics are not persistence indicators.
Incorrect — A weak signal, not the hunt.
Incorrect — A competent attacker plants a second way in.
10The Azure Activity Log records…
Incorrect — That is resource/diagnostic logs, not the Activity Log.
Correct — It is the subscription-level audit trail for management actions.
Incorrect — That is flow logs / packet capture.
Incorrect — Unrelated to keys.
11Routing diagnostic settings and Activity Log to an immutable store / Log Analytics matters because…
Correct — Immutable storage stops an attacker deleting the evidence trail.
Incorrect — Not a performance measure.
Incorrect — Unrelated.
Incorrect — Logging is not RBAC.
12A pre-written IR runbook matters because…
Correct — Speed and correctness come from practice, not invention mid-incident.
Incorrect — It uses the logs; it does not replace them.
Incorrect — Runbooks are procedures.
Incorrect — Not its purpose.
12 questions · explanations appear as you answer