Question 1

Your on-premises network contains an Active Directory Domain Services (AD DS) domain named

corpxontoso.com and an AD DS-integrated application named App1.

Your perimeter network contains a server named Server1 that runs Windows Server.

You have a Microsoft Entra tenant named contoso.com that syncs with corp.contoso.com.

You plan to implement a security solution that will include the following configurations:

Manage access to App1 by using Microsoft Entra Private Access.

Deploy a Microsoft Entra application proxy connector to Server1.

Implement single sign-on (SSO) for App1 by using Kerberos constrained delegation.

For Server1, configure the following rules in Windows Defender Firewall with Advanced Security:

o Rule1: Allow TCP 443 inbound from a designated set of Azure URLs.

o Rule2: Allow TCP 443 outbound to a designated set of Azure URLs.

o Rule3: Allow TCP 80 outbound to a designated set of Azure URLs.

o Rule4: Allow TCP 389 outbound to the domain controllers on corp.contoso.com.

You need to maximize security for the planned implementation. The solution must minimize the

impact on the connector.

Which rule should you remove?

Options :

A : Rule1

B : Rule2

C : Rule3

D : Rule4

Answer: C

Question 2

Your company is developing a modern application that will run as an Azure App Service web app. You plan to perform threat modeling to identify potential security issues by using the Microsoft Threat Modeling Tool. Which type of diagram should you create?

Options :

A : data flow

B : system flow

C : process flow

D : network flow

Answer: A

Question 3

Your company has the virtual machine infrastructure shown in the following table.

The company plans to use Microsoft Azure Backup Server (MABS) to back up the virtual machines to

Azure.

You need to provide recommendations to increase the resiliency of the backup strategy to mitigate

attacks such as ransomware.

What should you include in the recommendation?

Options :

A : Use geo-redundant storage (GRS)

B : Use customer-managed keys (CMKs) for encryption

C : Require PINs to disable backups.

D : Implement Azure Site Recovery replication.

Answer: C

Question 4

Your company develops several applications that are accessed as custom enterprise applications in Azure Active Directory (Azure AD). You need to recommend a solution to prevent users on a specific list of countries from connecting to the applications. What should you include in the recommendation?

Options :

A : activity policies in Microsoft Defender for Cloud Apps

B : sign-in risk policies in Azure AD Identity Protection

C : device compliance policies in Microsoft Endpoint Manager

D : Azure AD Conditional Access policies

E : user risk policies in Azure AD Identity Protection

Answer: A

Question 5

A customer has a hybrid cloud infrastructure that contains a Microsoft 365 E5 subscription and an

Azure subscription.

All the on-premises servers in the perimeter network are prevented from connecting directly to the

internet.

The customer recently recovered from a ransomware attack.

The customer plans to deploy Microsoft Sentinel.

You need to recommend configurations to meet the following requirements:

Ensure that the security operations team can access the security logs and the operation logs.

Ensure that the IT operations team can access only the operations logs, including the event logs of

the servers in the perimeter network.

Which two configurations can you include in the recommendation? Each correct answer presents a

complete solution. NOTE: Each correct selection is worth one point.

Options :

A : Configure Azure Active Directory (Azure AD) Conditional Access policies.

B : Use the Azure Monitor agent with the multi-homing configuration.

C : Implement resource-based role-based access control (RBAC) in Microsoft Sentinel.

D : Create a custom collector that uses the Log Analytics agent.

Answer: B,C