Microsoft AZ-140 Configuring and Operating Microsoft Azure Virtual Desktop Exam Dumps and Practice Test Questions Set 10 Q 136-150


Question 136

A company wants to ensure that all users accessing Azure resources are using devices that meet organizational security requirements. They need a solution that checks device compliance before granting access. Which feature should they implement?

A) Azure AD Conditional Access
B) Microsoft Endpoint Manager
C) Azure AD Identity Protection
D) Azure Policy

Answer

A) Azure AD Conditional Access

Explanation

Azure AD Conditional Access is an essential identity and access management tool that allows organizations to enforce access requirements based on multiple conditions, including user identity, device state, location, risk signals, and application sensitivity. In this scenario, the company requires that only devices adhering to organizational security standards are permitted to access Azure resources. Conditional Access enables this by evaluating device compliance as a prerequisite for granting access. It integrates seamlessly with Microsoft Endpoint Manager, which handles device compliance evaluation, creating a holistic access management system that ensures secure and controlled connections.

Device compliance in Endpoint Manager is defined by a set of policies specifying requirements such as operating system versions, encryption, password protection, antivirus status, and device health. Once devices are assessed against these compliance policies, they are marked as compliant or non-compliant. Conditional Access policies can then use this signal to either grant or block access to resources, enforcing security without requiring manual checks by IT staff. For instance, a policy can be configured to allow access only from devices that are compliant and meet specified configuration rules, automatically blocking non-compliant devices or directing users to remediate compliance issues.

Administrators can target Conditional Access policies to specific users, groups, or applications, ensuring a fine-grained approach to security enforcement. Applications containing highly sensitive data can have stricter compliance requirements compared to less critical apps. For example, access to finance or HR applications may require devices to be encrypted, updated, and running antivirus software, whereas less sensitive internal applications might have relaxed compliance rules. By enforcing these policies selectively, organizations minimize risk while maintaining operational efficiency.

Conditional Access also supports the integration of additional controls beyond device compliance. Policies can require multi-factor authentication, enforce network location conditions, restrict access from untrusted networks, and even leverage session controls through Microsoft Defender for Cloud Apps to manage data actions such as download or sharing restrictions. This layered approach enhances security posture, making Conditional Access a critical component in implementing a Zero Trust security model, where continuous verification of users and devices is mandatory before granting access.

Microsoft Endpoint Manager (option B) is crucial for defining and enforcing device compliance, but it does not independently enforce access restrictions to Azure resources. Azure AD Identity Protection (option C) primarily addresses risk detection and remediation for user accounts, focusing on account compromise or risky sign-ins rather than device compliance. Azure Policy (option D) manages resource configuration at the Azure subscription or resource level but does not evaluate endpoint compliance for user access.

Implementing Conditional Access with device compliance conditions ensures that access is only granted to users on devices that meet organizational security requirements, reducing the risk of unauthorized access. It allows IT administrators to automate access control based on device health, enforce policies consistently across the organization, and adapt policies to evolving security requirements. Reports and logs provide insights into policy effectiveness, enabling continuous improvement of the access management strategy.

By using Conditional Access to enforce device compliance, organizations achieve a secure and proactive access control mechanism. This ensures that resources are protected without disrupting legitimate user activities, providing a balance between security and productivity. The solution scales effectively across hybrid environments, remote work scenarios, and mobile devices, supporting a modern approach to cloud security. This makes Azure AD Conditional Access the optimal choice for this scenario.
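The policy described above, as an added example that is not part of the original page: a Conditional Access policy that grants access to all cloud apps only from devices Endpoint Manager has marked compliant. It is created in report-only mode first so the sign-in logs show who would have been blocked before anything is enforced. It assumes the Microsoft Graph PowerShell SDK, an account holding the Policy.ReadWrite.ConditionalAccess permission, and a placeholder group id for the emergency-access accounts that are excluded.

```powershell
# Added example (not from the page): require a compliant device for every cloud app.
# Assumes Microsoft.Graph PowerShell SDK; the break-glass group id below is a placeholder.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: emergency-access accounts

$policy = @{
    displayName   = 'Require compliant device for all cloud apps'
    # Report-only: the policy is evaluated and logged but not enforced until reviewed.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        # 'compliantDevice' is the signal Endpoint Manager writes to the device object.
        operator        = 'OR'
        builtInControls = @('compliantDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# After the report-only sign-in results look right, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }
```

The exclusion group matters: a compliant-device policy scoped to "All users" with no exclusion can lock out the very administrators who would fix a broken compliance policy, which is why the rollout goes through report-only mode before the final `state = 'enabled'` call.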

Question 137

A company wants to provide just-in-time access to Azure virtual machines for their administrators, limiting access to specific time windows. Which feature should they implement?

A) Azure AD Privileged Identity Management
B) Azure RBAC
C) Azure AD B2B
D) Network Security Groups

Answer

A) Azure AD Privileged Identity Management

Explanation

Azure AD Privileged Identity Management (PIM) is a service designed to manage and monitor privileged access in Azure environments. The requirement described in this scenario involves granting just-in-time (JIT) access to Azure virtual machines, which limits the duration of administrative privileges. PIM is the recommended solution because it provides temporary activation for privileged roles, integrates approval workflows, and ensures automatic revocation after a specified time window.

PIM allows users to be assigned as eligible for roles rather than permanent members, meaning they must explicitly activate their roles to gain privileges. During activation, organizations can enforce approvals, requiring a manager to authorize access before it is granted. PIM also supports time-bound activation, which allows administrators to define access windows such as a few hours or days. Once the time window expires, privileges are automatically revoked, preventing standing administrative access that could pose a security risk.

The service provides detailed auditing and logging for all privileged activities, including who requested access, who approved it, activation times, and actions performed while the role was active. These logs support compliance and governance requirements and help organizations detect anomalies or misuse of privileges. Notifications and alerts can also be configured to monitor activation trends or unusual access patterns.

Azure RBAC (option B) is useful for assigning roles and permissions but does not inherently provide just-in-time activation or automatic expiration. Azure AD B2B (option C) focuses on external user collaboration and does not address time-limited administrative access. Network Security Groups (option D) control network traffic and cannot manage user roles or privileged access.

By implementing PIM, the organization ensures that administrative access is granted only when necessary, adhering to the principle of least privilege. This reduces security risks and enforces structured governance over privileged accounts. Integration with access reviews allows administrators to validate eligibility for roles periodically, preventing temporary access from becoming permanent.

JIT access via PIM also improves operational efficiency by reducing the need for manual role assignments and revocations. Users can request access only when needed, with approval workflows and multi-factor authentication ensuring secure and deliberate activation. This approach allows organizations to manage administrative access centrally, maintain security, and support compliance requirements while enabling administrators to perform their tasks without unnecessary barriers.

Overall, Azure AD Privileged Identity Management provides a comprehensive solution for managing temporary administrative access. Its features of just-in-time activation, approval workflows, automatic expiration, auditing, and integration with access reviews make it the ideal solution for granting time-limited access to Azure virtual machines, aligning perfectly with the scenario requirements.

Question 138

A company wants to monitor and protect against suspicious sign-ins in their Azure AD environment. They require automated risk detection and remediation for high-risk accounts. Which feature should they use?

A) Azure AD Identity Protection
B) Azure AD Conditional Access
C) Microsoft Defender for Endpoint
D) Azure Sentinel

Answer

A) Azure AD Identity Protection

Explanation

Azure AD Identity Protection is designed to help organizations detect, investigate, and remediate identity-based risks automatically. The scenario involves monitoring for suspicious sign-ins and enforcing remediation for high-risk accounts. Identity Protection uses machine learning and behavior analytics to identify anomalies such as unusual sign-in locations, unfamiliar devices, leaked credentials, atypical sign-in patterns, or sign-ins from anonymous IP addresses.

When a risky sign-in is detected, Identity Protection evaluates the risk and can automatically trigger remediation actions. These actions may include forcing a password reset, requiring multi-factor authentication, or blocking access to prevent account compromise. Policies can be customized to automatically enforce different responses based on the risk level, ensuring that users with high-risk sign-ins are remediated appropriately while low-risk sign-ins proceed normally.

Integration with Conditional Access enhances the security posture. For example, if a user is flagged as high-risk, Conditional Access can require MFA or block access to sensitive applications until the risk is mitigated. This combined approach ensures a layered defense strategy, balancing usability and security. Administrators can monitor reports to identify trends, view affected accounts, and analyze patterns of suspicious activity.

Azure AD Conditional Access (option B) enforces policies based on predefined conditions but does not independently detect risks. Microsoft Defender for Endpoint (option C) protects endpoints from malware and security threats but does not monitor identity-based risks. Azure Sentinel (option D) is a SIEM that aggregates security events but requires additional configuration for automated remediation of Azure AD risk events.

Identity Protection provides capabilities such as user risk policies, sign-in risk policies, and automated remediation workflows. These allow organizations to define thresholds for risk detection, specify remediation actions, and integrate notifications for administrators. Reporting and audit logs support compliance requirements and help track security improvements over time.

By using Azure AD Identity Protection, organizations proactively secure accounts, detect anomalies, and enforce automated remediation. This reduces the likelihood of account compromise, supports compliance and governance requirements, and strengthens identity-based security in modern cloud environments. Identity Protection’s automation, risk evaluation, and integration with Conditional Access make it the optimal solution for detecting and responding to suspicious sign-ins.

Question 139

A company wants to provide external partners with access to specific resources in Azure while maintaining control over internal data. Which feature should they implement?

A) Azure AD B2B
B) Azure RBAC
C) Azure AD Conditional Access
D) Azure AD Privileged Identity Management

Answer

A) Azure AD B2B

Explanation

Azure Active Directory Business-to-Business (B2B) collaboration enables organizations to securely share resources with external partners, suppliers, or contractors while maintaining control over internal resources. In this scenario, the company needs to allow external partners to access specific resources in Azure without compromising internal security. B2B provides a way to invite external users into the organization’s directory, granting them access through their own credentials or by creating guest accounts in Azure AD.

When an external user is invited, they are added as a guest user to the tenant and can be assigned roles or permissions using Azure RBAC. Access can be scoped to specific applications, resource groups, or subscriptions, ensuring that external users cannot access unauthorized resources. Additionally, policies such as multi-factor authentication, conditional access, and device compliance can still be enforced on these guest accounts to maintain security standards.

B2B supports self-service invitation, meaning internal administrators can invite partners without complex administrative workflows. External users receive an email invitation and can log in using their existing organizational credentials, minimizing the need for new accounts. Identity governance features such as access reviews and entitlement management allow administrators to periodically validate external user access and remove unnecessary privileges, reducing the risk of lingering access for inactive accounts.

Azure RBAC (option B) can control access to resources but does not provide mechanisms to manage external user identities and collaboration. Conditional Access (option C) can enforce access policies but does not handle the onboarding and management of external partners. Privileged Identity Management (option D) manages temporary administrative roles for internal users and does not provide external collaboration capabilities.

By using Azure AD B2B, organizations maintain control over internal data while enabling secure collaboration with external partners. The platform integrates seamlessly with existing Azure resources, allowing fine-grained permission assignments and consistent application of security policies. B2B also supports auditing and monitoring of guest user activity, providing visibility into external access patterns.

Identity governance features in B2B ensure that access remains appropriate over time. For instance, administrators can configure time-limited access packages for external users, automatically revoking permissions after a set duration. This mitigates security risks associated with permanent access for external partners. Access reviews can be scheduled to validate that external users still require access, with notifications sent to internal owners to approve or revoke access as necessary.

Integration with conditional access policies enhances security further. External users can be required to use compliant devices, perform multi-factor authentication, or access resources only from trusted locations. Organizations can also enforce terms of use agreements to ensure that external collaborators acknowledge organizational policies before gaining access.

Overall, Azure AD B2B provides a comprehensive framework for managing external access securely, supporting collaboration without exposing internal data. It balances usability for external partners with strong governance and auditing, making it the ideal choice for scenarios requiring controlled external access to Azure resources.

Question 140

A company wants to ensure that all virtual machines in Azure have specific security configurations applied consistently. Which feature should they implement?

A) Azure Policy
B) Azure RBAC
C) Azure Monitor
D) Azure Security Center

Answer

A) Azure Policy

Explanation

Azure Policy is a governance tool designed to enforce standards and assess compliance of resources in Azure. When an organization wants to ensure consistent security configurations across all virtual machines, Azure Policy is the ideal solution because it can automatically evaluate and enforce desired configurations. Policies define rules for resources, such as requiring specific OS versions, enabling encryption, or applying network security settings.

Policies can be applied at different scopes, including management groups, subscriptions, resource groups, or individual resources. Once applied, Azure Policy continuously evaluates resources against these rules and flags non-compliant resources. In many cases, policies can also automatically remediate non-compliant configurations, for example, by enforcing security extensions, configuring endpoint protection, or applying tagging standards.

Azure RBAC (option B) controls who can perform actions on resources but does not enforce resource configurations. Azure Monitor (option C) collects telemetry and alerts on performance or operational issues but does not enforce compliance policies. Azure Security Center (option D) provides recommendations and threat protection but does not enforce configurations automatically at scale.

Azure Policy supports built-in and custom policies. Built-in policies address common scenarios, such as enforcing disk encryption, securing storage accounts, or ensuring network configurations are compliant. Custom policies allow organizations to define rules unique to their environment, such as requiring specific extensions on virtual machines or controlling allowed VM sizes.

Compliance reports generated by Azure Policy provide visibility into the state of all resources, showing which resources meet policy requirements and which do not. This enables administrators to track security posture over time, identify trends, and prioritize remediation efforts. Policies can also be integrated with DevOps pipelines to ensure that resources deployed via templates or scripts are automatically compliant upon creation, reducing the risk of misconfigurations during deployment.

Azure Policy can be combined with initiatives, which are collections of multiple policies grouped together to simplify management. For example, an organization may create a security initiative that ensures encryption, endpoint protection, and secure networking configurations are applied consistently across all virtual machines. Applying the initiative ensures comprehensive governance without requiring administrators to manage individual policies separately.

By implementing Azure Policy, organizations can maintain consistent security configurations across all virtual machines, automatically detect and remediate non-compliance, and generate reporting for auditing and regulatory requirements. This approach enforces organizational standards, reduces human error, and strengthens the overall security posture of Azure resources, making it the optimal solution for the scenario described.

Question 141

A company wants to track changes to Azure resources over time and detect unauthorized modifications. Which feature should they implement?

A) Azure Activity Logs
B) Azure Monitor
C) Azure Policy
D) Azure Security Center

Answer

A) Azure Activity Logs

Explanation

Azure Activity Logs provide a comprehensive record of all management-level operations performed on resources in Azure. The company’s requirement is to track changes and detect unauthorized modifications. Activity Logs record information such as which user or service made a change, the time of the change, the operation performed, and the status of the operation. This enables organizations to maintain accountability and transparency over their Azure environment.

Activity Logs are automatically available for all Azure resources without requiring additional configuration, providing insights into operations such as resource creation, modification, deletion, role assignments, and policy changes. Organizations can analyze these logs to detect patterns, identify unauthorized activities, or investigate incidents. Integration with tools like Azure Monitor, Log Analytics, and Azure Sentinel allows for alerting, querying, and visualization of activity trends, further enhancing security monitoring.

Azure Monitor (option B) collects metrics and telemetry data for performance monitoring but does not provide a detailed history of administrative actions. Azure Policy (option C) enforces compliance rules but does not track individual resource changes. Azure Security Center (option D) provides security recommendations and threat detection but is not a primary source for detailed activity logs.

Activity Logs can also be exported to storage accounts, event hubs, or third-party SIEM systems for long-term retention, compliance auditing, and advanced analytics. Organizations can configure alerts to trigger notifications when specific operations occur, such as unexpected deletion of critical resources or assignment of high-privilege roles, enabling proactive incident response.

Additionally, Activity Logs support filtering and querying to focus on particular subscriptions, resource groups, resource types, users, or time periods. This granularity allows administrators to investigate specific events, understand the context of changes, and determine if actions were authorized or suspicious. Audit reports generated from Activity Logs also support regulatory and internal compliance requirements by providing a clear history of administrative activities.

By implementing Azure Activity Logs, organizations gain visibility into all changes to their Azure resources, detect unauthorized modifications, and maintain accountability for administrative actions. This supports security governance, operational auditing, and compliance, ensuring that resource management activities are tracked and can be investigated effectively. Activity Logs serve as the foundational tool for monitoring resource changes and securing Azure environments.
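The filtering and review described above, as an added example that is not part of the original page: it pulls the last seven days of Activity Log entries, keeps the control-plane operations most often behind an unauthorized change (role assignment writes, lock removals, policy assignment removals and any delete), and summarizes them per caller. It assumes the Az PowerShell module and a signed-in account with Reader on the subscription; the operation names are the resource-provider operation strings that appear in `OperationName.Value`.

```powershell
# Added example (not from the page): a weekly review of high-impact control-plane changes.
# Assumes Az PowerShell and Reader on the current subscription.
Connect-AzAccount | Out-Null

$watched = @(
    'Microsoft.Authorization/roleAssignments/write',     # new or changed RBAC grant
    'Microsoft.Authorization/roleAssignments/delete',
    'Microsoft.Authorization/locks/delete',              # a lock was removed before a change
    'Microsoft.Authorization/policyAssignments/delete'   # a governance rule was switched off
)

$events = Get-AzActivityLog -StartTime (Get-Date).AddDays(-7) -EndTime (Get-Date) -MaxRecord 5000 |
    Where-Object {
        $_.OperationName.Value -in $watched -or $_.OperationName.Value -like '*/delete'
    } |
    Where-Object { $_.Status.Value -eq 'Succeeded' }   # attempts that were already blocked are noise here

# One row per event: when, who, what, and on which resource.
$events |
    Select-Object EventTimestamp, Caller,
        @{ n = 'Operation'; e = { $_.OperationName.Value } },
        ResourceId |
    Sort-Object EventTimestamp -Descending |
    Format-Table -AutoSize

# Who made the most privileged changes. Service principals show up here by app id,
# so an unfamiliar GUID at the top of this list is worth a closer look.
$events | Group-Object Caller | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

`Get-AzActivityLog` only reaches back 90 days, which is the retention the platform keeps by default; the export to a storage account, event hub or SIEM mentioned above is what makes a longer investigation window possible.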

Question 142

A company wants to implement a role-based access control model in Azure to ensure employees have only the permissions necessary for their job functions. Which feature should they use?

A) Azure RBAC
B) Azure AD Conditional Access
C) Azure Policy
D) Azure AD Privileged Identity Management

Answer

A) Azure RBAC

Explanation

Azure Role-Based Access Control (RBAC) is a core feature in Azure that enables organizations to manage who has access to Azure resources, what actions they can perform, and what areas they have access to. The principle behind RBAC is to provide granular control over permissions so that users, groups, and service principals have only the access necessary to perform their job functions, minimizing security risks associated with over-permissioned accounts.

RBAC works by assigning roles at different scopes, such as the subscription, resource group, or individual resource level. Built-in roles include Owner, Contributor, Reader, and various service-specific roles, while custom roles can be created to address specific organizational requirements. Assignments can be applied to users, groups, or service principals, providing flexibility in managing access across a complex Azure environment.

In practice, Azure RBAC ensures that sensitive operations are restricted to authorized users. For example, a database administrator might be assigned a Contributor role on a specific SQL Database but not on unrelated resources, while a developer could have Contributor access to app services without permissions to modify network settings. By carefully defining roles and scopes, RBAC minimizes the likelihood of accidental or malicious changes to critical resources.

Azure AD Conditional Access (option B) enforces access policies based on conditions but does not control granular permissions for Azure resources. Azure Policy (option C) enforces resource configuration standards rather than assigning user permissions. Azure AD Privileged Identity Management (option D) manages temporary access to privileged roles but is not a general access control mechanism for all employees.

RBAC also integrates with monitoring and auditing tools to track role assignments, usage, and access patterns. Administrators can review role assignments periodically to ensure compliance with organizational policies and regulatory requirements. Access reviews and logs help detect unnecessary or excessive permissions, allowing timely remediation.

Organizations can combine RBAC with other security features such as Azure Policy, Conditional Access, and PIM for comprehensive identity and access management. For example, RBAC defines who can perform actions, Conditional Access enforces authentication requirements, and PIM provides temporary elevation for high-privilege roles. This layered approach ensures that employees have appropriate access, reducing security risks while maintaining operational efficiency.

By implementing Azure RBAC, the company can establish a robust and manageable access control framework, enforce the principle of least privilege, and maintain security governance across the Azure environment. It provides fine-grained permissions management, auditing capabilities, and integration with broader security policies, making it the optimal solution for controlling access based on job functions.
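The scoped assignment and periodic review described above, as an added example that is not part of the original page: a database administrators group gets Contributor on one SQL server only, and a short review lists the assignments that break the least-privilege pattern (high-privilege roles at subscription scope, and roles granted directly to users rather than groups). It assumes Az PowerShell; the resource group, server name and group object id are placeholders.

```powershell
# Added example (not from the page): least-privilege role assignment plus a review query.
# Assumes Az PowerShell; names and the group object id are placeholders.
$subscriptionId = (Get-AzContext).Subscription.Id
$dbaGroupId     = '00000000-0000-0000-0000-000000000000'   # placeholder group object id

$sqlServer = Get-AzResource -ResourceGroupName 'rg-finance' `
    -ResourceType 'Microsoft.Sql/servers' -Name 'sql-finance-prod'

# Scope is the single resource, not the resource group or subscription.
New-AzRoleAssignment -ObjectId $dbaGroupId -RoleDefinitionName 'Contributor' -Scope $sqlServer.ResourceId

# Review 1: high-privilege roles held at the subscription root.
$privileged = 'Owner', 'User Access Administrator', 'Contributor'
$all = Get-AzRoleAssignment   # every assignment visible in the current subscription

$all |
    Where-Object { $_.RoleDefinitionName -in $privileged -and $_.Scope -eq "/subscriptions/$subscriptionId" } |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope |
    Format-Table -AutoSize

# Review 2: assignments made directly to users. Group-based assignments are easier to
# review and revoke when someone changes role or leaves.
$all |
    Where-Object { $_.ObjectType -eq 'User' } |
    Select-Object DisplayName, RoleDefinitionName, Scope |
    Format-Table -AutoSize
```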

Question 143

A company needs to automatically apply tags to Azure resources based on resource type and environment to improve cost management and governance. Which feature should they use?

A) Azure Policy
B) Azure RBAC
C) Azure Monitor
D) Azure Automation

Answer

A) Azure Policy

Explanation

Azure Policy is a governance tool that enables organizations to enforce organizational standards, manage compliance, and automate resource configurations across their Azure environment. For scenarios involving automatic tagging, Azure Policy provides built-in or custom policy definitions that evaluate resources and apply tags based on specified rules.

Automatic tagging helps organizations track costs, manage resources by environment (such as development, testing, or production), and maintain compliance with internal policies. Policies can specify that all resources of a particular type, such as virtual machines or storage accounts, receive predefined tags, ensuring consistent metadata for reporting, cost allocation, and management.

Policies can be assigned at various scopes, including management groups, subscriptions, resource groups, or individual resources, allowing flexible governance at scale. Non-compliant resources are either flagged for review or automatically remediated depending on the policy configuration. For example, a policy can automatically apply a “Department” tag with the value “Finance” to all new virtual machines in a subscription.

Azure RBAC (option B) controls who can perform actions but does not enforce resource configuration or tagging. Azure Monitor (option C) collects metrics and telemetry but does not manage tagging. Azure Automation (option D) can run scripts to enforce configurations but lacks the policy-driven, declarative, and continuous evaluation model provided by Azure Policy.

Azure Policy also supports initiatives, which are collections of policies grouped together to achieve broader governance goals. For example, an initiative for cost management could include multiple policies for automatic tagging, location restrictions, and allowed resource types, simplifying deployment and management. Policies and initiatives generate compliance reports, enabling administrators to visualize resource compliance and detect areas where governance requirements are not met.

By implementing Azure Policy for automatic tagging, the organization can enforce consistent resource metadata, improve cost management, facilitate resource tracking, and maintain compliance. This reduces manual intervention, minimizes errors, and strengthens governance by ensuring all resources are tagged according to organizational standards, which is essential for cost reporting, auditing, and operational oversight.
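The "Department = Finance" tagging policy mentioned above, as an added example that is not part of the original page. It also covers the virtual-machine configuration enforcement of Question 140, because the mechanics are identical: a custom definition with a condition and an effect, an assignment with a managed identity so that existing resources can be remediated, and a compliance query afterwards. Only the rule body differs (a missing tag here; a missing extension or setting there). It assumes the Az.Resources and Az.PolicyInsights modules, reads the subscription from the current context, and uses the built-in Contributor role definition id; the `PolicyAssignmentId` property name is the one used by Az.Resources 6.x (later releases expose it as `Id`).

```powershell
# Added example (not from the page): a 'modify' policy that adds a tag to every VM missing it.
# Assumes Az.Resources and Az.PolicyInsights; region and assignment names are placeholders.
$subscriptionId = (Get-AzContext).Subscription.Id
$scope          = "/subscriptions/$subscriptionId"
$contributorId  = '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c'

# Policy rule: VMs without the named tag get it added (or replaced) at create/update time.
$rule = @"
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
      { "field": "[concat('tags[', parameters('tagName'), ']')]", "exists": "false" }
    ]
  },
  "then": {
    "effect": "modify",
    "details": {
      "roleDefinitionIds": [ "$contributorId" ],
      "operations": [
        { "operation": "addOrReplace",
          "field": "[concat('tags[', parameters('tagName'), ']')]",
          "value": "[parameters('tagValue')]" }
      ]
    }
  }
}
"@

$parameters = @"
{
  "tagName":  { "type": "String", "metadata": { "displayName": "Tag name" } },
  "tagValue": { "type": "String", "metadata": { "displayName": "Tag value" } }
}
"@

$definition = New-AzPolicyDefinition -Name 'vm-require-tag' `
    -DisplayName 'Add a required tag to virtual machines' `
    -Mode Indexed -Policy $rule -Parameter $parameters

# 'modify' writes to resources, so the assignment needs its own identity (and therefore a location).
$assignment = New-AzPolicyAssignment -Name 'vm-department-tag' -Scope $scope `
    -PolicyDefinition $definition `
    -PolicyParameterObject @{ tagName = 'Department'; tagValue = 'Finance' } `
    -IdentityType SystemAssigned -Location 'eastus'

# Grant that identity the role the definition declares (a short wait may be needed for the
# new principal to replicate), then remediate the VMs that already exist.
New-AzRoleAssignment -ObjectId $assignment.Identity.PrincipalId `
    -RoleDefinitionId ($contributorId.Split('/')[-1]) -Scope $scope
Start-AzPolicyRemediation -Name 'vm-department-tag-initial' -PolicyAssignmentId $assignment.PolicyAssignmentId

# Compliance view: anything still non-compliant after remediation needs a human look.
Get-AzPolicyState -PolicyAssignmentName 'vm-department-tag' -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, ComplianceState
```

The `roleDefinitionIds` entry is what makes `modify` (and `deployIfNotExists`) safe to reason about: the assignment's identity can do exactly what that role allows and nothing more, so a tagging policy should never be given Owner.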

Question 144

A company wants to prevent accidental deletion of critical Azure resources by requiring approval before certain operations can be performed. Which feature should they implement?

A) Azure Resource Locks
B) Azure RBAC
C) Azure Policy
D) Azure AD Conditional Access

Answer

A) Azure Resource Locks

Explanation

Azure Resource Locks provide a mechanism to prevent accidental or unauthorized modifications or deletions of critical Azure resources. By applying a lock at the resource, resource group, or subscription level, organizations can protect important assets such as production virtual machines, storage accounts, databases, or network components from accidental deletion or modification.

There are two types of locks: CanNotDelete and ReadOnly. The CanNotDelete lock ensures that resources cannot be deleted but allows modifications, while the ReadOnly lock restricts both deletion and modification, essentially making the resource immutable except for role-based access adjustments. Locks help enforce operational safety by providing an additional layer of protection beyond permissions.

Azure RBAC (option B) controls who can perform actions on resources but does not prevent accidental deletion if users have the necessary permissions. Azure Policy (option C) enforces configuration standards and compliance rules but does not stop deletions in real time. Azure AD Conditional Access (option D) focuses on authentication and access conditions, not resource operation protection.

Resource Locks integrate with RBAC, so even administrators with high-level permissions are subject to the lock rules. Locks are visible in the Azure portal, and any attempt to delete a locked resource triggers an error message indicating that the operation is blocked. This ensures that critical resources are safeguarded, reducing the risk of human error or unintended operational disruptions.

Organizations often combine Resource Locks with change management processes and operational approvals. For example, before removing a lock or performing a high-impact operation, an internal approval workflow can be enforced. This provides a controlled environment where accidental deletions or modifications are minimized, and accountability is maintained.

Azure Resource Locks also complement monitoring and auditing solutions. When used with Activity Logs, any attempt to modify a locked resource is recorded, providing traceability and supporting compliance requirements. Administrators can review logs to understand attempted changes and evaluate security or operational risks.

By implementing Azure Resource Locks, the company ensures that critical Azure resources are protected from accidental deletions or unauthorized modifications. Locks provide a simple yet effective safeguard that enforces operational stability, enhances security governance, and supports compliance with organizational policies, making them the appropriate solution for protecting essential resources in Azure.
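The CanNotDelete lock and the blocked delete described above, as an added example that is not part of the original page: it locks a production session host, confirms the lock, shows the delete failing regardless of the caller's role, and finally inventories every lock in the subscription so unprotected resources stand out. It assumes Az PowerShell; the resource group and VM names are placeholders.

```powershell
# Added example (not from the page): protect a VM with a delete lock and verify it holds.
# Assumes Az PowerShell; resource names are placeholders.
$rg = 'rg-avd-prod'
$vm = 'vm-sh-01'
$vmType = 'Microsoft.Compute/virtualMachines'

New-AzResourceLock -LockName 'no-delete-prod-vm' -LockLevel CanNotDelete `
    -LockNotes 'Change ticket required before removal' `
    -ResourceGroupName $rg -ResourceName $vm -ResourceType $vmType -Force

# Verify the lock is in place and at the expected level.
Get-AzResourceLock -ResourceGroupName $rg -ResourceName $vm -ResourceType $vmType |
    Select-Object Name, @{ n = 'Level'; e = { $_.Properties.level } }

# A delete now fails with a scope-locked error even for an Owner. try/catch lets the
# script report the error instead of aborting, which is the behaviour we want to see.
try {
    Remove-AzVM -ResourceGroupName $rg -Name $vm -Force -ErrorAction Stop
} catch {
    Write-Host "Delete blocked as expected: $($_.Exception.Message)"
}

# Inventory: which resources are protected, and at what level. Production resources
# missing from this list are a finding for the change-management review.
Get-AzResourceLock |
    Select-Object ResourceName, ResourceType, @{ n = 'Level'; e = { $_.Properties.level } }, Name |
    Format-Table -AutoSize

# Removing the lock needs Microsoft.Authorization/locks/delete (Owner or User Access
# Administrator) and is itself recorded in the Activity Log, so the approval step the
# question describes can be verified after the fact:
# Remove-AzResourceLock -LockName 'no-delete-prod-vm' -ResourceGroupName $rg -ResourceName $vm -ResourceType $vmType -Force
```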

Question 145

A company wants to monitor and alert on resource health and performance in Azure to ensure high availability of critical workloads. Which service should they use?

A) Azure Monitor
B) Azure Advisor
C) Azure Policy
D) Azure Security Center

Answer

A) Azure Monitor

Explanation

Azure Monitor is the comprehensive monitoring and observability service in Azure designed to provide full visibility into the performance, health, and availability of applications, resources, and infrastructure. By collecting metrics, logs, and telemetry from Azure resources, on-premises systems, and hybrid environments, Azure Monitor enables organizations to proactively detect issues, diagnose root causes, and respond to alerts before they impact business operations.

For critical workloads, Azure Monitor can track resource health by analyzing performance metrics such as CPU utilization, memory consumption, disk I/O, network traffic, and application-specific indicators. Metrics are collected in near real-time, enabling timely identification of anomalies or bottlenecks. Organizations can define thresholds for specific metrics and create alerts that trigger notifications or automated actions, ensuring that issues are addressed promptly.

Azure Monitor integrates with Log Analytics to provide advanced querying and analysis capabilities. Logs collected from various resources can be correlated and analyzed to understand patterns, detect trends, and predict potential failures. Workbooks and dashboards allow IT teams to visualize data in a centralized interface, making it easier to monitor health, availability, and performance across complex environments.

The service also includes Application Insights, which is focused on application-level monitoring, providing insights into request rates, response times, exceptions, dependencies, and user behavior. This enables developers and operations teams to identify performance issues, optimize code, and improve user experience for critical applications.

Azure Advisor (option B) provides personalized recommendations to optimize costs, improve performance, and enhance security, but it does not provide continuous monitoring or real-time alerting. Azure Policy (option C) enforces resource configurations and compliance but is not intended for performance monitoring. Azure Security Center (option D) focuses on security posture management and threat detection rather than general performance and health monitoring.

Azure Monitor also integrates with automation tools such as Azure Logic Apps, Azure Functions, or IT service management solutions, enabling automated remediation of issues. For example, if a VM exceeds a CPU threshold, an automated scale-out operation can be triggered to ensure availability. Notifications can be sent via email, SMS, or other messaging services to alert administrators and on-call engineers.

By implementing Azure Monitor, the company ensures a robust monitoring framework capable of maintaining high availability for critical workloads. It enables proactive detection of issues, rapid troubleshooting, automated responses, and comprehensive reporting. This combination of features is critical for maintaining operational continuity, improving resource utilization, and supporting strategic decision-making within Azure environments.

Question 146

A company wants to enforce encryption for all Azure storage accounts and ensure compliance with organizational security policies. Which feature should they implement?

A) Azure Policy
B) Azure RBAC
C) Azure Key Vault
D) Azure Security Center

Answer

A) Azure Policy

Explanation

Azure Policy is a governance tool that enables organizations to define, enforce, and audit standards for resources across their Azure environment. When it comes to enforcing encryption for storage accounts, Azure Policy allows administrators to create rules that ensure all storage accounts comply with security requirements, such as enabling encryption with Microsoft-managed keys or customer-managed keys.

Using policy definitions, Azure Policy can evaluate existing storage accounts and flag or remediate non-compliant resources automatically. For example, a policy can require that all storage accounts use HTTPS and have encryption enabled. If a new storage account is deployed without encryption, the policy can prevent creation or automatically apply the necessary configuration to bring it into compliance.

Azure Policy supports both built-in and custom policies. Built-in policies cover common scenarios like enforcing encryption, enabling monitoring, and restricting allowed resource types. Custom policies allow organizations to tailor governance to specific compliance standards or regulatory requirements. Policies can be assigned at management group, subscription, or resource group levels, providing flexible scope and enforcement.

Azure RBAC (option B) controls who can perform actions on resources but does not enforce encryption settings. Azure Key Vault (option C) manages keys, secrets, and certificates but does not enforce encryption across all storage accounts automatically. Azure Security Center (option D) provides security recommendations and monitoring but does not enforce configuration automatically in the same policy-driven manner.

Policy compliance can be monitored via dashboards and reports, allowing IT teams to track which resources comply with encryption requirements and which require remediation. Integration with Azure Monitor and Log Analytics allows for detailed auditing and alerting, ensuring that encryption standards are continuously enforced across the environment.

Azure Policy initiatives allow multiple policies to be grouped to achieve broader security objectives. For example, an initiative for data protection may include policies for encryption, network access restrictions, and secure transfer requirements, creating a cohesive framework for securing data in Azure.

By leveraging Azure Policy for storage account encryption, the organization ensures that all resources adhere to defined security standards, reduces the risk of data exposure, and supports compliance with internal and external regulations. This policy-driven approach provides automated enforcement, continuous monitoring, and centralized governance, making it the optimal solution for consistent encryption management in Azure.
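To make the deny-versus-audit behaviour and the initiative grouping described above concrete, here is an added example (not Microsoft's policy engine and not code from this page). The two definitions follow the if/then shape of an Azure Policy policyRule and use Azure's alias naming for storage account fields; the evaluator is a small re-implementation that understands only allOf, anyOf, not, field/equals, field/notEquals and field/exists. The storage account documents are constructed samples keyed directly by alias.

```python
"""Evaluate Azure Policy-style definitions against storage account documents."""
from typing import Any, Dict, List, Optional

# Policy 1: block any storage account that does not require secure transfer.
POLICY_DENY_HTTP = {
    "name": "deny-storage-without-https-only",
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
             "equals": "false"},
        ]},
        "then": {"effect": "deny"},   # the deployment is rejected
    },
}

# Policy 2: record (but do not block) accounts not using a customer-managed key.
POLICY_AUDIT_CMK = {
    "name": "audit-storage-without-customer-managed-key",
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"field": "Microsoft.Storage/storageAccounts/encryption.keySource",
             "notEquals": "Microsoft.Keyvault"},
        ]},
        "then": {"effect": "audit"},  # allowed, reported as non-compliant
    },
}

# An initiative groups several policies under one data-protection objective.
DATA_PROTECTION_INITIATIVE = [POLICY_DENY_HTTP, POLICY_AUDIT_CMK]


def _norm(value: Any) -> Optional[str]:
    """Azure Policy compares strings case-insensitively and booleans as 'true'/'false'."""
    return None if value is None else str(value).lower()


def _matches(cond: Dict[str, Any], resource: Dict[str, Any]) -> bool:
    """Return True when the 'if' condition matches the resource document."""
    if "allOf" in cond:
        return all(_matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not _matches(cond["not"], resource)
    value = resource.get(cond["field"])
    if "exists" in cond:
        return (value is not None) == (_norm(cond["exists"]) == "true")
    if "equals" in cond:
        return _norm(value) == _norm(cond["equals"])
    if "notEquals" in cond:
        return _norm(value) != _norm(cond["notEquals"])
    raise ValueError(f"unsupported condition: {cond}")


def evaluate_policy(policy: Dict[str, Any], resource: Dict[str, Any]) -> Optional[str]:
    """Return the effect to apply ('deny', 'audit', ...) or None when compliant."""
    rule = policy["policyRule"]
    return rule["then"]["effect"].lower() if _matches(rule["if"], resource) else None


def evaluate_initiative(policies: List[Dict[str, Any]], resource: Dict[str, Any]) -> Dict[str, Any]:
    """Evaluate every policy of an initiative against one resource."""
    findings: Dict[str, str] = {}
    for policy in policies:
        effect = evaluate_policy(policy, resource)
        if effect:
            findings[policy["name"]] = effect
    return {
        "resource": resource["name"],
        "compliant": not findings,
        "blocked": "deny" in findings.values(),   # any deny stops the deployment
        "findings": findings,
    }


def compliance_report(policies: List[Dict[str, Any]], resources: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Evaluate the initiative across a list of resources (constructed sample input)."""
    return [evaluate_initiative(policies, r) for r in resources]


# Constructed sample resources; keys are the aliases the policies read.
SAMPLE_RESOURCES = [
    {"name": "stfinance01", "type": "Microsoft.Storage/storageAccounts",
     "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly": True,
     "Microsoft.Storage/storageAccounts/encryption.keySource": "Microsoft.Keyvault"},
    {"name": "stlegacy02", "type": "Microsoft.Storage/storageAccounts",
     "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly": False,
     "Microsoft.Storage/storageAccounts/encryption.keySource": "Microsoft.Storage"},
    {"name": "vm-app-01", "type": "Microsoft.Compute/virtualMachines"},
]

if __name__ == "__main__":
    for row in compliance_report(DATA_PROTECTION_INITIATIVE, SAMPLE_RESOURCES):
        print(row)
```

The report shows the three outcomes a practitioner cares about: a compliant account, an account that is both blocked (deny) and reported (audit), and a resource of another type that is simply out of scope because the first allOf clause fails.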

Question 147

A company needs to track changes to Azure resources and detect unauthorized modifications to maintain compliance. Which feature should they use?

A) Azure Activity Log
B) Azure Monitor
C) Azure Advisor
D) Azure Policy

Answer

A) Azure Activity Log

Explanation

The Azure Activity Log is a system-level log that provides detailed records of operations performed on Azure resources. It captures events such as creation, modification, and deletion of resources, including who performed the action, when it occurred, and the source IP address. This information is crucial for auditing, compliance, and security monitoring.

Activity Log helps organizations detect unauthorized or unexpected changes to resources, providing a comprehensive view of operations across subscriptions and resource groups. Alerts can be configured based on specific activities, such as deletion of critical resources or modifications to security configurations, ensuring timely response to potential security incidents.

While Azure Monitor (option B) provides metrics and telemetry for performance and health monitoring, it does not provide detailed operational change history. Azure Advisor (option C) offers optimization recommendations but does not track operational changes. Azure Policy (option D) enforces compliance and configuration but does not track every user-initiated change automatically.

Activity Log integrates with Azure Monitor, Log Analytics, and Security Center, enabling advanced analysis, correlation, and visualization of events. Organizations can use this integration to identify patterns of suspicious activity, generate compliance reports, and provide evidence during audits. For example, if a storage account is modified without proper authorization, the Activity Log will capture the user identity, timestamp, and operation details, which can be investigated promptly.

Retention policies allow Activity Logs to be stored for extended periods, supporting regulatory requirements for data retention and audit trails. Logs can also be exported to external systems for long-term storage, analysis, and integration with security information and event management (SIEM) solutions.

By using the Azure Activity Log, the company gains continuous visibility into resource operations, enabling detection of unauthorized modifications, supporting compliance audits, and improving overall governance. This provides a robust mechanism to track, monitor, and respond to changes across Azure resources, ensuring operational security and integrity within the cloud environment.
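The alerting described above (deletion of critical resources, modifications to security configuration, investigating the caller and source IP) is shown here as detection logic run over sample records. This is an added example, not code from this page or from Microsoft: the record keys are modelled on the Activity Log event schema (operationName, caller, eventTimestamp, resourceId, status, httpRequest.clientIpAddress), and the subscription ID, user names, resource IDs and IP ranges are constructed sample values.

```python
"""Detection rules over constructed Azure Activity Log records."""
import ipaddress
from typing import Any, Dict, List

# Constructed watch lists; in practice these come from tagging or a CMDB.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
STFINANCE_ID = SUB + "/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/stfinance01"
CRITICAL_RESOURCES = {STFINANCE_ID.lower()}
APPROVED_SECURITY_ADMINS = {"secops@contoso.example"}
CORPORATE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]   # TEST-NET-3, sample range
# Operation prefixes that change security configuration (lower-case for matching).
SECURITY_CONFIG_PREFIXES = (
    "microsoft.authorization/roleassignments/",
    "microsoft.network/networksecuritygroups/",
)


def _from_corporate_network(ip: str) -> bool:
    """True when the client IP falls inside an approved range; bad input is untrusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in CORPORATE_NETWORKS)


def analyze_activity_log(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return one alert dict per rule match; an event can raise several alerts."""
    alerts: List[Dict[str, Any]] = []
    for ev in events:
        op = ev.get("operationName", "").lower()
        rid = ev.get("resourceId", "").lower()
        status = ev.get("status", "")
        ip = (ev.get("httpRequest") or {}).get("clientIpAddress", "")
        base = {"caller": ev.get("caller"), "operation": ev.get("operationName"),
                "resourceId": ev.get("resourceId"), "time": ev.get("eventTimestamp")}

        # Rule 1: completed delete of a resource on the critical list. Azure logs
        # Started/Succeeded/Failed events for one request, so key on Succeeded to
        # avoid raising three alerts for a single deletion.
        if op.endswith("/delete") and status == "Succeeded" and rid in CRITICAL_RESOURCES:
            alerts.append({**base, "rule": "critical-resource-deleted", "severity": "high"})

        # Rule 2: security configuration written by someone outside the approved set.
        if (op.startswith(SECURITY_CONFIG_PREFIXES) and op.endswith("/write")
                and status == "Succeeded" and ev.get("caller") not in APPROVED_SECURITY_ADMINS):
            alerts.append({**base, "rule": "unapproved-security-change", "severity": "high"})

        # Rule 3: any successful write or delete issued from outside corporate address space.
        if op.endswith(("/write", "/delete")) and status == "Succeeded" and not _from_corporate_network(ip):
            alerts.append({**base, "rule": "change-from-external-ip", "severity": "medium",
                           "clientIp": ip})
    return alerts


# Constructed sample events.
SAMPLE_EVENTS = [
    {"eventTimestamp": "2024-03-04T09:12:00Z", "caller": "alice@contoso.example",
     "operationName": "Microsoft.Compute/virtualMachines/write", "status": "Succeeded",
     "resourceId": SUB + "/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-app-01",
     "httpRequest": {"clientIpAddress": "203.0.113.10"}},
    {"eventTimestamp": "2024-03-04T23:40:30Z", "caller": "bob@contoso.example",
     "operationName": "Microsoft.Storage/storageAccounts/delete", "status": "Started",
     "resourceId": STFINANCE_ID, "httpRequest": {"clientIpAddress": "198.51.100.7"}},
    {"eventTimestamp": "2024-03-04T23:41:00Z", "caller": "bob@contoso.example",
     "operationName": "Microsoft.Storage/storageAccounts/delete", "status": "Succeeded",
     "resourceId": STFINANCE_ID, "httpRequest": {"clientIpAddress": "198.51.100.7"}},
    {"eventTimestamp": "2024-03-04T23:42:00Z", "caller": "bob@contoso.example",
     "operationName": "Microsoft.Authorization/roleAssignments/write", "status": "Succeeded",
     "resourceId": SUB + "/resourceGroups/rg-prod/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111",
     "httpRequest": {"clientIpAddress": "203.0.113.10"}},
]

if __name__ == "__main__":
    for alert in analyze_activity_log(SAMPLE_EVENTS):
        print(alert["severity"], alert["rule"], alert["caller"], alert["operation"])
```

Rules 1 and 2 correspond to the two alert triggers the explanation names; rule 3 uses the source IP that every Activity Log record carries. The Started event for the deletion produces no alert on its own, which is the deduplication a real alert rule also needs.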

Question 148

A company wants to implement automated patch management for Windows and Linux virtual machines in Azure to ensure compliance with security policies. Which service should they use?

A) Azure Automation Update Management
B) Azure Policy
C) Azure Monitor
D) Azure Security Center

Answer

A) Azure Automation Update Management

Explanation

Azure Automation Update Management is a feature of Azure Automation that allows organizations to manage operating system updates for both Windows and Linux virtual machines hosted in Azure, on-premises, or in other cloud environments. The service enables IT teams to automate patch deployment, monitor update compliance, and ensure that critical and security updates are applied according to organizational policies.

Update Management works by assessing the update status of each VM and identifying missing updates. Administrators can schedule deployment of patches during maintenance windows to minimize disruptions, and orchestrate updates across multiple VMs simultaneously. The service supports grouping VMs by role, department, or environment, which allows for targeted patching strategies.

The process begins with scanning the VMs to determine which updates are required. Reports are generated showing compliance status, pending updates, and historical update deployments. Based on these reports, update deployments can be scheduled, which ensures that all critical and security updates are applied consistently and efficiently. Notifications and alerts can be configured to inform administrators about failed updates or non-compliant VMs.

Azure Policy (option B) can enforce configurations but does not provide a mechanism to deploy OS updates automatically. Azure Monitor (option C) collects telemetry and alerts but does not manage patch deployment. Azure Security Center (option D) provides recommendations for missing updates but does not automate the remediation process.

Update Management integrates with Log Analytics to provide detailed reporting and insights into update compliance trends. This integration enables IT teams to visualize patch deployment success rates, identify recurring issues, and track the patching process over time. Workbooks and dashboards allow stakeholders to monitor the compliance status of all VMs in real time.

The service supports both Windows and Linux operating systems, ensuring comprehensive coverage across heterogeneous environments. For Linux VMs, Update Management works with distributions such as Ubuntu, CentOS, Red Hat, and SUSE. For Windows VMs, it works with both server and client editions, supporting the deployment of security updates, critical updates, and optional updates as needed.

By implementing Azure Automation Update Management, the company can achieve consistent, automated, and auditable patch management across all virtual machines, reducing security risks, maintaining compliance with organizational policies, and minimizing operational overhead. The service is particularly valuable for large-scale environments where manual patching would be inefficient and prone to error, ensuring that all systems remain up-to-date and protected against known vulnerabilities.

Question 149

A company needs to control access to Azure SQL databases based on user roles and responsibilities. Which feature should they use?

A) Azure Role-Based Access Control
B) Azure AD Privileged Identity Management
C) Azure Policy
D) Azure Security Center

Answer

A) Azure Role-Based Access Control

Explanation

Azure Role-Based Access Control (RBAC) is the primary mechanism for managing access to Azure resources, including Azure SQL databases. RBAC allows organizations to assign permissions to users, groups, and applications based on their role within the organization, following the principle of least privilege. By granting only the required permissions for specific tasks, RBAC helps reduce the risk of unauthorized access and ensures that users can only perform actions appropriate for their responsibilities.

For Azure SQL databases, RBAC can be used to assign built-in roles such as SQL DB Contributor, SQL Server Contributor, or custom roles with granular permissions. These roles define the actions a user can perform, such as reading data, writing data, or managing database schemas. Administrators can assign roles at different scopes, including subscription, resource group, or individual database level, enabling precise control over access.

Azure AD Privileged Identity Management (option B) provides just-in-time access and approval workflows for privileged roles but does not manage standard database permissions. Azure Policy (option C) enforces compliance configurations but does not assign user permissions. Azure Security Center (option D) focuses on security posture and threat detection but does not directly manage access control.

RBAC integrates with Azure Active Directory, allowing centralized management of identities and permissions. Changes to roles are reflected immediately, ensuring that new employees, departing employees, or changing responsibilities are accounted for efficiently. Administrators can also enable auditing to monitor role assignments, access attempts, and permission changes, supporting compliance and security requirements.

Additionally, RBAC supports the creation of custom roles tailored to specific business needs. For instance, a reporting team might have read-only access to production databases, while a development team may have write and schema modification permissions in development databases. This flexibility ensures that security requirements are met without compromising operational efficiency.

By using Azure RBAC for Azure SQL databases, the company can implement a structured, scalable, and auditable access control framework that aligns with organizational roles and responsibilities, providing security, compliance, and operational clarity across the database environment.
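The scope inheritance and role definitions described above (a reporting group with read-only access at the production resource group, a development group with SQL DB Contributor at the development resource group) can be checked with the small evaluator below. It is an added example, not Azure's authorization service and not code from this page: it models the management-plane mechanics of Azure RBAC, where a role definition lists Actions and NotActions with `*` wildcards and an assignment at a scope applies to everything beneath that scope. The role definitions are modelled on the built-in Reader and SQL DB Contributor roles but trimmed; the subscription, resource group, server and principal names are constructed, and the principals are treated as already-resolved group names.

```python
"""Evaluate Azure RBAC-style role assignments across scopes."""
import re
from typing import Any, Dict, List

# Trimmed role definitions modelled on built-in roles (sample values).
ROLE_DEFINITIONS: Dict[str, Dict[str, List[str]]] = {
    "Reader": {"actions": ["*/read"], "notActions": []},
    "SQL DB Contributor": {
        "actions": ["Microsoft.Sql/servers/databases/*", "Microsoft.Resources/deployments/*"],
        # Security-sensitive sub-resources are carved out of the contributor role.
        "notActions": ["Microsoft.Sql/servers/databases/auditingSettings/*",
                       "Microsoft.Sql/servers/databases/securityAlertPolicies/*"],
    },
}

# Constructed scope hierarchy: subscription -> resource group -> server -> database.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_PROD = SUB + "/resourceGroups/rg-prod"
RG_DEV = SUB + "/resourceGroups/rg-dev"
DB_PROD = RG_PROD + "/providers/Microsoft.Sql/servers/sql-prod/databases/finance"
DB_DEV = RG_DEV + "/providers/Microsoft.Sql/servers/sql-dev/databases/finance"

# Assignments at resource-group scope; they are inherited by the databases below.
ROLE_ASSIGNMENTS: List[Dict[str, str]] = [
    {"principal": "grp-reporting", "role": "Reader", "scope": RG_PROD},
    {"principal": "grp-dev", "role": "SQL DB Contributor", "scope": RG_DEV},
]


def _action_matches(pattern: str, action: str) -> bool:
    """RBAC action strings are case-insensitive and '*' may span path segments."""
    regex = "^" + re.escape(pattern.lower()).replace(r"\*", ".*") + "$"
    return re.match(regex, action.lower()) is not None


def _scope_covers(scope: str, resource_id: str) -> bool:
    """An assignment applies to its scope and to every resource nested beneath it."""
    s = scope.lower().rstrip("/")
    r = resource_id.lower().rstrip("/")
    return r == s or r.startswith(s + "/")


def applicable_assignments(principal: str, resource_id: str,
                           assignments: List[Dict[str, str]] = ROLE_ASSIGNMENTS) -> List[Dict[str, str]]:
    """Assignments for this principal whose scope includes the resource (useful for audits)."""
    return [a for a in assignments
            if a["principal"] == principal and _scope_covers(a["scope"], resource_id)]


def is_allowed(principal: str, action: str, resource_id: str,
               assignments: List[Dict[str, str]] = ROLE_ASSIGNMENTS,
               roles: Dict[str, Dict[str, List[str]]] = ROLE_DEFINITIONS) -> bool:
    """Per role: Actions minus NotActions; the union over applicable assignments grants access."""
    for assignment in applicable_assignments(principal, resource_id, assignments):
        role = roles[assignment["role"]]
        granted = any(_action_matches(p, action) for p in role["actions"])
        excluded = any(_action_matches(p, action) for p in role["notActions"])
        if granted and not excluded:
            return True
    return False


def access_matrix(checks: List[Dict[str, str]]) -> List[Dict[str, Any]]:
    """Evaluate a list of {principal, action, resource} checks for review."""
    return [{**c, "allowed": is_allowed(c["principal"], c["action"], c["resource"])} for c in checks]


if __name__ == "__main__":
    for row in access_matrix([
        {"principal": "grp-reporting", "action": "Microsoft.Sql/servers/databases/read", "resource": DB_PROD},
        {"principal": "grp-dev", "action": "Microsoft.Sql/servers/databases/write", "resource": DB_PROD},
    ]):
        print(row)
```

Two points the matrix makes visible: the development group's contributor role stops at its resource group, so the same action on the production database is refused, and the NotActions carve-out means a contributor still cannot touch auditing settings. These are management-plane actions; permissions on rows and tables inside the database are granted separately through database-level roles.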

Question 150

A company wants to automate deployment of Azure resources using templates to ensure consistency across environments. Which service should they use?

A) Azure Resource Manager templates
B) Azure Policy
C) Azure Blueprints
D) Azure DevOps Pipelines

Answer

A) Azure Resource Manager templates

Explanation

Azure Resource Manager (ARM) templates provide a declarative approach to deploying and managing Azure resources consistently and repeatedly. By defining infrastructure as code, organizations can automate deployment of complex environments, reduce manual errors, and maintain consistency across development, testing, and production environments.

ARM templates use JSON syntax to describe the resources, their properties, dependencies, and configurations. Templates can include virtual machines, networking components, storage accounts, databases, and other Azure services. Parameters and variables allow templates to be reused across environments, enabling customization without altering the underlying structure.

When deploying resources using ARM templates, the Azure Resource Manager service evaluates the template, resolves dependencies, and orchestrates resource creation in the correct order. This ensures that all resources are provisioned according to the defined configuration, maintaining consistency and compliance with organizational standards.

Azure Policy (option B) enforces rules on deployed resources but does not automate the deployment itself. Azure Blueprints (option C) extends ARM templates by combining them with policies, role assignments, and resource groups for end-to-end environment setup but relies on templates as the underlying mechanism. Azure DevOps Pipelines (option D) automates deployment workflows but typically invokes ARM templates or other infrastructure-as-code artifacts rather than replacing them.

ARM templates also support versioning and source control, enabling teams to track changes, implement review processes, and revert to previous configurations when necessary. Integration with CI/CD pipelines allows automated deployments upon code commits, ensuring rapid and consistent provisioning of resources across multiple environments.

By implementing Azure Resource Manager templates, the company can achieve repeatable, automated, and consistent deployment of Azure resources, reduce human error, accelerate provisioning, and enforce configuration standards. Templates also support auditing and compliance efforts by providing a clear record of intended resource configuration and deployment actions. This approach ensures operational efficiency, governance, and alignment with best practices in cloud infrastructure management.
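The step in which Resource Manager "resolves dependencies and orchestrates resource creation in the correct order" is the part of the explanation most easily shown in code. The example below is added here and is not Azure Resource Manager's own orchestrator nor code from this page: it reads the resources array of a template, turns each dependsOn entry (a plain resource name or a "[resourceId(...)]" expression with literal arguments) into an edge, and computes the deployment levels, where every resource in one level has all its dependencies satisfied by earlier levels and could be deployed in parallel. The template is a constructed sample trimmed to the fields this logic reads.

```python
"""Resolve an ARM template's dependsOn graph into a deployment order."""
import json
import re
from typing import Dict, List, Set

# Constructed sample template (apiVersion and properties omitted; not needed for ordering).
SAMPLE_TEMPLATE = json.loads("""
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {"location": {"type": "string", "defaultValue": "westeurope"}},
  "resources": [
    {"type": "Microsoft.Network/virtualNetworks", "name": "vnet-app",
     "location": "[parameters('location')]"},
    {"type": "Microsoft.Network/networkSecurityGroups", "name": "nsg-app",
     "location": "[parameters('location')]"},
    {"type": "Microsoft.Network/publicIPAddresses", "name": "pip-app",
     "location": "[parameters('location')]"},
    {"type": "Microsoft.Storage/storageAccounts", "name": "stdiag01",
     "location": "[parameters('location')]"},
    {"type": "Microsoft.Network/networkInterfaces", "name": "nic-app",
     "location": "[parameters('location')]",
     "dependsOn": [
       "[resourceId('Microsoft.Network/virtualNetworks', 'vnet-app')]",
       "[resourceId('Microsoft.Network/networkSecurityGroups', 'nsg-app')]",
       "pip-app"
     ]},
    {"type": "Microsoft.Compute/virtualMachines", "name": "vm-app-01",
     "location": "[parameters('location')]",
     "dependsOn": ["nic-app", "stdiag01"]}
  ]
}
""")

# A second constructed template with a dependency cycle, to show the failure mode.
CYCLIC_TEMPLATE = {"resources": [
    {"type": "Microsoft.Network/virtualNetworks", "name": "a", "dependsOn": ["b"]},
    {"type": "Microsoft.Network/networkSecurityGroups", "name": "b", "dependsOn": ["a"]},
]}

_RESOURCE_ID_EXPR = re.compile(r"^\[resourceId\((.*)\)\]$")


def dependency_name(dep: str) -> str:
    """Map a dependsOn entry to a resource name; resourceId()'s last argument is the name."""
    match = _RESOURCE_ID_EXPR.match(dep.strip())
    if not match:
        return dep.strip()
    args = [a.strip().strip("'") for a in match.group(1).split(",")]
    return args[-1]


def deployment_levels(template: Dict) -> List[List[str]]:
    """Kahn's algorithm over the dependsOn graph; each level can deploy in parallel."""
    resources = template["resources"]
    names = [r["name"] for r in resources]
    if len(set(names)) != len(names):
        raise ValueError("duplicate resource names in template")
    pending: Dict[str, Set[str]] = {
        r["name"]: {dependency_name(d) for d in r.get("dependsOn", [])} for r in resources}
    unknown = {d for deps in pending.values() for d in deps} - set(names)
    if unknown:
        raise ValueError(f"dependsOn refers to undeclared resources: {sorted(unknown)}")
    levels: List[List[str]] = []
    while pending:
        ready = sorted(name for name, deps in pending.items() if not deps)
        if not ready:
            raise ValueError(f"dependency cycle among: {sorted(pending)}")
        levels.append(ready)
        for name in ready:
            del pending[name]
        for deps in pending.values():
            deps.difference_update(ready)
    return levels


def deployment_order(template: Dict) -> List[str]:
    """Flatten the levels into one sequential order."""
    return [name for level in deployment_levels(template) for name in level]


if __name__ == "__main__":
    for i, level in enumerate(deployment_levels(SAMPLE_TEMPLATE), start=1):
        print(f"level {i}: {', '.join(level)}")
```

The four independent resources form the first level, the network interface waits for all three of its dependencies, and the virtual machine comes last. A cycle or a reference to an undeclared resource raises an error before anything would be deployed, which is the same class of validation failure Resource Manager reports when it evaluates a template.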