Microsoft AZ-500 (Azure Security)

Secure Compute, Storage & Databases

41 free practice questions with explanations

PassNova has 41 free Microsoft AZ-500 (Azure Security) practice questions on Secure Compute, Storage & Databases, each with a clear explanation. Practise them in the browser with instant feedback — 100% free, no sign-up, on any device. Updated for 2026.

Sample questions

Secure Compute, Storage & Databases: example questions & answers

Here are 6 example questions from this topic. Practise the full set of 41 free in the browser.

  1. You want to reduce the attack surface of Azure VMs by keeping management ports closed until an administrator requests temporary access through Microsoft Defender for Cloud. Which feature provides this?

    • A Just-in-time VM access
    • B File integrity monitoring
    • C A network security group default deny
    • D Adaptive application controls

    Answer: Just-in-time VM access in Microsoft Defender for Cloud keeps inbound management ports closed and opens them only for an approved time window, source, and user when requested. This reduces exposure to brute-force attacks.

  2. You must encrypt the OS and data disks of an Azure VM using BitLocker or dm-crypt with keys protected in Azure Key Vault. Which capability should you enable?

    • A Storage service encryption
    • B Transparent Data Encryption
    • C Azure Disk Encryption
    • D Always Encrypted

    Answer: Azure Disk Encryption uses BitLocker for Windows and dm-crypt for Linux to encrypt VM OS and data disks, with the encryption keys safeguarded in Azure Key Vault. Transparent Data Encryption and Always Encrypted apply to databases.

  3. A storage account currently allows access using account keys, but you want applications to authenticate using Microsoft Entra identities and RBAC instead. Which step enforces this?

    • A Enable infrastructure encryption
    • B Disable shared key authorization and assign data-plane RBAC roles
    • C Rotate the account keys weekly
    • D Generate a user delegation SAS for each app

    Answer: Disabling shared key authorization on the storage account blocks account-key and shared-key SAS access, forcing clients to authenticate with Microsoft Entra ID, where you grant data roles such as Storage Blob Data Reader. Rotating keys alone does not remove key-based access.

  4. You need to grant a partner read access to a single blob container for seven days, scoped and revocable, without sharing the storage account key. What is the most appropriate mechanism?

    • A A network security group rule
    • B A shared access signature with a stored access policy
    • C The storage account access key
    • D A system-assigned managed identity

    Answer: A shared access signature grants scoped, time-limited delegated access; binding it to a stored access policy lets you revoke it before expiry. Sharing the account key would grant full access and cannot be selectively revoked.

  5. Which Azure SQL Database feature encrypts data at rest at the database level and is enabled by default for new databases?

    • A Always Encrypted
    • B Dynamic data masking
    • C Row-level security
    • D Transparent Data Encryption

    Answer: Transparent Data Encryption encrypts the database, backups, and transaction log files at rest and is enabled by default for new Azure SQL databases. Always Encrypted protects specific columns and dynamic data masking only obfuscates query results.

  6. You manage an Azure Kubernetes Service cluster and want pods to obtain Azure resource access using Microsoft Entra identities without storing secrets in the cluster. Which approach is recommended?

    • A Hardcoded service principal secrets in pod environment variables
    • B A shared storage account key mounted as a volume
    • C Basic Kubernetes service account tokens only
    • D Microsoft Entra Workload ID with federated credentials

    Answer: Microsoft Entra Workload ID federates a Kubernetes service account with a Microsoft Entra application or managed identity, so pods get tokens without storing secrets. Embedding service principal secrets in pods is the practice this is designed to replace.
