AZ-900 Questions 41-50: Identity, Security, and Network Protection

0
0
AZ-900Questions 41-50Original PracticeAnswers Hidden

AZ-900 Questions 41-50: Identity, Security, and Network Protection

Continue the AZ-900 practice bank with 10 original exam-style questions focused on identity, access, keys, and network security. Choose your answer first, then reveal the explanation.

Series position: This continues the AZ-900 sequence after the previous 10-question batch. The goal is a complete, reviewable Microsoft Azure Fundamentals practice bank from Questions 1-100.
Exam code
AZ-900
Question range
41-50
Format
Single-best-answer practice
Status
Original questions, source-grounded
Practice mode: Answers are hidden by default. Decide on A, B, C, or D before opening the reveal panel.

Questions

Question 41

Single answerIdentity
A company wants cloud identities that users can use to sign in to Microsoft 365 and Azure resources. Which service provides this identity platform?
  • A. Microsoft Entra ID
  • B. Azure DNS
  • C. Azure Firewall
  • D. Azure Advisor
Reveal answer and explanation
Correct answer: A. Microsoft Entra ID
Microsoft Entra ID is the cloud-based identity and access management service used for Azure and Microsoft cloud sign-ins.
Why the others are wrong: DNS hosts zones, Firewall filters traffic, and Advisor gives recommendations; none is the identity platform.

Objective: Identity.

Question 42

Single answerAuthentication
A security team wants users to prove their identity using a password plus a second verification method. What should be enabled?
  • A. Multi-factor authentication
  • B. Azure Reservations
  • C. Availability zones
  • D. Resource locks
Reveal answer and explanation
Correct answer: A. Multi-factor authentication
Multi-factor authentication requires two or more verification factors and reduces risk from stolen passwords.
Why the others are wrong: Reservations reduce cost, zones improve availability, and locks prevent changes or deletion.

Objective: Authentication.

Question 43

Single answerAuthorization
A user needs permission to restart virtual machines but should not manage access for other users. What should you assign?
  • A. An Azure RBAC role with the required VM permissions
  • B. A resource tag
  • C. An availability set
  • D. A public IP address
Reveal answer and explanation
Correct answer: A. An Azure RBAC role with the required VM permissions
Azure role-based access control grants permissions to users, groups, service principals, or managed identities at a scope.
Why the others are wrong: Tags organize metadata, availability sets improve VM placement, and public IPs expose network endpoints.

Objective: Authorization.

Question 44

Single answerLeast privilege
A team needs to give a contractor temporary read-only access to one resource group. Which approach best follows least privilege?
  • A. Assign Reader at the resource group scope
  • B. Assign Owner at the subscription scope
  • C. Share the subscription administrator account
  • D. Assign Global Administrator permanently
Reveal answer and explanation
Correct answer: A. Assign Reader at the resource group scope
Reader at the resource group scope grants only view access where needed.
Why the others are wrong: The other options grant too much privilege or violate identity best practices.

Objective: Least privilege.

Question 45

Single answerSecrets
An application needs to store database passwords and rotate them securely. Which Azure service is designed for secrets management?
  • A. Azure Key Vault
  • B. Azure Blob Storage hot tier
  • C. Azure Traffic Manager
  • D. Azure App Configuration only
Reveal answer and explanation
Correct answer: A. Azure Key Vault
Azure Key Vault stores and controls access to secrets, keys, and certificates.
Why the others are wrong: Blob Storage stores objects, Traffic Manager routes DNS traffic, and App Configuration is not a secure secret vault by itself.

Objective: Secrets.

Question 46

Single answerNetwork filtering
You need to allow HTTPS traffic to a subnet but deny inbound Remote Desktop traffic from the internet. What Azure resource can apply these packet-filtering rules?
  • A. Network security group
  • B. Azure Monitor workbook
  • C. Management group
  • D. Azure Policy initiative
Reveal answer and explanation
Correct answer: A. Network security group
A network security group uses security rules to allow or deny inbound and outbound network traffic.
Why the others are wrong: Monitor visualizes telemetry, management groups organize subscriptions, and Policy evaluates compliance.

Objective: Network filtering.

Question 47

Single answerPrivate access
A storage account should be reachable from a virtual network using a private IP address instead of a public endpoint. Which feature best fits?
  • A. Private endpoint
  • B. Public IP address
  • C. Azure Marketplace
  • D. Service Health alert
Reveal answer and explanation
Correct answer: A. Private endpoint
Private endpoints use Azure Private Link to expose supported services through private IP addresses in a virtual network.
Why the others are wrong: The other choices do not provide private network access to the storage account.

Objective: Private access.

Question 48

Single answerPerimeter security
A company wants a managed network security service that filters and logs traffic between networks using application and network rules. Which service should it use?
  • A. Azure Firewall
  • B. Azure Functions
  • C. Azure Advisor
  • D. Azure Cost Management
Reveal answer and explanation
Correct answer: A. Azure Firewall
Azure Firewall is a managed cloud network security service for filtering and logging traffic.
Why the others are wrong: Functions runs code, Advisor recommends improvements, and Cost Management analyzes spending.

Objective: Perimeter security.

Question 49

Single answerDDoS protection
A public-facing application needs additional protection against large distributed denial-of-service attacks. Which Azure service should be considered?
  • A. Azure DDoS Protection
  • B. Azure Blueprints
  • C. Azure Resource Graph
  • D. Azure Cloud Shell
Reveal answer and explanation
Correct answer: A. Azure DDoS Protection
Azure DDoS Protection helps protect Azure resources from DDoS attacks, especially for internet-facing workloads.
Why the others are wrong: Blueprints, Resource Graph, and Cloud Shell are governance/query/management tools, not DDoS mitigation services.

Objective: DDoS protection.

Question 50

Single answerSecurity posture
An administrator wants a dashboard of security recommendations and workload protection capabilities across Azure resources. Which service should they review?
  • A. Microsoft Defender for Cloud
  • B. Azure DNS
  • C. Azure Load Testing
  • D. Azure Storage Explorer
Reveal answer and explanation
Correct answer: A. Microsoft Defender for Cloud
Microsoft Defender for Cloud helps strengthen security posture and provides workload protection recommendations.
Why the others are wrong: The other tools do not provide Azure security posture management recommendations.

Objective: Security posture.

Answer key

Reveal full answer key
QuestionCorrect answerObjective area
41AIdentity
42AAuthentication
43AAuthorization
44ALeast privilege
45ASecrets
46ANetwork filtering
47APrivate access
48APerimeter security
49ADDoS protection
50ASecurity posture
Exam tip: AZ-900 questions usually reward the simplest Azure service or concept that exactly matches the requirement. Watch for distractors that are real services but solve a different problem.
Next: Continue with AZ-900 Questions 51-60 for compute, storage, and data service scenarios.

Sources