AZ-900Questions 41-50Original PracticeAnswers Hidden
AZ-900 Questions 41-50: Identity, Security, and Network Protection
Continue the AZ-900 practice bank with 10 original exam-style questions focused on identity, access, keys, and network security. Choose your answer first, then reveal the explanation.
Series position: This continues the AZ-900 sequence after the previous 10-question batch. The goal is a complete, reviewable Microsoft Azure Fundamentals practice bank from Questions 1-100.
Exam code
AZ-900
AZ-900
Question range
41-50
41-50
Format
Single-best-answer practice
Single-best-answer practice
Status
Original questions, source-grounded
Original questions, source-grounded
Practice mode: Answers are hidden by default. Decide on A, B, C, or D before opening the reveal panel.
Questions
Question 41
A company wants cloud identities that users can use to sign in to Microsoft 365 and Azure resources. Which service provides this identity platform?
Reveal answer and explanation
Correct answer: A. Microsoft Entra ID
Microsoft Entra ID is the cloud-based identity and access management service used for Azure and Microsoft cloud sign-ins.
Microsoft Entra ID is the cloud-based identity and access management service used for Azure and Microsoft cloud sign-ins.
Why the others are wrong: DNS hosts zones, Firewall filters traffic, and Advisor gives recommendations; none is the identity platform.
Objective: Identity.
Question 42
A security team wants users to prove their identity using a password plus a second verification method. What should be enabled?
Reveal answer and explanation
Correct answer: A. Multi-factor authentication
Multi-factor authentication requires two or more verification factors and reduces risk from stolen passwords.
Multi-factor authentication requires two or more verification factors and reduces risk from stolen passwords.
Why the others are wrong: Reservations reduce cost, zones improve availability, and locks prevent changes or deletion.
Objective: Authentication.
Question 43
A user needs permission to restart virtual machines but should not manage access for other users. What should you assign?
Reveal answer and explanation
Correct answer: A. An Azure RBAC role with the required VM permissions
Azure role-based access control grants permissions to users, groups, service principals, or managed identities at a scope.
Azure role-based access control grants permissions to users, groups, service principals, or managed identities at a scope.
Why the others are wrong: Tags organize metadata, availability sets improve VM placement, and public IPs expose network endpoints.
Objective: Authorization.
Question 44
A team needs to give a contractor temporary read-only access to one resource group. Which approach best follows least privilege?
Reveal answer and explanation
Correct answer: A. Assign Reader at the resource group scope
Reader at the resource group scope grants only view access where needed.
Reader at the resource group scope grants only view access where needed.
Why the others are wrong: The other options grant too much privilege or violate identity best practices.
Objective: Least privilege.
Question 45
An application needs to store database passwords and rotate them securely. Which Azure service is designed for secrets management?
Reveal answer and explanation
Correct answer: A. Azure Key Vault
Azure Key Vault stores and controls access to secrets, keys, and certificates.
Azure Key Vault stores and controls access to secrets, keys, and certificates.
Why the others are wrong: Blob Storage stores objects, Traffic Manager routes DNS traffic, and App Configuration is not a secure secret vault by itself.
Objective: Secrets.
Question 46
You need to allow HTTPS traffic to a subnet but deny inbound Remote Desktop traffic from the internet. What Azure resource can apply these packet-filtering rules?
Reveal answer and explanation
Correct answer: A. Network security group
A network security group uses security rules to allow or deny inbound and outbound network traffic.
A network security group uses security rules to allow or deny inbound and outbound network traffic.
Why the others are wrong: Monitor visualizes telemetry, management groups organize subscriptions, and Policy evaluates compliance.
Objective: Network filtering.
Question 47
A storage account should be reachable from a virtual network using a private IP address instead of a public endpoint. Which feature best fits?
Reveal answer and explanation
Correct answer: A. Private endpoint
Private endpoints use Azure Private Link to expose supported services through private IP addresses in a virtual network.
Private endpoints use Azure Private Link to expose supported services through private IP addresses in a virtual network.
Why the others are wrong: The other choices do not provide private network access to the storage account.
Objective: Private access.
Question 48
A company wants a managed network security service that filters and logs traffic between networks using application and network rules. Which service should it use?
Reveal answer and explanation
Correct answer: A. Azure Firewall
Azure Firewall is a managed cloud network security service for filtering and logging traffic.
Azure Firewall is a managed cloud network security service for filtering and logging traffic.
Why the others are wrong: Functions runs code, Advisor recommends improvements, and Cost Management analyzes spending.
Objective: Perimeter security.
Question 49
A public-facing application needs additional protection against large distributed denial-of-service attacks. Which Azure service should be considered?
Reveal answer and explanation
Correct answer: A. Azure DDoS Protection
Azure DDoS Protection helps protect Azure resources from DDoS attacks, especially for internet-facing workloads.
Azure DDoS Protection helps protect Azure resources from DDoS attacks, especially for internet-facing workloads.
Why the others are wrong: Blueprints, Resource Graph, and Cloud Shell are governance/query/management tools, not DDoS mitigation services.
Objective: DDoS protection.
Question 50
An administrator wants a dashboard of security recommendations and workload protection capabilities across Azure resources. Which service should they review?
Reveal answer and explanation
Correct answer: A. Microsoft Defender for Cloud
Microsoft Defender for Cloud helps strengthen security posture and provides workload protection recommendations.
Microsoft Defender for Cloud helps strengthen security posture and provides workload protection recommendations.
Why the others are wrong: The other tools do not provide Azure security posture management recommendations.
Objective: Security posture.
Answer key
Reveal full answer key
| Question | Correct answer | Objective area |
|---|---|---|
| 41 | A | Identity |
| 42 | A | Authentication |
| 43 | A | Authorization |
| 44 | A | Least privilege |
| 45 | A | Secrets |
| 46 | A | Network filtering |
| 47 | A | Private access |
| 48 | A | Perimeter security |
| 49 | A | DDoS protection |
| 50 | A | Security posture |
Exam tip: AZ-900 questions usually reward the simplest Azure service or concept that exactly matches the requirement. Watch for distractors that are real services but solve a different problem.
Next: Continue with AZ-900 Questions 51-60 for compute, storage, and data service scenarios.
Sources
- Microsoft Learn: Study guide for Exam AZ-900
- Microsoft Learn: Microsoft Entra ID overview
- Microsoft Learn: Azure RBAC overview
- Microsoft Learn: Azure Storage redundancy
- Microsoft Learn: Azure Monitor overview
- Microsoft Learn: Azure Policy overview
- Microsoft Learn: Microsoft Cost Management overview
- Microsoft Learn: Shared responsibility in the cloud
