Azure AD, Conditional Access, Azure Monitor, Azure Policy at scale, and compliance management patterns.
Contoso Ltd is a global financial institution with 80 Azure subscriptions spread across 4 management groups. They currently use a decentralized logging approach where each application team deploys their own Log Analytics workspace.
The Chief Information Security Officer (CISO) requires a new logging architecture that meets the following requirements:
Which Log Analytics workspace architecture should you recommend?
Fabrikam Inc. operates a hybrid cloud environment with 500 on-premises VMware virtual machines running Windows Server and Linux, and 200 Azure VMs.
The company wants to standardize its monitoring and governance strategy. You need to design a solution that meets the following requirements:
Which TWO components must you include in your design? (Select TWO)
A startup company has a single Azure subscription with a monthly budget of $5,000.
The CFO wants to ensure that the development team is notified immediately if the forecasted spending for the current month exceeds $4,500. The solution must not require writing any custom code and must be implemented with the least administrative effort.
Which Azure service should you configure?
You are designing an Azure Sentinel architecture for a Managed Security Service Provider (MSSP).
The MSSP manages security for 15 different enterprise customers. Each customer has their own Azure Active Directory (Microsoft Entra ID) tenant and strict data residency requirements (some in the US, some in the EU). The MSSP's Security Operations Center (SOC) team needs to view and correlate incidents across all 15 customers from a single pane of glass.
Which TWO technologies should you include in your design to meet these requirements? (Select TWO)
You are designing a governance strategy for a large enterprise with 150 Azure subscriptions.
The enterprise has the following compliance requirements:
Which THREE components should you include in your governance design? (Select THREE)
A company has a critical Azure SQL Database hosting their ERP system.
To prevent accidental deletion, an administrator applies a 'CanNotDelete' resource lock to the resource group containing the database.
A developer with the 'Owner' RBAC role on the resource group attempts to delete the SQL Database.
What will be the outcome, and why?
Your enterprise is adopting the Microsoft Cloud Adoption Framework (CAF) for Azure.
You need to design an Azure Landing Zone architecture that provides a scalable, secure, and governed environment for new application workloads. The design must separate platform resources (like ExpressRoute and central firewalls) from application workloads.
Which TWO management groups are standard components of the enterprise-scale Landing Zone architecture? (Select TWO)
A development team needs the ability to start and stop Azure Virtual Machines in a specific resource group. They should not be able to create new VMs, delete existing VMs, or modify network settings.
You review the built-in Azure RBAC roles and find that none perfectly match these exact requirements.
What should you do?
Fabrikam Inc. is a global financial services company with 200 Azure subscriptions managed via a complex Management Group hierarchy. They currently operate in 5 Azure regions.
The security team requires that all security logs, performance metrics, and application telemetry from all resources across all subscriptions be collected for threat hunting and compliance reporting. The compliance team mandates that data must be retained for 2 years, and access to logs must be strictly segregated so that regional IT teams can only query logs for resources in their respective regions.
Which Log Analytics workspace architecture should you recommend to minimize operational overhead while meeting all security and compliance requirements?
A healthcare organization has 500 on-premises Windows Server VMs and 300 Azure VMs. They are implementing Azure Monitor to collect performance counters and event logs across the entire hybrid environment.
The CIO has mandated a strict cost optimization policy. You need to design a monitoring solution that meets the following requirements:
Which THREE actions should you include in your recommendation? (Select THREE)
You are designing a security monitoring solution using Microsoft Sentinel.
The compliance department requires that all security incident data and associated logs be retained for exactly 7 years. The data must be available for interactive querying for the first 90 days, and afterward, it must be retained at the lowest possible cost while still being accessible for compliance audits within 48 hours if requested.
Which data retention strategy should you configure in the Log Analytics workspace?
Your company has a microservices application deployed across multiple Azure App Service instances. Each microservice sends telemetry to its own dedicated Application Insights instance.
The operations team needs to create an Azure Monitor Workbook that correlates performance data across all microservices to identify bottlenecks in the end-to-end transaction flow.
Which TWO approaches can you use to query data across multiple Application Insights instances? (Select TWO)
A global enterprise has 50 Azure subscriptions organized under a single root Management Group. They have three main business units: North America (NA), Europe (EU), and Asia Pacific (APAC).
Due to strict GDPR compliance, the EU business unit must be absolutely restricted from deploying any resources outside of the 'West Europe' and 'North Europe' Azure regions. The NA and APAC units have no such restrictions.
You need to design a governance solution that enforces this requirement with the least administrative effort. What should you do?
Your organization is implementing a chargeback model using Microsoft Cost Management.
The finance department requires that every Azure resource be tagged with a 'CostCenter' tag. If a user attempts to create a resource without this tag, the deployment must be blocked. Furthermore, for existing resources missing the tag, the tag should be automatically added with a value of 'Unassigned'.
Which THREE Azure Policy effects should you use to achieve this? (Select THREE)
You have an Azure Storage account containing critical compliance archives.
You apply a 'ReadOnly' resource lock to the Storage account at the Azure Resource Manager (ARM) level.
What is the effect of this lock on the data within the Storage account?
Your company is adopting Azure and needs to deploy 20 new subscriptions for various project teams.
Each subscription must be provisioned with a standard set of role assignments, Azure Policies, and a core virtual network topology. You want to ensure this provisioning process is repeatable, version-controlled, and aligns with the Microsoft Cloud Adoption Framework.
Which solution should you recommend?
Contoso Ltd is a global manufacturing company with 50,000 employees across 30 countries. They currently operate a mix of on-premises infrastructure and Azure (20 subscriptions with 100+ VMs and various PaaS services).
The company needs to design a centralized logging and monitoring solution. The security team requires full visibility into all security events across all subscriptions. However, individual application teams must only be able to view logs and metrics for their specific resources. Data sovereignty laws require that logs generated by resources in the European Union (EU) remain in the EU.
Which Log Analytics workspace architecture should you recommend to meet ALL requirements while minimizing operational overhead?
Fabrikam Inc. is a Managed Service Provider (MSP) managing Azure environments for 50 different enterprise customers. Each customer has their own Microsoft Entra ID (Azure AD) tenant and multiple Azure subscriptions.
Fabrikam needs to implement a centralized security monitoring and incident response solution. The Fabrikam Security Operations Center (SOC) team must be able to view alerts, hunt for threats, and run automated playbooks across all 50 customer tenants from a single pane of glass. Customers must retain ownership of their data, and Fabrikam must not require guest accounts in customer tenants.
Which combination of Azure services should you recommend?
A financial institution generates 5 TB of telemetry and audit logs daily across its Azure environment.
The company has the following requirements for log data:
Which TWO actions should you recommend to optimize the architecture? (Select TWO)
A retail company has recently migrated several workloads to Azure. The IT Director wants a centralized dashboard that provides actionable recommendations to optimize their Azure deployments.
The recommendations must cover:
Which Azure service should you recommend as the primary tool to meet these requirements?
An organization mandates that every new Azure Virtual Machine must have the Azure Monitor Agent (AMA) installed automatically upon creation to ensure compliance with monitoring standards.
If a developer deploys a VM without the agent, the system should automatically install the agent without blocking the VM deployment process.
Which Azure Policy effect should you use in your policy definition?
A multinational corporation is designing its Azure landing zone architecture. The company has 5 distinct Business Units (BUs).
Requirements:
You need to design a Management Group hierarchy. Which THREE actions should you include in your design? (Select THREE)
The finance department requires that all Azure resources be tagged with a 'CostCenter' tag for billing allocation.
You need to ensure that if a user attempts to create a resource without the 'CostCenter' tag, the resource is created anyway, but the tag is automatically added with a default value of 'Unassigned'.
Which Azure Policy effect should you use?
You are the Azure Architect for a company. A critical production Azure SQL Database is hosted in a resource group named RG-Prod-DB.
To prevent accidental deletion, you apply a CanNotDelete resource lock to the RG-Prod-DB resource group.
A database administrator, who has the 'Owner' RBAC role on the resource group, attempts to delete the Azure SQL Database.
What will be the result of this action?
Contoso Ltd has 50 Azure subscriptions managed via a complex Management Group hierarchy. They are designing a centralized monitoring solution using Azure Monitor and Log Analytics.
The security team requires strict isolation of security logs, accessible only by the SOC team. The application teams require access to their own performance and application logs. You need to design the Log Analytics workspace architecture to minimize administrative overhead while meeting these access requirements.
Which architecture should you recommend?
You are designing a monitoring solution for a hybrid environment consisting of 200 Azure VMs and 300 on-premises VMware VMs.
You need to collect guest operating system metrics, application logs, and security events from all 500 VMs into a single Azure Log Analytics workspace. The solution must support Azure Policy for automated deployment and ensure that on-premises VMs are treated as first-class Azure resources for governance.
Which combination of services should you recommend?
Your enterprise has a monthly Azure spend of $200,000 across 40 subscriptions. The finance department requires strict cost allocation back to 5 different business units.
You need to design a cost management strategy that ensures all deployed resources are properly categorized for chargeback, and that business unit owners are notified if their specific spending exceeds predefined monthly limits.
Which TWO actions should you include in your design? (Select TWO)
You are designing the monitoring architecture for a globally distributed microservices application hosted on Azure Kubernetes Service (AKS) across three regions.
The development team needs to trace requests end-to-end as they flow through the microservices, identify performance bottlenecks, and view application dependency maps. The solution must minimize custom coding.
Which Azure service should you recommend?
You are designing the Azure resource organization for a large enterprise. The enterprise has three main divisions: Retail, Manufacturing, and Finance.
The Finance division requires strict compliance policies (e.g., PCI-DSS) that must not affect the other divisions. The Retail and Manufacturing divisions share common security policies. All divisions must inherit a baseline set of corporate policies (e.g., allowed regions).
How should you design the Management Group hierarchy?
Your company is expanding its Azure footprint to Europe. Due to strict GDPR requirements, you must ensure that no Azure resources can be deployed outside of the 'West Europe' and 'North Europe' regions for a specific set of subscriptions.
You need to design a governance solution to enforce this requirement. The solution must automatically prevent non-compliant deployments and provide a dashboard showing compliance status.
Which TWO components should you include in your design? (Select TWO)