Below is our fourth free AZ-500 Practice Test. This final test in our series is designed to help you review advanced Azure security topics and assess your readiness for the Microsoft Azure Security Engineer Associate certification. Use it as a final step in your exam preparation journey.
Question 1 of 20
An admin is configuring app registration permissions. What happens when the admin grants consent for the entire tenant?
Question 2 of 20
In an OAuth 2.0 authorization request, how does a client application specify which delegated permissions it is requesting from the resource owner?
Question 3 of 20
An administrator has been asked to prevent a specific user from accessing an Azure AD-registered application to which they previously granted consent. Which action should the administrator take?
Question 4 of 20
A service principal used for authenticating against the Azure Databricks API has been deactivated. Which of the following outcomes will occur as a result of this deactivation?
Question 5 of 20
Which of the following are considered best practices for securing service principals in Azure to prevent unauthorized access? (Select two)
Question 6 of 20
Which of the following statements about system-assigned managed identities in Azure are not true? (Select two)
Question 7 of 20
An Entra ID application workload is hosted on an Azure compute resource that has a managed identity. How can the workload use the managed identity to acquire a token that can be exchanged for an Entra ID Application Token?
Question 8 of 20
John is configuring Azure Application Proxy. He selected Azure Active Directory as the pre-authentication method. However, when attempting to access API calls, the proxy fails. What is the most likely cause of this issue?
Question 9 of 20
Jane wants all internet-bound traffic from her Azure virtual network to be routed through an on-premises firewall for security inspection. She configured user-defined routes (UDRs) with forced tunneling to redirect internet traffic through a site-to-site VPN connection. Which type of VPN gateway must be used to support this configuration?
Question 10 of 20
You are implementing user-defined routes (UDRs) in Azure to direct traffic to a virtual network gateway. After adding the custom routes to the route table, what is the next logical step to ensure the routes take effect?
Question 11 of 20
Contoso operates two Azure virtual networks: VNet-US (address space 10.1.0.0/16) in East US and VNet-EU (address space 10.0.0.0/16) in North Europe. The networks are connected via global VNet peering, and both peering links have ‘Allow forwarded traffic’ and ‘Virtual network access’ enabled.
A legacy application in VNet-US is published behind an internal Basic Load Balancer with frontend IP 10.1.10.4. Network Security Groups allow all required ports, and no overlapping IP ranges exist. When a VM in VNet-EU (10.0.1.4) tries to reach 10.1.10.4, the connection fails. You must restore connectivity without introducing gateways, public IPs, or additional peerings.
Which action should you take?
Question 12 of 20
You create a route table RT-InternetInspect with one entry:
0.0.0.0/0 → Virtual network gateway
Your goal is to force all outbound traffic from the Web-Subnet (10.5.2.0/24) through an on-premises firewall reachable via a site-to-site VPN. After adding the route, VMs in Web-Subnet still reach the internet directly instead of through the VPN. What is the most likely configuration error?
Question 13 of 20
You are configuring a Standard Virtual WAN for a customer in Azure. While preparing to implement custom routing policies, you notice that preexisting routes are present in the Routing section of the associated Virtual Hub in the Azure portal.
Before creating new route tables, what is the most appropriate action you should take to ensure routing functions as expected?
Question 14 of 20
You are configuring Point-to-Site (P2S) VPN authentication using RADIUS on an Azure VPN gateway. However, while reviewing the P2S configuration page in the Azure portal, you are unable to view or configure the tunnel type and authentication type options.
You confirm that the VPN gateway is currently using the Basic SKU.
What should you do to enable tunnel type and authentication type configuration for P2S?
Question 15 of 20
You are configuring a site-to-site VPN between Microsoft Azure and an on-premises Check Point Security Gateway using a route-based (gateway-to-gateway) VPN architecture. In Check Point SmartConsole, which VPN Tunnel Sharing setting should you select to align with this configuration?
Question 16 of 20
An administrator is configuring MACsec encryption on a 10 Gbps ExpressRoute Direct port. Which of the following are valid Non-XPN cipher suites supported for this configuration? (Choose two.)
Question 17 of 20
When configuring IPsec over ExpressRoute, which of the following Azure resources and configurations should be in place before creating a virtual WAN and hub with gateways? (Choose two.)
Question 18 of 20
An enterprise is using both VPN and ExpressRoute to connect on-premises networks to Azure. The administrator wants to ensure that traffic prefers ExpressRoute when available, and VPN only as a fallback. Which BGP advertisement strategy should be used to support this design?
Question 19 of 20
You are creating a network security group (NSG) rule using application security groups (ASGs) as both the source and destination. AsgWeb is associated with network interfaces in VNet-A, and AsgDb is associated with network interfaces in VNet-B. What will happen if you try to use AsgWeb as the source and AsgDb as the destination in the same NSG rule?
Question 20 of 20
Your company runs a multi-tier web application in Azure using Platform as a Service (PaaS) components. The backend tier consists of a group of Azure App Service instances integrated into a subnet protected by a network security group (NSG). For routine maintenance, a DevOps engineer has an active SSH session from a jump box virtual machine into one of the App Service environments running in a custom container. To improve security posture, the security team removes the NSG rule that allowed SSH (TCP port 22) access from the jump box to the subnet.
Shortly after, the DevOps engineer reports that their current SSH session is still responsive and fully functional. However, attempts to initiate a new SSH session fail. What best explains the behavior observed in this scenario?