Plan and implement identity and security
Drill 17 practice questions focused entirely on Plan and implement identity and security for the Microsoft AZ-140 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
Your company runs a pooled, multi-session Azure Virtual Desktop host pool used by call center staff. Security requires that only a curated set of signed, IT-approved applications may execute on the session hosts, and any unapproved executable, script, or installer must be blocked automatically — including software users might download. The solution must be enforced at the Windows kernel level and centrally managed. Which Windows threat protection feature should you implement on the session hosts?
Your organization runs a pooled Azure Virtual Desktop host pool in a spoke virtual network. Security policy requires that all outbound internet traffic from the session hosts be forced through an Azure Firewall in the hub virtual network. After you configure a User-Defined Route (UDR) pointing 0.0.0.0/0 to the firewall's private IP, users report they can no longer connect to their desktops and the session hosts show as unavailable in the host pool. You must allow the required AVD control-plane traffic while keeping all other outbound traffic filtered. What should you configure on the Azure Firewall?
A financial services company must deploy an Azure Virtual Desktop pooled host pool that processes highly sensitive data. Compliance requires that the memory of each session host be encrypted and isolated from the underlying hypervisor, with hardware-based attestation of the VM's integrity at boot. The team wants to use a purpose-built VM offering rather than manually layering security features onto a standard VM. Which session host VM configuration meets these requirements?
Your organization runs a pooled AVD host pool for finance staff. Security requires that the session hosts be hardened against ransomware that attempts to modify or encrypt files in users' FSLogix-mounted profile folders and known application data directories. You must enable a Microsoft Defender feature that blocks untrusted processes from writing to protected folders, while still allowing your approved line-of-business application to save files there. What should you configure?
You manage a pooled Azure Virtual Desktop host pool running Windows 11 multi-session. Security requires you to reduce the attack surface by blocking Office applications from creating child processes and from injecting code into other processes, using the built-in Microsoft Defender Antivirus capabilities. You want to enforce this centrally without deploying third-party software. Which Defender feature should you configure on the session hosts?
You manage a pooled Azure Virtual Desktop host pool running Windows 11 Enterprise multi-session with Microsoft Defender Antivirus enabled. Users store their profiles in FSLogix profile containers hosted on Azure Files. Users report intermittent profile corruption and slow logon times. Investigation shows Defender Antivirus is actively scanning the mounted VHDX files during logon. What should you configure to resolve the issue while keeping Defender Antivirus protection enabled?
Your company runs a pooled Azure Virtual Desktop host pool. The security team enabled Microsoft Defender for Cloud with the enhanced security features (Defender for Servers Plan 2) on the subscription containing the session hosts. In the Defender for Cloud recommendations, you see 'Management ports of your virtual machines should be protected with just-in-time network access control' flagged as unhealthy for all session host VMs. Management currently uses the default deny-inbound behavior via NSGs, and no administrator connects over RDP directly. You must resolve the recommendation with the least ongoing administrative effort while preserving occasional break-glass administrative access. What should you do?
Your organization runs a pooled Azure Virtual Desktop deployment with 40 multi-session session hosts. The security team wants to enable advanced threat protection that provides behavioral analytics, adaptive application controls, and integrated vulnerability assessment for these session host VMs. They require these capabilities to appear as security alerts and recommendations in Microsoft Defender for Cloud. Which action should you take?
Your company runs a pooled Azure Virtual Desktop host pool with non-persistent session hosts deployed from a golden image in an Azure Compute Gallery. Security requires that every session host report to Microsoft Defender for Endpoint with correct device identity, and that newly recreated hosts appear automatically without producing duplicate or orphaned device entries in the Defender portal. What should you do to onboard the session hosts?
Your organization runs a pooled Azure Virtual Desktop host pool with Windows 11 Enterprise multi-session session hosts that are onboarded to Microsoft Defender for Endpoint. A security review finds that a local administrator on one session host disabled Microsoft Defender Antivirus real-time protection during a troubleshooting session, leaving the host unprotected for several hours. You must ensure that security settings such as real-time protection cannot be turned off locally, even by users with administrative rights on the session host, while requiring the least ongoing administrative effort. What should you do?
Your organization runs a pooled AVD host pool with 30 multi-session Windows 11 Enterprise session hosts. The security team wants a continuous, prioritized inventory of software vulnerabilities and misconfigurations on the session hosts, along with remediation recommendations, surfaced in a central portal. They have already enabled Microsoft Defender for Servers Plan 2 on the subscription containing the session hosts. Which capability satisfies this requirement without deploying any additional third-party scanning agents?
A company is deploying a pooled Azure Virtual Desktop host pool to run a legacy line-of-business application that requires Kerberos authentication and Group Policy for configuration. The organization is fully cloud-based with identities in Microsoft Entra ID only; there are no on-premises domain controllers and no site-to-site VPN or ExpressRoute connectivity. Users must be able to sign in to the session hosts and have the application authenticate using traditional domain services. Which identity solution should you implement for the session hosts?
Your organization uses Azure Virtual Desktop with session hosts that are Microsoft Entra hybrid joined to an on-premises Active Directory Domain Services (AD DS) domain synchronized to Microsoft Entra ID. Users authenticate to session hosts and then need to access on-premises file shares and internal web apps that rely on Kerberos authentication. You want users to sign in to the session hosts with FIDO2 security keys (passwordless) while still being able to access the Kerberos-protected on-premises resources without a password prompt. Which feature must you enable to make this scenario work?
Your organization runs an Azure Virtual Desktop personal host pool. Administrators occasionally connect to individual session hosts via RDP (port 3389) for direct troubleshooting, but the security team requires that management ports remain closed by default and are only opened for a limited, approved time window when access is explicitly requested. All session hosts are protected by Microsoft Defender for Cloud (enhanced security features enabled). Which solution meets these requirements with the least administrative effort?
Your organization deploys an AVD host pool in a subnet that is locked down by a network security group (NSG). The security team wants to deny all outbound internet traffic by default but must still allow the session hosts to reach the AVD control plane (agent registration, broker, gateway, and diagnostics) without maintaining a manually updated list of public IP addresses. Which NSG outbound rule configuration best meets this requirement?
Your organization deploys a pooled AVD host pool. The service desk team must be able to start, restart, and shut down individual session host VMs in the resource group that contains them, but they must NOT be able to modify VM configuration, resize VMs, delete VMs, or change any AVD host pool objects. You want to follow the principle of least privilege using built-in Azure roles. Which role assignment should you grant the service desk team on the resource group containing the session host VMs?
A government agency requires all employees to authenticate to AD DS-joined AVD session hosts using physical smart cards issued by their PKI. Users connect from managed Windows client devices using the Windows App client. During testing, users can reach the session host logon screen but cannot present their smart card credential to the remote session — the smart card reader is not visible inside the AVD session. What must you configure to enable smart card authentication within the remote session?
More AZ-140 practice
Keep going with the other Microsoft Azure Virtual Desktop Specialty (AZ-140) domains, or take a full timed mock exam.
← Back to AZ-140 overview