
Microsoft AZ-802: Secure Windows Server Hybrid Infrastructure

Try 10 focused Microsoft AZ-802 questions on Secure Windows Server Hybrid Infrastructure, with explanations, then continue with IT Mastery.

Open the matching IT Mastery practice page for timed mocks, topic drills, progress tracking, explanations, and full practice.


Topic snapshot

Exam route: Microsoft AZ-802
Topic area: Secure Windows Server Hybrid Infrastructure
Blueprint weight: 14%
Page purpose: Focused sample questions before returning to mixed practice

How to use this topic drill

Use this page to isolate Secure Windows Server Hybrid Infrastructure for Microsoft AZ-802. Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.

First attempt
  What to do: Answer without checking the explanation first.
  What to record: The fact, rule, calculation, or judgment point that controlled your answer.

Review
  What to do: Read the explanation even when you were correct.
  What to record: Why the best answer is stronger than the closest distractor.

Repair
  What to do: Repeat only missed or uncertain items after a short break.
  What to record: The pattern behind misses, not the answer letter.

Transfer
  What to do: Return to mixed practice once the topic feels stable.
  What to record: Whether the same skill holds up when the topic is no longer obvious.

Blueprint context: 14% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.

Sample questions

These questions are original IT Mastery practice items aligned to this topic area. They are designed for self-assessment and are not official exam questions.

Question 1

Topic: Secure Windows Server Hybrid Infrastructure

A company uses Microsoft Sentinel as its central workspace for security investigations. It must ingest Windows Security event logs from Windows Server VMs in Azure and from on-premises Windows Server machines. The on-premises servers are already onboarded to Azure Arc. The solution must use the current agent-based collection model and support centralized rule-based collection. Which configuration should you implement?

Options:

  • A. Install Microsoft Defender for Identity sensors on all Windows Server machines.

  • B. Create Azure Update Manager schedules for the servers.

  • C. Configure Microsoft Entra Connect Health agents on the servers.

  • D. Configure the Windows Security Events via AMA connector with a DCR assigned to the servers.

Best answer: D

Explanation: Microsoft Sentinel ingests Windows Server security evidence through a Log Analytics workspace by using supported data connectors. For Windows Security event logs, the current model is the Windows Security Events via Azure Monitor Agent connector. Azure Monitor Agent uses a data collection rule (DCR) to define which events are collected and can be assigned to Azure VMs and Azure Arc-enabled servers. This fits a hybrid Windows Server estate without requiring a separate on-premises SIEM forwarding path. Defender for Identity, Entra Connect Health, and Azure Update Manager solve neighboring monitoring or management problems, but they do not provide the requested Security event log ingestion path into Sentinel.

  • Identity sensor scope fails because Defender for Identity focuses on identity threat signals, primarily from domain controllers and related sensors.
  • Connect Health scope fails because Microsoft Entra Connect Health monitors identity synchronization and AD DS health, not Sentinel event ingestion.
  • Update scheduling fails because Azure Update Manager manages patching compliance and deployment, not security log collection.

Question 2

Topic: Secure Windows Server Hybrid Infrastructure

Your hybrid Windows Server environment uses Microsoft Defender for Servers and Microsoft Defender for Identity. Defender for Identity raises a high-severity alert: a domain service account used from APP01 attempted directory replication against a domain controller, consistent with DCSync behavior. Defender for Cloud also shows unrelated hardening recommendations for APP01. You must remediate the demonstrated security issue without blocking server management or disabling the application. Which configuration should you implement?

Options:

  • A. Assign an Azure Policy guest configuration baseline

  • B. Remove replication rights from the service account

  • C. Suppress the Defender for Identity alert

  • D. Apply an NSG rule blocking RDP to APP01

Best answer: B

Explanation: Defender for Identity evidence is identity-focused, not general server posture evidence. A DCSync-style alert indicates an account is attempting to use AD DS directory replication privileges against a domain controller. The appropriate remediation is to review that account, remove unnecessary replication permissions, rotate credentials as needed, and grant only the rights required by the application. Defender for Cloud recommendations may still be valid hardening work, but they do not directly remediate the identity permission that enabled the detected behavior. Treat the alert source and evidence as the guide for the control boundary.

  • Blocking RDP addresses interactive management exposure, not AD DS replication permissions used by the service account.
  • Guest configuration baselines improve operating system compliance but do not remove excessive directory replication rights.
  • Suppressing the alert hides evidence and leaves the identity attack path unchanged.

Question 3

Topic: Secure Windows Server Hybrid Infrastructure

A company runs Windows Server 2022 application servers in Azure and on-premises. The security team must prevent untrusted executables, DLLs, and scripts from running, while allowing Windows components and a signed line-of-business application. Different server groups need small workload-specific exceptions without changing the common baseline. Which WDAC design is the best fit?

Options:

  • A. Enable Microsoft Defender Antivirus cloud-delivered protection only

  • B. Use an enforced WDAC base policy with supplemental workload policies

  • C. Deploy WDAC in audit mode and leave it unchanged

  • D. Use AppLocker allow rules linked to each server OU

Best answer: B

Explanation: Windows Defender Application Control is designed to enforce code integrity decisions before code runs. For this workload, a shared enforced base policy should allow trusted sources such as Windows components and the signed line-of-business application, typically by signer or publisher rules. Supplemental WDAC policies are the right design for limited workload-specific allowances because they extend the base policy without requiring a separate baseline for every server group. Audit mode is useful during validation, but it does not meet the requirement to prevent execution. The key distinction is enforcement plus controlled exceptions, not only detection or traditional application inventory.

  • AppLocker fallback is less appropriate because the requirement specifically calls for WDAC-style code integrity enforcement across executables, DLLs, and scripts.
  • Antivirus protection can detect malicious content, but it does not define an allow-list policy for trusted code execution.
  • Audit-only WDAC records what would be blocked but does not stop untrusted code from running.

Question 4

Topic: Secure Windows Server Hybrid Infrastructure

A company has an Azure IaaS VM running Windows Server with one OS disk and two managed data disks. The security standard requires Azure Disk Encryption specifically, with disk encryption performed in the guest OS and encryption material protected by Azure Key Vault. Which configuration should you implement?

Options:

  • A. Enable Azure Disk Encryption for OS and data disks using Key Vault

  • B. Configure Azure Backup with encrypted Recovery Services vault storage

  • C. Enable server-side encryption with platform-managed keys on each managed disk

  • D. Enable Microsoft Defender for Servers disk protection recommendations

Best answer: A

Explanation: Azure Disk Encryption is the Azure IaaS VM feature that applies BitLocker-based encryption inside the Windows guest for OS and data volumes. For Windows Server VMs, the configuration uses the Azure Disk Encryption VM extension and Azure Key Vault to protect the encryption secrets and, optionally, key encryption keys. This matches a requirement that explicitly calls for Azure Disk Encryption rather than only storage-layer encryption. Managed disks already use server-side encryption at the storage platform layer, but that is not the same control as ADE guest-level BitLocker encryption.

  • Platform-managed disk encryption protects managed disks at the storage service layer, but it does not satisfy an explicit Azure Disk Encryption requirement.
  • Defender recommendations can identify security posture gaps, but they do not directly enable ADE on VM volumes.
  • Backup vault encryption protects backup data, not the live VM OS and data disks with guest-level BitLocker.

Question 5

Topic: Secure Windows Server Hybrid Infrastructure

A company has an on-premises AD DS forest synchronized to Microsoft Entra ID by Microsoft Entra Connect Sync. You must implement Microsoft Defender for Identity to detect suspicious activity against domain controllers, minimize unnecessary agent deployment, and use least-privilege AD access for sensor lookups. Which configuration should you use?

Options:

  • A. Install Defender for Identity sensors only on the Microsoft Entra Connect Sync server.

  • B. Onboard the servers to Defender for Cloud with Defender for Servers enabled.

  • C. Install Defender for Identity sensors on each domain controller and configure a gMSA directory services account.

  • D. Enable Microsoft Entra ID Protection for synchronized users only.

Best answer: C

Explanation: Microsoft Defender for Identity is designed to monitor on-premises identity signals from AD DS, especially activity observed on domain controllers. In this scenario, the requirement is not just cloud sign-in risk or server posture management; it is detection of suspicious AD activity such as reconnaissance, credential misuse, and lateral movement involving domain controllers. Installing the Defender for Identity sensor on each domain controller provides the required visibility without deploying agents broadly to unrelated member servers. A group managed service account (gMSA) is the recommended directory services account approach because it supports least-privilege AD queries and managed password rotation.

The key distinction is that Microsoft Entra synchronization does not make Microsoft Entra ID Protection a replacement for on-premises domain controller telemetry.

  • Sync server only misses most domain controller activity because the Entra Connect server is not the primary telemetry source for AD DS authentication and directory operations.
  • Cloud risk only addresses Microsoft Entra sign-in and user risk, not suspicious activity occurring inside AD DS.
  • Server posture improves security management for servers but does not provide Defender for Identity domain controller detections.

Question 6

Topic: Secure Windows Server Hybrid Infrastructure

A company uses on-premises AD DS with Microsoft Entra Connect Sync and Azure Arc-enabled Windows Server 2022 domain controllers. An audit finds that server operators can sign in to domain controllers through inherited GPO settings, and privileged admins often use the same accounts on member servers and domain controllers. Which design best hardens the domain controllers while preserving AD DS functionality?

Options:

  • A. Install Microsoft Entra Connect Sync on each DC

  • B. Use Azure RBAC through Azure Arc for DC administration

  • C. Apply a DC-specific baseline and tier-0 admin model

  • D. Allow RDP only through an RD Gateway with MFA

Best answer: C

Explanation: Domain controllers are tier-0 assets, so hardening should focus on limiting who can interactively access them and where privileged credentials are used. A DC-specific GPO baseline can restrict local and Remote Desktop sign-in, remove broad server-operator access, enforce Windows Defender Firewall and security settings, and keep DCs in the Domain Controllers OU policy scope. A tier-0 admin model uses dedicated privileged accounts and privileged access workstations for DC administration, reducing the chance that domain administrator credentials are exposed on lower-trust member servers. Azure Arc can monitor and govern servers, but it does not replace AD DS privilege boundaries for domain controller administration.

  • Azure RBAC boundary fails because Azure Arc management rights do not control AD DS tier-0 administrative access on domain controllers.
  • Sync on DCs increases dependency and attack surface; Microsoft Entra Connect Sync does not harden domain controller logon paths.
  • RD Gateway only improves remote access control but does not remove excessive DC logon rights or separate privileged credentials.

Question 7

Topic: Secure Windows Server Hybrid Infrastructure

You add several domain admin accounts to the AD DS Protected Users group. An admin can sign in to a privileged access workstation and open Active Directory tools. However, when the admin connects from Windows Admin Center to SRV-DB01 by IP address, the connection fails immediately.

Target server log excerpt:

Event: 4625
Account: CONTOSO\Admin01
Authentication Package: NTLM
Status: Logon failure

Other admins not in Protected Users can connect the same way. What is the best root cause?

Options:

  • A. The workstation cannot cache the admin password for offline sign-in.

  • B. Microsoft Entra Conditional Access is blocking Windows Admin Center.

  • C. Kerberos cannot be used, and NTLM is blocked for Protected Users.

  • D. The account has an expired four-hour Kerberos TGT.

Best answer: C

Explanation: Protected Users is an AD DS security group that applies stronger protections to privileged accounts, including preventing NTLM authentication and reducing credential exposure. The key evidence is the target server log showing Authentication Package: NTLM for the protected admin. Connecting to a server by IP address commonly prevents Kerberos from matching the required service principal name, so the client falls back to NTLM. That fallback works for non-protected admins but fails for a Protected Users member. The diagnostic conclusion is not that Windows Admin Center itself is unhealthy; the authentication path is incompatible with the protections applied to the account.

  • Offline credential caching is not the issue because the admin successfully signs in and reaches management tools.
  • Conditional Access does not match the evidence, which shows an on-premises NTLM logon failure on the target server.
  • Expired TGT is not supported by the log because the failed attempt used NTLM rather than Kerberos.

Question 8

Topic: Secure Windows Server Hybrid Infrastructure

A company manages on-premises Windows Server domain controllers and Azure Arc-enabled member servers. Microsoft Defender for Identity reports that privileged AD DS accounts are being used from jump servers where credential theft is a concern. The accounts are human administrator accounts, not service accounts. You must reduce the risk of NTLM use, cached credentials, and credential delegation for these accounts with the least administrative impact. Which design best fits?

Options:

  • A. Mark the accounts as trusted for delegation

  • B. Enable Password never expires

  • C. Add the accounts to Protected Users

  • D. Add the accounts to Domain Admins

Best answer: C

Explanation: The Protected Users security group is designed for high-privilege human accounts that need stronger credential protections. Members cannot authenticate with NTLM, Digest, or CredSSP, and their credentials are not cached in the same way as standard accounts. This also helps reduce delegation-related credential exposure. Because the scenario involves human privileged accounts and a credential-theft risk, this is a better fit than increasing privileges or changing password-expiration behavior. Service accounts should be evaluated carefully before using Protected Users because some authentication and delegation scenarios can break.

  • More privilege fails because adding accounts to Domain Admins increases administrative reach rather than reducing credential-theft risk.
  • Password setting fails because a non-expiring password does not block NTLM, cached credentials, or delegation.
  • Delegation trust fails because allowing delegation increases the type of credential exposure the design is trying to reduce.

Question 9

Topic: Secure Windows Server Hybrid Infrastructure

Microsoft Defender for Identity reports that a domain service account used by an IIS application is a member of Account Operators and is configured for unconstrained Kerberos delegation. The application only needs to access one SQL Server service by using Kerberos. You must preserve the application flow while applying least privilege. Which configuration should you implement?

Options:

  • A. Remove the account from Account Operators and configure constrained delegation to the SQL SPN only.

  • B. Add the account to Protected Users and leave delegation unchanged.

  • C. Convert the account to a domain administrator-managed service account.

  • D. Disable NTLM for the domain by using Group Policy.

Best answer: A

Explanation: The core remediation is to reduce both privilege and delegation scope. A service account that only needs to access one backend service should not belong to an administrative group such as Account Operators, and it should not be trusted for delegation to any service. Kerberos constrained delegation lets you specify only the required service principal name, such as the SQL Server SPN, so the IIS application can still perform the required delegated access without creating a broad credential-theft path.

Blocking NTLM or changing account type might be useful in other identity-hardening scenarios, but they do not directly fix unconstrained Kerberos delegation plus unsafe administrative membership.

  • Protected Users can restrict delegation behavior, but leaving the existing delegation configuration and group membership unchanged does not meet the least-privilege requirement.
  • NTLM blocking addresses legacy authentication risk, not this Kerberos delegation and administrative membership finding.
  • Domain administrator-managed account over-privileges the workload and does not scope delegation to the required SQL service.
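The remediation described in the Question 9 explanation, as an added PowerShell example (not part of the IT Mastery page) using the ActiveDirectory module; the service account name, the SQL Server SPN and the domain are placeholders.

```powershell
# Added example: apply least privilege to the IIS service account from Question 9.
# Names below are placeholders, not values from the page.
Import-Module ActiveDirectory

$svc    = 'svc-iisapp'                           # placeholder service account
$sqlSpn = 'MSSQLSvc/sql01.contoso.com:1433'      # placeholder SQL Server SPN

$acct = Get-ADUser -Identity $svc -Properties MemberOf, TrustedForDelegation,
    TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

# 1. Remove the administrative group membership the workload does not need.
if ($acct.MemberOf -match '^CN=Account Operators,') {
    Remove-ADGroupMember -Identity 'Account Operators' -Members $acct -Confirm:$false
}

# 2. Clear unconstrained delegation (TRUSTED_FOR_DELEGATION) and keep delegation
#    Kerberos-only (no protocol transition).
Set-ADAccountControl -Identity $acct -TrustedForDelegation $false -TrustedToAuthForDelegation $false

# 3. Constrain delegation to the single SQL Server SPN the application needs.
Set-ADUser -Identity $acct -Replace @{ 'msDS-AllowedToDelegateTo' = $sqlSpn }

# 4. Verify the end state: no unconstrained flag, exactly one allowed SPN,
#    and no Account Operators membership.
Get-ADUser -Identity $svc -Properties MemberOf, TrustedForDelegation, 'msDS-AllowedToDelegateTo' |
    Select-Object SamAccountName, TrustedForDelegation,
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ';' } },
        @{ n = 'AccountOperator';     e = { [bool]($_.MemberOf -match '^CN=Account Operators,') } }
```

Rotate the account's password afterwards, as the Question 2 explanation recommends for an account whose rights were previously excessive.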

Question 10

Topic: Secure Windows Server Hybrid Infrastructure

A Windows Server 2022 workload has a Windows Defender Application Control policy intended to allow only Microsoft-signed and Contoso-signed code. After a reboot, an unsigned diagnostic utility still starts successfully.

Exhibit: CodeIntegrity Operational log excerpt

Policy: Contoso-WDAC-Server
Event ID: 3076
Message: Code Integrity determined that a process would have been blocked.
File: C:\Tools\diag.exe
Policy enforcement: Audit

What is the most likely root cause?

Options:

  • A. Microsoft Defender Antivirus has excluded the folder.

  • B. The server must be joined to Microsoft Entra ID.

  • C. The file is allowed by an AppLocker default rule.

  • D. The WDAC policy is deployed in audit mode.

Best answer: D

Explanation: Windows Defender Application Control can evaluate code in audit mode or enforced mode. In audit mode, WDAC records what it would block without preventing execution. The CodeIntegrity event explicitly says the unsigned file “would have been blocked” and lists policy enforcement as Audit, which explains why diag.exe still starts. To restrict untrusted code execution, the administrator must deploy or switch to an enforced WDAC policy after validating that required workload binaries are allowed. AppLocker, antivirus exclusions, and Microsoft Entra join state do not explain this specific CodeIntegrity evidence.

  • AppLocker default rule is not supported by the WDAC log evidence; the event is from CodeIntegrity and says WDAC only audited the block.
  • Antivirus exclusion affects malware scanning, not whether WDAC enforces code trust decisions.
  • Microsoft Entra join is not required for WDAC enforcement on a Windows Server workload.
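A way to confirm the Question 10 root cause and then move the policy to enforcement, as an added PowerShell example (not part of the IT Mastery page) that reads the same CodeIntegrity Operational log as the exhibit; the policy XML path is a placeholder, and the event field names are taken from the 3076/3077 event schema.

```powershell
# Added example: list audit-only WDAC decisions (3076) next to real blocks (3077)
# from the last seven days, then remove audit mode from the policy source.
$filter = @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = 3076, 3077        # 3076 = "would have been blocked" (audit), 3077 = blocked
    StartTime = (Get-Date).AddDays(-7)
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull named EventData fields out of the event XML.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Outcome    = if ($_.Id -eq 3076) { 'AuditOnly' } else { 'Blocked' }
            File       = $d['File Name']      # field name as documented for 3076/3077
            PolicyName = $d['PolicyName']     # blank if the build omits this field
        }
    } | Sort-Object Time -Descending | Format-Table -AutoSize

# Any 'AuditOnly' row for an untrusted file is the condition in the exhibit:
# the policy logged diag.exe but let it run. After confirming that every
# required workload binary is allowed, remove rule option 3 (Enabled:Audit Mode)
# from the policy source and rebuild the binary policy for deployment.
$xml = 'C:\Policies\Contoso-WDAC-Server.xml'   # placeholder path to the policy source
Set-RuleOption -FilePath $xml -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath $xml -BinaryFilePath 'C:\Policies\Contoso-WDAC-Server.cip'
```

Deploy the rebuilt .cip through the same channel used for the audit policy and confirm that later events for untrusted files arrive as 3077 rather than 3076.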

Continue with full practice

Use the Microsoft AZ-802 Practice Test page for the full IT Mastery practice bank, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.


Free review resource

Read the Microsoft AZ-802 Cheat Sheet for compact concept review before returning to timed practice.

Revised on Monday, May 25, 2026