Security And Governance Boundary — Azure Fundamentals (AZ-900)
Sentinel Detects. Defender Postures. RBAC Governs. Entra Authenticates.
Questions in this domain use verbs to signal the correct service. 'Monitor and detect threats across the environment' points to Microsoft Sentinel. 'Assess security posture and remediate misconfigurations' points to Defender for Cloud. 'Control who can perform which actions on which resource' maps to Azure RBAC. 'Manage user identities, groups, and app access' belongs to Microsoft Entra ID. Candidates who conflate detection with protection, or governance with authentication, will consistently misread the question's intent.
What This Pattern Tests
Azure security questions test four distinct control planes. RBAC controls who can manage resources (Contributor, Reader, custom roles) scoped to management group, subscription, resource group, or resource. Azure Policy controls what resource configurations are allowed (enforce tags, restrict VM sizes, require encryption). NSGs control network traffic at the subnet or NIC level. Conditional Access controls authentication requirements (MFA, compliant device, location). The exam tests whether you apply the right control at the right layer — using Azure Policy to enforce encryption at rest, not RBAC.
Decision Axis
Security layer (identity vs. configuration vs. network vs. authentication) determines which Azure control applies.
Associated Traps
More Top Traps on This Exam
Decision Rules
Whether Microsoft Entra Conditional Access (signal-based authentication policy) or Azure RBAC (resource permission scoping for authenticated identities) satisfies a requirement to enforce MFA conditionally based on network location and user type.
Domain Coverage
Difficulty Breakdown