Medium · 1 mark · Multiple Choice
Domain 3.1: Backup and Disaster Recovery · Domain 3 · Azure Backup · Security · Ransomware

AZ-305 · Question 33 · Domain 3.1: Backup and Disaster Recovery

A financial company uses Azure Blob Storage to store immutable audit logs.

Recently, a compromised administrator account was used to maliciously delete several storage accounts and their associated backups.

You need to design a solution to protect against this specific ransomware/malicious insider threat. The solution must ensure that even a user with the highest administrative privileges cannot delete the backup data before a specified retention period expires.

What should you configure?

Answer options:

A. Soft delete for Azure Backup

B. Multi-user authorization (MUA) for Azure Backup

C. Azure Resource Locks (CanNotDelete)

D. Customer-managed keys (CMK) for encryption

How to approach this question

Identify the feature that requires a 'two-man rule' for destructive actions.

Full Answer

B. Multi-user authorization (MUA) for Azure Backup ✓ Correct
Multi-user authorization (MUA) for Azure Backup adds an extra layer of protection to critical operations. It uses an Azure Resource Guard to ensure that destructive operations (like deleting backup data or disabling soft delete) require authorization from a different identity, often residing in a completely separate Azure AD tenant. This 'two-man rule' prevents a single compromised admin account from destroying backups.

Common mistakes

Choosing Resource Locks or Soft Delete. A compromised admin with Owner rights can easily disable soft delete or remove resource locks.
