Azure Information Protection provides a means to classify documents and emails using

labels, and to optionally protect those items with encryption, identity, and authorization,

making option A correct. AIP does not provide secure storage for secrets; Key Vault serves

that function. AIP is not a mechanism in Azure AD.

Azure Threat Protection (ATP) can detect and identify a variety of threats and provides

reporting and other resources to help secure your environment, making option C the correct

answer. Security Center, AIP, and Microsoft Defender do not provide that threat detection

and reporting capability.

ATP can help you detect all these types of attacks, as well as brute-force attacks, overpassthe-

hash, and domain dominance attacks.

Testing multiple passwords against a username is an example of a brute-force attack.

Making authentication attempts against an alphabetical list of usernames is an example of a

reconnaissance attack.

Azure policies enable you to create JSON-based rules that apply effects to resources,

such as limiting the types of VMs that can be created in a resource group. Resource locks

apply restrictions on actions that you can take with resources but do not control the types of

resources you can create. Azure Resource Manager is the template-based service that enables you to create resources but does not apply restrictions on resources. Azure initiatives enable

you to create and manage a group of policies but do not apply restrictions themselves.

An initiative is a group of policies, enabling you to create, manage, and deploy policies

as a group to support governance goals and organizational standards. Blueprints represent a

different service called Azure Blueprints that enable you to create repeatable groups of Azure

resources, role assignments, and policies. You do not assign security policies using Azure

Security Center.

You can apply policies individually or within an initiative, which is a group of policies.

You cannot apply permissions using permissions with a policy; instead, you specify what

actions are allowed with a specified scope based on the RBAC permissions a user already

has. A policy applies to all resources within the scope at which it is applied, making option C

correct. Azure policies are not a component of Security Center.

23. C. RBAC is the mechanism that enables you to specify permissions for Azure. Azure policies,

resource groups, and Security Center do not provide any capability to create or assign

permissions.