Microsoft Cybersecurity Architect — Question 27

You have a Microsoft Entra tenant that syncs with an Active Directory Domain Services (AD DS) domain.

You have an on-premises datacenter that contains 100 servers. The servers run Windows Server and are backed up by using Microsoft Azure Backup Server (MABS).

You are designing a recovery solution for ransomware attacks. The solution follows Microsoft Security Best Practices.

You need to ensure that a compromised local administrator account cannot be used to stop scheduled backups.

What should you do?

Answer options

• A. From Azure Backup, configure multi-user authorization by using Resource Guard.
• B. From Microsoft Entra Privileged Identity Management (PIM), create a role assignment for the Backup Contributor role.
• C. From Microsoft Azure Backup Setup, register MABS with a Recovery Services vault.
• D. From a Recovery Services vault, generate a security PIN for critical operations.

Correct answer: A

Explanation

The correct answer is A because configuring multi-user authorization with Resource Guard ensures that more than one person is needed to stop backups, thereby preventing a compromised local administrator from doing so. The other options do not specifically address the issue of compromising backup integrity; they either assign roles or perform registrations without enhancing security against unauthorized actions.