Exam2pass
0 items Sign In or Register
  • Home
  • IT Exams
  • Guarantee
  • FAQs
  • Reviews
  • Contact Us
  • Demo
Exam2pass > Microsoft > Microsoft Certifications > SC-100 > SC-100 Online Practice Questions and Answers

SC-100 Online Practice Questions and Answers

Questions 4

HOTSPOT

You have a Microsoft 365 E5 subscription and an Azure subscription.

You need to evaluate the existing environment to increase the overall security posture for the following components:

1.

Windows 11 devices managed by Microsoft Intune

2.

Azure Storage accounts

3.

Azure virtual machines

What should you use to evaluate the components? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Buy Now

Correct Answer:

Box 1: Microsoft 365 Defender

The Microsoft 365 Defender portal emphasizes quick access to information, simpler layouts, and bringing related information together for easier use. It includes Microsoft Defender for Endpoint.

Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.

You can integrate Microsoft Defender for Endpoint with Microsoft Intune as a Mobile Threat Defense solution. Integration can help you prevent security breaches and limit the impact of breaches within an organization.

Microsoft Defender for Endpoint works with devices that run:

Android

iOS/iPadOS

Windows 10

Windows 11

Box 2: Microsoft Defender for Cloud

Microsoft Defender for Cloud currently protects Azure Blobs, Azure Files and Azure Data Lake Storage Gen2 resources. Microsoft Defender for SQL on Azure price applies to SQL servers on Azure SQL Database, Azure SQL Managed

Instance and Azure Virtual Machines.

Box 3: Microsoft 365 Compliance Center

Azure Storage Security Assessment: Microsoft 365 Compliance Center monitors and recommends encryption for Azure Storage, and within a few clicks customers can enable built-in encryption for their Azure Storage Accounts.

Note: Microsoft 365 compliance is now called Microsoft Purview and the solutions within the compliance area have been rebranded.

Microsoft Purview can be setup to manage policies for one or more Azure Storage accounts.

Reference: https://docs.microsoft.com/en-us/azure/purview/tutorial-data-owner-policies-storage

https://docs.microsoft.com/en-us/microsoft-365/security/defender/microsoft-365-defender?

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint

https://azure.microsoft.com/en-gb/pricing/details/defender-for-cloud/

Questions 5

HOTSPOT

You need to recommend a solution to meet the compliance requirements.

What should you include in the recommendation? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Buy Now

Correct Answer:

Box 1: A blueprint Scenario: Requirements. Compliance Requirements Fabrikam wants to automatically remediate the virtual machines in Sub1 to be compliant with the HIPAA HITRUST standard.

Microsoft releases automation for HIPAA/HITRUST compliance I am excited to share our new Azure Security and Compliance Blueprint for HIPAA/HITRUST

Questions 6

HOTSPOT

You are evaluating the security of ClaimsApp.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

Buy Now

Correct Answer:

Box 1: No Box 2: Yes

Users will connect to ClaimsApp by using a URL of https://claims.fabrikam.com.

Need certificate for HTTPS.

TLS/SSL certificates

To enable the HTTPS protocol for securely delivering content on a Front Door custom domain, you must use a TLS/SSL certificate. You can choose to use a certificate that is managed by Azure Front Door or use your own certificate.

Box 3: Yes

By default, Azure Front Door will respond to all user requests regardless of the location where the request is coming from. In some scenarios, you may want to restrict the access to your web application by countries/regions. The Web

application firewall (WAF) service in Front Door enables you to define a policy using custom access rules for a specific path on your endpoint to either allow or block access from specified countries/regions.

Note: Requirements. Security Requirements

Fabrikam identifies the following security requirements:

Internet-accessible applications must prevent connections that originate in North Korea.

Reference: https://techcommunity.microsoft.com/t5/azure-architecture-blog/permit-access-only-from-azure-front-door-to-azure-app-service-as/ba-p/2000173

https://docs.microsoft.com/en-us/azure/frontdoor/front-door-custom-domain-https#tlsssl-certificates

Questions 7

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

Your on-premises network contains an e-commerce web app that was developed in Angular and Node,js. The web app uses a MongoDB database. You plan to migrate the web app to Azure. The solution architecture team proposes the following architecture as an Azure landing zone.

You need to provide recommendations to secure the connection between the web app and the database. The solution must follow the Zero Trust model.

Solution: You recommend creating private endpoints for the web app and the database layer.

Does this meet the goal?

A. Yes

B. No

Buy Now

Correct Answer: A

How to Use Azure Private Endpoints to Restrict Public Access to WebApps.

As an Azure administrator or architect, you are sometimes asked the question: “How can we safely deploy internal business applications to Azure App Services?”

These applications characteristically are:

Not accessible from the public internet.

Accessible from within the on-premises corporate network

Accessible via an authorized VPN client from outside the corporate network.

For such scenarios, we can use Azure Private Links, which enables private and secure access to Azure PaaS services over Azure Private Endpoints, along with the Site-to-Site VPN, Point-to-Site VPN, or the Express Route. Azure Private

Endpoint is a read-only network interface service associated with the Azure PAAS Services. It allows you to bring deployed sites into your virtual network, limiting access to them at the network level.

It uses one of the private IP addresses from your Azure VNet and associates it with the Azure App Services. These services are called Private Link resources. They can be Azure Storage, Azure Cosmos DB, SQL, App Services Web App,

your own / partner owned services, Azure Backups, Event Grids, Azure Service Bus, or Azure Automations.

Reference: https://www.varonis.com/blog/securing-access-azure-webapps

Questions 8

Your company has a Microsoft 365 E5 subscription.

The company plans to deploy 45 mobile self-service kiosks that will run Windows 10.

You need to provide recommendations to secure the kiosks. The solution must meet the following requirements:

1.

Ensure that only authorized applications can run on the kiosks.

2.

Regularly harden the kiosks against new threats.

Which two actions should you include in the recommendations? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A. Implement Automated investigation and Remediation (AIR) in Microsoft Defender for Endpoint.

B. Onboard the kiosks to Microsoft intune and Microsoft Defender for Endpoint.

C. Implement threat and vulnerability management in Microsoft Defender for Endpoint.

D. Onboard the kiosks to Azure Monitor.

E. Implement Privileged Access Workstation (PAW) for the kiosks.

Buy Now

Correct Answer: BC

B and C are the recommended actions to secure the kiosks. Implementing threat and vulnerability management in Microsoft Defender for Endpoint and onboarding the kiosks to Microsoft Intune and Microsoft Defender for Endpoint will help ensure that only authorized applications can run on the kiosks and that the kiosks are regularly hardened against new threats.

Questions 9

You have an Azure subscription that contains several storage accounts. The storage accounts are accessed by legacy applications that are authenticated by using access keys.

You need to recommend a solution to prevent new applications from obtaining the access keys of the storage accounts. The solution must minimize the impact on the legacy applications.

What should you include in the recommendation?

A. Apply read-only locks on the storage accounts.

B. Set the AllowSharcdKeyAccess property to false.

C. Set the AllowBlobPublicAcccss property to false.

D. Configure automated key rotation.

Buy Now

Correct Answer: A

A read-only lock on a storage account prevents users from listing the account keys. A POST request handles the Azure Storage List Keys operation to protect access to the account keys. The account keys provide complete access to data in

the storage account.

Incorrect:

Not A:

If any clients are currently accessing data in your storage account with Shared Key, then Microsoft recommends that you migrate those clients to Azure AD before disallowing Shared Key access to the storage account.

However, in this scenario we cannot migrate to Azure AD due to the legacy applications.

Note: Shared Key

A shared key is a very long string. You can simply access Azure storage by using this long string. It's almost like a password. Actually, it's worse: this is a master password. It gives you all sorts of rights on the Azure storage account. You can

imagine why this isn't my favorite mechanism of accessing Azure storage. What happens when this key is compromised? You don't get an alert. Perhaps you can set up monitoring to see misuse of your Azure storage account. But it's still less

than an ideal situation. Alerts will tell you of damage after it has already occurred.

Not C: Data breaches caused by cloud misconfiguration have been seen for the past few years. One of the most common misconfigurations is granting public access to cloud storage service. Such a data is often unprotected, making them to

be accessed without any authentication method. Microsoft recently introduced a new protection feature to help avoid public access on storage account. The feature introduces a new property named allowBlobPublicAccess.

Not D: Key rotation would improve security.

Automated key rotation in Key Vault allows users to configure Key Vault to automatically generate a new key version at a specified frequency.

You can use rotation policy to configure rotation for each individual key. Our recommendation is to rotate encryption keys at least every two years to meet cryptographic best practices.

This feature enables end-to-end zero-touch rotation for encryption at rest for Azure services with customer-managed key (CMK) stored in Azure Key Vault.

Reference: https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources

https://docs.microsoft.com/en-us/azure/storage/common/shared-key-authorization-prevent

https://docs.microsoft.com/en-us/azure/key-vault/keys/how-to-configure-key-rotation

Questions 10

You have Microsoft Defender for Cloud assigned to Azure management groups.

You have a Microsoft Sentinel deployment.

During the triage of alerts, you require additional information about the security events, including suggestions for remediation.

Which two components can you use to achieve the goal? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.

A. Microsoft Sentinel threat intelligence workbooks

B. Microsoft Sentinel notebooks

C. threat intelligence reports in Defender for Cloud

D. workload protections in Defender for Cloud

Buy Now

Correct Answer: AC

A: Workbooks provide insights about your threat intelligence

Workbooks provide powerful interactive dashboards that give you insights into all aspects of Microsoft Sentinel, and threat intelligence is no exception. You can use the built-in Threat Intelligence workbook to visualize key information about

your threat intelligence, and you can easily customize the workbook according to your business needs. You can even create new dashboards combining many different data sources so you can visualize your data in unique ways. Since

Microsoft Sentinel workbooks are based on Azure Monitor workbooks, there is already extensive documentation available, and many more templates.

C: What is a threat intelligence report?

Defender for Cloud's threat protection works by monitoring security information from your Azure resources, the network, and connected partner solutions. It analyzes this information, often correlating information from multiple sources, to

identify threats.

Defender for Cloud has three types of threat reports, which can vary according to the attack. The reports available are:

Activity Group Report: provides deep dives into attackers, their objectives, and tactics.

Campaign Report: focuses on details of specific attack campaigns.

Threat Summary Report: covers all of the items in the previous two reports.

This type of information is useful during the incident response process, where there's an ongoing investigation to understand the source of the attack, the attacker's motivations, and what to do to mitigate this issue in the future.

Incorrect:

Not B: When to use Jupyter notebooks

While many common tasks can be carried out in the portal, Jupyter extends the scope of what you can do with this data.

For example, use notebooks to:

Perform analytics that aren't provided out-of-the box in Microsoft Sentinel, such as some Python machine learning features

Create data visualizations that aren't provided out-of-the box in Microsoft Sentinel, such as custom timelines and process trees

Integrate data sources outside of Microsoft Sentinel, such as an on-premises data set.

Not D: Defender for Cloud offers security alerts that are powered by Microsoft Threat Intelligence. It also includes a range of advanced, intelligent, protections for your workloads. The workload protections are provided through Microsoft

Defender plans specific to the types of resources in your subscriptions. For example, you can enable Microsoft Defender for Storage to get alerted about suspicious activities related to your Azure Storage accounts.

Reference: https://docs.microsoft.com/en-us/azure/sentinel/understand-threat-intelligence https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-cloud-introduction https://docs.microsoft.com/en-us/azure/defender-for-cloud/threat-intelligence-reports https://docs.microsoft.com/en-us/azure/sentinel/notebooks

Questions 11

Your company has a Microsoft 365 subscription and uses Microsoft Defender for Identity.

You are informed about incidents that relate to compromised identities.

You need to recommend a solution to expose several accounts for attackers to exploit. When the attackers attempt to exploit the accounts, an alert must be triggered.

Which Defender for Identity feature should you include in the recommendation?

A. sensitivity labels

B. custom user tags

C. standalone sensors

D. honeytoken entity tags

Buy Now

Correct Answer: D

Honeytoken entities are used as traps for malicious actors. Any authentication associated with these honeytoken entities triggers an alert.

Incorrect:

Not B: custom user tags

After you apply system tags or custom tags to users, you can use those tags as filters in alerts, reports, and investigation.

Reference: https://docs.microsoft.com/en-us/microsoft-365/security/defender-identity/entity-tags

Questions 12

For a Microsoft cloud environment, you are designing a security architecture based on the Microsoft Cloud Security Benchmark.

What are three best practices for identity management based on the Azure Security Benchmark? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.

A. Manage application identities securely and automatically.

B. Manage the lifecycle of identities and entitlements

C. Protect identity and authentication systems.

D. Enable threat detection for identity and access management.

E. Use a centralized identity and authentication system.

Buy Now

Correct Answer: ACE

Questions 13

You need to recommend a solution to meet the security requirements for the virtual machines. What should you include in the recommendation?

A. an Azure Bastion host

B. a network security group (NSG)

C. just-in-time (JIT) VM access

D. Azure Virtual Desktop

Buy Now

Correct Answer: D

The security requirement this question wants us to meet is "The secure host must be provisioned from a custom operating system image." https://docs.microsoft.com/en-us/azure/virtual-desktop/set-up-golden-image

Exam Code: SC-100
Exam Name: Microsoft Cybersecurity Architect
Last Update: Jun 12, 2025
Questions: 251

PDF (Q&A)

$45.99
ADD TO CART

VCE

$49.99
ADD TO CART

PDF + VCE

$59.99
ADD TO CART

Exam2Pass----The Most Reliable Exam Preparation Assistance

There are tens of thousands of certification exam dumps provided on the internet. And how to choose the most reliable one among them is the first problem one certification candidate should face. Exam2Pass provide a shot cut to pass the exam and get the certification. If you need help on any questions or any Exam2Pass exam PDF and VCE simulators, customer support team is ready to help at any time when required.

Home | Guarantee & Policy |  Privacy & Policy |  Terms & Conditions |  How to buy |  FAQs |  About Us |  Contact Us |  Demo |  Reviews

2025 Copyright @ exam2pass.com All trademarks are the property of their respective vendors. We are not associated with any of them.