SC-100: Microsoft Cybersecurity Architect Part 2
Question #: 72
Topic #: 1
Your company has a third-party security information and event management (SIEM) solution that uses Splunk and Microsoft Sentinel.
You plan to integrate Microsoft Sentinel with Splunk.
You need to recommend a solution to send security events from Microsoft Sentinel to Splunk.
What should you include in the recommendation?
A. a Microsoft Sentinel data connector
B. Azure Event Hubs
C. a Microsoft Sentinel workbook
D. Azure Data Factory
Selected Answer: B
Question #: 73
Topic #: 2
You have an Azure subscription that has Microsoft Defender for Cloud enabled.
You need to enforce ISO 27001:2013 standards for the subscription. The solution must ensure that noncompliant resources are remediated automatically.
What should you use?
A. Azure Policy
B. Azure Blueprints
C. the regulatory compliance dashboard in Defender for Cloud
D. Azure role-based access control (Azure RBAC)
Selected Answer: A
Question #: 74
Topic #: 4
Your company has a Microsoft 365 E5 subscription.
Users use Microsoft Teams, Exchange Online, SharePoint Online, and OneDrive for sharing and collaborating.
The company identifies protected health information (PHI) within stored documents and communications.
What should you recommend using to prevent the PHI from being shared outside the company?
A. sensitivity label policies
B. data loss prevention (DLP) policies
C. insider risk management policies
D. retention policies
Selected Answer: B
Question #: 75
Topic #: 3
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are designing the encryption standards for data at rest for an Azure resource.
You need to provide recommendations to ensure that the data at rest is encrypted by using AES-256 keys. The solution must support rotating the encryption keys monthly.
Solution: For blob containers in Azure Storage, you recommend encryption that uses customer-managed keys (CMKs).
Does this meet the goal?
A. Yes
B. No
Selected Answer: A
Question #: 77
Topic #: 1
A customer follows the Zero Trust model and explicitly verifies each attempt to access its corporate applications.
The customer discovers that several endpoints are infected with malware.
The customer suspends access attempts from the infected endpoints.
The malware is removed from the endpoints.
Which two conditions must be met before endpoint users can access the corporate applications again? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. The client access tokens are refreshed.
B. Microsoft Intune reports the endpoints as compliant.
C. A new Azure Active Directory (Azure AD) Conditional Access policy is enforced.
D. Microsoft Defender for Endpoint reports the endpoints as compliant.
Selected Answer: AB
Question #: 78
Topic #: 4
Your company has a Microsoft 365 E5 subscription.
The company wants to identify and classify data in Microsoft Teams, SharePoint Online, and Exchange Online.
You need to recommend a solution to identify documents that contain sensitive information.
What should you include in the recommendation?
A. data classification content explorer
B. data loss prevention (DLP)
C. eDiscovery
D. Information Governance
Selected Answer: A
Question #: 79
Topic #: 3
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are designing a security strategy for providing access to Azure App Service web apps through an Azure Front Door instance.
You need to recommend a solution to ensure that the web apps only allow access through the Front Door instance.
Solution: You recommend access restrictions to allow traffic from the backend IP address of the Front Door instance.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 81
Topic #: 3
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are designing a security strategy for providing access to Azure App Service web apps through an Azure Front Door instance.
You need to recommend a solution to ensure that the web apps only allow access through the Front Door instance.
Solution: You recommend access restrictions that allow traffic from the Front Door service tags.
Does this meet the goal?
A. Yes
B. No
Selected Answer: A
Question #: 82
Topic #: 4
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are designing a security strategy for providing access to Azure App Service web apps through an Azure Front Door instance.
You need to recommend a solution to ensure that the web apps only allow access through the Front Door instance.
Solution: You recommend configuring gateway-required virtual network integration.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 83
Topic #: 2
Your company finalizes the adoption of Azure and is implementing Microsoft Defender for Cloud.
You receive the following recommendations in Defender for Cloud:
✑ Access to storage accounts with firewall and virtual network configurations should be restricted.
✑ Storage accounts should restrict network access using virtual network rules.
✑ Storage account should use a private link connection.
✑ Storage account public access should be disallowed.
You need to recommend a service to mitigate identified risks that relate to the recommendations.
What should you recommend?
A. Azure Policy
B. Azure Network Watcher
C. Azure Storage Analytics
D. Microsoft Sentinel
Selected Answer: A
Question #: 84
Topic #: 1
You have a customer that has a Microsoft 365 subscription and uses the Free edition of Azure Active Directory (Azure AD).
The customer plans to obtain an Azure subscription and provision several Azure resources.
You need to evaluate the customer’s security environment.
What will necessitate an upgrade from the Azure AD Free edition to the Premium edition?
A. Azure AD Privileged Identity Management (PIM)
B. role-based authorization
C. resource-based authorization
D. Azure AD Multi-Factor Authentication
Selected Answer: A
Question #: 85
Topic #: 3
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are designing a security strategy for providing access to Azure App Service web apps through an Azure Front Door instance.
You need to recommend a solution to ensure that the web apps only allow access through the Front Door instance.
Solution: You recommend access restrictions based on HTTP headers that have the Front Door ID.
Does this meet the goal?
A. Yes
B. No
Selected Answer: A
Question #: 86
Topic #: 2
You receive a security alert in Microsoft Defender for Cloud as shown in the exhibit. (Click the Exhibit tab.)
After remediating the threat, which policy definition should you assign to prevent the threat from reoccurring?
A. Storage account public access should be disallowed
B. Azure Key Vault Managed HSM should have purge protection enabled
C. Storage accounts should prevent shared key access
D. Storage account keys should not be expired
Selected Answer: C
Question #: 87
Topic #: 4
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are designing a security strategy for providing access to Azure App Service web apps through an Azure Front Door instance.
You need to recommend a solution to ensure that the web apps only allow access through the Front Door instance.
Solution: You recommend access restrictions that allow traffic from the Front Door service tags.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 88
Topic #: 2
You have 50 Azure subscriptions.
You need to monitor the resources in the subscriptions for compliance with the ISO 27001:2013 standards. The solution must minimize the effort required to modify the list of monitored policy definitions for the subscriptions.
What are two ways to achieve the goal? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. Assign an initiative to a management group.
B. Assign a policy to each subscription.
C. Assign a policy to a management group.
D. Assign an initiative to each subscription.
E. Assign a blueprint to each subscription.
F. Assign a blueprint to a management group.
Selected Answer: AF
Question #: 89
Topic #: 3
Your company is designing an application architecture for Azure App Service Environment (ASE) web apps as shown in the exhibit. (Click the Exhibit tab.)
Communication between the on-premises network and Azure uses an ExpressRoute connection.
You need to recommend a solution to ensure that the web apps can communicate with the on-premises application server. The solution must minimize the number of public IP addresses that are allowed to access the on-premises network.
What should you include in the recommendation?
A. Azure Traffic Manager with priority traffic-routing methods
B. Azure Firewall with policy rule sets
C. Azure Front Door with Azure Web Application Firewall (WAF)
D. Azure Application Gateway v2 with user-defined routes (UDRs)
Selected Answer: C
Question #: 90
Topic #: 1
You are designing the security standards for a new Azure environment.
You need to design a privileged identity strategy based on the Zero Trust model.
Which framework should you follow to create the design?
A. Microsoft Security Development Lifecycle (SDL)
B. Enhanced Security Admin Environment (ESAE)
C. Rapid Modernization Plan (RaMP)
D. Microsoft Operational Security Assurance (OSA)
Selected Answer: C
Question #: 91
Topic #: 4
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are designing a security strategy for providing access to Azure App Service web apps through an Azure Front Door instance.
You need to recommend a solution to ensure that the web apps only allow access through the Front Door instance.
Solution: You recommend access restrictions based on HTTP headers that have the Front Door ID.
Does this meet the goal?
A. Yes
B. No
Selected Answer: A
Question #: 93
Topic #: 3
You are planning the security requirements for Azure Cosmos DB Core (SQL) API accounts.
You need to recommend a solution to audit all users that access the data in the Azure Cosmos DB accounts.
Which two configurations should you include in the recommendation? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Send the Azure Active Directory (Azure AD) sign-in logs to a Log Analytics workspace.
B. Enable Microsoft Defender for Identity.
C. Send the Azure Cosmos DB logs to a Log Analytics workspace.
D. Disable local authentication for Azure Cosmos DB.
E. Enable Microsoft Defender for Cosmos DB.
Selected Answer: AC
Question #: 94
Topic #: 1
A customer has a hybrid cloud infrastructure that contains a Microsoft 365 E5 subscription and an Azure subscription.
All on-premises servers in the perimeter network are prevented from connecting directly to the internet.
The customer recently recovered from a ransomware attack.
The customer plans to deploy Microsoft Sentinel.
You need to recommend solutions to meet the following requirements:
✑ Ensure that the security operations team can access the security logs and the operation logs.
✑ Ensure that the IT operations team can access only the operations logs, including the event logs of the servers in the perimeter network.
Which two solutions should you include in the recommendation? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. a custom collector that uses the Log Analytics agent
B. the Azure Monitor agent
C. resource-based role-based access control (RBAC)
D. Azure Active Directory (Azure AD) Conditional Access policies
Selected Answer: BC
Question #: 95
Topic #: 4
Your company has an on-premises network, an Azure subscription, and a Microsoft 365 E5 subscription.
The company uses the following devices:
✑ Computers that run either Windows 10 or Windows 11
✑ Tablets and phones that run either Android or iOS
You need to recommend a solution to classify and encrypt sensitive Microsoft Office 365 data regardless of where the data is stored.
What should you include in the recommendation?
A. eDiscovery
B. Microsoft Information Protection
C. Compliance Manager
D. retention policies
Selected Answer: B
Question #: 96
Topic #: 3
You have an Azure subscription that contains several storage accounts. The storage accounts are accessed by legacy applications that are authenticated by using access keys.
You need to recommend a solution to prevent new applications from obtaining the access keys of the storage accounts. The solution must minimize the impact on the legacy applications.
What should you include in the recommendation?
A. Set the AllowSharedKeyAccess property to false.
B. Apply read-only locks on the storage accounts.
C. Set the AllowBlobPublicAccess property to false.
D. Configure automated key rotation.
Selected Answer: B
Question #: 97
Topic #: 1
Your company is developing a serverless application in Azure that will have the architecture shown in the following exhibit.
You need to recommend a solution to isolate the compute components on an Azure virtual network.
What should you include in the recommendation?
A. Azure Active Directory (Azure AD) enterprise applications
B. an Azure App Service Environment (ASE)
C. Azure service endpoints
D. an Azure Active Directory (Azure AD) application proxy
Selected Answer: B
Question #: 98
Topic #: 4
You have a Microsoft 365 E5 subscription.
You are designing a solution to protect confidential data in Microsoft SharePoint Online sites that contain more than one million documents.
You need to recommend a solution to prevent Personally Identifiable Information (PII) from being shared.
Which two components should you include in the recommendation? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. data loss prevention (DLP) policies
B. retention label policies
C. eDiscovery cases
D. sensitivity label policies
Selected Answer: AD
Question #: 99
Topic #: 2
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that has Microsoft Defender for Cloud enabled.
You are evaluating the Azure Security Benchmark V3 report.
In the Secure management ports controls, you discover that you have 0 out of a potential 8 points.
You need to recommend configurations to increase the score of the Secure management ports controls.
Solution: You recommend enabling the VMAccess extension on all virtual machines.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 101
Topic #: 3
You are designing the security standards for containerized applications onboarded to Azure.
You are evaluating the use of Microsoft Defender for Containers.
In which two environments can you use Defender for Containers to scan for known vulnerabilities? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. Linux containers deployed to Azure Container Instances
B. Windows containers deployed to Azure Kubernetes Service (AKS)
C. Windows containers deployed to Azure Container Registry
D. Linux containers deployed to Azure Container Registry
E. Linux containers deployed to Azure Kubernetes Service (AKS)
Selected Answer: DE
Question #: 102
Topic #: 2
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that has Microsoft Defender for Cloud enabled.
You are evaluating the Azure Security Benchmark V3 report.
In the Secure management ports controls, you discover that you have 0 out of a potential 8 points.
You need to recommend configurations to increase the score of the Secure management ports controls.
Solution: You recommend enabling adaptive network hardening.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 103
Topic #: 4
Your company has the virtual machine infrastructure shown in the following table.
The company plans to use Microsoft Azure Backup Server (MABS) to back up the virtual machines to Azure.
You need to provide recommendations to increase the resiliency of the backup strategy to mitigate attacks such as ransomware.
What should you include in the recommendation?
A. Use geo-redundant storage (GRS).
B. Maintain multiple copies of the virtual machines.
C. Encrypt the backups by using customer-managed keys (CMKs).
D. Require PINs to disable backups.
Selected Answer: D
Question #: 104
Topic #: 2
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that has Microsoft Defender for Cloud enabled.
You are evaluating the Azure Security Benchmark V3 report.
In the Secure management ports controls, you discover that you have 0 out of a potential 8 points.
You need to recommend configurations to increase the score of the Secure management ports controls.
Solution: You recommend enabling just-in-time (JIT) VM access on all virtual machines.
Does this meet the goal?
A. Yes
B. No
Selected Answer: A
Question #: 105
Topic #: 3
Your company has a hybrid cloud infrastructure that contains an on-premises Active Directory Domain Services (AD DS) forest, a Microsoft 365 subscription, and an Azure subscription.
The company’s on-premises network contains internal web apps that use Kerberos authentication. Currently, the web apps are accessible only from the network.
You have remote users who have personal devices that run Windows 11.
You need to recommend a solution to provide the remote users with the ability to access the web apps. The solution must meet the following requirements:
✑ Prevent the remote users from accessing any other resources on the network.
✑ Support Azure Active Directory (Azure AD) Conditional Access.
✑ Simplify the end-user experience.
What should you include in the recommendation?
A. Azure AD Application Proxy
B. web content filtering in Microsoft Defender for Endpoint
C. Microsoft Tunnel
D. Azure Virtual WAN
Selected Answer: A
Question #: 106
Topic #: 1
Your company plans to apply the Zero Trust Rapid Modernization Plan (RaMP) to its IT environment.
You need to recommend the top three modernization areas to prioritize as part of the plan.
Which three areas should you recommend based on RaMP? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. data, compliance, and governance
B. infrastructure and development
C. user access and productivity
D. operational technology (OT) and IoT
E. modern security operations
Selected Answer: ACE
Question #: 107
Topic #: 1
You have a Microsoft 365 subscription and an Azure subscription. Microsoft 365 Defender and Microsoft Defender for Cloud are enabled.
The Azure subscription contains 50 virtual machines. Each virtual machine runs different applications on Windows Server 2019.
You need to recommend a solution to ensure that only authorized applications can run on the virtual machines. If an unauthorized application attempts to run or be installed, the application must be blocked automatically until an administrator authorizes the application.
Which security control should you recommend?
A. adaptive application controls in Defender for Cloud
B. app protection policies in Microsoft Endpoint Manager
C. OAuth app policies in Microsoft Defender for Cloud Apps
D. Azure Active Directory (Azure AD) Conditional Access App Control policies
Selected Answer: A
Question #: 110
Topic #: 2
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your on-premises network contains an e-commerce web app that was developed in Angular and Node.js. The web app uses a MongoDB database.
You plan to migrate the web app to Azure. The solution architecture team proposes the following architecture as an Azure landing zone.
You need to provide recommendations to secure the connection between the web app and the database. The solution must follow the Zero Trust model.
Solution: You recommend creating private endpoints for the web app and the database layer.
Does this meet the goal?
A. Yes
B. No
Selected Answer: A
Question #: 111
Topic #: 1
You have an on-premises network that has several legacy applications. The applications perform LDAP queries against an existing directory service.
You are migrating the on-premises infrastructure to a cloud-only infrastructure.
You need to recommend an identity solution for the infrastructure that supports the legacy applications. The solution must minimize the administrative effort to maintain the infrastructure.
Which identity service should you include in the recommendation?
A. Azure Active Directory (Azure AD) B2C
B. Azure Active Directory Domain Services (Azure AD DS)
C. Azure Active Directory (Azure AD)
D. Active Directory Domain Services (AD DS)
Selected Answer: B