SC-100: Microsoft Cybersecurity Architect Part 3
Question #: 114
Topic #: 2
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your on-premises network contains an e-commerce web app that was developed in Angular and Node.js. The web app uses a MongoDB database.
You plan to migrate the web app to Azure. The solution architecture team proposes the following architecture as an Azure landing zone.
You need to provide recommendations to secure the connection between the web app and the database. The solution must follow the Zero Trust model.
Solution: You recommend implementing Azure Key Vault to store credentials.
Does this meet the goal?
A. Yes
B. No
Selected Answer: A
Question #: 115
Topic #: 1
For an Azure deployment, you are designing a security architecture based on the Microsoft Cloud Security Benchmark.
You need to recommend a best practice for implementing service accounts for Azure API management.
What should you include in the recommendation?
A. application registrations in Azure AD
B. managed identities in Azure
C. Azure service principals with usernames and passwords
D. device registrations in Azure AD
E. Azure service principals with certificate credentials
Selected Answer: A
Question #: 116
Topic #: 1
You have an Azure AD tenant that syncs with an Active Directory Domain Services (AD DS) domain. Client computers run Windows and are hybrid-joined to Azure AD.
You are designing a strategy to protect endpoints against ransomware. The strategy follows Microsoft Security Best Practices.
You plan to remove all the domain accounts from the Administrators groups on the Windows computers.
You need to recommend a solution that will provide users with administrative access to the Windows computers only when access is required. The solution must minimize the lateral movement of ransomware attacks if an administrator account on a computer is compromised.
What should you include in the recommendation?
A. Local Administrator Password Solution (LAPS)
B. Azure AD Identity Protection
C. Azure AD Privileged Identity Management (PIM)
D. Privileged Access Workstations (PAWs)
Selected Answer: A
Question #: 117
Topic #: 4
You have a Microsoft 365 subscription that syncs with Active Directory Domain Services (AD DS).
You need to define the recovery steps for a ransomware attack that encrypted data in the subscription. The solution must follow Microsoft Security Best Practices.
What is the first step in the recovery plan?
A. From Microsoft Defender for Endpoint, perform a security scan.
B. Recover files to a cleaned computer or device.
C. Contact law enforcement.
D. Disable Microsoft OneDrive sync and Exchange ActiveSync.
Selected Answer: D
Question #: 118
Topic #: 3
You have an Azure subscription that contains virtual machines.
Port 3389 and port 22 are disabled for outside access.
You need to design a solution to provide administrators with secure remote access to the virtual machines. The solution must meet the following requirements:
✑ Prevent the need to enable ports 3389 and 22 from the internet.
✑ Only provide permission to connect to the virtual machines when required.
✑ Ensure that administrators use the Azure portal to connect to the virtual machines.
Which two actions should you include in the solution? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Configure Azure VPN Gateway.
B. Enable Just Enough Administration (JEA).
C. Configure Azure Bastion.
D. Enable just-in-time (JIT) VM access.
E. Enable Azure Active Directory (Azure AD) Privileged Identity Management (PIM) roles as virtual machine contributors.
Selected Answer: CD
Question #: 119
Topic #: 2
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your on-premises network contains an e-commerce web app that was developed in Angular and Node.js. The web app uses a MongoDB database.
You plan to migrate the web app to Azure. The solution architecture team proposes the following architecture as an Azure landing zone.
You need to provide recommendations to secure the connection between the web app and the database. The solution must follow the Zero Trust model.
Solution: You recommend implementing Azure Application Gateway with Azure Web Application Firewall (WAF).
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 121
Topic #: 3
Your company has on-premises Microsoft SQL Server databases.
The company plans to move the databases to Azure.
You need to recommend a secure architecture for the databases that will minimize operational requirements for patching and protect sensitive data by using dynamic data masking. The solution must minimize costs.
What should you include in the recommendation?
A. Azure SQL Managed Instance
B. Azure Synapse Analytics dedicated SQL pools
C. Azure SQL Database
D. SQL Server on Azure Virtual Machines
Selected Answer: C
Question #: 122
Topic #: 1
You have a Microsoft 365 subscription and an Azure subscription. Microsoft 365 Defender and Microsoft Defender for Cloud are enabled.
The Azure subscription contains 50 virtual machines. Each virtual machine runs different applications on Windows Server 2019.
You need to recommend a solution to ensure that only authorized applications can run on the virtual machines. If an unauthorized application attempts to run or be installed, the application must be blocked automatically until an administrator authorizes the application.
Which security control should you recommend?
A. OAuth app policies in Microsoft Defender for Cloud Apps
B. Azure Security Benchmark compliance controls in Defender for Cloud
C. application control policies in Microsoft Defender for Endpoint
D. app discovery anomaly detection policies in Microsoft Defender for Cloud Apps
Selected Answer: C
Question #: 123
Topic #: 2
You have a Microsoft 365 subscription and an Azure subscription. Microsoft 365 Defender and Microsoft Defender for Cloud are enabled.
The Azure subscription contains 50 virtual machines. Each virtual machine runs different applications on Windows Server 2019.
You need to recommend a solution to ensure that only authorized applications can run on the virtual machines. If an unauthorized application attempts to run or be installed, the application must be blocked automatically until an administrator authorizes the application.
Which security control should you recommend?
A. adaptive application controls in Defender for Cloud
B. app protection policies in Microsoft Endpoint Manager
C. app discovery anomaly detection policies in Microsoft Defender for Cloud Apps
D. Azure Security Benchmark compliance controls in Defender for Cloud
Selected Answer: A
Question #: 124
Topic #: 1
You have legacy operational technology (OT) devices and IoT devices.
You need to recommend best practices for applying Zero Trust principles to the OT and IoT devices based on the Microsoft Cybersecurity Reference Architectures (MCRA). The solution must minimize the risk of disrupting business operations.
Which two security methodologies should you include in the recommendation? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. active scanning
B. threat monitoring
C. software patching
D. passive traffic monitoring
Selected Answer: BD
Question #: 125
Topic #: 3
Your company plans to move all on-premises virtual machines to Azure.
A network engineer proposes the Azure virtual network design shown in the following table.
You need to recommend an Azure Bastion deployment to provide secure remote access to all the virtual machines.
Based on the virtual network design, how many Azure Bastion subnets are required?
A. 1
B. 2
C. 3
D. 4
E. 5
Selected Answer: B
Question #: 126
Topic #: 2
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your on-premises network contains an e-commerce web app that was developed in Angular and Node.js. The web app uses a MongoDB database.
You plan to migrate the web app to Azure. The solution architecture team proposes the following architecture as an Azure landing zone.
You need to provide recommendations to secure the connection between the web app and the database. The solution must follow the Zero Trust model.
Solution: You recommend implementing Azure Front Door with Azure Web Application Firewall (WAF).
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 127
Topic #: 4
Your company is developing an invoicing application that will use Azure AD B2C. The application will be deployed as an App Service web app.
You need to recommend a solution to the application development team to secure the application from identity-related attacks.
Which two configurations should you recommend? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Azure AD Conditional Access integration with user flows and custom policies
B. smart account lockout in Azure AD B2C
C. access packages in Identity Governance
D. custom resource owner password credentials (ROPC) flows in Azure AD B2C
Selected Answer: AB
Question #: 129
Topic #: 4
Your company plans to evaluate the security of its Azure environment based on the principles of the Microsoft Cloud Adoption Framework for Azure.
You need to recommend a cloud-based service to evaluate whether the Azure resources comply with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).
What should you recommend?
A. Compliance Manager in Microsoft Purview
B. Microsoft Defender for Cloud
C. Microsoft Sentinel
D. Microsoft Defender for Cloud Apps
Selected Answer: B
Question #: 130
Topic #: 2
You have a customer that has a Microsoft 365 subscription and an Azure subscription.
The customer has devices that run either Windows, iOS, Android, or macOS. The Windows devices are deployed on-premises and in Azure.
You need to design a security solution to assess whether all the devices meet the customer’s compliance rules.
What should you include in the solution?
A. Microsoft Defender for Endpoint
B. Microsoft Endpoint Manager
C. Microsoft Information Protection
D. Microsoft Sentinel
Selected Answer: B
Question #: 131
Topic #: 1
You have an on-premises network and a Microsoft 365 subscription.
You are designing a Zero Trust security strategy.
Which two security controls should you include as part of the Zero Trust solution? Each correct answer presents part of the solution.
NOTE: Each correct answer is worth one point.
A. Always allow connections from the on-premises network.
B. Disable passwordless sign-in for sensitive accounts.
C. Block sign-in attempts from unknown locations.
D. Block sign-in attempts from noncompliant devices.
Selected Answer: CD
Question #: 132
Topic #: 1
You are designing a ransomware response plan that follows Microsoft Security Best Practices.
You need to recommend a solution to minimize the risk of a ransomware attack encrypting local user files.
What should you include in the recommendation?
A. Windows Defender Device Guard
B. Microsoft Defender for Endpoint
C. Azure Files
D. BitLocker Drive Encryption (BitLocker)
E. protected folders
Selected Answer: E
Question #: 133
Topic #: 1
You have a Microsoft 365 subscription and an Azure subscription. Microsoft 365 Defender and Microsoft Defender for Cloud are enabled.
The Azure subscription contains 50 virtual machines. Each virtual machine runs different applications on Windows Server 2019.
You need to recommend a solution to ensure that only authorized applications can run on the virtual machines. If an unauthorized application attempts to run or be installed, the application must be blocked automatically until an administrator authorizes the application.
Which security control should you recommend?
A. app discovery anomaly detection policies in Microsoft Defender for Cloud Apps
B. Azure AD Conditional Access App Control policies
C. adaptive application controls in Defender for Cloud
D. app protection policies in Microsoft Endpoint Manager
Selected Answer: C
Question #: 134
Topic #: 2
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that has Microsoft Defender for Cloud enabled.
You are evaluating the Azure Security Benchmark V3 report.
In the Secure management ports controls, you discover that you have 0 out of a potential 8 points.
You need to recommend configurations to increase the score of the Secure management ports controls.
Solution: You recommend onboarding all virtual machines to Microsoft Defender for Endpoint.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 135
Topic #: 3
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are designing the encryption standards for data at rest for an Azure resource.
You need to provide recommendations to ensure that the data at rest is encrypted by using AES-256 keys. The solution must support rotating the encryption keys monthly.
Solution: For Azure SQL databases, you recommend Transparent Data Encryption (TDE) that uses customer-managed keys (CMKs).
Does this meet the goal?
A. Yes
B. No
Selected Answer: A
Question #: 136
Topic #: 1
You have an Azure AD tenant that syncs with an Active Directory Domain Services (AD DS) domain.
You are designing an Azure DevOps solution to deploy applications to an Azure subscription by using continuous integration and continuous deployment (CI/CD) pipelines.
You need to recommend which types of identities to use for the deployment credentials of the service connection. The solution must follow DevSecOps best practices from the Microsoft Cloud Adoption Framework for Azure.
What should you recommend?
A. a managed identity in Azure
B. an Azure AD user account that has role assignments in Azure AD Privileged Identity Management (PIM)
C. a group managed service account (gMSA)
D. an Azure AD user account that has a password stored in Azure Key Vault
Selected Answer: D
Question #: 137
Topic #: 3
A customer uses Azure to develop a mobile app that will be consumed by external users as shown in the following exhibit.
You need to design an identity strategy for the app. The solution must meet the following requirements:
✑ Enable the usage of external IDs such as Google, Facebook, and Microsoft accounts.
✑ Use a customer identity store.
✑ Support fully customizable branding for the app.
Which service should you recommend to complete the design?
A. Azure Active Directory (Azure AD) B2B
B. Azure Active Directory Domain Services (Azure AD DS)
C. Azure Active Directory (Azure AD) B2C
D. Azure AD Connect
Selected Answer: C
Question #: 138
Topic #: 1
You have a Microsoft 365 subscription and an Azure subscription. Microsoft 365 Defender and Microsoft Defender for Cloud are enabled.
The Azure subscription contains 50 virtual machines. Each virtual machine runs different applications on Windows Server 2019.
You need to recommend a solution to ensure that only authorized applications can run on the virtual machines. If an unauthorized application attempts to run or be installed, the application must be blocked automatically until an administrator authorizes the application.
Which security control should you recommend?
A. Azure AD Conditional Access App Control policies
B. Azure Security Benchmark compliance controls in Defender for Cloud
C. app protection policies in Microsoft Endpoint Manager
D. application control policies in Microsoft Defender for Endpoint
Selected Answer: D
Question #: 139
Topic #: 2
Your company has an Azure subscription that has enhanced security enabled for Microsoft Defender for Cloud.
The company signs a contract with the United States government.
You need to review the current subscription for NIST 800-53 compliance.
What should you do first?
A. From Defender for Cloud, review the secure score recommendations.
B. From Microsoft Sentinel, configure the Microsoft Defender for Cloud data connector.
C. From Defender for Cloud, review the Azure security baseline for audit report.
D. From Defender for Cloud, add a regulatory compliance standard.
Selected Answer: D
Question #: 140
Topic #: 1
You have an Azure Kubernetes Service (AKS) cluster that hosts Linux nodes.
You need to recommend a solution to ensure that deployed worker nodes have the latest kernel updates. The solution must minimize administrative effort.
What should you recommend?
A. The nodes must restart after the updates are applied.
B. The updates must first be applied to the image used to provision the nodes.
C. The AKS cluster version must be upgraded.
Selected Answer: B
Question #: 141
Topic #: 1
You have a Microsoft 365 subscription and an Azure subscription. Microsoft 365 Defender and Microsoft Defender for Cloud are enabled.
The Azure subscription contains 50 virtual machines. Each virtual machine runs different applications on Windows Server 2019.
You need to recommend a solution to ensure that only authorized applications can run on the virtual machines. If an unauthorized application attempts to run or be installed, the application must be blocked automatically until an administrator authorizes the application.
Which security control should you recommend?
A. app registrations in Azure AD
B. application control policies in Microsoft Defender for Endpoint
C. app discovery anomaly detection policies in Microsoft Defender for Cloud Apps
D. Azure AD Conditional Access App Control policies
Selected Answer: B
Question #: 142
Topic #: 3
Your company has a hybrid cloud infrastructure.
Data and applications are moved regularly between cloud environments.
The company’s on-premises network is managed as shown in the following exhibit.
You are designing security operations to support the hybrid cloud infrastructure. The solution must meet the following requirements:
✑ Govern virtual machines and servers across multiple environments.
✑ Enforce standards for all the resources across all the environments by using Azure Policy.
Which two components should you recommend for the on-premises network? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. on-premises data gateway
B. Azure VPN Gateway
C. guest configuration in Azure Policy
D. Azure Arc
E. Azure Bastion
Selected Answer: CD
Question #: 143
Topic #: 2
Your company has devices that run either Windows 10, Windows 11, or Windows Server.
You are in the process of improving the security posture of the devices.
You plan to use security baselines from the Microsoft Security Compliance Toolkit.
What should you recommend using to compare the baselines to the current device configurations?
A. Microsoft Intune
B. Local Group Policy Object (LGPO)
C. Windows Autopilot
D. Policy Analyzer
Selected Answer: D
Question #: 144
Topic #: 1
You have the following on-premises servers that run Windows Server:
• Two domain controllers in an Active Directory Domain Services (AD DS) domain
• Two application servers named Server1 and Server2 that run ASP.NET web apps
• A VPN server named Served that authenticates by using RADIUS and AD DS
End users use a VPN to access the web apps over the internet.
You need to redesign a user access solution to increase the security of the connections to the web apps. The solution must minimize the attack surface and follow the Zero Trust principles of the Microsoft Cybersecurity Reference Architectures (MCRA).
What should you include in the recommendation?
A. Publish the web apps by using Azure AD Application Proxy.
B. Configure the VPN to use Azure AD authentication.
C. Configure connectors and rules in Microsoft Defender for Cloud Apps.
D. Configure web protection in Microsoft Defender for Endpoint.
Selected Answer: A
Question #: 145
Topic #: 4
You have a Microsoft 365 subscription.
You need to design a solution to block file downloads from Microsoft SharePoint Online by authenticated users on unmanaged devices.
Which two services should you include in the solution? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Azure AD Conditional Access
B. Azure Data Catalog
C. Microsoft Purview Information Protection
D. Azure AD Application Proxy
E. Microsoft Defender for Cloud Apps
Selected Answer: AE
Question #: 146
Topic #: 2
You have an Azure subscription that is used as an Azure landing zone for an application.
You need to evaluate the security posture of all the workloads in the landing zone.
What should you do first?
A. Configure Continuous Integration/Continuous Deployment (CI/CD) vulnerability scanning.
B. Obtain Azure AD Premium Plan 2 licenses.
C. Add Microsoft Sentinel data connectors.
D. Enable the Defender plan for all resource types in Microsoft Defender for Cloud.
Selected Answer: D
Question #: 147
Topic #: 3
A customer has a Microsoft 365 E5 subscription and an Azure subscription.
The customer wants to centrally manage security incidents, analyze logs, audit activities, and search for potential threats across all deployed services.
You need to recommend a solution for the customer.
What should you include in the recommendation?
A. Microsoft Defender for Cloud
B. Microsoft Defender for Cloud Apps
C. Microsoft 365 Defender
D. Microsoft Sentinel
Selected Answer: D
Question #: 151
Topic #: 2
Your company has an Azure subscription that has enhanced security enabled for Microsoft Defender for Cloud.
The company signs a contract with the United States government.
You need to review the current subscription for NIST 800-53 compliance.
What should you do first?
A. From Azure Policy, assign a built-in initiative that has a scope of the subscription.
B. From Azure Policy, assign a built-in policy definition that has a scope of the subscription.
C. From Defender for Cloud, review the Azure security baseline for audit report.
D. From Microsoft Defender for Cloud Apps, create an access policy for cloud applications.
Selected Answer: A
Question #: 152
Topic #: 3
For a Microsoft cloud environment, you are designing a security architecture based on the Microsoft Cloud Security Benchmark.
What are three best practices for identity management based on the Azure Security Benchmark? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. Manage application identities securely and automatically.
B. Manage the lifecycle of identities and entitlements.
C. Protect identity and authentication systems.
D. Enable threat detection for identity and access management.
E. Use a centralized identity and authentication system.
Selected Answer: ACE
Question #: 153
Topic #: 1
You are designing a security operations strategy based on the Zero Trust framework.
You need to minimize the operational load on Tier 1 Microsoft Security Operations Center (SOC) analysts.
What should you do?
A. Enable built-in compliance policies in Azure Policy.
B. Enable self-healing in Microsoft 365 Defender.
C. Automate data classification.
D. Create hunting queries in Microsoft 365 Defender.
Selected Answer: B
Question #: 154
Topic #: 4
You have a Microsoft 365 tenant. Your company uses a third-party software as a service (SaaS) app named App1. App1 supports authenticating users by using Azure AD credentials.
You need to recommend a solution to enable users to authenticate to App1 by using their Azure AD credentials.
What should you include in the recommendation?
A. Azure AD Application Proxy
B. Azure AD B2C
C. an Azure AD enterprise application
D. a relying party trust in Active Directory Federation Services (AD FS)
Selected Answer: C
Question #: 155
Topic #: 2
Your company has an Azure subscription that uses Microsoft Defender for Cloud.
The company signs a contract with the United States government.
You need to review the current subscription for NIST 800-53 compliance.
What should you do first?
A. From Defender for Cloud, review the Azure security baseline for audit report.
B. From Microsoft Defender for Cloud Apps, create an access policy for cloud applications.
C. From Defender for Cloud, enable Defender for Cloud plans.
D. From Azure Policy, assign a built-in initiative that has a scope of the subscription.
Selected Answer: D
Question #: 157
Topic #: 3
Your company plans to follow DevSecOps best practices of the Microsoft Cloud Adoption Framework for Azure.
You need to perform threat modeling by using a top-down approach based on the Microsoft Cloud Adoption Framework for Azure.
What should you use to start the threat modeling process?
A. the STRIDE model
B. the DREAD model
C. OWASP threat modeling
Selected Answer: A
Question #: 158
Topic #: 4
You have a Microsoft 365 tenant.
Your company uses a third-party software as a service (SaaS) app named App1 that is integrated with an Azure AD tenant.
You need to design a security strategy to meet the following requirements:
• Users must be able to request access to App1 by using a self-service request.
• When users request access to App1, they must be prompted to provide additional information about their request.
• Every three months, managers must verify that the users still require access to App1.
What should you include in the design?
A. Microsoft Entra Identity Governance
B. connected apps in Microsoft Defender for Cloud Apps
C. access policies in Microsoft Defender for Cloud Apps
D. Azure AD Application Proxy
Selected Answer: A
Question #: 159
Topic #: 1
Your company has an Azure subscription that uses Microsoft Defender for Cloud.
The company signs a contract with the United States government.
You need to review the current subscription for NIST 800-53 compliance.
What should you do first?
A. From Microsoft Sentinel, configure the Microsoft Defender for Cloud data connector.
B. From Microsoft Defender for Cloud Apps, create an access policy for cloud applications.
C. From Defender for Cloud, enable Defender for Cloud plans.
D. From Defender for Cloud, add a regulatory compliance standard.
Selected Answer: C
Question #: 160
Topic #: 3
Your company has on-premises Microsoft SQL Server databases.
The company plans to move the databases to Azure.
You need to recommend a secure architecture for the databases that will minimize operational requirements for patching and protect sensitive data by using dynamic data masking. The solution must minimize costs.
What should you include in the recommendation?
A. SQL Server on Azure Virtual Machines
B. Azure Synapse Analytics dedicated SQL pools
C. Azure SQL Database
Selected Answer: C
Question #: 161
Topic #: 4
You have an Azure subscription.
You have a DNS domain named contoso.com that is hosted by a third-party DNS registrar.
Developers use Azure DevOps to deploy web apps to App Service Environments. When a new app is deployed, a CNAME record for the app is registered in contoso.com.
You need to recommend a solution to secure the DNS record for each web app. The solution must meet the following requirements:
• Ensure that when an app is deleted, the CNAME record for the app is removed also.
• Minimize administrative effort.
What should you include in the recommendation?
A. Microsoft Defender for Cloud Apps
B. Microsoft Defender for DevOps
C. Microsoft Defender for App Service
D. Microsoft Defender for DNS
Selected Answer: C
Question #: 162
Topic #: 1
Your company has an Azure subscription that uses Microsoft Defender for Cloud.
The company signs a contract with the United States government.
You need to review the current subscription for NIST 800-53 compliance.
What should you do first?
A. From Defender for Cloud, enable Defender for Cloud plans.
B. From Defender for Cloud, review the Azure security baseline for audit report.
C. From Defender for Cloud, add a regulatory compliance standard.
D. From Microsoft Defender for Cloud Apps, create an access policy for cloud applications.
Selected Answer: C
Question #: 164
Topic #: 3
You are designing a new Azure environment based on the security best practices of the Microsoft Cloud Adoption Framework for Azure. The environment will contain one subscription for shared infrastructure components and three separate subscriptions for applications.
You need to recommend a deployment solution that includes network security groups (NSGs), Azure Firewall, Azure Key Vault, and Azure Bastion. The solution must minimize deployment effort and follow security best practices of the Microsoft Cloud Adoption Framework for Azure.
What should you include in the recommendation?
A. the Azure landing zone accelerator
B. the Azure Well-Architected Framework
C. Azure Security Benchmark v3
D. Azure Advisor
Selected Answer: A
Question #: 165
Topic #: 1
Your company has an Azure subscription that has enhanced security enabled for Microsoft Defender for Cloud.
The company signs a contract with the United States government.
You need to review the current subscription for NIST 800-53 compliance.
What should you do first?
A. From Defender for Cloud, enable Defender for Cloud plans.
B. From Azure Policy, assign a built-in initiative that has a scope of the subscription.
C. From Defender for Cloud, review the secure score recommendations.
D. From Microsoft Defender for Cloud Apps, create an access policy for cloud applications.
Selected Answer: B
Question #: 170
Topic #: 3
You have an Azure subscription that contains a Microsoft Sentinel workspace.
Your on-premises network contains firewalls that support forwarding event logs in the Common Event Format (CEF). There is no built-in Microsoft Sentinel connector for the firewalls.
You need to recommend a solution to ingest events from the firewalls into Microsoft Sentinel.
What should you include in the recommendation?
A. an Azure logic app
B. an on-premises Syslog server
C. an on-premises data gateway
D. Azure Data Factory
Selected Answer: B
Question #: 171
Topic #: 2
You have an Azure subscription.
Your company has a governance requirement that resources must be created in the West Europe or North Europe Azure regions.
What should you recommend using to enforce the governance requirement?
A. Azure management groups
B. custom Azure roles
C. Azure Policy assignments
D. regulatory compliance standards in Microsoft Defender for Cloud
Selected Answer: C
Question #: 177
Topic #: 3
You have an Azure subscription. The subscription contains 50 virtual machines that run Windows Server and 50 virtual machines that run Linux.
You need to perform vulnerability assessments on the virtual machines. The solution must meet the following requirements:
• Identify missing updates and insecure configurations.
• Use the Qualys engine.
What should you use?
A. Microsoft Defender for Servers
B. Microsoft Defender Threat Intelligence (Defender TI)
C. Microsoft Defender for Endpoint
D. Microsoft Defender External Attack Surface Management (Defender EASM)
Selected Answer: A