Microsoft Cybersecurity Architect (SC-100)
Exam Overview
The Microsoft SC-100: Microsoft Cybersecurity Architect certification validates your expertise in designing and evolving an organization's cybersecurity strategy. This advanced credential positions you as a strategic leader capable of translating business requirements into secure, resilient, and compliant solutions across Microsoft's cloud and hybrid environments. Achieving this certification demonstrates your ability to integrate security into all aspects of the enterprise architecture, from identity and data to applications and infrastructure. It signifies a deep understanding of threat protection, governance, risk, and compliance, making you an invaluable asset for organizations aiming to strengthen their security posture and mitigate sophisticated cyber threats effectively.
- Questions: 40-60
- Passing Score: 700/1000
- Duration: 120 Minutes
- Difficulty: Expert
- Level: Expert
Free Study Guide Samples
Previewing updated SC-100 bank (59 Questions).
Your network contains an Active Directory Domain Services (AD DS) domain.
You need to ensure that the built-in administrator account for the domain can be used only for interactive sign-ins to domain controllers.
What should you configure?
Correct Option: C
Reasoning: User Rights Assignment security policy settings, such as "Allow log on locally" and "Deny log on locally," directly control which accounts can perform interactive logons on specific machines. Configuring these via Group Policy targeting domain controllers ensures the built-in administrator can only sign in interactively there.
Why the other choices are incorrect:
- Option A is incorrect: The Protected Users group prevents credential theft by limiting authentication methods (e.g., NTLM, Kerberos DES/RC4), but does not control where an account can perform interactive sign-ins.
- Option B is incorrect: Authentication policies define conditions for accessing resources or services based on user/device attributes, but they are not the primary mechanism to restrict interactive logon locations for an account.
- Option D is incorrect: An authentication policy silo groups accounts for applying authentication policies to control access to resources, not to directly manage specific interactive logon rights for a single account.
You have a Microsoft 365 tenant that uses Microsoft SharePoint Online and Microsoft Purview. Microsoft Purview has a sensitivity label named Label1 that is applied to the files stored on SharePoint Online sites.
You need to recommend a Microsoft Purview Data Loss Prevention (DLP) policy that meets the following requirements:
- Prevents users from uploading the files to third-party external websites
- Allows users to upload the files to Microsoft OneDrive for Business
To which location should you apply the DLP policy?
Correct Option: A
✓ **Devices**
Reasoning: Applying the DLP policy to 'Devices' (Endpoint DLP) allows monitoring and controlling user activities on Windows/macOS endpoints. This directly prevents uploading sensitive files to unapproved third-party websites while permitting uploads to sanctioned services like OneDrive for Business, meeting both requirements by acting at the source of the data movement.
Why the other choices are incorrect:
- Option B is incorrect: OneDrive accounts DLP monitors files within OneDrive, not client-side uploads from a device to external sites. It wouldn't prevent the initial upload attempt to a third-party website.
- Option C is incorrect: SharePoint sites DLP monitors files within SharePoint. It cannot control a user's attempt to upload a file from their local device to an unapproved external website.
- Option D is incorrect: While Microsoft Defender for Cloud Apps can control cloud app usage, applying a Purview DLP policy to 'Devices' directly addresses endpoint-initiated uploads to external sites, which is the more direct and appropriate Purview DLP location for this scenario.
You have a Microsoft Entra tenant named contoso.com.
You have an external partner that has a Microsoft Entra tenant named fabrikam.com.
You need to recommend an identity governance solution for contoso.com that meets the following requirements:
- Enables the users in contoso.com and fabrikam.com to communicate by using shared Microsoft Teams channels
- Manages access to shared Teams channels in contoso.com by using groups in fabrikam.com
- Supports single sign-on (SSO)
- Minimizes administrative effort
- Maximizes security
What should you include in the recommendation?
Correct Option: C
✓ **B2B direct connect**
Reasoning: B2B direct connect specifically enables shared Microsoft Teams channels between organizations, letting users collaborate without becoming guest accounts. It supports SSO, allows managing access via partner teams (groups), minimizes administrative overhead, and maximizes security by respecting home tenant policies.
Why the other choices are incorrect:
- Option A is incorrect: Cross-tenant synchronization creates copies of user objects, which increases administrative effort and doesn't natively facilitate shared Teams channels or manage access using partner groups directly.
- Option B is incorrect: Microsoft Entra B2B collaboration uses guest accounts, which is not designed for shared Teams channels and doesn't manage access directly via partner tenant groups for this specific scenario.
- Option D is incorrect: Microsoft Entra Connect Sync is used for synchronizing on-premises Active Directory with Microsoft Entra ID, not for inter-tenant collaboration.
You have an Azure Storage account named storage1.
You plan to secure storage1 by using a Bring Your Own Key (BYOK) strategy.
You create an Azure key vault named AKV1 and upload a compatible key.
You need to configure storage1 to use the key stored in AKV1 for encryption.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
✓ Create a managed identity and assign it to storage1.
Reasoning: To allow the Azure Storage account (storage1) to securely authenticate and access the Azure Key Vault (AKV1), a managed identity must first be created and assigned to storage1. This identity acts as a service principal.
✓ Create and assign a Key Vault access policy.
Reasoning: Once storage1 has a managed identity, you must grant this identity the necessary permissions (Get, Wrap Key, Unwrap Key) on the key in AKV1. This is done by creating or updating a Key Vault access policy that targets storage1's managed identity.
✓ Configure Azure Storage encryption with customer-managed keys.
Reasoning: After the managed identity is assigned and granted permissions, the final step is to configure storage1's encryption settings to use customer-managed keys and select the specific key from AKV1.
You have an Azure subscription that contains 15 custom apps. The source files for the apps are stored in Git repositories. The apps are deployed by using Azure DevOps.
You need to recommend a DevSecOps solution to implement static application security testing (SAST) of the app code to identify hard-coded secrets.
What should you include in the recommendation?
Correct Option: D
Reasoning: Microsoft Defender for Cloud DevOps security integrates security into Azure DevOps pipelines. It provides capabilities for SAST, including secret scanning within source code, and integrates findings directly into the developer workflow, addressing the need to identify hard-coded secrets.
Why the other choices are incorrect:
- Option A is incorrect: GitHub Advanced Security primarily provides SAST for GitHub repositories. While powerful, the scenario specifies Azure DevOps and generic Git repositories, making Defender for Cloud a more direct and integrated Azure DevSecOps solution.
- Option B is incorrect: Microsoft Defender for Key Vault protects Key Vault at runtime by detecting unusual access patterns, not by performing SAST on application code to find hard-coded secrets before deployment.
- Option C is incorrect: Microsoft Dev Box provides cloud-based developer workstations. It is a development environment solution and does not perform static application security testing (SAST) on code.
You have an Azure subscription that contains a web app named App1. App1 uses a Microsoft Entra user account named SRV1 as a service account to authenticate to an Azure SQL database named DB1.
You discover that a developer accessed DB1 directly by using SRV1.
You need to recommend a secure authentication method that will prevent credential misuse outside of App1. The solution must minimize administrative effort.
What should you recommend?
Correct Option: A
Reasoning: A managed identity provides an Azure AD identity for App1, enabling authentication to DB1 without credentials. This prevents developers from directly accessing the identity, as its scope is bound to App1, thereby eliminating credential misuse outside the application and minimizing administrative overhead.
Why the other choices are incorrect:
- Option B is incorrect: Group managed service accounts (gMSAs) are designed for on-premises Active Directory services, not Azure web apps authenticating to Azure SQL.
- Option C is incorrect: A delegated managed service account is not a standard Azure or Microsoft Entra identity concept relevant to this scenario.
- Option D is incorrect: Federated identity credentials are typically used for non-Azure AD workloads (e.g., CI/CD pipelines) to access Azure. Managed identities are the native, simpler, and more secure solution for Azure resources accessing other Azure services.
You have an Azure subscription and a Microsoft 365 subscription.
Your company uses several software as a service (SaaS) applications.
To align with Microsoft cloud security benchmark (MCSB) and Microsoft Cybersecurity Reference Architectures (MCRA), you plan to design a solution to provide visibility into user activity across the applications and detect potentially risky behavior in real time.
Which service should you recommend?
Correct Option: A
✓ **Microsoft Defender for Cloud Apps**
Reasoning: Microsoft Defender for Cloud Apps (MDCA) functions as a Cloud Access Security Broker (CASB). It directly provides visibility into user activities across SaaS applications, identifies shadow IT, and detects anomalous behavior or risky activities in real time, aligning with the requirement for user activity monitoring and risk detection.
Why the other choices are incorrect:
- Option B is incorrect: Microsoft Purview Information Protection focuses on data classification, labeling, and protection, not on real-time user activity monitoring across applications for behavioral risk detection.
- Option C is incorrect: Microsoft Sentinel is a SIEM/SOAR platform for security data aggregation, threat detection, and response across an enterprise. While it can ingest MDCA data, it doesn't provide the initial real-time visibility and risky behavior detection for SaaS apps itself.
- Option D is incorrect: Microsoft Defender for Endpoint is an EDR solution focused on protecting endpoint devices (workstations, servers) from threats, not on monitoring user activity across cloud applications.
You have a multi-cloud environment that contains an Azure subscription and an Amazon Web Services (AWS) account.
You need to implement security services in Azure to manage the resources in both subscriptions. The solution must meet the following requirements:
- Automatically identify threats found in AWS CloudTrail events.
- Enforce security settings on AWS virtual machines by using Azure policies.
What should you include in the solution for each requirement? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
✓ Sentinel (Correct for "Automatically identify threats")
Reasoning: Microsoft Sentinel, a cloud-native SIEM, offers a direct data connector for AWS CloudTrail. It ingests these events and uses built-in analytics, machine learning, and threat intelligence to automatically identify and alert on security threats and anomalies within the AWS environment.
✓ Arc (Correct for "Enforce security settings")
Reasoning: Azure Arc extends Azure management, including Azure Policy capabilities, to resources outside Azure, such as virtual machines hosted in AWS. By onboarding AWS VMs to Azure Arc, Azure policies can enforce consistent security configurations.
Your network contains an Active Directory Domain Services (AD DS) domain named Domain1.
You have a Microsoft Entra tenant.
Domain1 syncs with the tenant by using Microsoft Entra Connect.
You need to evaluate Microsoft Entra smart lockout by testing the following account lockout considerations:
- The number of failed sign-in attempts that trigger a lockout
- The duration of the lockout
What should you use to test each consideration? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Reasoning: To evaluate "The number of failed sign-in attempts that trigger a lockout" for a synchronized account, both AD DS and Microsoft Entra ID lockout policies must be considered. An attack on-premises could trigger AD DS lockout (which then syncs or prevents on-premises authentication), while cloud-based attempts trigger Microsoft Entra smart lockout. The effective trigger for the user depends on the attack vector and the interaction of both systems.
Reasoning: To evaluate "The duration of the lockout" for a synchronized account, both AD DS and Microsoft Entra ID lockout durations are relevant. AD DS has a configurable lockout duration, and Microsoft Entra smart lockout has a dynamic duration. The overall duration a user is locked out can be influenced by either system, depending on which lockout was triggered and how the states interact in the hybrid environment.
You have an Azure subscription that contains an Azure Kubernetes Service (AKS) cluster named AKS1. AKS1 hosts a Windows node pool named Pool1 and a Linux node pool named Pool2.
You are designing a pool update strategy for AKS1.
You need to recommend how often to replace the operating system images deployed to the nodes. The solution must meet the following requirements:
- Minimize how long it takes to apply operating system updates once the updates are released.
- Minimize administrative effort.
What should you recommend for each pool? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
✓ Monthly for Pool1
Reasoning: For Pool1, a Windows node pool, a monthly update cadence (AKS Stable channel) aligns well with Microsoft's typical Patch Tuesday releases. This ensures OS updates are applied promptly after release, minimizing update time, and using an automated channel minimizes administrative effort.
✓ Weekly for Pool2
Reasoning: For Pool2, a Linux node pool, a weekly update cadence (AKS NodeImage channel) is recommended. Linux distributions often have more frequent security updates, so weekly updates ensure new patches are applied very quickly, minimizing application time and reducing administrative overhead through automation.
You have an Azure subscription that contains several storage accounts. The storage accounts are accessed by legacy applications that are authenticated by using access keys.
You need to recommend a solution to prevent new applications from obtaining the access keys of the storage accounts. The solution must minimize the impact on the legacy applications.
What should you include in the recommendation?
You have an Azure subscription. The subscription contains 100 virtual machines that run Linux or Windows Server. The subscription uses Microsoft Defender for Servers Plan 1.
You need to recommend a solution to identify and remediate virtual machines that have the following characteristics:
- Are NOT onboarded to Defender for Servers
- Are missing critical updates
- Have risky apps installed
The solution must minimize administrative effort.
What should you include in the recommendation?
You have an Azure subscription that contains a resource group named RG1. RG1 contains multiple Azure Files shares.
You need to recommend a solution to deploy a backup solution for the shares. The solution must meet the following requirements:
- Prevent the deletion of backups and the vault used to store the backups.
- Prevent privilege escalation attacks against the backup solution.
- Prevent the modification of the backup retention period.
Which three actions should you recommend be performed in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Your company is migrating data to Azure. The data contains Personally Identifiable Information (PII).
The company plans to use Microsoft Information Protection for the PII data store in Azure.
You need to recommend a solution to discover PII data at risk in the Azure resources.
What should you include in the recommendation? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Your company has on-premises datacenters in Seattle, Chicago, and New York City.
You plan to migrate the on-premises workloads to the East US Azure region.
You need to design a governance solution for the management group hierarchy. The solution must be based on Microsoft Cloud Adoption Framework for Azure principles and must ensure that the hierarchy aligns with the Azure landing zone conceptual architecture.
What should you use to identify which archetype-aligned management groups to create beneath the landing zones management group?
You have an Azure subscription.
You plan to deploy multiple containerized microservice-based apps to Azure Kubernetes Service (AKS).
You need to recommend a solution that meets the following requirements:
- Manages secrets
- Provides encryption
- Secures service-to-service communication by using mTLS encryption
- Minimizes administrative effort
What should you include in the recommendation?
You have an Azure subscription that contains multiple Azure Data Lake Storage accounts.
You need to recommend a solution to encrypt the content of the accounts by using service-side encryption and customer-managed keys. The solution must ensure that individual encryption keys are applied at the most granular level.
At which level should you recommend the encryption be applied?
You have an Azure subscription. The subscription contains an Azure application gateway that uses Azure Web Application Firewall (WAF).
You deploy new Azure App Services web apps. Each app is registered automatically in the DNS domain of your company and accessible from the Internet.
You need to recommend a security solution that meets the following requirements:
- Detects vulnerability scans of the apps
- Detects whether newly deployed apps are vulnerable to attack
What should you recommend using? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
Your company plans to evaluate the security of its Azure environment based on the principles of the Microsoft Cloud Adoption Framework for Azure.
You need to recommend a cloud-based service to evaluate whether the Azure resources comply with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).
What should you recommend?
Your company is developing a modern application that will run as an Azure App Service web app.
You plan to perform threat modeling to identify potential security issues by using the Microsoft Threat Modeling Tool.
Which type of diagram should you create?
You have a Microsoft 365 E5 subscription that uses Microsoft Teams.
Your company has an investment department and a research department. Each department has a compliance team.
You are designing a Microsoft Purview Information Barriers (IBs) solution to restrict communication between the departments. The solution must meet the following requirements:
- The employees in each department must only be able to communicate with the employees in their respective department.
- The employees on the compliance team of each department must be able to communicate with the employees on the compliance team of the other department.
What is the minimum number of segments and IB policies required? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
You have a Microsoft 365 tenant.
You have an Azure subscription that contains Azure App Service web apps. The apps have the following characteristics:
- The apps use third-party and open-source components.
- The apps were developed by using C#, Python, and Java.
- The app deployment process is managed by using Azure DevOps.
- The source code for the apps is stored in GitHub Enterprise Cloud repositories and protected by using GitHub Advanced Security.
You need to reduce the risk of supply chain attacks during the application lifecycle.
What should you implement?
You have an Azure subscription that contains SQL Server on Azure virtual machines located in the West US Azure region. The virtual machines are only accessible by using private IP addresses.
You plan to deploy Windows-based Azure App Service web apps in the East US Azure region.
You need to recommend a solution to provide the web apps access to the SQL Server databases.
What should you include in the recommendation?
Your company plans to follow DevSecOps best practices of the Microsoft Cloud Adoption Framework for Azure.
You need to perform threat modeling by using a top-down approach based on the Microsoft Cloud Adoption Framework for Azure.
What should you use to start the threat modeling process?
You have a Microsoft 365 subscription that uses Microsoft Defender XDR and Microsoft Purview.
On a Microsoft SharePoint Online site, you have a file named File1 that has a sensitivity label applied.
You need to recommend a solution that will reevaluate Conditional Access policies when a user downloads File1 from the SharePoint site.
What should you include in the recommendation?
You have an Azure subscription.
You have a Microsoft 365 subscription.
You need to assess regulatory compliance of the subscriptions. The solution must meet the following requirements:
- Identify whether data stored in Azure and Microsoft 365 complies with General Data Protection Regulation (GDPR) regulations.
- Identify whether Azure resources comply with National Institute of Standards and Technology (NIST) standards.
- Provide recommendations on controls to improve compliance.
What should you use? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
You have a Microsoft 365 subscription and an Azure subscription. Microsoft 365 Defender and Microsoft Defender for Cloud are enabled.
The Azure subscription contains 50 virtual machines. Each virtual machine runs different applications on Windows Server 2019.
You need to recommend a solution to ensure that only authorized applications can run on the virtual machines. If an unauthorized application attempts to run or be installed, the application must be blocked automatically until an administrator authorizes the application.
Which security control should you recommend?
You have a Microsoft 365 subscription that contains 1,000 users and a group named Group1. All the users have Windows 11 devices. The users sign in to their devices by using their Microsoft Entra account. The users do NOT have administrative rights to their devices.
The members of Group1 remotely assist the users by taking control of user sessions. The remote control sessions run in the security context of the users they are assisting.
You need to recommend a solution that will enable the Group1 members to run apps that require administrative rights to the users' devices. The solution must ensure that the apps are run in the context of each signed-in standard user.
What should you include in the recommendation?
You have an Azure subscription that contains three Azure App Service web apps.
You need to secure the apps by using Azure Web Application Firewall (WAF) on Azure Front Door. The solution must meet the following requirements:
- Block attempts to access the apps from malicious bots.
- Rate limit incoming connections to the apps.
The solution must minimize administrative effort.
What should you configure for each requirement? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
You have an Azure subscription. The subscription contains 20 App Service web apps that provide services to external customers. Each web app has a unique certificate and key.
You need to recommend a solution to manage the keys and certificates of the web apps. The solution must meet the following requirements:
- Provide a single tenancy to store the keys and certificates.
- Maintain FIPS 140-2 Level 3 compliance.
- Follow the principle of least privilege.
- Minimize costs.
- Minimize administrative effort.
What should you include in the recommendation? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
You have a multicloud environment that contains Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP) subscriptions.
You need to discover and review role assignments across the subscriptions.
What should you use?
You have a Microsoft 365 subscription that is protected by using Microsoft 365 Defender.
You are designing a security operations strategy that will use Microsoft Sentinel to monitor events from Microsoft 365 and Microsoft 365 Defender.
You need to recommend a solution to meet the following requirements:
- Integrate Microsoft Sentinel with a third-party security vendor to access information about known malware.
- Automatically generate incidents when the IP address of a command-and-control server is detected in the events.
What should you configure in Microsoft Sentinel to meet each requirement? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
You need to recommend a solution to meet the compliance requirements.
What should you recommend? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Note: This section contains one or more sets of questions with the same scenario and problem. Each question presents a unique solution to the problem. You must determine whether the solution meets the stated goals. More than one solution in the set might solve the problem. It is also possible that none of the solutions in the set solve the problem.
After you answer a question in this section, you will NOT be able to return. As a result, these questions do not appear on the Review Screen.
You have a Microsoft 365 subscription that uses Microsoft Defender XDR. The subscription contains 500 devices that are enrolled in Microsoft Intune. The subscription contains 500 users that connect to external software as a service (SaaS) apps by using the devices.
You need to implement a solution that meets the following requirements:
- Allows user access to SaaS apps that Microsoft has identified as low risk
- Blocks user access to SaaS apps that Microsoft has identified as high risk
Solution: From the Microsoft Defender portal, you set Web content filtering to On and create a web content filtering policy.
Does this meet the goal?
You have a Microsoft 365 subscription that contains a Microsoft SharePoint Online site named Site1. Site1 stores documents that are based on a predefined form and include confidential employee information.
You monitor access to Site1 by using a Microsoft Defender for Cloud Apps session policy.
You need to ensure that step-up authentication is triggered when a user downloads documents that are based on the predefined form. The solution must minimize administrative effort.
Which Microsoft Data Classification Service inspection method should you use, and which Conditional Access option should you add to the session policy? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
You have two Azure subscriptions named Sub1 and Sub2 that contain the vaults shown in the following table.
You need to design a multi-user authorization (MUA) solution for security operations on the vaults. The solution must meet the following requirements:
• RSVault1 and RSVault2 must require MUA for disabling soft delete, removing MUA protection, and disabling immutability.
• BackupVault1 and BackupVault2 must require MUA for disabling soft delete and removing MUA protection.
What is the minimum number of Resource Guard resources required?
You have an Azure subscription that contains Azure App Service apps. The apps have the following characteristics:
• The apps are deployed by using continuous integration and continuous deployment (CI/CD) pipelines in Azure DevOps.
• The apps are deployed to a test environment first, and then to a production environment.
• The source code for the apps is stored in Azure Repos.
You plan to implement DevSecOps controls based on the Microsoft Cloud Adoption Framework for Azure.
You need to recommend testing controls to meet the following requirements:
• All the source code must be tested for security vulnerabilities in Azure Repos before deploying the apps.
• Once the apps are deployed to the test environment, they must be tested for security vulnerabilities.
Which testing method should you recommend for each stage? To answer, select the options in the answer area.
NOTE: Each correct answer is worth one point.
You have an Azure subscription that contains multiple apps. The apps are deployed by using continuous integration and continuous delivery (CI/CD) pipelines in Azure DevOps.
You need to integrate static application security testing (SAST) and security smoke testing into the pipelines based on Microsoft Cloud Adoption Framework for Azure principles.
At which stage of the CI/CD process should each type of test be integrated? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
You have an Azure subscription that contains a Microsoft Sentinel workspace named MSW1. MSW1 includes 50 scheduled analytics rules.
You need to design a security orchestration automated response (SOAR) solution by using Microsoft Sentinel playbooks. The solution must meet the following requirements:
• Ensure that expiration dates can be configured when a playbook runs.
• Minimize the administrative effort required to configure individual analytics rules.
What should you use to invoke the playbooks, and which type of Microsoft Sentinel trigger should you use? To answer, select the options in the answer area.
NOTE: Each correct selection is worth one point.
Your network contains an Active Directory Domain Services (AD DS) domain named Domain1.
You have a Microsoft Entra tenant.
Domain1 syncs with the tenant by using Microsoft Entra Connect.
You need to monitor Domain1 for privilege escalation attacks.
What should you use?
You have an Azure subscription and an Azure DevOps organization.
You need to recommend a solution for connecting Azure DevOps pipelines to the resources in the subscription by using Azure Resource Manager (ARM) service connections. The solution must align with Microsoft Cloud Adoption Framework for Azure best practices, including the principle of least privilege.
What should you include in the recommendation?
You have a Microsoft 365 E5 subscription and an Azure subscription.
You need to recommend a solution to enforce the Zero Trust principle of explicit verification for the subscriptions. The solution must be based on Zero Trust guidance in the Microsoft Cybersecurity Reference Architectures (MCRA).
What should you include in the recommendation?
You have a Microsoft Entra tenant that contains 10 Windows 11 devices and two groups named Group1 and Group2. The Windows 11 devices are joined to the Microsoft Entra tenant and are managed by using Microsoft Intune.
You are designing a privileged access strategy based on the rapid modernization plan (RaMP). The strategy will include the following configurations:
• Each user in Group1 will be assigned a Windows 11 device that will be configured as a privileged access device.
• The Security Administrator role will be mapped to the privileged access security level.
• The users in Group1 will be assigned the Security Administrator role.
• The users in Group2 will manage the privileged access devices.
You need to configure the local Administrators group for each privileged access device. The solution must follow the principle of least privilege.
What should you include in the solution?
You have an Azure DevOps organization that is used to manage the development and deployment of internal apps to multiple Azure subscriptions.
You need to implement a DevSecOps strategy based on Microsoft Cloud Adoption Framework for Azure principles. The solution must meet the following requirements:
• All pull requests must be enforced.
• All deployments to production must be approved.
What should you include in the solution for each requirement? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
You have a Microsoft Entra tenant that syncs with an Active Directory Domain Services (AD DS) domain.
You have an on-premises datacenter that contains 100 servers. The servers run Windows Server and are backed up by using Microsoft Azure Backup Server (MABS).
You are designing a recovery solution for ransomware attacks. The solution follows Microsoft Security Best Practices.
You need to ensure that a compromised local administrator account cannot be used to stop scheduled backups.
What should you do?
You have an Azure AD tenant that syncs with an Active Directory Domain Services (AD DS) domain. Client computers run Windows and are hybrid-joined to Azure AD.
You are designing a strategy to protect endpoints against ransomware. The strategy follows Microsoft Security Best Practices.
You plan to remove all the domain accounts from the Administrators groups on the Windows computers.
You need to recommend a solution that will provide users with administrative access to the Windows computers only when access is required. The solution must minimize the lateral movement of ransomware attacks if an administrator account on a computer is compromised.
What should you include in the recommendation?
You need to design a solution to accelerate a Zero Trust security implementation. The solution must be based on the Zero Trust Rapid Modernization Plan (RaMP).
Which three initiatives should you include in the solution, and in which order should you implement the initiatives? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
You have an Active Directory Domain Services (AD DS) domain that contains a virtual desktop infrastructure (VDI). The VDI uses non-persistent images and cloned virtual machine templates. VDI devices are members of the domain.
You have an Azure subscription that contains an Azure Virtual Desktop environment. The environment contains host pools that use a custom golden image. All the Azure Virtual Desktop deployments are members of a single Microsoft Entra Domain Services domain.
You need to recommend a solution to deploy Microsoft Defender for Endpoint to the hosts. The solution must meet the following requirements:
• Ensure that the hosts are onboarded to Defender for Endpoint during the first startup sequence.
• Ensure that the Microsoft Defender portal contains a single entry for each deployed VDI host.
• Minimize administrative effort.
What should you recommend? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
You have an Azure subscription that contains App Service apps in four Azure regions. Users connect to the apps from the internet.
You plan to block requests to the apps if the requests contain security threats specified in the Core Rule Set (CRS) of the Open Web Application Security Project (OWASP).
You need to design a solution to block the requests. The solution must meet the following requirements:
• Maintain access to the apps in the event of a region outage.
• Minimize the number of resources required.
What should you include in the design? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
You need to recommend a SIEM and SOAR strategy that meets the hybrid requirements, the Microsoft Sentinel requirements, and the regulatory compliance requirements.
What should you recommend? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
You have a Microsoft Entra tenant and an Azure subscription.
You are evaluating the use of a risk-based Conditional Access policy to control the access of workload identities to resources.
To which type of identity should you apply the policy, and which signal source can you use as part of the policy? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Your on-premises network contains an Active Directory Domain Services (AD DS) domain and a hybrid deployment between a Microsoft Exchange Server 2019 organization and an Exchange Online tenant. The AD DS domain contains a group named Group1. Group1 is a member of the Organization Management role group for the Exchange deployment.
You have a Microsoft 365 E5 subscription that uses Microsoft Defender.
You have an Azure subscription that uses Microsoft Sentinel.
You need to recommend a solution to ensure that Group1 is marked as a sensitive group and that any changes made to Group1 raise an alert in Microsoft Sentinel. The solution must minimize administrative effort.
What should you include in the recommendation?
You have a Microsoft 365 subscription.
You have an Azure subscription.
You need to implement a Microsoft Purview communication compliance solution for Microsoft Teams and Yammer. The solution must meet the following requirements:
• Assign compliance policies to Microsoft 365 groups based on custom Microsoft Exchange Online attributes.
• Minimize the number of compliance policies.
• Minimize administrative effort.
What should you include in the solution?
You have a Microsoft 365 tenant that contains two groups named Group1 and Group2.
You use Microsoft Defender XDR to manage the tenants of your company's customers.
You need to ensure that the users in Group1 can perform security tasks in the tenant of each customer. The solution must meet the following requirements:
• The Group1 users must only be assigned the Security Operator role for the customer tenants.
• The users in Group2 must be able to assign the Security Operator role to the Group1 users for the customer tenants.
• The use of guest accounts must be minimized.
• Administrative effort must be minimized.
What should you include in the solution?
You have a Microsoft 365 tenant that contains 5,000 users and 5,000 Windows 11 devices. All users are assigned Microsoft 365 E5 licenses and the Microsoft Defender Vulnerability Management add-on. The Windows 11 devices are managed by using Microsoft Intune and Microsoft Defender for Endpoint. The Windows 11 devices are configured during deployment to comply with Center for Internet Security (CIS) benchmarks for Windows 11.
You need to recommend a compliance solution for the Windows 11 devices. The solution must identify devices that were modified and no longer comply with the CIS benchmarks.
What should you include in the recommendation?
You have an Azure subscription that contains two virtual machines named VM1 and VM2 and an Azure App Service Standard app named App1. VM1 is used to upload data to App1. App1 stores data on VM2.
You need to secure connectivity between the virtual machines and App1. The solution must minimize the risk of data exfiltration.
What should you use to manage connectivity for App1? To answer, select the options in the answer area.
NOTE: Each correct answer is worth one point.
You plan to deploy a dynamically scaling, Linux-based Azure Virtual Machine Scale Set that will host jump servers. The jump servers will be used by support staff who connect from personal and kiosk devices via the internet. The subnet of the jump servers will be associated to a network security group (NSG).
You need to design an access solution for the Azure Virtual Machine Scale Set. The solution must meet the following requirements:
• Ensure that each time the support staff connects to a jump server, they must request access to the server.
• Ensure that only authorized support staff can initiate SSH connections to the jump servers.
• Maximize protection against brute-force attacks from internal networks and the internet.
• Ensure that users can only connect to the jump servers from the internet.
• Minimize administrative effort.
What should you include in the solution? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
You have an Azure subscription.
You plan to deploy Azure Kubernetes Service (AKS) clusters that will be used to host web services.
You need to recommend an ingress controller solution that will protect the hosted web services.
What should you include in the recommendation?
You open Microsoft Defender for Cloud as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Customer Reviews
Global Community Feedback
David M.
"The practice engine is incredible. It feels exactly like the real testing environment and helped me build so much confidence."
Sarah J.
"The PDF is very well organized and the explanations for the answers are actually helpful, not just random text."
Michael C.
"I was skeptical, but the content is high quality and definitely worth the price. I passed on my first try!"