SC-100 Cybersecurity Architect Exam Prep

Questions and Answers

What is a benefit of using the hash of a hash in Identity Protection?

It replaces the need for conditional access policies.

It helps identify compromised credentials when scanned on the dark web. (correct)

It ensures stricter password requirements.

It allows for the use of one-time passcodes.

What is the purpose of Azure AD B2B functionality?

To authenticate users from social media accounts.

To manage employee identities solely.

To provide inherent security measures for corporate accounts.

To collaborate with external partners using their own identity systems. (correct)

Which statement accurately describes the use of Azure AD B2C?

It allows customers to authenticate using their social accounts or local credentials. (correct)

It integrates solely with corporate accounts.

It does not support customization of user experience.

It is used exclusively for storing employee information.

What differentiates Azure AD from Azure AD B2C?

Azure AD is designed specifically for corporate identity management.

Which feature does Azure AD use to ensure users change compromised passwords?

Conditional Access Policies

How does Role-Based Access Control (RBAC) enhance security in Azure AD?

By assigning specific permissions based on user roles.

What is the primary purpose of Managed Identities in Azure?

To provide a secure way for Azure services to authenticate with one another.

Which of the following is NOT a characteristic of Azure AD's identity protection?

It mandates password complexity for all user accounts.

What is the main function of Microsoft Endpoint Manager?

To combine management of both internet-connected and network-connected devices.

How does zero trust security treat devices on the corporate network?

Devices are treated like they are on the internet regardless of their location.

What is the purpose of registering endpoints in Azure AD?

To ensure they are known entities within the Azure Active Directory environment.

What primary feature does Azure AD Premium P2 offer that sets it apart from other SKUs?

Identity protection and access reviews

Which of the following is a key aspect of Role-Based Access Control (RBAC) in Azure AD?

It enables assignment of permissions based on user roles.

Which two technologies have combined to form Microsoft Endpoint Manager?

Microsoft Intune and Configuration Manager.

What does Azure AD Privileged Identity Management (PIM) primarily ensure?

Temporary and time-bound access to resources.

What type of identities should external partners have according to the described identity framework?

Separate external identities.

What is the main goal of implementing Security Best Practices for Azure AD?

To prevent unauthorized access and protect sensitive data

Which devices are considered endpoints in the discussed context?

Any device that can connect to a network.

What does treating endpoints like they are on the internet imply?

They undergo thorough verification and security checks.

Managed identities in Azure AD are primarily used for what purpose?

To provide automatic management of credentials for Azure services

What is a key benefit of joining devices to Azure AD?

It allows for centralized management and policy application.

Which statement best describes the approach to compliance tracking for devices?

Recorded compliance helps in managing devices effectively.

What is the primary function of Defender for Identity?

To look for signs of compromise in Active Directory environments

Which service is primarily used to synchronize identities from Active Directory to Azure AD?

Azure AD Connect

What type of authentication does Azure AD facilitate to improve identity protection?

Conditional access and cloud-based authentication

What is a key feature of Azure AD Identity Protection?

Detecting leaked credentials

Why is it recommended to avoid federating from Azure AD to Active Directory via ADFS?

It introduces unnecessary complexity and risks.

How does Azure AD Connect Cloud Sync enhance security during password synchronization?

It sends the hash of the password hash after several iterations.

Which of the following is NOT a feature of Defender for Identity?

Providing secure cloud storage solutions

What does the term 'pass the hash' refer to in identity protection?

A technique used by attackers to impersonate users.

What role do agents play in the Defender for Identity system?

They collect data from domain controllers to look for attack signs.

What is the primary goal of the concept of least privilege in access control?

To ensure users have the smallest amount of access necessary to perform their tasks

Which component allows for just-in-time access elevation in Azure AD?

Privileged Identity Management (PIM)

What is a feature of Azure AD Privileged Identity Management?

It requires Multi-Factor Authentication (MFA) for role elevation

How does Privileged Access Management (PAM) differ from Privileged Identity Management (PIM)?

PIM uses layers of security, while PAM uses a bastion forest for role assignment

What is a characteristic of Role-Based Access Control (RBAC)?

It grants access based on the user's role within an organization

What does a managed identity provide in Azure?

Automatic identity management for Azure resources

What is the role of a bastion forest in Privileged Access Management (PAM)?

To duplicate groups and manage elevated privileges in a secure manner

What is a key principle for assigning permissions in Azure AD roles?

Using the smallest necessary permissions for specific tasks

What does the Just-in-Time feature in Azure AD PIM allow users to do?

Request elevated access only when needed for a limited time

Which of the following describes the RBAC system's approach to users and roles?

Users are assigned roles that define their access to resources

What is the primary principle of zero trust that requires continuous verification of identity?

Verify explicitly

Which principle of zero trust advocates for minimal access permissions according to user needs?

Least privilege

What is the recommended approach to identity validation in a zero trust environment?

Revalidate identities constantly

In a zero trust model, what does the assumption of a breach imply regarding security signals?

Signals should be analyzed to detect potential threats.

Which of the following technologies is emphasized for solving business requirements in a broad exam format?

Comprehensive identity verification systems

What approach should be taken for identity permissions in a zero trust framework?

Elevate roles only when necessary

What is a key strategy for identifying potential security breaches in a zero trust framework?

Gathering telemetry from various signals

What is the primary advantage of using Just-In-Time (JIT) access in Azure AD Privileged Identity Management?

It provides the ability to elevate privileges for a limited time.

Which of the following best describes the concept of least privilege in the context of Role-Based Access Control (RBAC)?

Providing only the essential permissions needed for users to perform their tasks.

In which environment is Privileged Access Management (PAM) primarily utilized?

On-premises Active Directory domain services.

What is a critical feature of Azure AD that directly enhances security for user access?

Privileged Identity Management for time-bound role elevation.

How does Azure AD's Role-Based Access Control (RBAC) differ from traditional access management systems?

RBAC integrates dynamic permissions based on real-time analysis.

What is the purpose of Azure Defender in managing security compliance standards?

To enhance security posture through additional compliance standards

Which statement is true regarding the Azure Security Benchmark in Defender for Cloud?

It provides a framework for establishing a secure score.

What is the primary function of Azure Policy in a cloud environment?

To enforce rules and compliance across resources

What must be enabled to utilize additional compliance standards in Defender for Cloud?

Enhanced protections in Azure Defender

Which of the following components is NOT included in an Azure Blueprint?

Network security groups

Which of the following capabilities does Defender for Cloud NOT provide?

Automatic correction of security deficiencies

What technology does Azure Policy use to enforce in-guest configurations for Windows systems?

PowerShell DSC

When evaluating security posture in Azure, which factor is prioritized?

Focus on elements with lower secure scores first

When linking a policy to a subscription, what is the minimum element required to set compliance parameters in Azure?

A standalone policy

What role does the Azure Security Benchmark play in the overall security posture?

It acts as a baseline for security recommendations.

What is a key benefit of using an Azure initiative?

To manage multiple policies as a single unit

How does Defender for Cloud improve integrations with other cloud services?

By also offering features for AWS and Google Cloud

What benefit do enhanced protections in Defender for Cloud provide?

Specific protections tailored to various Azure resources

In which contexts can Azure Policies be applied?

Both Azure and other cloud providers

What type of storage accounts might Azure Policy restrict users from creating?

Any storage account not in a defined scope

Which criteria must be met to view regulatory compliance after adding standards in Defender for Cloud?

The subscription must allow for the adding of compliance standards.

Which language is involved in managing guest configurations for Linux within Azure Policy?

Chef

What kind of services does Defender for Cloud offer to enhance security?

A mix of services including those for storage and servers

What does the Azure Security Benchmark provide for Azure Policies?

Predefined policies and recommendations

What can Azure Policy use to drive recommendations and secure scores?

Resource Manager

What is the primary purpose of Azure AD identity protection?

To provide intelligence about risk for logons and users.

Which authentication method is NOT available under Azure AD security defaults?

MFA via SMS.

Which license is required to access the full features of multi-factor authentication (MFA) in Azure AD?

P1 license.

Conditional access in Azure AD typically relies on which type of information?

User identity patterns and risk signals.

Which of the following authentication methods is available across all Azure AD SKUs?

Passwordless authentication.

Which feature allows Azure AD to block legacy authentication protocols?

Security defaults.

How does Azure AD handle elevated risk detected during a user login attempt?

It prompts the user for additional authentication steps.

What is a limitation of the multi-factor authentication options available under the free version of Azure AD?

It does not allow SMS verification.

Which feature is introduced with Azure AD Premium P1 that relates to access management?

Identity protection feeding into conditional access.

What is the main purpose of Microsoft Endpoint Manager in device management?

To apply configuration and assess compliance of devices

What can be a basis for creating compliance policies?

The type of platform the device operates on

Which component of Microsoft Endpoint Manager allows for detailed tracking of security incidents?

Defender for Endpoint

What type of profiles can be created within Microsoft Endpoint Manager?

Compliance profiles and configuration profiles

Which of the following statements best describes the functionality of Defender for Endpoint?

It detects and responds to both security breaches and policy violations.

How does compliance information affect access control management?

It aids in making decisions for conditional access.

What is the primary function of Just-in-Time (JIT) access in Azure?

To modify the network security group temporarily for specific IP addresses.

What is the primary function of Defender for Identity in an Active Directory environment?

To monitor and detect signs of compromise within Active Directory

What feature allows organizations to transition from Configuration Manager to a cloud-based solution?

Co-management of functionalities

Which method does Azure AD Connect primarily utilize to synchronize identities from Active Directory to Azure AD?

Synchronization of password hashes

Which Azure service allows management of resources across different clouds and on-premises environments?

Azure Arc

What is one of the initial steps in the management of devices according to the discussed approach?

Establishing compliance policies

Which aspect of Defender for Endpoint helps in understanding the events leading to a security issue?

Visibility into breach paths

What does the process of password hash synchronization entail in Azure AD?

Generating a hash of the password hash with multiple iterations for security

How does Azure Resource Manager (ARM) interact with Azure policies during operations?

It checks compliance with Azure policies before executing operations.

Why is it generally not recommended to federate from Azure AD to Active Directory via ADFS?

Security implications of direct federation

What is a key capability of Defender for Server related to Just-in-Time access?

To offer enhanced protection for certain workloads through JIT.

Which capabilities are associated with compliance policies within device management?

Assessing device security and configuration adherence

What is a benefit of integrating Azure Bastion in network management?

It enhances user access management through conditional access policies.

What is the role of agents deployed by Defender for Identity?

To monitor domain controllers for attack indicators

What is the recommended strategy for handling leaked credentials in Azure AD?

Utilize Azure AD Identity Protection to detect and mitigate risks

What potential compromise indicators does Defender for Identity look for?

Pass the hash and golden ticket attacks

What is the primary reason for registering devices in Azure AD?

To transform devices into known entities in the Azure environment

How does zero trust security approach devices on a corporate network?

It treats all devices like they are on the internet regardless of location

Which two technologies were integrated to create Microsoft Endpoint Manager?

Microsoft Intune and Configuration Manager

What type of external identity is suggested for partners?

Providing them an individual Azure AD instance

What is the significance of the device types mentioned in the context of endpoints?

A diverse range of devices can pose various security challenges

What is a primary function of Microsoft Endpoint Manager?

To blend device management for cloud and on-premises systems

What does registering devices in Azure AD allow organizations to do?

Manage, apply policies, and track compliance effectively

What encapsulates the principle of zero trust security?

Verifying all access requests regardless of the network location

Which types of endpoints are emphasized in the context discussed?

Computers, mobile devices, IoT, and printers among others

What is the primary reason for obtaining a managed identity for Azure resources?

To allow multiple resources to share the same set of permissions.

How does Azure help in securing connection protocols like RDP and SSH to virtual machines?

By using Azure Bastion as a managed jump box.

What is a characteristic of a system-assigned managed identity in Azure?

It is linked exclusively to one specific resource.

What is typically necessary for an application running inside a VM or container to authenticate with Azure AD?

A stored certificate or secret.

In which scenario would a user-assigned managed identity be most beneficial?

When multiple resources need the same permissions across different roles.

What role does Role-Based Access Control (RBAC) play in the management of managed identities?

It determines what roles and permissions are assigned to the managed identities.

What is the main advantage of using managed identities for applications deployed in Azure?

They provide automatic credential management.

Which of the following best describes the purpose of a managed jump box like Azure Bastion?

To provide secure access to virtual machines without direct exposure.

What potential risk is mitigated by avoiding direct exposure of RDP and SSH to the internet?

Vulnerability to unauthorized access and attacks.

What is a key component of using a managed identity to authenticate to Azure resources?

Leveraging RBAC for permission assignments.

Study Notes

SC-100 Cybersecurity Architect Expert Certification Study Cram

• The SC100 exam, a new cyber security architect expert certification exam, is currently in beta.
• To obtain the certification, you need to have passed either SC200, SC300, AZ500, or MS500, plus SC100.
• The SC100 exam covers Azure and Microsoft 365 security solutions.
• The exam is two hours long and contains approximately 45-46 questions.
• The exam assesses broad understanding of security solutions without requiring in-depth knowledge.
• The exam's skills outline should be reviewed thoroughly.
• The business requirements tab should be reviewed for question context.
• The exam is relatively brief and focused on understanding various solutions.
• The exam includes case studies.

Key Concepts

• Zero Trust: A core concept emphasized in the exam, focusing on explicit verification of identities and devices.
• Least Privilege: Granting only the necessary permissions for an action, enhancing security.
• Identity Protection: Understanding threats and risks to user accounts, along with solutions such as multi-factor authentication and device validation.
• Conditional Access: Utilizing policies to control access based on risk levels and factors, including location, devices, and user context.
• Security Signals: Monitoring for indicators of malicious activity (e.g., ransomware, unauthorized access) to better understand and respond to potential threats.
• Network Security Groups (NSGs): Utilizing these to control network traffic within a virtual network environment, including which resources can communicate and the protocols permitted.
• Microsoft Purview: A service to discover relevant data across your organization to support compliance and governance.
• Azure Policy: A management service to define and enforce compliance.
• Azure Sentinel: A security information and event management (SIEM) tool for identifying vulnerabilities and incidents.
• Azure Arc: Extending the Azure control plane to manage resources outside Azure.

Exam Structure

• The exam focuses on broad concepts and requires familiarity with various Microsoft security solutions.
• The exam assesses knowledge of security solutions on an overall level rather than highly specialized functionality.
• The focus is on understanding how various solutions fit into the broader picture.

Description

Prepare for the SC-100 certification exam focused on Azure and Microsoft 365 security solutions. This quiz will cover essential concepts such as Zero Trust and Least Privilege, helping you understand the exam's format and key topics. Ensure you're ready for the brief yet comprehensive assessment.