Questions List (question number: page)
#1: 8, #2: 10, #3: 12, #4: 14, #5: 16, #6: 18, #7: 19, #8: 21, #9: 23, #10: 25
#11: 28, #12: 29, #13: 32, #14: 34, #15: 36, #16: 38, #17: 41, #18: 42, #19: 45, #20: 48
#21: 51, #22: 52, #23: 54, #24: 57, #25: 60, #26: 61, #27: 63, #28: 65, #29: 67, #30: 69
#31: 71, #32: 73, #33: 76, #34: 79, #35: 81, #36: 83, #37: 85, #38: 87, #39: 89, #40: 91
#41: 93, #42: 95, #43: 97, #44: 98, #45: 100, #46: 102, #47: 104, #48: 107, #49: 109, #50: 111
#51: 113, #52: 115, #53: 117, #54: 119, #55: 120, #56: 122, #57: 124, #58: 126, #59: 130, #60: 132
#61: 134, #62: 135, #63: 137, #64: 138, #65: 140, #66: 141, #67: 142, #68: 143, #69: 145, #70: 147
#71: 149, #72: 150, #73: 151, #74: 152, #75: 153, #76: 155, #77: 157, #78: 159, #79: 161, #80: 162
#81: 165, #82: 167, #83: 168, #84: 170, #85: 172, #86: 175, #87: 179, #88: 180, #89: 182, #90: 183
#91: 184, #92: 185, #93: 186, #94: 189, #95: 191, #96: 193, #97: 195, #98: 198, #99: 200, #100: 203
#101: 205, #102: 207, #103: 209, #104: 212, #105: 214, #106: 217, #107: 219, #108: 222, #109: 224, #110: 225
#111: 227, #112: 229, #113: 232, #114: 234, #115: 236, #116: 238, #117: 240, #118: 242, #119: 244, #120: 247
#121: 249, #122: 251, #123: 252, #124: 254, #125: 256, #126: 258, #127: 260, #128: 267, #129: 274, #130: 281
#131: 287, #132: 294, #133: 300, #134: 308, #135: 314, #136: 320, #137: 327, #138: 334, #139: 341, #140: 348
#141: 354, #142: 361, #143: 368, #144: 374, #145: 380, #146: 386, #147: 393, #148: 395, #149: 397, #150: 398
#151: 400, #152: 402, #153: 403, #154: 405, #155: 406, #156: 408, #157: 410, #158: 411, #159: 413, #160: 414
#161: 416, #162: 417, #163: 418, #164: 420, #165: 421, #166: 423, #167: 425, #168: 427, #169: 429, #170: 430
#171: 432, #172: 434, #173: 436, #174: 439, #175: 441, #176: 443, #177: 446, #178: 447, #179: 449, #180: 450
#181: 452, #182: 454, #183: 455, #184: 457, #185: 459
Page 2 of 460

Microsoft - SC-100 Practice Questions - SecExams.com
SecExams - Focus Only on What's Needed to Pass! - [secexams.com]

Question #1
Your company has a Microsoft 365 E5 subscription. The Chief Compliance Officer plans to enhance privacy management in the working environment. You need to recommend a solution to enhance privacy management. The solution must meet the following requirements:
✑ Identify unused personal data and empower users to make smart data handling decisions.
✑ Provide users with notifications and guidance when a user sends personal data in Microsoft Teams.
✑ Provide users with recommendations to mitigate privacy risks.
What should you include in the recommendation?
A) communication compliance in insider risk management
B) Microsoft Viva Insights
C) Privacy Risk Management in Microsoft Priva (Correct Answer)
D) Advanced eDiscovery

Explanation
Correct Answer: C
Privacy Risk Management in Microsoft Priva lets you set up policies that identify privacy risks in your Microsoft 365 environment and enable easy remediation. Privacy Risk Management policies are meant to be internal guides and can help you:
- Detect overexposed personal data so that users can secure it.
- Spot and limit transfers of personal data across departments or regional borders.
- Help users identify and reduce the amount of unused personal data that you store.
Incorrect:
Not A: Communication compliance detects policy violations in messages (for example harassment or sensitive-information sharing) for investigators; it does not inventory unused personal data or coach the sender with privacy guidance.
Not B: Microsoft Viva Insights provides personalized recommendations to help you do your best work. Get insights to build better work habits, such as following through on commitments made to collaborators and protecting focus time in the day for uninterrupted, individual work.
Not D: The Microsoft Purview eDiscovery (Premium) solution builds on the existing Microsoft eDiscovery and analytics capabilities. eDiscovery (Premium) provides an end-to-end workflow to preserve, collect, analyze, review, and export content that's responsive to your organization's internal and external investigations.
Reference: https://docs.microsoft.com/en-us/privacy/priva/risk-management

Community Discussion
I still can't believe that I have never seen such a thing while going through the official SC-100 study material provided by Microsoft. I do have AZ-500 and AZ-104, so I know there is a lot of missing content in MS Learn, but this is the newest cert. Come on, Microsoft. And they want us to pass without using the dump.
Selected Answer: C. Privacy Risk Management in Microsoft Priva gives you the capability to set up policies that identify privacy risks in your Microsoft 365 environment and enable easy remediation. Privacy Risk Management policies are meant to be internal guides and can help you: detect overexposed personal data so that users can secure it; spot and limit transfers of personal data across departments or regional borders; help users identify and reduce the amount of unused personal data that you store. https://learn.microsoft.com/en-us/privacy/priva/risk-management
Was in the exam today.
Selected Answer: C. C is the answer. https://learn.microsoft.com/en-us/privacy/priva/risk-management Privacy Risk Management in Microsoft Priva gives you the capability to set up policies that identify privacy risks in your Microsoft 365 environment and enable easy remediation. Privacy Risk Management policies are meant to be internal guides and can help you: - Detect overexposed personal data so that users can secure it. - Spot and limit transfers of personal data across departments or regional borders. - Help users identify and reduce the amount of unused personal data that you store.

Question #2
You have an Azure subscription that has Microsoft Defender for Cloud enabled. Suspicious authentication activity alerts have been appearing in the Workload protections dashboard. You need to recommend a solution to evaluate and remediate the alerts by using workflow automation. The solution must minimize development effort. What should you include in the recommendation?
A) Azure Monitor webhooks
B) Azure Event Hubs
C) Azure Functions apps
D) Azure Logic Apps (Correct Answer)

Explanation
Correct Answer: D
The workflow automation feature of Microsoft Defender for Cloud can trigger Logic Apps on security alerts, recommendations, and changes to regulatory compliance.
Note: Azure Logic Apps is a cloud-based platform for creating and running automated workflows that integrate your apps, data, services, and systems. With this platform, you can quickly develop highly scalable integration solutions for your enterprise and business-to-business (B2B) scenarios.
Incorrect:
Not C: An Azure Functions app needs custom code to be written, tested and maintained, so it requires more development effort than a Logic App built from the Defender for Cloud trigger and ready-made connectors.
Reference: https://docs.microsoft.com/en-us/azure/defender-for-cloud/workflow-automation

Community Discussion
Selected Answer: D. D is the answer. https://learn.microsoft.com/en-us/azure/defender-for-cloud/workflow-automation Every security program includes multiple workflows for incident response. These processes might include notifying relevant stakeholders, launching a change management process, and applying specific remediation steps. Security experts recommend that you automate as many steps of those procedures as you can. Automation reduces overhead. It can also improve your security by ensuring the process steps are done quickly, consistently, and according to your predefined requirements. This feature can trigger consumption logic apps on security alerts, recommendations, and changes to regulatory compliance. For example, you might want Defender for Cloud to email a specific user when an alert occurs. You'll also learn how to create logic apps using Azure Logic Apps.
Selected Answer: D. Correct, D - Logic Apps.
Correct. A Logic App is required for workflow automation creation.
Selected Answer: D. Yes. Logic Apps.
Question #3
Your company is moving a big data solution to Azure. The company plans to use the following storage workloads:
✑ Azure Storage blob containers
✑ Azure Data Lake Storage Gen2
✑ Azure Storage file shares
✑ Azure Disk Storage
Which two storage workloads support authentication by using Azure Active Directory (Azure AD)? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A) Azure Storage file shares
B) Azure Disk Storage
C) Azure Storage blob containers (Correct Answer)
D) Azure Data Lake Storage Gen2 (Correct Answer)

Explanation
Correct Answer: CD
C: Azure Storage supports using Azure Active Directory (Azure AD) to authorize requests to blob data. With Azure AD, you can use Azure role-based access control (Azure RBAC) to grant permissions to a security principal, which may be a user, group, or application service principal. The security principal is authenticated by Azure AD to return an OAuth 2.0 token. The token can then be used to authorize a request against the Blob service. You can scope access to Azure blob resources at the following levels, beginning with the narrowest scope:
- An individual container. At this scope, a role assignment applies to all of the blobs in the container, as well as container properties and metadata.
- The storage account.
- The resource group.
- The subscription.
- A management group.
A role assigned at a wider scope is inherited by everything beneath it, so assign the blob data roles at the narrowest scope that satisfies the workload.
D: You can securely access data in an Azure Data Lake Storage Gen2 (ADLS Gen2) account using OAuth 2.0 with an Azure Active Directory (Azure AD) application service principal for authentication. Using a service principal for authentication provides two options for accessing data in your storage account: a mount point to a specific file or path, or direct access to data.
Incorrect:
Not A: Identity-based authentication for Azure file shares over SMB is Kerberos-based and requires a directory service: on-premises AD DS, Azure AD DS, or Azure AD Kerberos for hybrid identities. To enable AD DS authentication over SMB for Azure file shares, you need to register your storage account with AD DS (create an account representing it in your AD DS) and then set the required domain properties on the storage account. A file share does not accept an Azure AD OAuth 2.0 token on the data plane the way blob containers and ADLS Gen2 do.
Not B: Azure Disk Storage is attached to a virtual machine as block storage and read by the guest OS. Azure RBAC governs management operations on the disk resource; there is no per-request Azure AD authentication of the disk's data.
Reference: https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory https://docs.microsoft.com/en-us/azure/databricks/data/data-sources/azure/adls-gen2/azure-datalake-gen2-sp-access

Community Discussion
The two storage workloads that support authentication by using Azure Active Directory (Azure AD) are: A. Azure Storage file shares; D. Azure Data Lake Storage Gen2. Explanation: Azure Storage file shares and Azure Data Lake Storage Gen2 both support authentication using Azure AD. Azure Disk Storage and Azure Storage blob containers do not currently support Azure AD authentication.
Selected Answer: CD. Azure Files supports identity-based authentication for Windows file shares over SMB using three methods: on-premises AD DS authentication, Azure AD DS authentication, and Azure AD Kerberos for hybrid identities. Which means the answer C & D is correct.
Azure AD DS =/= Azure AD. It's impossible to sync a computer account directly to an Azure AD identity (without the placement of an AD DS or Azure AD DS to recognize the machine). Therefore, Azure Storage file shares cannot be authenticated strictly through Azure AD.
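Added example (editor's code, not from the SecExams page or from Microsoft): a small Python model of how the role-assignment scopes listed in the Question #3 explanation combine for blob data access. It resolves which assignments reach a given container, walking the hierarchy the explanation gives (container, storage account, resource group, subscription, management group) and applies the DataActions each role carries. Resource IDs, principals, role assignments, the management-group membership and the role-to-DataAction table are all constructed for illustration.

```python
"""Effective Azure RBAC blob data permissions across the scope hierarchy.

Added example, not code from the SecExams page or from Microsoft. It models
the scope levels listed in the Question #3 explanation and shows which role
assignments reach a given container. Resource IDs, principals and the
role-to-DataAction table are constructed for illustration.
"""
from dataclasses import dataclass

# Blob DataActions carried by each role (constructed subset). Owner and
# Contributor are management-plane roles: they carry no blob DataActions,
# so an Azure AD token for an Owner does not read blob content by itself.
ROLE_DATA_ACTIONS = {
    "Storage Blob Data Reader": {"blobs/read"},
    "Storage Blob Data Contributor": {"blobs/read", "blobs/write", "blobs/delete"},
    "Owner": set(),
    "Contributor": set(),
}

MG = "/providers/Microsoft.Management/managementGroups/mg-prod"   # constructed
SUB = "/subscriptions/11111111-2222-3333-4444-555555555555"       # constructed
RG = SUB + "/resourceGroups/rg-bigdata"
ACCOUNT = RG + "/providers/Microsoft.Storage/storageAccounts/stbigdata"
RAW = ACCOUNT + "/blobServices/default/containers/raw"
CURATED = ACCOUNT + "/blobServices/default/containers/curated"

# Which management group each subscription belongs to (constructed).
SUBSCRIPTION_MG = {SUB.lower(): MG.lower()}


@dataclass(frozen=True)
class Assignment:
    principal: str
    role: str
    scope: str


def scope_applies(assignment_scope: str, target_scope: str) -> bool:
    """True if a role assigned at assignment_scope is inherited by target_scope.

    Azure resource IDs are case-insensitive, and an assignment applies to the
    scope itself and everything beneath it. Management-group scopes do not
    appear in a resource ID, so they are resolved through the subscription's
    management-group membership.
    """
    a, t = assignment_scope.lower(), target_scope.lower()
    if a.startswith("/providers/microsoft.management/managementgroups/"):
        subscription = "/".join(t.split("/")[:3])   # "/subscriptions/<id>"
        return SUBSCRIPTION_MG.get(subscription) == a
    return t == a or t.startswith(a + "/")


def effective_data_actions(principal: str, assignments: list, target_scope: str) -> set:
    """Union of blob DataActions granted by every assignment that reaches target_scope."""
    actions = set()
    for asg in assignments:
        if asg.principal == principal and scope_applies(asg.scope, target_scope):
            actions |= ROLE_DATA_ACTIONS.get(asg.role, set())
    return actions


def can_read_blobs(principal: str, assignments: list, container_scope: str) -> bool:
    return "blobs/read" in effective_data_actions(principal, assignments, container_scope)


# Constructed assignments, one per scope level named in the explanation.
ASSIGNMENTS = [
    Assignment("analyst@contoso.com", "Storage Blob Data Reader", RAW),        # narrowest: one container
    Assignment("etl-pipeline-sp", "Storage Blob Data Contributor", ACCOUNT),   # whole storage account
    Assignment("ops@contoso.com", "Contributor", SUB),                         # management plane only
    Assignment("auditor@contoso.com", "Storage Blob Data Reader", MG),          # inherited from the management group
]

if __name__ == "__main__":
    for principal, scope in [("analyst@contoso.com", RAW), ("analyst@contoso.com", CURATED),
                             ("etl-pipeline-sp", CURATED), ("ops@contoso.com", RAW),
                             ("auditor@contoso.com", RAW)]:
        container = scope.rsplit("/", 1)[-1]
        print(f"{principal:22} {container:8} {sorted(effective_data_actions(principal, ASSIGNMENTS, scope))}")
```

The case worth checking in a real tenant is ops@contoso.com: a Contributor at subscription scope inherits down to every container but carries no blob DataActions, so a blob read with an Azure AD token fails, even though the same principal could still list the account keys. `az role assignment list --scope <container-resource-id> --include-inherited` lists the inherited assignments this model resolves.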
Found out why - https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview
Agree with answer C & D.

Question #4
HOTSPOT
Your company is migrating data to Azure. The data contains Personally Identifiable Information (PII). The company plans to use Microsoft Information Protection for the PII data store in Azure. You need to recommend a solution to discover PII data at risk in the Azure resources. What should you include in the recommendation? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area: (answer-area image not reproduced)

Explanation
Correct Answer:
Box 1: Azure Purview (now Microsoft Purview)
Microsoft Purview is a unified data governance service that helps you manage and govern your on-premises, multi-cloud, and software-as-a-service (SaaS) data. Microsoft Purview allows you to: create a holistic, up-to-date map of your data landscape with automated data discovery, sensitive data classification, and end-to-end data lineage; enable data curators to manage and secure your data estate; empower data consumers to find valuable, trustworthy data.
Box 2: Microsoft Defender for Cloud
Microsoft Purview provides rich insights into the sensitivity of your data. This makes it valuable to security teams using Microsoft Defender for Cloud to manage the organization's security posture and protect against threats to their workloads. Data resources remain a popular target for malicious actors, making it crucial for security teams to identify, prioritize, and secure sensitive data resources across their cloud environments. The integration with Microsoft Purview expands visibility into the data layer, enabling security teams to prioritize resources that contain sensitive data.
References: https://docs.microsoft.com/en-us/azure/purview/overview https://docs.microsoft.com/en-us/azure/purview/how-to-integrate-with-azure-security-products

Community Discussion
Purview and Defender for Cloud.
The answer is correct, but it's the first time I've heard of Azure Purview; I thought it should be Microsoft Purview.
Azure Purview was changed to Microsoft Purview (the answer is correct).
As per my knowledge, it should be Purview, and for alerting it should be Azure Monitor, because Purview is integrated with Azure Monitor for alerting.
Correct: Azure Purview, Defender for Cloud. Note the new name change as of April 2022: Microsoft Purview—a comprehensive set of solutions from Microsoft to help you govern, protect, and manage your entire data estate. By bringing together the former Azure Purview and the former Microsoft 365 Compliance portfolio under one brand and, over time, a more unified platform, Microsoft Purview can help you understand and govern the data across your estate, safeguard that data wherever it lives, and improve your risk and compliance posture in a much simpler way than traditional solutions on the market today.

Question #5
You have a Microsoft 365 E5 subscription and an Azure subscription. You are designing a Microsoft Sentinel deployment. You need to recommend a solution for the security operations team. The solution must include custom views and a dashboard for analyzing security events. What should you recommend using in Microsoft Sentinel?
A) notebooks
B) playbooks
C) workbooks (Correct Answer)
D) threat intelligence

Explanation
Correct Answer: C
After you connect your data sources to Microsoft Sentinel, you get instant visualization and analysis of data so that you can know what's happening across all your connected data sources. Microsoft Sentinel gives you workbooks that provide you with the full power of tools already available in Azure, as well as tables and charts that are built in to provide you with analytics for your logs and queries. You can either use built-in workbooks or create a new workbook easily, from scratch or based on an existing workbook.
Reference: https://docs.microsoft.com/en-us/azure/sentinel/get-visibility

Community Discussion
Selected Answer: C. C is the answer. https://learn.microsoft.com/en-us/azure/sentinel/monitor-your-data Once you have connected your data sources to Microsoft Sentinel, you can visualize and monitor the data using the Microsoft Sentinel adoption of Azure Monitor Workbooks, which provides versatility in creating custom dashboards. While the Workbooks are displayed differently in Microsoft Sentinel, it may be useful for you to see how to create interactive reports with Azure Monitor Workbooks. Microsoft Sentinel allows you to create custom workbooks across your data, and also comes with built-in workbook templates to allow you to quickly gain insights across your data as soon as you connect a data source.
Selected Answer: C. Workbooks. https://docs.microsoft.com/en-us/azure/azure-monitor/visualize/workbooks-overview
Workbook is correct (as it has a dashboard too).
Selected Answer: C. Correct. Workbooks provide a flexible canvas for data analysis and the creation of rich visual reports within the Azure portal.
Workbook is the correct answer.

Question #6
Your company has a Microsoft 365 subscription and uses Microsoft Defender for Identity. You are informed about incidents that relate to compromised identities. You need to recommend a solution to expose several accounts for attackers to exploit. When the attackers attempt to exploit the accounts, an alert must be triggered.
Which Defender for Identity feature should you include in the recommendation?
A) sensitivity labels
B) custom user tags
C) standalone sensors
D) honeytoken entity tags (Correct Answer)

Explanation
Correct Answer: D
Honeytoken entities are used as traps for malicious actors. Any authentication associated with these honeytoken entities triggers an alert. A honeytoken account should look attractive but have no legitimate use, so that every sign-in with it is by definition suspicious.
Incorrect:
Not B: custom user tags - after you apply system tags or custom tags to users, you can use those tags as filters in alerts, reports, and investigation; tagging alone does not generate an alert.
Reference: https://docs.microsoft.com/en-us/microsoft-365/security/defender-identity/entity-tags

Community Discussion
Selected Answer: D. https://docs.microsoft.com/en-us/advanced-threat-analytics/suspicious-activity-guide#honeytoken-activity
The answer is correct, as the Sensitive tag is used to identify high-value assets (users / devices / groups). Honeytoken entities are used as traps for malicious actors. Any authentication associated with these honeytoken entities triggers an alert, and Defender for Identity considers Exchange servers as high-value assets and automatically tags them as Sensitive.
Was on exam 15/06/23; honeytoken is key.
Selected answer: D. In exam Nov 23.

Question #7
Your company is moving all on-premises workloads to Azure and Microsoft 365. You need to design a security orchestration, automation, and response (SOAR) strategy in Microsoft Sentinel that meets the following requirements:
✑ Minimizes manual intervention by security operation analysts
✑ Supports triaging alerts within Microsoft Teams channels
What should you include in the strategy?
A) KQL
B) playbooks (Correct Answer)
C) data connectors
D) workbooks

Explanation
Correct Answer: B
Playbooks in Microsoft Sentinel are based on workflows built in Azure Logic Apps, a cloud service that helps you schedule, automate, and orchestrate tasks and workflows across systems throughout the enterprise.
A playbook is a collection of these remediation actions that can be run from Microsoft Sentinel as a routine. A playbook can help automate and orchestrate your threat response; it can be run manually or set to run automatically in response to specific alerts or incidents, when triggered by an analytics rule or an automation rule, respectively. The Microsoft Teams connector in Logic Apps is what lets a playbook post an alert into a channel and act on the analyst's response, which covers the second requirement.
Incorrect:
Not A: Kusto Query Language (KQL) is a powerful tool to explore your data and discover patterns, identify anomalies and outliers, create statistical modeling, and more. The query uses schema entities that are organized in a hierarchy similar to SQL's: databases, tables, and columns. It queries data; it does not orchestrate a response.
Not D: Workbooks provide a flexible canvas for data analysis and the creation of rich visual reports within the Azure portal. They allow you to tap into multiple data sources from across Azure, and combine them into unified interactive experiences. Workbooks allow users to visualize the active alerts related to their resources.
Reference: https://docs.microsoft.com/en-us/azure/sentinel/automate-responses-with-playbooks https://docs.microsoft.com/en-us/azure/azure-monitor/visualize/workbooks-overview

Community Discussion
Sentinel SOAR = playbook (Logic App), so the answer is correct.
Selected Answer: B. https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook?tabs=LAC
Selected answer: B. In exam Nov 23.
Selected Answer: B. Answer is B, playbooks.

Question #8
You have an Azure subscription that contains virtual machines, storage accounts, and Azure SQL databases. All resources are backed up multiple times a day by using Azure Backup. You are developing a strategy to protect against ransomware attacks. You need to recommend which controls must be enabled to ensure that Azure Backup can be used to restore the resources in the event of a successful ransomware attack.
Which two controls should you include in the recommendation? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A) Enable soft delete for backups.
B) Require PINs for critical operations. (Correct Answer)
C) Encrypt backups by using customer-managed keys (CMKs).
D) Perform offline backups to Azure Data Box.
E) Use Azure Monitor notifications when backup configurations change. (Correct Answer)

Explanation
Correct Answer: BE (as published; see the note below)
B: Checks have been added to make sure only valid users can perform various operations. These include adding an extra layer of authentication. As part of adding an extra layer of authentication for critical operations, you're prompted to enter a security PIN before modifying online backups. Your backups need to be protected from sophisticated bot and malware attacks. Permanent loss of data can have significant cost and time implications to your business. To help protect against this, Azure Backup guards against malicious attacks through deeper security, faster notifications, and extended recoverability. For deeper security, only users with valid Azure credentials will receive a security PIN generated by the Azure portal to allow them to back up data. If a critical backup operation is authorized, such as "delete backup data", a notification is immediately sent so you can engage and minimize the impact to your business. If a hacker does delete backup data, Azure Backup will store the deleted backup data for up to 14 days after deletion.
E: Key benefits of Azure Monitor alerts include monitoring alerts at scale via Backup center: in addition to enabling you to manage the alerts from the Azure Monitor dashboard, Azure Backup also provides an alert management experience tailored to backups via Backup center. This allows you to filter alerts by backup-specific properties, such as workload type, vault location, and so on, and gives a way to get quick visibility into the active backup security alerts that need attention.
Note: The 14-day retention of deleted backup data described under B is the soft delete feature, option A. Soft delete (A) and the security PIN (B) are the two controls that directly preserve the ability to restore: the PIN blocks an unauthorized delete, and soft delete keeps the data recoverable if a delete goes through anyway. Azure Monitor alerts (E) detect a change after the fact, and customer-managed keys (C) protect confidentiality rather than availability; neither on its own makes a deleted backup restorable. The community below selects A and B.
Reference: https://docs.microsoft.com/en-us/azure/security/fundamentals/backup-plan-to-protect-against-ransomware https://www.microsoft.com/security/blog/2017/01/05/azure-backup-protects-against-ransomware/ https://docs.microsoft.com/en-us/azure/backup/move-to-azure-monitor-alerts

Community Discussion
Selected Answer: AB. https://docs.microsoft.com/en-us/azure/security/fundamentals/backup-plan-to-protect-against-ransomware
Selected Answer: AB. The keywords are CONTROLS and ENSURE, so A & B are both the answer. https://docs.microsoft.com/en-us/azure/security/fundamentals/backup-plan-to-protect-against-ransomware
Selected answer: A, B. In exam Nov 23.
Options B (Require PINs for critical operations), D (Perform offline backups to Azure Data Box), and E (Use Azure Monitor notifications when backup configurations change) are not directly related to ensuring the availability and restore capabilities of Azure Backup in the event of a ransomware attack. Therefore, the recommended controls to include in the strategy for protecting against ransomware attacks and ensuring the usability of Azure Backup for resource restoration are: A. Enable soft delete for backups; C. Encrypt backups by using customer-managed keys (CMKs).
A, C, and E are best practices for ransomware attacks: https://learn.microsoft.com/en-us/azure/backup/protect-backups-from-ransomware-faq
The right answer is A, soft delete, and C, enabling CMK, to be able to restore after a successful attack. If the attack deletes the data, enabled soft delete will restore it. If the attack encrypts the data, the backups that are encrypted by CMK cannot be tampered with and can be decrypted and restored.
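Added example (editor's code, not from the SecExams page and not Azure Backup's own implementation): a Python model of the two mechanics the Question #8 explanation describes, a security PIN gating the "delete backup data" operation and soft delete retaining deleted backup data for 14 days. It plays the scenario the question poses, an attacker holding the backup administrator's credentials deleting the backups, under each combination of controls and reports whether a restore still succeeds. Vault layout, recovery-point names, the PIN and the dates are constructed.

```python
"""Ransomware-resilience model for the Azure Backup controls in Question #8.

Added example, not from the SecExams page or from Azure Backup itself. It
simulates a Recovery Services vault with soft delete (deleted backup data
kept for 14 days, per the explanation) and a security PIN on critical
operations. Names, dates and the PIN are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional

SOFT_DELETE_RETENTION = timedelta(days=14)   # the 14 days the explanation cites


class OperationDenied(Exception):
    """Raised when a critical operation is attempted without the security PIN."""


@dataclass
class RecoveryPoint:
    name: str
    deleted_at: Optional[datetime] = None   # set instead of purging when soft delete is on


@dataclass
class Vault:
    soft_delete_enabled: bool
    security_pin: Optional[str]             # None means no PIN is required
    points: Dict[str, RecoveryPoint] = field(default_factory=dict)

    def backup(self, name: str) -> None:
        self.points[name] = RecoveryPoint(name)

    def delete_backup_data(self, name: str, now: datetime, pin: Optional[str] = None) -> None:
        """Critical operation: valid credentials alone are not enough when a PIN is set."""
        if self.security_pin is not None and pin != self.security_pin:
            raise OperationDenied("security PIN required to delete backup data")
        if self.soft_delete_enabled:
            self.points[name].deleted_at = now      # retained in the soft-deleted state
        else:
            del self.points[name]                   # irrecoverable

    def _purge_expired(self, now: datetime) -> None:
        for name, rp in list(self.points.items()):
            if rp.deleted_at is not None and now - rp.deleted_at >= SOFT_DELETE_RETENTION:
                del self.points[name]

    def can_restore(self, name: str, now: datetime) -> bool:
        """A soft-deleted recovery point can be undeleted and restored until it ages out."""
        self._purge_expired(now)
        return name in self.points


def restore_after_attack(soft_delete: bool, pin_required: bool,
                         attacker_has_pin: bool, days_later: int) -> bool:
    """Attacker with backup-admin credentials deletes the backups on day 0;
    the defender attempts a restore days_later. Returns True if it succeeds."""
    pin = "4821"                                   # constructed
    attack_time = datetime(2024, 1, 1)
    vault = Vault(soft_delete_enabled=soft_delete,
                  security_pin=pin if pin_required else None)
    vault.backup("vm1-daily")
    try:
        vault.delete_backup_data("vm1-daily", now=attack_time,
                                 pin=pin if attacker_has_pin else None)
    except OperationDenied:
        pass                                       # delete blocked; data untouched
    return vault.can_restore("vm1-daily", now=attack_time + timedelta(days=days_later))


if __name__ == "__main__":
    print("no controls           :", restore_after_attack(False, False, False, 3))
    print("PIN only              :", restore_after_attack(False, True, False, 3))
    print("PIN only, PIN stolen  :", restore_after_attack(False, True, True, 3))
    print("soft delete, day 3    :", restore_after_attack(True, False, False, 3))
    print("both, PIN stolen, d13 :", restore_after_attack(True, True, True, 13))
    print("soft delete, day 14   :", restore_after_attack(True, False, False, 14))
```

The third and fifth cases carry the lesson: if the attacker obtains the PIN along with the credentials, only soft delete still saves the restore, and only inside the retention window, so the restore has to be started before the window closes. Azure Backup's multi-user authorization (Resource Guard) adds an approver outside the backup administrator's control for the same operations; Azure Monitor alerts shorten the time to notice the deletion but change nothing about what remains restorable.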
Question #9
HOTSPOT
You are creating the security recommendations for an Azure App Service web app named App1. App1 has the following specifications:
✑ Users will request access to App1 through the My Apps portal. A human resources manager will approve the requests.
✑ Users will authenticate by using Azure Active Directory (Azure AD) user accounts.
You need to recommend an access security architecture for App1. What should you include in the recommendation? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area: (answer-area image not reproduced)

Explanation
Correct Answer (as published; see the note below):
Box 1: A managed identity in Azure AD. Use a managed identity. You use Azure AD as the identity provider.
Box 2: An access review in Identity Governance. Access to groups and applications for employees and guests changes over time. To reduce the risk associated with stale access assignments, administrators can use Azure Active Directory (Azure AD) to create access reviews for group members or application access.
Note: A managed identity is an identity for the workload itself (App1 calling other Azure services); it does not sign users in. For user authentication with Azure AD accounts, App1 is registered as an Azure AD application. The request-and-approve flow in the first requirement is what an access package in entitlement management (Identity Governance) provides, with the HR manager as the approver; an access review only recertifies access that already exists. The community below reports selecting those two options in the exam.
Reference: https://docs.microsoft.com/en-us/azure/app-service/scenario-secure-app-authentication-app-service https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review

Community Discussion
I would go for: a) Azure AD application (https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/what-is-application-management) b) an access package in Identity Governance (https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-access-package-create).
Answer is incorrect. Box 1 is the Azure AD application (https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app). Box 2 is an access package in Identity Governance (https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-access-package-create).
Got this in the exam on 6 Oct 23; passed with 896 marks. I answered: Azure AD app registration; an access package in Identity Governance.
Selected answer: Azure AD application registration and access package in Identity Governance. In exam Nov 23.
Agreed with this one; answer is A, A.

Question #10
HOTSPOT
Your company uses Microsoft Defender for Cloud and Microsoft Sentinel. The company is designing an application that will have the architecture shown in the following exhibit. (Exhibit not reproduced.)
You are designing a logging and auditing solution for the proposed architecture. The solution must meet the following requirements:
✑ Integrate Azure Web Application Firewall (WAF) logs with Microsoft Sentinel.
✑ Use Defender for Cloud to review alerts from the virtual machines.
What should you include in the solution? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area: (answer-area image not reproduced)

Explanation
Correct Answer:
Box 1: Data connectors
The Microsoft Sentinel connector streams security alerts from Microsoft Defender for Cloud into Microsoft Sentinel. Launch a WAF workbook (see step 7 below). The WAF workbook works for all Azure Front Door, Application Gateway, and CDN WAFs. Before connecting the data from these resources, log analytics must be enabled on your resource. To enable log analytics for each resource, go to your individual Azure Front Door, Application Gateway, or CDN resource:
1. Select Diagnostic settings.
2. Select + Add diagnostic setting.
3. In the Diagnostic setting page (details skipped).
4. On the Azure home page, type Microsoft Sentinel in the search bar and select the Microsoft Sentinel resource.
5. Select an already active workspace or create a new workspace.
6. On the left side panel under Configuration, select Data Connectors.
7. Search for Azure web application firewall and select Azure web application firewall (WAF). Select Open connector page on the bottom right.
8. Follow the instructions under Configuration for each WAF resource that you want to have log analytic data for, if you haven't done so previously.
9. Once finished configuring individual WAF resources, select the Next steps tab. Select one of the recommended workbooks. This workbook will use all log analytic data that was enabled previously.
A working WAF workbook should now exist for your WAF resources.
Box 2: The Log Analytics agent
Use the Log Analytics agent to integrate with Microsoft Defender for Cloud. The Log Analytics agent is required for solutions, VM insights, and other services such as Microsoft Defender for Cloud.
Note: The Log Analytics agent in Azure Monitor can also be used to collect monitoring data from the guest operating system of virtual machines. You may choose to use either or both depending on your requirements. The Azure Log Analytics agent collects telemetry from Windows and Linux virtual machines in any cloud, on-premises machines, and those monitored by System Center Operations Manager, and sends collected data to your Log Analytics workspace in Azure Monitor. The Log Analytics agent has since been retired in favour of the Azure Monitor Agent (AMA); the community comments below link the migration guide.
Incorrect: The Azure Diagnostics extension does not integrate with Microsoft Defender for Cloud.
Reference: https://docs.microsoft.com/en-us/azure/web-application-firewall/waf-sentinel https://docs.microsoft.com/en-us/azure/defender-for-cloud/enable-data-collection https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview

Community Discussion
Correct answer. For WAF, in Sentinel we have a data connector. For the VM, we have to install the Log Analytics agent in the VM, in the cloud or on premises.
The answer is correct.
Correct answers. New name for Log Analytics Agent - Azure Monitoring Agent.
WAF - data connector; VM - LA agent.
1. Data connectors 2. Log Analytics agent (but should use Azure Monitor Agent now) https://learn.microsoft.com/en-us/azure/sentinel/data-connectors/azure-web-application-firewall-waf https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate

Question #11
Your company has a third-party security information and event management (SIEM) solution that uses Splunk and Microsoft Sentinel. You plan to integrate Microsoft Sentinel with Splunk. You need to recommend a solution to send security events from Microsoft Sentinel to Splunk. What should you include in the recommendation?
A) a Microsoft Sentinel data connector (Correct Answer)
B) Azure Event Hubs
C) a Microsoft Sentinel workbook
D) Azure Data Factory

Explanation

Correct Answer: A

The Microsoft Sentinel Add-On for Splunk allows Azure Log Analytics and Microsoft Sentinel users to ingest security logs from the Splunk platform using the Azure HTTP Data Collector API. Note that this add-on moves data from Splunk into Sentinel, the opposite direction from what the question asks; to send Sentinel data to Splunk, the documented path is to export the workspace tables to Azure Event Hubs and have Splunk consume the event hub, which is why the discussion below favors option B.

Reference:
https://splunkbase.splunk.com/app/5312/

Community Discussion

If data needs to go to Splunk, then Event Hub. https://www.splunk.com/en_us/blog/platform/splunking-azure-event-hubs.html

Selected Answer: B
B. Data connectors are for receiving data, not for sending data.

Agree, as I do not see any Splunk data connector in Sentinel and also no Azure HTTP API connector in Sentinel.

Event Hub is the answer: https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/azure-sentinel-side-by-side-with-splunk-via-eventhub/ba-p/2307029

Question #12

A customer follows the Zero Trust model and explicitly verifies each attempt to access its corporate applications. The customer discovers that several endpoints are infected with malware. The customer suspends access attempts from the infected endpoints. The malware is removed from the endpoints.

Which two conditions must be met before endpoint users can access the corporate applications again? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A) The client access tokens are refreshed. (Correct Answer)
B) Microsoft Intune reports the endpoints as compliant.
C) A new Azure Active Directory (Azure AD) Conditional Access policy is enforced. (Correct Answer)
D) Microsoft Defender for Endpoint reports the endpoints as compliant.
Explanation

Correct Answer: AC

A: When a client acquires an access token to access a protected resource, the client also receives a refresh token. The refresh token is used to obtain new access/refresh token pairs when the current access token expires. Refresh tokens are also used to acquire extra access tokens for other resources. Refresh tokens can be revoked at any time, because of timeouts and revocations, so once access has been suspended the client must obtain fresh tokens before it can reach the applications again.

C: Azure AD Conditional Access is the policy decision point for access to resources (see the note below), so access is restored only once the enforced policy's conditions are met. The signal it evaluates comes from the endpoint stack: Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. It uses a combination of endpoint behavioral sensors, cloud security analytics, and threat intelligence, and its device risk level can feed an Intune compliance policy that Conditional Access then uses as a grant condition (which is why the discussion below prefers option B).

The interviewees said that "by implementing Zero Trust architecture, their organizations improved employee experience (EX) and increased productivity." They also noted "increased device performance and stability by managing all of their endpoints with Microsoft Endpoint Manager." This had a bonus effect of reducing the number of agents installed on a user's device, thereby increasing device stability and performance. "For some organizations, this can reduce boot times from 30 minutes to less than a minute," the study states. Moreover, shifting to Zero Trust moved the burden of security away from users. Implementing single sign-on (SSO), multifactor authentication (MFA), leveraging passwordless authentication, and eliminating VPN clients all further reduced friction and improved user productivity.

Note: Azure AD at the heart of your Zero Trust strategy. Azure AD provides critical functionality for your Zero Trust strategy. It enables strong authentication, a point of integration for device security, and the core of your user-centric policies to guarantee least-privileged access.
Azure AD's Conditional Access capabilities are the policy decision point for access to resources.

Reference:
https://www.microsoft.com/security/blog/2022/02/17/4-best-practices-to-implement-a-comprehensive-zero-trust-security-approach/
https://docs.microsoft.com/en-us/azure/active-directory/develop/refresh-tokens

Community Discussion

Selected Answer: AB
AB looks correct to me.

I don't think this is correct. Zero Trust is referring to Conditional Access, so it would be Microsoft Intune reports the endpoints as compliant. https://docs.microsoft.com/en-us/mem/intune/protect/advanced-threat-protection and I assume The client access tokens are refreshed.

A second thought (why NEW Conditional Access policy??), so the answer seems wrong and the correct one looks like Microsoft Intune reports the endpoints as compliant and The client access tokens are refreshed.

Question #13

HOTSPOT

You have a Microsoft 365 subscription and an Azure subscription. Microsoft 365 Defender and Microsoft Defender for Cloud are enabled. The Azure subscription contains a Microsoft Sentinel workspace. Microsoft Sentinel data connectors are configured for Microsoft 365, Microsoft 365 Defender, Defender for Cloud, and Azure.

You plan to deploy Azure virtual machines that will run Windows Server.

You need to enable extended detection and response (XDR) and security orchestration, automation, and response (SOAR) capabilities for Microsoft Sentinel.
How should you recommend enabling each capability? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Explanation

Correct Answer:

Box 1: Onboard the servers to Defender for Cloud.

Extended detection and response (XDR) is an approach defined by industry analysts that is designed to deliver intelligent, automated, and integrated security across domains, to help defenders connect seemingly disparate alerts and get ahead of attackers. Microsoft unified its XDR technologies under the Microsoft Defender brand, which prevents, detects, and responds to threats across identities, endpoints, applications, email, IoT, infrastructure, and cloud platforms. For Azure virtual machines, that capability comes from Defender for Cloud's Defender for servers plan, so the servers are onboarded to Defender for Cloud.

Box 2: Configure Microsoft Sentinel playbooks.

As a SOAR platform, Microsoft Sentinel's primary purpose is to automate any recurring and predictable enrichment, response, and remediation tasks that are the responsibility of security operations centers (SOC/SecOps). Leveraging SOAR frees up time and resources for more in-depth investigation of and hunting for advanced threats. Automation takes a few different forms in Microsoft Sentinel, from automation rules that centrally manage the automation of incident handling and response, to playbooks that run predetermined sequences of actions to provide robust and flexible advanced automation for your threat response tasks.

Reference:
https://www.microsoft.com/security/blog/2020/09/22/microsoft-unified-siem-xdr-modernize-security-operations/
https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/become-a-microsoft-sentinel-automation-ninja/ba-p/3563377

Community Discussion

I agree with the answer, but the explanation and links are not very good.
For SOAR read this: https://docs.microsoft.com/en-us/azure/sentinel/automate-responses-with-playbooks
Endpoint detection and response (EDR) and eXtended detection and response (XDR) are both part of Microsoft Defender. https://docs.microsoft.com/en-us/microsoft-365/security/defender/eval-overview?view=o365-worldwide

Given answer is correct.

Gotten this in May 2023 exam.

Agree to the answer provided.

Question #14

You have a customer that has a Microsoft 365 subscription and uses the Free edition of Azure Active Directory (Azure AD). The customer plans to obtain an Azure subscription and provision several Azure resources.

You need to evaluate the customer's security environment.

What will necessitate an upgrade from the Azure AD Free edition to the Premium edition?

A) Azure AD Privileged Identity Management (PIM)
B) role-based authorization
C) resource-based authorization
D) Azure AD Multi-Factor Authentication (Correct Answer)

Explanation

Correct Answer: D

Multifactor authentication (MFA), an important component of the Zero Trust Model, is listed here as missing from the Azure AD Free edition. Check this against the current pricing page before relying on it: the Free tier does include MFA through security defaults, whereas Privileged Identity Management requires a Premium P2 license, which is why the discussion below favors option A.

Reference:
https://www.microsoft.com/en-us/security/business/identity-access/azure-active-directory-pricing

Community Discussion

Selected Answer: A
PIM is correct. MFA can be enabled on AAD Free using Security Defaults.

Selected Answer: A
PIM is the correct answer.

I agree. The picture in the answer shows the whole package. If we look at the detailed view, we can see that MFA is already available in Azure Free. https://www.microsoft.com/en-us/security/business/microsoft-entra-pricing
Selected Answer: A
PIM is correct. It's a P2 feature.

Question #15

You are designing the security standards for a new Azure environment.

You need to design a privileged identity strategy based on the Zero Trust model.

Which framework should you follow to create the design?

A) Microsoft Security Development Lifecycle (SDL)
B) Enhanced Security Admin Environment (ESAE)
C) Rapid Modernization Plan (RaMP) (Correct Answer)
D) Microsoft Operational Security Assurance (OSA)

Explanation

Correct Answer: C

RaMP initiatives for Zero Trust: to rapidly adopt Zero Trust in your organization, RaMP offers technical deployment guidance organized in initiatives. In particular, meet these deployment objectives to protect your privileged identities with Zero Trust:

1. Deploy secured privileged access to protect administrative user accounts.
2. Deploy Azure AD Privileged Identity Management (PIM) for a time-bound, just-in-time approval process for the use of privileged user accounts.

Note 1: RaMP guidance takes a project management and checklist approach:

* User access and productivity
  1. Explicitly validate trust for all access requests
     - Identities
     - Endpoints (devices)
     - Apps
     - Network
* Data, compliance, and governance
  2. Ransomware recovery readiness
  3. Data
* Modernize security operations
  4. Streamline response
  5. Unify visibility
  6. Reduce manual effort

Note 2: As an alternative to deployment guidance that provides detailed configuration steps for each of the technology pillars being protected by Zero Trust principles, Rapid Modernization Plan (RaMP) guidance is based on initiatives and gives you a set of deployment paths to more quickly implement key layers of protection.
By providing a suggested mapping of key stakeholders, implementers, and their accountabilities, you can more quickly organize an internal project and define the tasks and owners to drive them to conclusion. By providing a checklist of deployment objectives and implementation steps, you can see the bigger picture of infrastructure requirements and track your progress.

Incorrect:

Not B: Enhanced Security Admin Environment (ESAE). The ESAE architecture (often referred to as red forest, admin forest, or hardened forest) is an approach to provide a secure environment for Windows Server Active Directory (AD) administrators. Microsoft's recommendation to use this architectural pattern has been replaced by the modern privileged access strategy and rapid modernization plan (RaMP) guidance as the default recommended approach for securing privileged users. The ESAE hardened administrative forest pattern (on-premises or cloud-based) is now considered a custom configuration suitable only for the exception cases listed below.

What are the valid ESAE use cases? While not a mainstream recommendation, this architectural pattern is valid in a limited set of scenarios. In these exception cases, the organization must accept the increased technical complexity and operational costs of the solution. The organization must have a sophisticated security program to measure risk, monitor risk, and apply consistent operational rigor to the usage and maintenance of the ESAE implementation. Example scenarios include:

- Isolated on-premises environments: where cloud services are unavailable, such as offline research laboratories, critical infrastructure or utilities, disconnected operational technology (OT) environments such as supervisory control and data acquisition (SCADA) / industrial control systems (ICS), and public sector customers that are fully reliant on on-premises technology.
- Highly regulated environments: industry or government regulation may specifically require an administrative forest configuration.
- High-level security assurance is mandated: organizations with low risk tolerance that are willing to accept the increased complexity and operational cost of the solution.

Reference:
https://docs.microsoft.com/en-us/security/zero-trust/zero-trust-ramp-overview
https://docs.microsoft.com/en-us/security/zero-trust/user-access-productivity-validate-trust#identities
https://docs.microsoft.com/en-us/security/compass/esae-retirement

Community Discussion

Answer is correct. https://docs.microsoft.com/en-us/security/compass/security-rapid-modernization-plan This rapid modernization plan (RAMP) will help you quickly adopt Microsoft's recommended privileged access strategy.

Selected Answer: C
C. BillyB provides a great link. SDL and OSA are SDLC related. ESAE has been retired and replaced by RAMP.

Selected Answer: C
As pointed out multiple times, C (RaMP) is the correct answer.

Selected Answer: B
I think B. RaMP is not a recognized security framework or model.

Selected Answer: C
https://learn.microsoft.com/en-us/security/zero-trust/zero-trust-ramp-overview

Question #16

A customer has a hybrid cloud infrastructure that contains a Microsoft 365 E5 subscription and an Azure subscription. All on-premises servers in the perimeter network are prevented from connecting directly to the internet.

The customer recently recovered from a ransomware attack.

The customer plans to deploy Microsoft Sentinel.

You need to recommend solutions to meet the following requirements:
✑ Ensure that the security operations team can access the security logs and the operation logs.
✑ Ensure that the IT operations team can access only the operations logs, including the event logs of the servers in the perimeter network.

Which two solutions should you include in the recommendation?
Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.

A) a custom collector that uses the Log Analytics agent
B) the Azure Monitor agent (Correct Answer)
C) resource-based role-based access control (RBAC) (Correct Answer)
D) Azure Active Directory (Azure AD) Conditional Access policies

Explanation

Correct Answer: BC

B: The Azure Monitor agent can be multi-homed through its data collection rules, sending the Windows security events to the workspace that Microsoft Sentinel uses and the operational event logs of the perimeter servers to the workspace that IT operations uses. Because those servers cannot reach the internet directly, the agent is routed through a Log Analytics gateway or proxy (see the discussion below).

C: Microsoft Sentinel uses Azure role-based access control (Azure RBAC) to provide built-in roles that can be assigned to users, groups, and services in Azure. Use Azure RBAC to create and assign roles within your security operations team to grant appropriate access to Microsoft Sentinel. The different roles give you fine-grained control over what Microsoft Sentinel users can see and do. Azure roles can be assigned in the Microsoft Sentinel workspace directly, or in a subscription or resource group that the workspace belongs to, which Microsoft Sentinel inherits. With resource-context RBAC, a team that has read permission only on the perimeter servers' resource group can query only the log rows those servers produced.

Incorrect:

Not A: You can collect data in custom log formats in Microsoft Sentinel with the Log Analytics agent. You can use the Log Analytics agent to collect data in text files of nonstandard formats from both Windows and Linux computers. Once collected, you can either parse the data into individual fields in your queries or extract the data during collection to individual fields. You can connect your data sources to Microsoft Sentinel using custom log formats. This addresses log format, not the separation of access that the requirements call for.
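To make the second requirement concrete, here is an added example (not from the original page and not Azure's authorization code) that models how Log Analytics decides which rows a principal may query: a role at the workspace scope gives workspace-context access to every row, while a Reader role on the perimeter resource group gives resource-context access only to rows whose _ResourceId sits under that scope. It assumes the workspace's access control mode permits resource permissions, models table-level RBAC as a plain allow-list of tables, and uses constructed rows, subscription IDs and role assignments.

```python
"""Model of resource-context vs workspace-context access to Log Analytics rows
(added example: a simplified model of the documented rules, not Azure's authorization code).

Resource-context RBAC applies when the workspace access control mode allows resource
permissions: a principal with read permission on a resource (or on a scope above it)
can query the rows whose _ResourceId falls under that scope. Table-level restriction is
modeled as an allow-list of tables, standing in for table-level Azure RBAC. The rows,
subscription ID and role assignments are constructed.
"""
SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"
WORKSPACE_ID = SUB + "/resourcegroups/rg-soc/providers/microsoft.operationalinsights/workspaces/law-sentinel"
PERIMETER_RG = SUB + "/resourcegroups/rg-perimeter"
CORP_RG = SUB + "/resourcegroups/rg-corp"


def vm_id(resource_group, name):
    """Build a virtual machine resource ID under a resource group (constructed)."""
    return f"{resource_group}/providers/microsoft.compute/virtualmachines/{name}"


# Constructed rows carrying the _ResourceId that resource-context RBAC keys on.
# Defender for Cloud alerts have no resource id: they are workspace-level data.
# The "decoy" row sits in rg-perimeter2 and must not leak through a prefix match.
SAMPLE_ROWS = [
    {"table": "SecurityEvent", "_ResourceId": vm_id(PERIMETER_RG, "dmz-web01"), "event": "4625 failed logon"},
    {"table": "Event", "_ResourceId": vm_id(PERIMETER_RG, "dmz-web01"), "event": "W3SVC service stopped"},
    {"table": "Event", "_ResourceId": vm_id(PERIMETER_RG + "2", "decoy"), "event": "Reboot"},
    {"table": "Event", "_ResourceId": vm_id(CORP_RG, "app01"), "event": "Disk 90% full"},
    {"table": "SecurityAlert", "_ResourceId": "", "event": "Defender for Cloud: suspicious process"},
]

ROLE_ASSIGNMENTS = [
    {"principal": "secops", "role": "Microsoft Sentinel Reader", "scope": WORKSPACE_ID},
    {"principal": "itops", "role": "Reader", "scope": PERIMETER_RG},
]

# Tables a principal may read; a principal absent from the map has no table restriction.
TABLE_ALLOW = {"itops": {"Event", "Heartbeat"}}


def scopes_for(principal, assignments=ROLE_ASSIGNMENTS):
    return [a["scope"].lower() for a in assignments if a["principal"] == principal]


def in_scope(resource_id, scope):
    """True when resource_id is the scope itself or lives below it (segment-safe prefix)."""
    rid = resource_id.lower()
    return rid == scope or rid.startswith(scope + "/")


def has_workspace_context(principal, assignments=ROLE_ASSIGNMENTS):
    """A role at the workspace, its resource group or the subscription grants workspace context."""
    return any(in_scope(WORKSPACE_ID, s) for s in scopes_for(principal, assignments))


def visible_rows(principal, rows=SAMPLE_ROWS, assignments=ROLE_ASSIGNMENTS, table_allow=TABLE_ALLOW):
    """Rows the principal can query: all of them in workspace context, otherwise only rows
    whose _ResourceId is under one of the principal's scopes; table allow-list applies to both."""
    allowed_tables = table_allow.get(principal)
    workspace = has_workspace_context(principal, assignments)
    scopes = scopes_for(principal, assignments)
    out = []
    for row in rows:
        if allowed_tables is not None and row["table"] not in allowed_tables:
            continue
        rid = row["_ResourceId"]
        # Resource-context access never reaches rows without a resource id.
        if workspace or (rid and any(in_scope(rid, s) for s in scopes)):
            out.append(row)
    return out


if __name__ == "__main__":
    for who in ("secops", "itops"):
        print(who, [(r["table"], r["event"]) for r in visible_rows(who)])
    print("itops without table restriction:", [r["table"] for r in visible_rows("itops", table_allow={})])
```

Run as is, secops sees all five rows and itops sees only the perimeter server's Event row. Dropping the table allow-list (the last print) lets itops read that server's SecurityEvent row too: resource-context RBAC scopes rows by resource, so keeping security logs away from IT operations additionally needs a table-level restriction or a separate workspace.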
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview
https://docs.microsoft.com/en-us/azure/sentinel/connect-custom-logs?tabs=DCG
https://docs.microsoft.com/en-us/azure/sentinel/roles

Community Discussion

These answer options have been abridged. Other dumps say:
A. Create a custom collector that uses the Log Analytics agent.
B. Use the Azure Monitor agent with the multi-homing configuration.
C. Implement resource-based role-based access control (RBAC) in Microsoft Sentinel.
D. Configure Azure Active Directory (Azure AD) Conditional Access policies.

Given the expanded answers, B and C are the clear best choices. B: this use case is spelled out in exact detail. This must be the exact wording that the question was created from: https://docs.microsoft.com/en-us/azure/sentinel/best-practices-data#on-premises-windows-log-collection C: https://docs.microsoft.com/en-us/azure/sentinel/resource-context-rbac#scenarios-for-resource-context-rbac

Selected Answer: BC
I agree with B & C after the expanded version of the answers. The link for B also states this: Servers do not connect to the internet: use the Log Analytics gateway. Configuring a proxy to your agent requires extra firewall rules to allow the gateway to work.

Question #17

Your company is developing a serverless application in Azure that will have the architecture shown in the following exhibit.
You need to recommend a solution to isolate the compute components on an Azure virtual network.

What should you include in the recommendation?

A) Azure Active Directory (Azure AD) enterprise applications
B) an Azure App Service Environment (ASE) (Correct Answer)
C) Azure service endpoints
D) an Azure Active Directory (Azure AD) application proxy

Explanation

Correct Answer: B

The Azure App Service Environment v2 is an Azure App Service feature that provides a fully isolated and dedicated environment for securely running App Service apps at high scale. (App Service Environment v3 has since replaced v2; the isolation into your own virtual network is the same.) This capability can host your:
- Windows web apps
- Linux web apps
- Docker containers
- Mobile apps
- Functions

App Service Environments (ASEs) are appropriate for application workloads that require:
- Very high scale
- Isolation and secure network access
- High memory utilization

Customers can create multiple ASEs within a single Azure region or across multiple Azure regions. This flexibility makes ASEs ideal for horizontally scaling stateless application tiers in support of high requests per second (RPS) workloads.

Reference:
https://docs.microsoft.com/en-us/azure/app-service/environment/intro

Community Discussion

Selected Answer: B
Answer is correct. https://docs.microsoft.com/en-us/azure/app-service/environment/overview

Was on exam 15/06/23.

On exam 5/25/2023.

Thank you Zelleck. I took AZ-500 and SC-100 shortly after you. You helped me a lot. I know you wouldn't see this message, but I really appreciate your effort.

Glad that my comments are useful! =)

Question #18

You are evaluating an Azure environment for compliance.

You need to design an Azure Policy implementation that can be used to evaluate compliance without changing any resources.

Which effect should you use in Azure Policy?
A) Deny
B) Modify
C) Append
D) Disabled (Correct Answer)

Explanation

Correct Answer: D

The Disabled effect is useful for testing situations or for when the policy definition has parameterized the effect. This flexibility makes it possible to disable a single assignment instead of disabling all of that policy's assignments. An alternative to the Disabled effect is enforcementMode, which is set on the policy assignment. When enforcementMode is Disabled (DoNotEnforce in the assignment JSON), resources are still evaluated and their compliance is reported, but the effect is not enforced. Note the distinction a practitioner needs: a definition whose effect resolves to Disabled is not evaluated at all and reports every resource as Compliant, whereas the effect that evaluates compliance without changing resources is Audit, which is not among the options (see the discussion below).

Incorrect:

Not A: Deny is used to prevent a resource request that doesn't match defined standards through a policy definition, and fails the request.

Not B: Modify evaluates before the request gets processed by a Resource Provider during the creation or updating of a resource. The Modify operations are applied to the request content when the if condition of the policy rule is met. Each Modify operation can specify a condition that determines when it's applied. Operations with conditions that evaluate to false are skipped.

Not C: Append is used to add additional fields to the requested resource during creation or update.

Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects

Community Discussion

Selected Answer: D
It has to be Disabled since Deny will send the compliance report as non-compliant.

The question is misleadingly worded. The question asks which effect can be used to report on compliance without changing anything. The Azure Policy "effect" used to do this is "Audit", which is not one of the provided options. There isn't an "effect" setting in the choices that matches the criteria. However, "Disabled" and "Enabled" are the two Azure Policy "enforcement" setting options. If an Azure Policy's "enforcement" is set to "Disabled", any "effect" set on this Azure Policy will report but will not make changes.
"Disabled" is the best answer available, although technically incorrect because "Disabled" isn't an Azure Policy "effect". Page 43 of 460 44 Microsoft - SC-100 Practice Questions - SecExams.com https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effects#deny- evaluation https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effects#deny- evaluation 1. You're confused between "effect" and an "enforcement mode". 2. Policy definitions that use the Disabled effect have the default compliance state Compliant after assignment. The only possible answer is A - Deny. Page 44 of 460 45 Microsoft - SC-100 Practice Questions - SecExams.com Question #19 You have an Azure subscription that has Microsoft Defender for Cloud enabled. You are evaluating the Azure Security Benchmark V3 report as shown in the following exhibit. You need to verify whether Microsoft Defender for servers is installed on all the virtual machines that run Windows. Which compliance control should you evaluate? A) Asset Management B) Posture and Vulnerability Management C) Data Protection D) Endpoint Security (Correct Answer) E) Incident Response Page 45 of 460 46 Microsoft - SC-100 Practice Questions - SecExams.com Explanation Correct Answer: D Microsoft Defender for servers compliance control installed on Windows Defender for clout "Endpoint Security" azure security benchmark v3 Endpoint Security covers controls in endpoint detection and response, including use of endpoint detection and response (EDR) and anti-malware service for endpoints in Azure environments. Security Principle: Enable Endpoint Detection and Response (EDR) capabilities for VMs and integrate with SIEM and security operations processes. Azure Guidance: Azure Defender for servers (with Microsoft Defender for Endpoint integrated) provides EDR capability to prevent, detect, investigate, and respond to advanced threats. 
Use Microsoft Defender for Cloud to deploy Azure Defender for servers for your endpoints and integrate the alerts into your SIEM solution, such as Azure Sentinel.

Incorrect:

Not A: Asset Management covers controls to ensure security visibility and governance over Azure resources, including recommendations on permissions for security personnel, security access to asset inventory, and managing approvals for services and resources (inventory, track, and correct).

Not B: Posture and Vulnerability Management focuses on controls for assessing and improving Azure security posture, including vulnerability scanning, penetration testing and remediation, as well as security configuration tracking, reporting, and correction in Azure resources.

Not C: Data Protection covers control of data protection at rest, in transit, and via authorized access mechanisms, including discover, classify, protect, and monitor sensitive data assets using access control, encryption, key and certificate management in Azure.

Not E: Incident Response covers controls in the incident response life cycle (preparation, detection and analysis, containment, and post-incident activities), including using Azure services such as Microsoft Defender for Cloud and Sentinel to automate the incident response process.

Reference:
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-endpoint-security

Community Discussion

Selected Answer: D
No grey area. Endpoint security is the option that meets the goal.

D is correct.

Correct.

D is fine.

The given answer, D, is correct.

Great, and yes, correct.

Question #20

HOTSPOT

You have a Microsoft 365 E5 subscription and an Azure subscription.
You need to evaluate the existing environment to increase the overall security posture for the following components:
✑ Windows 11 devices managed by Microsoft Intune
✑ Azure Storage accounts
✑ Azure virtual machines

What should you use to evaluate the components? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Explanation

Correct Answer:

Box 1: Microsoft 365 Defender

The Microsoft 365 Defender portal emphasizes quick access to information, simpler layouts, and bringing related information together for easier use. It includes Microsoft Defender for Endpoint. Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. You can integrate Microsoft Defender for Endpoint with Microsoft Intune as a Mobile Threat Defense solution. Integration can help you prevent security breaches and limit the impact of breaches within an organization. Microsoft Defender for Endpoint works with devices that run:
- Android
- iOS/iPadOS
- Windows 10
- Windows 11

Box 2: Microsoft Defender for Cloud

Microsoft Defender for Cloud currently protects Azure Blobs, Azure Files and Azure Data Lake Storage Gen2 resources. Microsoft Defender for SQL on Azure pricing applies to SQL servers on Azure SQL Database, Azure SQL Managed Instance and Azure Virtual Machines.

Box 3: Microsoft 365 Compliance Center

Azure Storage Security Assessment: Microsoft 365 Compliance Center monitors and recommends encryption for Azure Storage, and within a few clicks customers can enable built-in encryption for their Azure Storage Accounts. Note that the third component in the question is Azure virtual machines, which this explanation does not address; Microsoft Defender for Cloud (through its Defender for servers plan) assesses VM security posture, which is the answer the discussion below converges on.

Note: Microsoft 365 compliance is now called Microsoft Purview and the solutions within the compliance area have been rebranded.
Microsoft Purview can be set up to manage policies for one or more Azure Storage accounts.

Reference:
https://docs.microsoft.com/en-us/azure/purview/tutorial-data-owner-policies-storage
https://docs.microsoft.com/en-us/microsoft-365/security/defender/microsoft-365-defender
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint
https://azure.microsoft.com/en-gb/pricing/details/defender-for-cloud/

Community Discussion

Selection 1: Microsoft 365 Defender (Microsoft Defender for Endpoint is part of it). Selection 2: Microsoft Defender for Cloud. Selection 3: Microsoft Defender for Cloud.

Defender for Cloud on VMs & Storage. Read "Security posture management for storage" in this learning module: https://docs.microsoft.com/en-us/learn/modules/design-strategy-for-secure-paas-iaas-saas-services/8-specify-security-requirements-for-storage-workloads

Got this in exam 6 Oct 23. Passed with 896 marks. I answered 1. Microsoft 365 Defender 2. Microsoft Defender for Cloud. 3. Microsoft Defender for Cloud.

Agreed.

Question #21

Your company has an Azure subscription that has enhanced security enabled for Microsoft Defender for Cloud. The company signs a contract with the United States government.

You need to review the current subscription for NIST 800-53 compliance.

What should you do first?

A) From Azure Policy, assign a built-in initiative that has a scope of the subscription. (Correct Answer)
B) From Microsoft Sentinel, configure the Microsoft Defender for Cloud data connector.
C) From Defender for Cloud, review the Azure security baseline for audit report.
D) From Microsoft Defender for Cloud Apps, create an access policy for cloud applications.

Explanation

Correct Answer: A

The Azure Policy Regulatory Compliance built-in initiative definition maps to compliance domains and controls in NIST SP 800-53 Rev. 5.
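The mechanics behind this answer, and behind the choice of effect in Question #18 above, in one added example (not from the original page and not Microsoft code): a small Python model of how Azure Policy evaluates a definition whose effect is parameterized and chosen per assignment, how the assignment's enforcementMode changes the outcome (Deny blocks only when enforced; Disabled is not evaluated at all and reports Compliant; Audit reports without changing anything), and how an initiative rolls its member definitions up to control groups the way the regulatory-compliance initiatives do. The policy-language subset, the alias resolution, the two storage definitions and the NIST control-ID grouping are simplifications of the real engine and JSON, and the resources are constructed.

```python
"""Simplified model of Azure Policy evaluation (added example, not the Azure Policy engine).
Covers a parameterized effect chosen per assignment, the assignment's enforcementMode
(Default vs DoNotEnforce), and an initiative rolling member policies up to control groups.
The policy-language subset, alias resolution, definitions and grouping are simplifications;
the resources are constructed."""
import re


def resolve_field(resource, field):
    """Resolve a policy 'field' against a resource dict (simplified alias handling)."""
    if field in ("type", "name", "location"):
        return resource.get(field)
    rtype = resource.get("type", "")
    # Alias such as Microsoft.Storage/storageAccounts/networkAcls.defaultAction:
    # drop the resource-type prefix and walk the remainder under 'properties'.
    if rtype and field.lower().startswith(rtype.lower() + "/"):
        node = resource.get("properties", {})
        for part in re.split(r"[/.]", field[len(rtype) + 1:]):
            node = node.get(part) if isinstance(node, dict) else None
        return node
    return None


def matches(cond, resource):
    """Evaluate the 'if' block of a policy rule."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource)
    value = resolve_field(resource, cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "notEquals" in cond:
        return value != cond["notEquals"]
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(definition, assignment, resource):
    """Outcome of one assignment for one resource."""
    rule = definition["policyRule"]
    effect = rule["then"]["effect"]
    if effect.startswith("[parameters('"):  # parameterized effect, value comes from the assignment
        name = effect[len("[parameters('"):-len("')]")]
        effect = assignment.get("parameters", {}).get(
            name, definition["parameters"][name].get("defaultValue"))
    enforced = assignment.get("enforcementMode", "Default") == "Default"
    if effect == "Disabled":  # never evaluated, so every resource reports Compliant
        return {"effect": effect, "evaluated": False, "compliance": "Compliant",
                "request_blocked": False, "resource_changed": False}
    hit = matches(rule["if"], resource)
    return {"effect": effect, "evaluated": True,
            # Audit, Deny, Modify and Append all report a matching resource as NonCompliant...
            "compliance": "NonCompliant" if hit else "Compliant",
            # ...but only Deny blocks, and only when the assignment is enforced;
            # Modify/Append change the request only when enforced. DoNotEnforce just reports.
            "request_blocked": hit and effect == "Deny" and enforced,
            "resource_changed": hit and effect in ("Modify", "Append") and enforced}


def initiative_compliance(initiative, assignment, resources):
    """Evaluate every member definition and roll the result up per control group."""
    state = {}
    for ref in initiative["policyDefinitions"]:
        member = {**assignment, "parameters": {**assignment.get("parameters", {}),
                                               **ref.get("parameters", {})}}
        for group in ref.get("groupNames", ["(ungrouped)"]):
            state.setdefault(group, "Compliant")
            if any(evaluate(ref["definition"], member, r)["compliance"] == "NonCompliant"
                   for r in resources):
                state[group] = "NonCompliant"
    return state


EFFECT_PARAM = {"effect": {"type": "String", "allowedValues": ["Audit", "Deny", "Disabled"],
                           "defaultValue": "Audit"}}
IS_STORAGE = {"field": "type", "equals": "Microsoft.Storage/storageAccounts"}

# Modeled on two built-in storage policies (illustrative JSON, not the built-in definitions).
SECURE_TRANSFER = {
    "displayName": "Secure transfer to storage accounts should be enabled",
    "parameters": EFFECT_PARAM,
    "policyRule": {"if": {"allOf": [IS_STORAGE, {"not": {
        "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "equals": True}}]},
                   "then": {"effect": "[parameters('effect')]"}}}
RESTRICT_NETWORK = {
    "displayName": "Storage accounts should restrict network access",
    "parameters": EFFECT_PARAM,
    "policyRule": {"if": {"allOf": [IS_STORAGE, {
        "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction", "notEquals": "Deny"}]},
                   "then": {"effect": "[parameters('effect')]"}}}

# Initiative grouped by NIST SP 800-53 control IDs (illustrative grouping, not the real initiative).
INITIATIVE = {"displayName": "NIST SP 800-53 (illustrative subset)",
              "policyDefinitions": [{"definition": SECURE_TRANSFER, "groupNames": ["SC-8"]},
                                    {"definition": RESTRICT_NETWORK, "groupNames": ["SC-7"]}]}

# Constructed resources: one hardened storage account, one legacy one, one unrelated VM.
RESOURCES = [
    {"name": "sthardened", "type": "Microsoft.Storage/storageAccounts", "location": "eastus",
     "properties": {"supportsHttpsTrafficOnly": True, "networkAcls": {"defaultAction": "Deny"}}},
    {"name": "stlegacy", "type": "Microsoft.Storage/storageAccounts", "location": "eastus",
     "properties": {"supportsHttpsTrafficOnly": False, "networkAcls": {"defaultAction": "Allow"}}},
    {"name": "vm01", "type": "Microsoft.Compute/virtualMachines", "location": "eastus", "properties": {}},
]

if __name__ == "__main__":
    print(evaluate(SECURE_TRANSFER, {"parameters": {"effect": "Deny"}, "enforcementMode": "DoNotEnforce"}, RESOURCES[1]))
    print(initiative_compliance(INITIATIVE, {"parameters": {"effect": "Audit"}}, RESOURCES))
```

With effect Deny and enforcementMode DoNotEnforce the legacy account is evaluated and reported NonCompliant but its request is not blocked, which is the "evaluate without changing anything" behaviour of Question #18; switching the parameter to Disabled makes both control groups report Compliant because nothing is evaluated. Assigning the initiative at subscription scope, as in option A here, is what produces the per-control roll-up that Defender for Cloud's regulatory compliance dashboard displays.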
The following mappings are to the NIST SP 800-53 Rev. 5 controls. Many of the controls are implemented with an Azure Policy initiative definition. To review the complete initiative definition, open Policy in the Azure portal and select the Definitions page. Then, find and select the NIST SP 800-53 Rev. 5 Regulatory Compliance built-in initiative definition. Adding the NIST SP 800-53 standard in Defender for Cloud's regulatory compliance dashboard assigns this same initiative and reports its results there.

Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/samples/gov-nist-sp-800-53-r5

Community Discussion

Selected Answer: A
The given answer is probably the closest. In real life I'd add a regulatory compliance standard in Defender for Cloud. This question might be seen written another way where that is the answer. https://docs.microsoft.com/en-us/azure/defender-for-cloud/update-regulatory-compliance-packages#what-regulatory-compliance-standards-are-available-in-defender-for-cloud

Was on exam 15/06/23.

One keyword in the question is "review". Answer A would "assign" the policy initiative, not "review". Given that the company has Defender for Cloud, Answer C would be my choice.

A. I agree that I'd probably use Defender for Cloud as the UI is much better; however, this service simply doesn't do the work, rather it invokes the Azure Policy initiative, which is then reported back to Defender for Cloud. https://learn.microsoft.com/en-us/azure/defender-for-cloud/policy-reference

Question #22

You have an Azure subscription that has Microsoft Defender for Cloud enabled. You have an Amazon Web Services (AWS) implementation.
You plan to extend the Azure security strategy to the AWS implementation. The solution will NOT use Azure Arc.

Which three services can you use to provide security for the AWS resources? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.

A) Microsoft Defender for Containers (Correct Answer)
B) Microsoft Defender for servers
C) Azure Active Directory (Azure AD) Conditional Access (Correct Answer)
D) Azure Active Directory (Azure AD) Privileged Identity Management (PIM)
E) Azure Policy (Correct Answer)

Explanation

Correct Answer: ACE

Environment settings page (in preview) (recommended): this preview page provides a greatly improved, simpler onboarding experience (including auto provisioning). This mechanism also extends Defender for Cloud's enhanced security features to your AWS resources:

* (A) Microsoft Defender for Containers brings threat detection and advanced defenses to your Amazon EKS clusters. This plan includes Kubernetes threat protection, behavioral analytics, Kubernetes best practices, admission control recommendations and more.
* Microsoft Defender for Servers is also extended to AWS, though it requires Azure Arc.

C: AWS installations can benefit from Conditional Access. Defender for Cloud Apps integrates with Azure AD Conditional Access to enforce additional restrictions, and monitors and protects sessions after sign-in. Defender for Cloud Apps uses user behavior analytics (UBA) and other AWS APIs to monitor sessions and users and to support information protection.

E: Kubernetes data plane hardening. For a bundle of recommendations to protect the workloads of your Kubernetes containers, install the Azure Policy for Kubernetes. You can also auto deploy this component as explained in "Enable auto provisioning of agents and extensions".
With the add-on on your AKS cluster, every request to the Kubernetes API server is monitored against the predefined set of best practices before being persisted to the cluster. You can then configure enforcement of the best practices and mandate them for future workloads.

Incorrect:
Not B: To enable the Defender for Servers plan you need Azure Arc for servers installed on your EC2 instances.

Reference:
https://docs.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-aws?pivots=env-settings
https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-introduction
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/aws/aws-azure-security-solutions

Community Discussion

Selected Answer: ACE
I would go for ACE. That being said, this link covers Azure Policy Extension in hardening Kubernetes data plane. https://docs.microsoft.com/en-us/azure/defender-for-cloud/supported-machines-endpoint-solutions-clouds-containers?tabs=aws-eks

E cannot be an answer, because in order to apply Azure Policy on AWS-based resources you must use Azure Arc, which cannot be the case based on the requirements. So ACD can be the possible answers.

PIM is Privileged Identity Management. I wouldn't say it's nice to have; it's a must.

Question #23

Your company has an on-premises network in Seattle and an Azure subscription. The on-premises network contains a Remote Desktop server. The company contracts a third-party development firm from France to develop and deploy resources to the virtual machines hosted in the Azure subscription. Currently, the firm establishes an RDP connection to the Remote Desktop server.
From the Remote Desktop connection, the firm can access the virtual machines hosted in Azure by using custom administrative tools installed on the Remote Desktop server. All the traffic to the Remote Desktop server is captured by a firewall, and the firewall only allows specific connections from France to the server.

You need to recommend a modern security solution based on the Zero Trust model. The solution must minimize latency for developers.

Which three actions should you recommend? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A) Configure network security groups (NSGs) to allow access from only specific logical groupings of IP address ranges.
B) Deploy a Remote Desktop server to an Azure region located in France.
C) Migrate from the Remote Desktop server to Azure Virtual Desktop. (Correct Answer)
D) Implement Azure Firewall to restrict host pool outbound access. (Correct Answer)
E) Configure Azure Active Directory (Azure AD) Conditional Access with multi-factor authentication (MFA) and named locations. (Correct Answer)

Explanation

Correct Answer: CDE

E: Organizations can use named locations for common tasks like requiring multi-factor authentication for users accessing a service when they're off the corporate network, and blocking access for users accessing a service from specific countries or regions. The location is determined by the public IP address a client provides to Azure Active Directory or by GPS coordinates provided by the Microsoft Authenticator app. Conditional Access policies by default apply to all IPv4 and IPv6 addresses.

CD: Use Azure Firewall to protect Azure Virtual Desktop deployments. Azure Virtual Desktop is a desktop and app virtualization service that runs on Azure. When an end user connects to an Azure Virtual Desktop environment, their session is run by a host pool.
A host pool is a collection of Azure virtual machines that register to Azure Virtual Desktop as session hosts. These virtual machines run in your virtual network and are subject to the virtual network security controls. They need outbound Internet access to the Azure Virtual Desktop service to operate properly and might also need outbound Internet access for end users. Azure Firewall can help you lock down your environment and filter outbound traffic.

Reference:
https://docs.microsoft.com/en-us/azure/firewall/protect-azure-virtual-desktop

Community Discussion

Selected Answer: CDE
CDE is the answer. https://learn.microsoft.com/en-us/azure/firewall/protect-azure-virtual-desktop?tabs=azure
Azure Virtual Desktop is a desktop and app virtualization service that runs on Azure. When an end user connects to an Azure Virtual Desktop environment, their session is run by a host pool. A host pool is a collection of Azure virtual machines that register to Azure Virtual Desktop as session hosts. These virtual machines run in your virtual network and are subject to the virtual network security controls. They need outbound Internet access to the Azure Virtual Desktop service to operate properly and might also need outbound Internet access for end users. Azure Firewall can help you lock down your environment and filter outbound traffic.
https://learn.microsoft.com/en-us/azure/virtual-desktop/set-up-mfa
Users can sign into Azure Virtual Desktop from anywhere using different devices and clients. However, there are certain measures you should take to help keep yourself and your users safe. Using Azure Active Directory (Azure AD) Multi-Factor Authentication (MFA) with Azure Virtual Desktop prompts users during the sign-in process for another form of identification in addition to their username and password. You can enforce MFA for Azure Virtual Desktop using Conditional Access, and can also configure whether it applies to the web client, mobile apps, desktop clients, or all clients.
Selected Answer: CDE
Correct.

Selected Answer: CDE
This is a tricky one… Based on zero trust, minimizing latency, and keeping the existing firewall requirement in place, I'd go with C, D, E.

Question #24

HOTSPOT

Your company has a multi-cloud environment that contains a Microsoft 365 subscription, an Azure subscription, and an Amazon Web Services (AWS) implementation.

You need to recommend a security posture management solution for the following components:
✑ Azure IoT Edge devices
✑ AWS EC2 instances

Which services should you include in the recommendation? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area: (answer-area image not reproduced in the text)

Explanation

Correct Answer:

Box 1: Microsoft Defender for IoT
Microsoft Defender for IoT is a unified security solution for identifying IoT and OT devices, vulnerabilities, and threats and managing them through a central interface. Azure IoT Edge provides powerful capabilities to manage and perform business workflows at the edge. The key part that IoT Edge plays in IoT environments makes it particularly attractive for malicious actors.
The Defender for IoT azureiotsecurity module provides a comprehensive security solution for your IoT Edge devices. The Defender for IoT module collects, aggregates and analyzes raw security data from your operating system and container system into actionable security recommendations and alerts.

Box 2: Microsoft Defender for Cloud and Azure Arc
Microsoft Defender for Cloud provides the following features in the CSPM (Cloud Security Posture Management) category in the multi-cloud scenario for AWS. Take into account that some of them require a Defender plan to be enabled (such as Regulatory Compliance):
* Detection of security misconfigurations
* Single view showing Security Center recommendations and AWS Security Hub findings
* Incorporation of AWS resources into Security Center's secure score calculations
* Regulatory compliance assessments of AWS resources

Security Center uses Azure Arc to deploy the Log Analytics agent to AWS instances.

Incorrect:
AWS EC2 - Microsoft Defender for Cloud Apps: Amazon Web Services is an IaaS provider that enables your organization to host and manage their entire workloads in the cloud. Along with the benefits of leveraging infrastructure in the cloud, your organization's most critical assets may be exposed to threats. Exposed assets include storage instances with potentially sensitive information, compute resources that operate some of your most critical applications, ports, and virtual private networks that enable access to your organization. Connecting AWS to Defender for Cloud Apps helps you secure your assets and detect potential threats by monitoring administrative and sign-in activities, notifying on possible brute force attacks, malicious use of a privileged user account, unusual deletions of VMs, and publicly exposed storage buckets.
Reference:
https://docs.microsoft.com/en-us/azure/defender-for-iot/device-builders/security-edge-architecture
https://samilamppu.com/2021/11/04/multi-cloud-security-posture-management-in-microsoft-defender-for-cloud/

Community Discussion

Dude stop this nonsense

Good answer, bad references.
Defender for IoT: https://docs.microsoft.com/en-us/azure/defender-for-iot/organizations/architecture
EC2 instances need Defender for Cloud by way of Arc: https://docs.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-aws?pivots=env-settings
https://docs.microsoft.com/en-us/azure/azure-arc/servers/overview#supported-cloud-operations

We should still be thankful to the examtopic researchers for their efforts; at least such examples make us validate our review and correct those mistakes :D)

Question #25

Your company has a hybrid cloud infrastructure. The company plans to hire several temporary employees within a brief period. The temporary employees will need to access applications and data on the company's on-premises network. The company's security policy prevents the use of personal devices for accessing company data and applications.

You need to recommend a solution to provide the temporary employees with access to company resources. The solution must be able to scale on demand.

What should you include in the recommendation?

A) Deploy Azure Virtual Desktop, Azure Active Directory (Azure AD) Conditional Access, and Microsoft Defender for Cloud Apps. (Correct Answer)
B) Redesign the VPN infrastructure by adopting a split tunnel configuration.
C) Deploy Microsoft Endpoint Manager and Azure Active Directory (Azure AD) Conditional Access.
D) Migrate the on-premises applications to cloud-based applications.
Explanation

Correct Answer: A

You can connect Azure Virtual Desktop to an on-premises network using a virtual private network (VPN), or use Azure ExpressRoute to extend the on-premises network into the Azure cloud over a private connection.

* Azure AD: Azure Virtual Desktop uses Azure AD for identity and access management. Azure AD integration applies Azure AD security features like Conditional Access, multi-factor authentication, and the Intelligent Security Graph, and helps maintain app compatibility in domain-joined VMs.
* Azure Virtual Desktop: enable Microsoft Defender for Cloud. We recommend enabling Microsoft Defender for Cloud's enhanced security features to manage vulnerabilities and to assess compliance with common frameworks like PCI.
* Microsoft Defender for Cloud Apps, formerly known as Microsoft Cloud App Security, is a comprehensive solution for security and compliance teams, enabling users in the organization, local and remote, to safely adopt business applications without compromising productivity.

Reference:
https://docs.microsoft.com/en-us/azure/architecture/example-scenario/wvd/windows-virtual-desktop
https://docs.microsoft.com/en-us/azure/virtual-desktop/security-guide
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/announcing-microsoft-defender-for-cloud-apps/ba-p/2835842

Community Discussion

It is really nice to see that everyone says the same answer.

Selected Answer: A
That is the only way.

Gotten this in May 2023 exam.

Indeed, no brainer.

Question #26

Your company is preparing for cloud adoption. You are designing security for Azure landing zones.

Which two preventative controls can you implement to increase the secure score? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.
A) Azure Web Application Firewall (WAF)
B) Azure Active Directory (Azure AD) Privileged Identity Management (PIM) (Correct Answer)
C) Microsoft Sentinel (Correct Answer)
D) Azure Firewall
E) Microsoft Defender for Cloud alerts

Explanation

Correct Answer: BC

B: Azure identity and access for landing zones, Privileged Identity Management (PIM). Use Azure AD Privileged Identity Management (PIM) to establish zero-trust and least privilege access. Map your organization's roles to the minimum access levels needed. Azure AD PIM can use Azure native tools, extend current tools and processes, or use both current and native tools as needed.

Azure identity and access for landing zones, design recommendations include:
* (B) Use Azure AD managed identities for Azure resources to avoid credential-based authentication. Many security breaches of public cloud resources originate with credential theft embedded in code or other text. Enforcing managed identities for programmatic access greatly reduces the risk of credential theft.
* Etc.

C: Improve landing zone security, onboard Microsoft Sentinel. You can enable Microsoft Sentinel, and then set up data connectors to monitor and protect your environment. After you connect your data sources using data connectors, you choose from a gallery of expertly created workbooks that surface insights based on your data. These workbooks can be easily customized to your needs.

Note: Landing zone security best practices. The following list of reference architectures and best practices provides examples of ways to improve landing zone security:
Microsoft Defender for Cloud: Onboard a subscription to Defender for Cloud.
Microsoft Sentinel: Onboard to Microsoft Sentinel to provide a security information event management (SIEM) and security orchestration automated response (SOAR) solution.
Secure network architecture: Reference architecture for implementing a perimeter network and secure network architecture.
Identity management and access control: Series of best practices for implementing identity and access t