Good SC-100 Exam Dumps Save Your Preparation Time

1. You have an on-premises network and a Microsoft 365 subscription.

You are designing a Zero Trust security strategy.

Which two security controls should you include as part of the Zero Trust solution? Each correct answer part of the solution. NOTE: Each correct answer is worth one point.

2. For a Microsoft cloud environment, you are designing a security architecture based on the Microsoft Cloud Security Benchmark.

What are three best practices for identity management based on the Azure Security Benchmark? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.

3. You need to recommend a solution to meet the security requirements for the virtual machines.

What should you include in the recommendation?

4. You are creating an application lifecycle management process based on the Microsoft Security Development Lifecycle (SDL).

You need to recommend a security standard for onboarding applications to Azure. The standard will include recommendations for application design, development, and deployment.

What should you include during the application design phase?

5. HOTSPOT

You are designing the security architecture for a cloud-only environment.

You are reviewing the integration point between Microsoft 365 Defender and other Microsoft cloud services based on Microsoft Cybersecurity Reference Architectures (MCRA).

You need to recommend which Microsoft cloud services integrate directly with Microsoft 365

Defender and meet the following requirements:

• Enforce data loss prevention (DLP) policies that can be managed directly from the Microsoft 365 Defender portal.

• Detect and respond to security threats based on User and Entity Behavior Analytics (UEBA) with unified alerting.

What should you include in the recommendation for each requirement? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

6. 1. Topic 1, Fabrikam, Inc Case Study 1



OverView

Fabrikam, Inc. is an insurance company that has a main office in New York and a branch office in Paris.



On-premises Environment

The on-premises network contains a single Active Directory Domain Services (AD DS) domain named corp.fabrikam.com.



Azure Environment

Fabrikam has the following Azure resources:

• An Azure Active Directory (Azure AD) tenant named fabrikam.onmicrosoft.com that syncs with corp.fabnkam.com

• A single Azure subscription named Sub1

• A virtual network named Vnetl in the East US Azure region

• A virtual network named Vnet2 in the West Europe Azure region

• An instance of Azure Front Door named FD1 that has Azure Web Application Firewall (WAR enabled

• A Microsoft Sentinel workspace

• An Azure SQL database named ClaimsDB that contains a table named ClaimDetails

• 20 virtual machines that are configured as application servers and are NOT onboarded to Microsoft Defender for Cloud

• A resource group named TestRG that is used for testing purposes only

• An Azure Virtual Desktop host pool that contains personal assigned session hosts

All the resources in Sub1 are in either the East US or the West Europe region.



Partners

Fabrikam has contracted a company named Contoso, Ltd. to develop applications.

Contoso has the following infrastructure-.

• An Azure AD tenant named contoso.onmicrosoft.com

• An Amazon Web Services (AWS) implementation named ContosoAWS1 that contains AWS EC2 instances used to host test workloads for the applications of Fabrikam Developers at Contoso will connect to the resources of Fabrikam to test or update applications. The developers will be added to a security Group named Contoso Developers in fabrikam.onmicrosoft.com that will be assigned to roles in Sub1.

The ContosoDevelopers group is assigned the db.owner role for the ClaimsDB database.



Compliance Event

Fabrikam deploys the following compliance environment:

• Defender for Cloud is configured to assess all the resources in Sub1 for compliance to the HIPAA HITRUST standard.

• Currently, resources that are noncompliant with the HIPAA HITRUST standard are remediated manually.

• Qualys is used as the standard vulnerability assessment tool for servers.



Problem Statements

The secure score in Defender for Cloud shows that all the virtual machines generate the following recommendation-. Machines should have a vulnerability assessment solution. All the virtual machines must be compliant in Defender for Cloud.



ClaimApp Deployment

Fabrikam plans to implement an internet-accessible application named ClaimsApp that will have the following specification

• ClaimsApp will be deployed to Azure App Service instances that connect to Vnetl and Vnet2.

• Users will connect to ClaimsApp by using a URL of https://claims.fabrikam.com.

• ClaimsApp will access data in ClaimsDB.

• ClaimsDB must be accessible only from Azure virtual networks.

• The app services permission for ClaimsApp must be assigned to ClaimsDB.



Application Development Requirements

Fabrikam identifies the following requirements for application development:

• Azure DevTest labs will be used by developers for testing.

• All the application code must be stored in GitHub Enterprise.

• Azure Pipelines will be used to manage application deployments.

• All application code changes must be scanned for security vulnerabilities, including application code or configuration files that contain secrets in clear text. Scanning must be done at the time the code is pushed to a repository.



Security Requirement

Fabrikam identifies the following security requirements:

• Internet-accessible applications must prevent connections that originate in North Korea.

• Only members of a group named InfraSec must be allowed to configure network security groups (NSGs} and instances of Azure Firewall, VJM. And Front Door in Sub1.

• Administrators must connect to a secure host to perform any remote administration of the virtual machines. The secure host must be provisioned from a custom operating system image.



AWS Requirements

Fabrikam identifies the following security requirements for the data hosted in ContosoAWSV.

• Notify security administrators at Fabrikam if any AWS EC2 instances are noncompliant with secure score recommendations.

• Ensure that the security administrators can query AWS service logs directly from the Azure environment.



Contoso Developer Requirements

Fabrikam identifies the following requirements for the Contoso developers;

• Every month, the membership of the ContosoDevelopers group must be verified.

• The Contoso developers must use their existing contoso.onmicrosoft.com credentials to access the resources in Sub1.

• The Comoro developers must be prevented from viewing the data in a column named MedicalHistory in the ClaimDetails table.



Compliance Requirement

Fabrikam wants to automatically remediate the virtual machines in Sub1 to be compliant with the HIPPA HITRUST standard. The virtual machines in TestRG must be excluded from the compliance assessment.



You need to recommend a solution to meet the security requirements for the InfraSec group.

What should you use to delegate the access?

7. You have the following on-premises servers that run Windows Server:

• Two domain controllers in an Active Directory Domain Services (AD DS) domain

• Two application servers named Server1 and Server2 that run ASP.NET web apps

• A VPN server named Server3 that authenticates by using RADIUS and AD DS End users use a VPN to access the web apps over the internet.

You need to redesign a user access solution to increase the security of the connections to the web apps. The solution must minimize the attack surface and follow the Zero Trust principles of the Microsoft Cybersecurity Reference Architectures (MCRA).

What should you include in the recommendation?

8. Your company has a Microsoft 365 subscription and uses Microsoft Defender for Identity. You are informed about incidents that relate to compromised identities.

You need to recommend a solution to expose several accounts for attackers to exploit. When the attackers attempt to exploit the accounts, an alert must be triggered.

Which Defender for Identity feature should you include in the recommendation?

9. A customer has a Microsoft 365 E5 subscription and an Azure subscription.

The customer wants to centrally manage security incidents, analyze log, audit activity, and search for potential threats across all deployed services.

You need to recommend a solution for the customer. The solution must minimize costs.

What should you include in the recommendation?

10. You are planning the security requirements for Azure Cosmos DB Core (SQL) API accounts. You need to recommend a solution to audit all users that access the data in the Azure Cosmos DB accounts.

Which two configurations should you include in the recommendation? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

11. You have a customer that has a Microsoft 365 subscription and uses the Free edition of Azure Active Directory (Azure AD)

The customer plans to obtain an Azure subscription and provision several Azure resources.

You need to evaluate the customer's security environment.

What will necessitate an upgrade from the Azure AD Free edition to the Premium edition?

12. HOTSPOT

Your company has an Azure App Service plan that is used to deploy containerized web apps. You are designing a secure DevOps strategy for deploying the web apps to the App Service plan. You need to recommend a strategy to integrate code scanning tools into a secure software development lifecycle. The code must be scanned during the following two phases: Uploading the code to repositories Building containers

Where should you integrate code scanning for each phase? To answer, select the appropriate options in the answer area.

13. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You are designing the encryption standards for data at rest for an Azure resource.

You need to provide recommendations to ensure that the data at rest is encrypted by using AES-256 keys. The solution must support rotating the encryption keys monthly.

Solution: For Azure SQL databases, you recommend Transparent Data Encryption (TDE) that uses Microsoft-managed keys.

Does this meet the goal?

14. You have an Azure subscription. The subscription contains 100 virtual machines that run Windows Server. The virtual machines are managed by using Azure Policy and Microsoft Defender for Servers. You need to enhance security on the virtual machines.

The solution must meet the following requirements:

• Ensure that only apps on an allowlist can be run.

• Require administrators to confirm each app added to the allowlist.

• Automatically add unauthorized apps to a blocklist when an attempt is made to launch the app.

• Require administrators to approve an app before the app can be moved from the blocklist to the allowlist.

What should you include in the solution?

15. You are designing a security operations strategy based on the Zero Trust framework.

You need to minimize the operational load on Tier 1 Microsoft Security Operations Center (SOC) analysts.

What should you do?

16. HOTSPOT

You need to recommend a solution to meet the requirements for connections to ClaimsDB.

What should you recommend using for each requirement? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

17. HOTSPOT

You have an Azure subscription that contains a Microsoft Sentinel workspace named MSW1. MSW1 includes 50 scheduled analytics rules.

You need to design a security orchestration automated response (SOAR) solution by using Microsoft Sentinel playbooks.

The solution must meet the following requirements:

• Ensure that expiration dates can be configured when a playbook runs.

• Minimize the administrative effort required to configure individual analytics rules.

What should you use to invoke the playbooks, and which type of Microsoft Sentinel trigger should you use? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

18. You have an Azure subscription. The subscription contains 50 virtual machines that run Windows Server and 50 virtual machines that run Linux. You need to perform vulnerability assessments on the virtual machines.

The solution must meet the following requirements:

• Identify missing updates and insecure configurations.

• Use the Qualys engine.

What should you use?

19. HOTSPOT

Your network contains an on-premises Active Directory Domain Services (AO DS) domain. The domain contains a server that runs Windows Server and hosts shared folders The domain syncs with Azure AD by using Azure AD Connect Azure AD Connect has group writeback enabled. You have a Microsoft 365 subscription that uses Microsoft SharePoint Online.

You have multiple project teams. Each team has an AD DS group that syncs with Azure AD Each group has permissions to a unique SharePoint Online site and a Windows Server shared folder for its project. Users routinely move between project teams.

You need to recommend an Azure AD identity Governance solution that meets the following requirements:

• Project managers must verify that their project group contains only the current members of their project team

• The members of each project team must only have access to the resources of the project to which they are assigned

• Users must be removed from a project group automatically if the project manager has MOT verified the group s membership for 30 days.

• Administrative effort must be minimized.

What should you include in the recommendation? To answer select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

20. You are designing the encryption standards for data at rest for an Azure resource

You need to provide recommendations to ensure that the data at rest is encrypted by using AES-256 keys. The solution must support rotating the encryption keys monthly.

Solution: For blob containers in Azure Storage, you recommend encryption that uses customer-managed keys (CMKs).

Does this meet the goal?

21. You have an Azure subscription.

You have a DNS domain named contoso.com that is hosted by a third-party DNS registrar. Developers use Azure DevOps to deploy web apps to App Service Environments- When a new app is deployed, a CNAME record for the app is registered in contoso.com.

You need to recommend a solution to secure the DNS record tor each web app.

The solution must meet the following requirements:

• Ensure that when an app is deleted, the CNAME record for the app is removed also

• Minimize administrative effort.

What should you include in the recommendation?

22. You are designing a security strategy for providing access to Azure App Service web apps through an Azure Front Door instance. You need to recommend a solution to ensure that the web apps only allow access through the Front Door instance.

Solution: You recommend access restrictions based on HTTP headers that have the Front Door ID.

Does this meet the goal?

23. You have Windows 11 devices and Microsoft 365 E5 licenses.

You need to recommend a solution to prevent users from accessing websites that contain adult content such as gambling sites.

What should you include in the recommendation?

24. HOTSPOT

Your company wants to optimize using Azure to protect its resources from ransomware.

You need to recommend which capabilities of Azure Backup and Azure Storage provide the strongest protection against ransomware attacks. The solution must follow Microsoft Security Best Practices.

What should you recommend? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

25. HOTSPOT

You have an Azure subscription and an on-premises datacenter. The datacenter contains 100 servers that run Windows Server. AJI the servers are backed up to a Recovery Services vault by using Azure Backup and the Microsoft Azure Recovery Services (MARS) agent.

You need to design a recovery solution for ransomware attacks that encrypt the on-premises servers.

The solution must follow Microsoft Security Best Practices and protect against the following risks:

• A compromised administrator account used to delete the backups from Azure Backup before encrypting the servers

• A compromised administrator account used to disable the backups on the MARS agent before encrypting the servers

What should you use for each risk? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point

26. Your company plans to evaluate the security of its Azure environment based on the principles of the Microsoft Cloud Adoption Framework for Azure.

You need to recommend a cloud-based service to evaluate whether the Azure resources comply with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).

What should you recommend?

27. HOTSPOT

What should you create in Azure AD to meet the Contoso developer requirements?

28. Your company plans to provision blob storage by using an Azure Storage account The blob storage will be accessible from 20 application sewers on the internet. You need to recommend a solution to ensure that only the application servers can access the storage account.

What should you recommend using to secure the blob storage?

29. Your company has a third-party security information and event management (SIEM) solution that uses Splunk and Microsoft Sentinel. You plan to integrate Microsoft Sentinel with Splunk.

You need to recommend a solution to send security events from Microsoft Sentinel to Splunk.

What should you include in the recommendation?

30. Your company wants to optimize using Microsoft Defender for Endpoint to protect its resources against ransomware based on Microsoft Security Best Practices.

You need to prepare a post-breach response plan for compromised computers based on the Microsoft Detection and Response Team (DART) approach in Microsoft Security Best Practices.

What should you include in the response plan?

31. HOTSPOT

You are planning the security levels for a security access strategy.

You need to identify which job roles to configure at which security levels. The solution must meet security best practices of the Microsoft Cybersecurity Reference Architectures (MCRA).

Which security level should you configure for each job role? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

32. You are designing the security standards for containerized applications onboarded to Azure. You are evaluating the use of Microsoft Defender for Containers.

In which two environments can you use Defender for Containers to scan for known vulnerabilities? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.

33. You are designing the encryption standards for data at rest for an Azure resource

You need to provide recommendations to ensure that the data at rest is encrypted by using AES-256 keys. The solution must support rotating the encryption keys monthly.

Solution: For Azure SQL databases, you recommend Transparent Data Encryption (TDE) that uses customer-managed keys (CMKs).

Does this meet the goal?

34. HOTSPOT

You need to recommend a strategy for securing the litware.com forest. The solution must meet the identity requirements.

What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE; Each correct selection is worth one point.

35. HOTSPOT

Your company has a multi-cloud environment that contains a Microsoft 365 subscription, an Azure subscription, and Amazon Web Services (AWS) implementation.

You need to recommend a security posture management solution for the following components:

• Azure loT Edge devices

• AWS EC2 instances

Which services should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

36. You need to recommend a strategy for routing internet-bound traffic from the landing zones. The solution must meet the landing zone requirements.

What should you recommend as part of the landing zone deployment?

37. You have an on-premises server that runs Windows Server and contains a Microsoft SQL Server database named DB1.

You plan to migrate DB1 to Azure.

You need to recommend an encrypted Azure database solution that meets the following requirements:

• Minimizes the risks of malware that uses elevated privileges to access sensitive data

• Prevents database administrators from accessing sensitive data

• Enables pattern matching for server-side database operations

• Supports Microsoft Azure Attestation

• Uses hardware-based encryption

What should you include in the recommendation?

38. DRAG DROP

You have a Microsoft 365 subscription

You need to recommend a security solution to monitor the following activities:

• User accounts that were potentially compromised

• Users performing bulk file downloads from Microsoft SharePoint Online

What should you include in the recommendation for each activity? To answer, drag the appropriate components to the correct activities. Each component may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each Correct selection is worth one Point.

39. You have an Azure subscription that has Microsoft Defender for Cloud enabled. You have an Amazon

Web Services (AWS) implementation.

You plan to extend the Azure security strategy to the AWS implementation. The solution will NOT use Azure Arc.

Which three services can you use to provide security for the AWS resources? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.

40. You have an operational model based on the Microsoft Cloud Adoption framework for Azure.

You need to recommend a solution that focuses on cloud-centric control areas to protect resources such as endpoints, database, files, and storage accounts.

What should you include in the recommendation?

41. DRAG DROP

You are designing a security operations strategy based on the Zero Trust framework.

You need to increase the operational efficiency of the Microsoft Security Operations Center (SOC).

Based on the Zero Trust framework, which three deployment objectives should you prioritize in sequence? To answer, move the appropriate objectives from the list of objectives to the answer area and arrange them in the correct order.

42. HOTSPOT

Your company, named Contoso. Ltd... has an Azure AD tenant namedcontoso.com. Contoso has a partner company named Fabrikam. Inc. that has an Azure AD tenant named fabrikam.com. You need to ensure that helpdesk users at Fabrikam can reset passwords for specific users at Contoso.

The solution must meet the following requirements:

• Follow the principle of least privilege.

• Minimize administrative effort.

What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

43. Your company is designing an application architecture for Azure App Service Environment (ASE) web apps as shown in the exhibit. (Click the Exhibit tab.)





Communication between the on-premises network and Azure uses an ExpressRoute connection.

You need to recommend a solution to ensure that the web apps can communicate with the on-premises application server. The solution must minimize the number of public IP addresses that are allowed to access the on-premises network.

What should you include in the recommendation?

44. You have an Azure subscription that contains virtual machines, storage accounts, and Azure SQL databases. All resources are backed up multiple times a day by using Azure Backup. You are developing a strategy to protect against ransomware attacks.

You need to recommend which controls must be enabled to ensure that Azure Backup can be used to restore the resources in the event of a successful ransomware attack.

Which two controls should you include in the recommendation? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.

45. You have a Microsoft 365 subscription.

You are designing a user access solution that follows the Zero Trust principles of the Microsoft Cybersecurity Reference Architectures (MCRA).

You need to recommend a solution that automatically restricts access to Microsoft Exchange Online.

SharePoint Online, and Teams m near-real-lime (NRT) in response to the following Azure AD events:

• A user account is disabled or deleted

• The password of a user is changed or reset.

• All the refresh tokens for a user are revoked

• Multi-factor authentication (MFA) is enabled for a user

Which two features should you include in the recommendation? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

46. You are designing a security strategy for providing access to Azure App Service web apps through an Azure Front Door instance.

You need to recommend a solution to ensure that the web apps only allow access through the Front Door instance.

Solution: You recommend configuring gateway-required virtual network integration.

Does this meet the goal?

47. You are designing the encryption standards for data at rest for an Azure resource

You need to provide recommendations to ensure that the data at rest is encrypted by using AES-256 keys. The solution must support rotating the encryption keys monthly.

Solution: For blob containers in Azure Storage, you recommend encryption that uses Microsoft-managed keys within an encryption scope.

Does this meet the goal?

48. What is the primary benefit of integrating Azure Active Directory with Azure Kubernetes Service (AKS)?

49. You have a Microsoft 365 tenant.

Your company uses a third-party software as a service (SaaS) app named App1 that is integrated with an Azure AD tenant.

You need to design a security strategy to meet the following requirements:

• Users must be able to request access to App1 by using a self-service request.

• When users request access to App1, they must be prompted to provide additional information about their request.

• Every three months, managers must verify that the users still require access to Appl.

What should you include in the design?

50. You need to recommend a solution to resolve the virtual machine issue.

What should you include in the recommendation? (Choose Two)

51. Your company finalizes the adoption of Azure and is implementing Microsoft Defender for Cloud.

You receive the following recommendations in Defender for Cloud

• Access to storage accounts with firewall and virtual network configurations should be restricted,

• Storage accounts should restrict network access using virtual network rules.

• Storage account should use a private link connection.

• Storage account public access should be disallowed.

You need to recommend a service to mitigate identified risks that relate to the recommendations.

What should you recommend?

52. You have an Azure subscription that has Microsoft Defender for Cloud enabled.

You are evaluating the Azure Security Benchmark V3 report.

In the Secure management ports controls, you discover that you have 0 out of a potential 8 points. You need to recommend configurations to increase the score of the Secure management ports controls.

Solution: You recommend enabling just-in-time (JIT) VM access on all virtual machines.

Does this meet the goal?

53. You have an Azure subscription that has Microsoft Defender for Cloud enabled. You are evaluating

the Azure Security Benchmark V3 report.

In the Secure management ports controls, you discover that you have 0 out of a potential 8 points. You need to recommend configurations to increase the score of the Secure management ports controls.

Solution: You recommend onboarding all virtual machines to Microsoft Defender for Endpoint.

Does this meet the goal?

54. You have a Microsoft 365 subscription that syncs with Active Directory Domain Services (AD DS). You need to define the recovery steps for a ransomware attack that encrypted data in the subscription The solution must follow Microsoft Security Best Practices.

What is the first step in the recovery plan?

55. What strategy should be employed to enforce least privilege access when configuring Azure services?